Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Weak Password Advice From Microsoft
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 2:52:57 PM
Re: Important to whom?
Yes, indeed! The PII that is floating around cyberspace is going to be a huge problem (if it isn't already!) We ran a blog on that very topic a few months back that made a very good case about that in What's Worse: Credit Card Or Identity Theft?

 

Andrey Dulkin
50%
50%
Andrey Dulkin,
User Rank: Apprentice
7/29/2014 | 2:20:41 PM
Re: Important to whom?
I agree and would like to highlight another point - while there has been a lot of focus over the last few years on credit card details theft, there wasn't as much discussion of identity thefts. With credit cards, it has become a routine: CC data stolen->the company involved offers credit monitoring services->some people choose to replace their cards, for some the issuers replace them, for most the cards remain active->life goes on. But with identity thefts, people can't simply replace their personal data - their mother's maiden name, the school they went to, their SSN, their government-issued ID and so on. And once these details are out there, one can never know neither who will use them, nor when or for what purpose.
Andrey Dulkin
50%
50%
Andrey Dulkin,
User Rank: Apprentice
7/29/2014 | 2:08:50 PM
Re: password mess
Unfortunately, we won't be able to get rid of passwords until a more secure and at least as user-friendly authentication mechanism is available. Even then, we'll still have all the legacy systems that do not support any other authentication method. Thus, we have to make password authentication as secure as possible, which can be done by engaging all 3 involved parties - the service providers, the organizations and the users. The service providers should employ secure salted hashing schemes, that will make it more difficult for attackers to get to the actual passwords. The organizations should employ automated systems to secure the credentials for their sensitive assets, instead of relying on the users to come up with unique and complex passwords. And the users should be educated about the dangers of password re-use and identity theft, and try to adhere to best practices (and yes, this is probably the weakest link of the scheme...) This approach will make it more difficult for attackers to actually take advantage of their attacks' spoils.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 9:55:51 AM
Important to whom?
Your point is well-taken Andrey that in terms of risk the calculus of "important" versus "unimportant" is not a simple matter. For the typical user, it's obvious that you will want to protect your credit cards, online banking and financial activities, etc.  with strong passwords. But for more frivolous social activities like FB, Pinterest, etc, the message --- that these sites are gold-mines for hackers -- has not been driven home at all. 
AlkaG040
100%
0%
AlkaG040,
User Rank: Apprentice
7/29/2014 | 8:38:03 AM
Single Sign-on as a solution for passwords
I would say instead of using weak passwords at all, use a Single Sign-on solution to access all your accounts from one dashboard so that you only have to remember one set of credentials instead of many and that's to your SSO provider account.

I personally use Smartsignin by PerfectCloud and I can sign into all my accounts without having to remember my Strong passwords or storing them anywhere - Cloud/System. The best thing is, they don't store my credentials anywhere.
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
7/28/2014 | 3:57:22 PM
password mess
I feel like a broken record, always preaching to family and friends the importance of not reusing passwords, creating strong passwords, etc. But the reality is most users continue those bad habits because it's inconvenient and time-consuming to do the right thing. Sure, there are password managers, but not everyone wants to go there. We need to get away from passwords altogether. Scan my eyeball, already.
<<   <   Page 2 / 2


DevSecOps: The Answer to the Cloud Security Skills Gap
Lamont Orange, Chief Information Security Officer at Netskope,  11/15/2019
Attackers' Costs Increasing as Businesses Focus on Security
Robert Lemos, Contributing Writer,  11/15/2019
Human Nature vs. AI: A False Dichotomy?
John McClurg, Sr. VP & CISO, BlackBerry,  11/18/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: -when I told you that our cyber-defense was from another age
Current Issue
Navigating the Deluge of Security Data
In this Tech Digest, Dark Reading shares the experiences of some top security practitioners as they navigate volumes of security data. We examine some examples of how enterprises can cull this data to find the clues they need.
Flash Poll
Rethinking Enterprise Data Defense
Rethinking Enterprise Data Defense
Frustrated with recurring intrusions and breaches, cybersecurity professionals are questioning some of the industrys conventional wisdom. Heres a look at what theyre thinking about.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-15073
PUBLISHED: 2019-11-20
An Open Redirect vulnerability for all browsers in MAIL2000 through version 6.0 and 7.0, which will redirect to a malicious site without authentication. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15072
PUBLISHED: 2019-11-20
The login feature in &quot;/cgi-bin/portal&quot; in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via any parameter. This vulnerability affects many mail system of governments, organizations, companies and universities.
CVE-2019-15071
PUBLISHED: 2019-11-20
The &quot;/cgi-bin/go&quot; page in MAIL2000 through version 6.0 and 7.0 has a cross-site scripting (XSS) vulnerability, allowing execution of arbitrary code via ACTION parameter without authentication. The code can executed for any user accessing the page. This vulnerability affects many mail syste...
CVE-2019-6176
PUBLISHED: 2019-11-20
A potential vulnerability reported in ThinkPad USB-C Dock Firmware version 3.7.2 may allow a denial of service.
CVE-2019-6184
PUBLISHED: 2019-11-20
A potential vulnerability in the discontinued Customer Engagement Service (CCSDK) software version 2.0.21.1 may allow local privilege escalation.