Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Weak Password Advice From Microsoft
Newest First  |  Oldest First  |  Threaded View
<<   <   Page 2 / 2
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 2:52:57 PM
Re: Important to whom?
Yes, indeed! The PII that is floating around cyberspace is going to be a huge problem (if it isn't already!) We ran a blog on that very topic a few months back that made a very good case about that in What's Worse: Credit Card Or Identity Theft?

 

Andrey Dulkin
50%
50%
Andrey Dulkin,
User Rank: Apprentice
7/29/2014 | 2:20:41 PM
Re: Important to whom?
I agree and would like to highlight another point - while there has been a lot of focus over the last few years on credit card details theft, there wasn't as much discussion of identity thefts. With credit cards, it has become a routine: CC data stolen->the company involved offers credit monitoring services->some people choose to replace their cards, for some the issuers replace them, for most the cards remain active->life goes on. But with identity thefts, people can't simply replace their personal data - their mother's maiden name, the school they went to, their SSN, their government-issued ID and so on. And once these details are out there, one can never know neither who will use them, nor when or for what purpose.
Andrey Dulkin
50%
50%
Andrey Dulkin,
User Rank: Apprentice
7/29/2014 | 2:08:50 PM
Re: password mess
Unfortunately, we won't be able to get rid of passwords until a more secure and at least as user-friendly authentication mechanism is available. Even then, we'll still have all the legacy systems that do not support any other authentication method. Thus, we have to make password authentication as secure as possible, which can be done by engaging all 3 involved parties - the service providers, the organizations and the users. The service providers should employ secure salted hashing schemes, that will make it more difficult for attackers to get to the actual passwords. The organizations should employ automated systems to secure the credentials for their sensitive assets, instead of relying on the users to come up with unique and complex passwords. And the users should be educated about the dangers of password re-use and identity theft, and try to adhere to best practices (and yes, this is probably the weakest link of the scheme...) This approach will make it more difficult for attackers to actually take advantage of their attacks' spoils.
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
7/29/2014 | 9:55:51 AM
Important to whom?
Your point is well-taken Andrey that in terms of risk the calculus of "important" versus "unimportant" is not a simple matter. For the typical user, it's obvious that you will want to protect your credit cards, online banking and financial activities, etc.  with strong passwords. But for more frivolous social activities like FB, Pinterest, etc, the message --- that these sites are gold-mines for hackers -- has not been driven home at all. 
AlkaG040
100%
0%
AlkaG040,
User Rank: Apprentice
7/29/2014 | 8:38:03 AM
Single Sign-on as a solution for passwords
I would say instead of using weak passwords at all, use a Single Sign-on solution to access all your accounts from one dashboard so that you only have to remember one set of credentials instead of many and that's to your SSO provider account.

I personally use Smartsignin by PerfectCloud and I can sign into all my accounts without having to remember my Strong passwords or storing them anywhere - Cloud/System. The best thing is, they don't store my credentials anywhere.
Kelly Jackson Higgins
100%
0%
Kelly Jackson Higgins,
User Rank: Strategist
7/28/2014 | 3:57:22 PM
password mess
I feel like a broken record, always preaching to family and friends the importance of not reusing passwords, creating strong passwords, etc. But the reality is most users continue those bad habits because it's inconvenient and time-consuming to do the right thing. Sure, there are password managers, but not everyone wants to go there. We need to get away from passwords altogether. Scan my eyeball, already.
<<   <   Page 2 / 2


Firms Improve Threat Detection but Face Increasingly Disruptive Attacks
Robert Lemos, Contributing Writer,  2/20/2020
Ransomware Damage Hit $11.5B in 2019
Dark Reading Staff 2/20/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
6 Emerging Cyber Threats That Enterprises Face in 2020
This Tech Digest gives an in-depth look at six emerging cyber threats that enterprises could face in 2020. Download your copy today!
Flash Poll
How Enterprises Are Developing and Maintaining Secure Applications
How Enterprises Are Developing and Maintaining Secure Applications
The concept of application security is well known, but application security testing and remediation processes remain unbalanced. Most organizations are confident in their approach to AppSec, although others seem to have no approach at all. Read this report to find out more.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-19668
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2018-17963. Reason: This candidate is a reservation duplicate of CVE-2018-17963. Notes: All CVE users should reference CVE-2018-17963 instead of this candidate. All references and descriptions in this candidate have been removed to preve...
CVE-2019-12882
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2017-6363
PUBLISHED: 2020-02-27
** DISPUTED ** In the GD Graphics Library (aka LibGD) through 2.2.5, there is a heap-based buffer over-read in tiffWriter in gd_tiff.c. NOTE: the vendor says &quot;In my opinion this issue should not have a CVE, since the GD and GD2 formats are documented to be 'obsolete, and should only be used for...
CVE-2017-6371
PUBLISHED: 2020-02-27
Synchronet BBS 3.16c for Windows allows remote attackers to cause a denial of service (service crash) via a long string in the HTTP Referer header.
CVE-2017-5861
PUBLISHED: 2020-02-27
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2017-1000020. Reason: This candidate is a reservation duplicate of CVE-2017-1000020. Notes: All CVE users should reference CVE-2017-1000020 instead of this candidate. All references and descriptions in this candidate have been removed to...