Security. When is it overkill?

This blog post is more than two years old. It is preserved here in the hope that it is useful to someone, but please be aware that links may be broken and that opinions expressed here may not reflect my current views. If this is a technical article, it may no longer reflect current best practice.

My answer to this question is usually never for anything I’m setting up for myself, as long as it’s economically viable and allows me timely access to any data, process or network I need to access. I haven’t, for example, decided to live in a fallout shelter with a huge bulkhead door as the only entrance to keep anyone from gaining physical access to my computer. If it were economically viable though, I would. There is always a trade-off between security and convenience, but deliberately introducing flaws into the security of a system purely for convenience doesn’t seem like a good idea to me.

In an extremely convenient world, we would be able to sit in front of any terminal and have unrestricted access to any other system, its IO and the data it holds. This is clearly a bad idea.

In an extremely secure world, we wouldn’t be able to sit in front of any terminal. All computers would be unplugged from power and any network and encased in epoxy resin so that any attempt to gain physical access would irrecoverably break the machine being accessed. This is clearly a bad idea.

Passwords, PIN numbers and pass phrases are the most used solution for authentication today and yet they are flawed. One of the simplest attacks that can be performed when trying to gain access to a system is a replay attack: the secret presented to the system is the same every time, so all an attacker needs to capture is the password. Think of how many devices you enter a password into every day. I know that I use University computers, cash points, telephone banking and code lock doors. These are just some examples of systems that I have no control over at all. A keylogger, camera, or person looking over my shoulder could capture the passwords I use on any of these devices and gain the same access as I gain with that password. Why do we keep using them? Convenience.

Cryptographic approaches to security are far more secure and have the potential to be convenient. The OpenPGP card is a great example of a solution I approve of. It can be used to authenticate to a system in a way that, without the card, it would not be possible to replay. The card itself generates an authentication token in response to a request (a fresh challenge from the system), but the key used to generate the token never leaves the card. This card could easily be carried in a wallet, integrated into an existing ID card provided by your employer or University, or cut down to SIM card size and placed in a USB stick on a keyring.
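To make the challenge-response idea concrete, here is an added example (not code from the original post, and not how an OpenPGP card is actually implemented): a toy RSA key stands in for the card’s on-card key, the verifier holds only the public half plus the challenges it has issued, and a captured (challenge, token) pair is rejected when presented a second time. The primes and the `ToyCard`/`Verifier` names are constructed for this illustration only.

```python
import hashlib
import secrets

# Toy RSA key, constructed for this example only; the modulus is far too small for real use.
P, Q = 1000000007, 998244353
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent: on a real card this never leaves the chip


def challenge_digest(challenge: bytes) -> int:
    """Hash the challenge and reduce it into the RSA group so it can be signed."""
    return int.from_bytes(hashlib.sha256(challenge).digest(), "big") % N


class ToyCard:
    """Stand-in for the card: it answers challenges but never exposes the private exponent."""

    def __init__(self, d: int):
        self._d = d

    def sign(self, challenge: bytes) -> int:
        return pow(challenge_digest(challenge), self._d, N)


class Verifier:
    """Holds only the public key and the challenges it issued but has not yet seen answered."""

    def __init__(self, n: int, e: int):
        self.n, self.e = n, e
        self.outstanding = set()

    def new_challenge(self) -> bytes:
        c = secrets.token_bytes(32)  # fresh random challenge per login attempt
        self.outstanding.add(c)
        return c

    def check(self, challenge: bytes, token: int) -> bool:
        if challenge not in self.outstanding:
            return False  # never issued, or already consumed: a replayed pair lands here
        self.outstanding.remove(challenge)
        return pow(token, self.e, self.n) == challenge_digest(challenge)


def run_demo() -> dict:
    """Returns whether a genuine login, a replayed token and a token reused on a new challenge succeed."""
    card, server = ToyCard(D), Verifier(N, E)
    c = server.new_challenge()
    token = card.sign(c)  # this pair is all a keylogger or camera could capture
    genuine = server.check(c, token)
    replayed = server.check(c, token)  # same captured pair presented again
    forged = server.check(server.new_challenge(), token)  # old token against a fresh challenge
    return {"genuine": genuine, "replayed": replayed, "forged": forged}
```

Unlike a password, the captured token is useless on its own because the verifier never asks the same question twice.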

HSBC recently introduced this style of “two-factor authentication” for access to online banking within the UK. They did it wrong though. They provided me with a small keypad which generates one-time use codes. I need to have both the keyring and my password and the PIN for the keyring to authenticate. That part was all good, but the form factor of the keyring meant it was lost amongst the mess of my office, my backpack or my bedroom 99% of the time. I got so fed up with it that I am now closing my HSBC account. It did not even close the password hole: if my password were acquired, anyone could still use telephone banking to gain the same level of access to my account without the keypad.

When security is done right, it is not necessary to lose convenience. When it’s done wrong, I can see it making people start to ask if they can go back to just having a password, when this is not the real problem that needs to be tackled.
