Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
In Defense Of Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:11:23 PM
Re: passwords
Thomas, Yes! That is a great point, and one I didn't really make strong enough in the article. What alternative is there? Many have said, "passwords are dead" but they don't really present alternatives that are significantly better.... For instance, biometrics. They have they're own problems (can be copied/stolen too, and once lost, can never be used again)... Until someone actually shares an alternative that really is effective, I think blaming the password, rather than our insecure use of them, is the wrong message.
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:08:26 PM
Re: passwords
I didn't have time to talk much about Biometrics, in order to keep the article short, but I'm not an overly huge fan of them. I think biometrics make a good second token, but you shouldn't rely on them allone... Here's why... While it is harder to steal a biometric.... it is possible... There has been many research examples of pulling fingerprints and using latex to recreate them, etc. This is harder, since you have to physically pull a print from somewhere, but it's possible. Also, as I mentioned in the artlcle, the big problem isn't just bad passwrods, it's that bad guys stole password hashes from databases. Biometrics aren't stored as a full copy of a fingerprint, but a digital equivilent.. I wouldn't be surprised if eventually hackers learned to steal this digital equivilents, and reply them. Finally, the main problem with biometrics is there can only be lost once, and then they are worthless. You can change your password but you can't change your fingerprint... if someone pulled your print and could use that to defeat a biometric, you'd have to stop using that fingerprint forever and move to something else...

So again, biometrics make a great additional token, but I think they'd have issues if used as the only authentication mechanism.

 

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:02:34 PM
Re: passwords
Amen to that brother... there is no silver bullet... 
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:01:51 PM
Re: No password is bad
My favorite trick is simply using an english sentenve with punctuation, and maybe some "7334 [email protected]"

For instance, "My silly r3d dog is so rambunctious!"

The the sentence makes it long and the spaces and punctuation provide extra characters... being a sentence, it's easy for you to remember. The only downside is being longer to type, but trust me, muscle memory works on sentences too...

That said, this doesn't solve the different passord at different resources issue, which I do believe is a big deal. That why, I prefer password managers, and using this sentence trick for my master password....

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 3:57:54 PM
Re: Password manager
Sounds like you are doing all the right things. I'm hoping that all web services will adopt two token... Even thought using mobile SMS isn't the most security of the second token options (some Zeus related malware designed to hijack mobiles too), it's much better than nothing, and almost everyone has phone... so it's easy.

Some password managers are doing better at syncing across multiple platforms, so you can use them on mobiles without actually typing anything but the master password...  
2009///M
2009///M,
User Rank: Apprentice
9/17/2014 | 1:23:24 PM
Password manager
I use two factor when possible, but have resorted to a password manager and letting it manage the complex passwords it generates for each site.  When im mobile and not on a PC with the web browser plug in, I use the mobile app to look up the password (which is a pain to retype, due to the complexity).
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:55:05 AM
Re: No password is bad
There are not-so-difficult tricks to help users remember complex passwords -- which I'm starting to rely on myself more and more. But to go into every application or web site and change my existing password? Who has the time for that? There should be a way to securely automate the creation of strong passwords for users at the system level. Any password strategy that puts users in change of changing their own behavior is doomed to fail. 
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:34:53 AM
Re: passwords
I agree we should not have expectation of security-proof solutions, we have to assume there is always risk being compromised. The risk is never zero. The ultimate solution is in layered approaches when it comes to security.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:31:34 AM
Re: passwords
How about biometric we have been talking about for years, when is it going to be really available for us? Apple complains about users behaviors, I suggest they need to get back to work and find solutions, instead.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:28:41 AM
No password is bad
I like the way that you put it. There is reason why users are defining simple passwords, they can not keep complex passwords in mind and they do not have to. it is not their responsibilities to secure the systems, system architects have to provide solutions that make users life easier and keep system secure.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-33187
PUBLISHED: 2022-12-09
Brocade SANnav before v2.2.1 logs usernames and encoded passwords in debug-enabled logs. The vulnerability could allow an attacker with admin privilege to read sensitive information.
CVE-2022-38765
PUBLISHED: 2022-12-09
Canon Medical Informatics Vitrea Vision 7.7.76.1 does not adequately enforce access controls. An authenticated user is able to gain unauthorized access to imaging records by tampering with the vitrea-view/studies/search patientId parameter.
CVE-2022-41947
PUBLISHED: 2022-12-08
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Through various features of DHIS2, an authenticated user may be able to upload a file which includes embedded javascript. The user could then potentially trick another authenticated use...
CVE-2022-41948
PUBLISHED: 2022-12-08
DHIS 2 is an open source information system for data capture, management, validation, analytics and visualization. Affected versions are subject to a privilege escalation vulnerability. A DHIS2 user with authority to manage users can assign superuser privileges to themself by manually crafting an HT...
CVE-2022-23469
PUBLISHED: 2022-12-08
Traefik is an open source HTTP reverse proxy and load balancer. Versions prior to 2.9.6 are subject to a potential vulnerability in Traefik displaying the Authorization header in its debug logs. In certain cases, if the log level is set to DEBUG, credentials provided using the Authorization header a...