Most popular cloud systems are insecure. The recent hack of celebrity accounts, and the subsequent release of nude pictures, demonstrates this once again. The problem is that most cloud systems rely on passwords to restrict access to an account. The reason is usability: a password allows the account to be accessed from any device. To make this really usable, an easy to remember password needs to be selected. Unfortunately, such passwords can be guessed by brute force. Of course this can be prevented, for example by limiting the number of times one is allowed to enter a wrong password before the account is locked. But then account recovery strategies, which allow legitimate users to regain access to their account if they forget their password, provide a second avenue of attack: whatever lets a forgetful user back in without the password also lets an attacker in without it.

In other words: user-friendliness kills security. Can this be fixed somehow?
