I’m going to keep this article from the Miami Herald, so I can forward it to anyone who complains about needing a One-Time-Password to remotely access their employer’s network. I encourage everyone to program a red flag to pop up in your head whenever anything asks you for username/password. Ask yourself…
Do I believe I can trust this physical location
- Is it shared internet and/or computer access?
- Do I trust who had access before me?
Do I believe I can trust this virtual location?
- Is it HTTPS with valid certificate?
- Did I get here from a reliable source?
What would happen if these credentials were compromised?
- Remember many sites will allow a password change while relying on nothing but the belief that only you know the password to your web-mail.
Of course almost all of the long term risk posed by these threats can be mitigated by using a one-time-password. Next time you have to use one thank an Information Security Administrator instead of complaining to one.