Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
In Defense Of Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:11:23 PM
Re: passwords
Thomas, Yes! That is a great point, and one I didn't really make strong enough in the article. What alternative is there? Many have said, "passwords are dead" but they don't really present alternatives that are significantly better.... For instance, biometrics. They have they're own problems (can be copied/stolen too, and once lost, can never be used again)... Until someone actually shares an alternative that really is effective, I think blaming the password, rather than our insecure use of them, is the wrong message.
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:08:26 PM
Re: passwords
I didn't have time to talk much about Biometrics, in order to keep the article short, but I'm not an overly huge fan of them. I think biometrics make a good second token, but you shouldn't rely on them allone... Here's why... While it is harder to steal a biometric.... it is possible... There has been many research examples of pulling fingerprints and using latex to recreate them, etc. This is harder, since you have to physically pull a print from somewhere, but it's possible. Also, as I mentioned in the artlcle, the big problem isn't just bad passwrods, it's that bad guys stole password hashes from databases. Biometrics aren't stored as a full copy of a fingerprint, but a digital equivilent.. I wouldn't be surprised if eventually hackers learned to steal this digital equivilents, and reply them. Finally, the main problem with biometrics is there can only be lost once, and then they are worthless. You can change your password but you can't change your fingerprint... if someone pulled your print and could use that to defeat a biometric, you'd have to stop using that fingerprint forever and move to something else...

So again, biometrics make a great additional token, but I think they'd have issues if used as the only authentication mechanism.

 

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:02:34 PM
Re: passwords
Amen to that brother... there is no silver bullet... 
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:01:51 PM
Re: No password is bad
My favorite trick is simply using an english sentenve with punctuation, and maybe some "7334 [email protected]"

For instance, "My silly r3d dog is so rambunctious!"

The the sentence makes it long and the spaces and punctuation provide extra characters... being a sentence, it's easy for you to remember. The only downside is being longer to type, but trust me, muscle memory works on sentences too...

That said, this doesn't solve the different passord at different resources issue, which I do believe is a big deal. That why, I prefer password managers, and using this sentence trick for my master password....

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 3:57:54 PM
Re: Password manager
Sounds like you are doing all the right things. I'm hoping that all web services will adopt two token... Even thought using mobile SMS isn't the most security of the second token options (some Zeus related malware designed to hijack mobiles too), it's much better than nothing, and almost everyone has phone... so it's easy.

Some password managers are doing better at syncing across multiple platforms, so you can use them on mobiles without actually typing anything but the master password...  
2009///M
2009///M,
User Rank: Apprentice
9/17/2014 | 1:23:24 PM
Password manager
I use two factor when possible, but have resorted to a password manager and letting it manage the complex passwords it generates for each site.  When im mobile and not on a PC with the web browser plug in, I use the mobile app to look up the password (which is a pain to retype, due to the complexity).
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:55:05 AM
Re: No password is bad
There are not-so-difficult tricks to help users remember complex passwords -- which I'm starting to rely on myself more and more. But to go into every application or web site and change my existing password? Who has the time for that? There should be a way to securely automate the creation of strong passwords for users at the system level. Any password strategy that puts users in change of changing their own behavior is doomed to fail. 
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:34:53 AM
Re: passwords
I agree we should not have expectation of security-proof solutions, we have to assume there is always risk being compromised. The risk is never zero. The ultimate solution is in layered approaches when it comes to security.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:31:34 AM
Re: passwords
How about biometric we have been talking about for years, when is it going to be really available for us? Apple complains about users behaviors, I suggest they need to get back to work and find solutions, instead.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:28:41 AM
No password is bad
I like the way that you put it. There is reason why users are defining simple passwords, they can not keep complex passwords in mind and they do not have to. it is not their responsibilities to secure the systems, system architects have to provide solutions that make users life easier and keep system secure.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
The Promise and Reality of Cloud Security
Cloud security has been part of the cybersecurity conversation for years but has been on the sidelines for most enterprises. The shift to remote work during the COVID-19 pandemic and digital transformation projects have moved cloud infrastructure front-and-center as enterprises address the associated security risks. This report - a compilation of cutting-edge Black Hat research, in-depth Omdia analysis, and comprehensive Dark Reading reporting - explores how cloud security is rapidly evolving.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-44645
PUBLISHED: 2023-01-31
In Apache Linkis <=1.3.0 when used with the MySQL Connector/J, a deserialization vulnerability with possible remote code execution impact exists when an attacker has write access to a database and configures new datasource with a MySQL data source and malicious parameters. Therefore, the paramete...
CVE-2023-0591
PUBLISHED: 2023-01-31
ubireader_extract_files is vulnerable to path traversal when run against specifically crafted UBIFS files, allowing the attacker to overwrite files outside of the extraction directory (provided the process has write access to that file or directory). This is due to the fact that a node name (dent_no...
CVE-2023-0592
PUBLISHED: 2023-01-31
A path traversal vulnerability affects jefferson's JFFS2 filesystem extractor. By crafting malicious JFFS2 files, attackers could force jefferson to write outside of the extraction directory.This issue affects jefferson: before 0.4.1.
CVE-2023-0593
PUBLISHED: 2023-01-31
A path traversal vulnerability affects yaffshiv YAFFS filesystem extractor. By crafting a malicious YAFFS file, an attacker could force yaffshiv to write outside of the extraction directory. This issue affects yaffshiv up to version 0.1 included, which is the most recent at time of publication.
CVE-2023-24829
PUBLISHED: 2023-01-31
Incorrect Authorization vulnerability in Apache Software Foundation Apache IoTDB.This issue affects the iotdb-web-workbench component from 0.13.0 before 0.13.3. iotdb-web-workbench is an optional component of IoTDB, providing a web console of the database. This problem is fixed from version 0.13.3 o...