Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
In Defense Of Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:11:23 PM
Re: passwords
Thomas, Yes! That is a great point, and one I didn't really make strong enough in the article. What alternative is there? Many have said, "passwords are dead" but they don't really present alternatives that are significantly better.... For instance, biometrics. They have they're own problems (can be copied/stolen too, and once lost, can never be used again)... Until someone actually shares an alternative that really is effective, I think blaming the password, rather than our insecure use of them, is the wrong message.
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:08:26 PM
Re: passwords
I didn't have time to talk much about Biometrics, in order to keep the article short, but I'm not an overly huge fan of them. I think biometrics make a good second token, but you shouldn't rely on them allone... Here's why... While it is harder to steal a biometric.... it is possible... There has been many research examples of pulling fingerprints and using latex to recreate them, etc. This is harder, since you have to physically pull a print from somewhere, but it's possible. Also, as I mentioned in the artlcle, the big problem isn't just bad passwrods, it's that bad guys stole password hashes from databases. Biometrics aren't stored as a full copy of a fingerprint, but a digital equivilent.. I wouldn't be surprised if eventually hackers learned to steal this digital equivilents, and reply them. Finally, the main problem with biometrics is there can only be lost once, and then they are worthless. You can change your password but you can't change your fingerprint... if someone pulled your print and could use that to defeat a biometric, you'd have to stop using that fingerprint forever and move to something else...

So again, biometrics make a great additional token, but I think they'd have issues if used as the only authentication mechanism.

 

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:02:34 PM
Re: passwords
Amen to that brother... there is no silver bullet... 
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:01:51 PM
Re: No password is bad
My favorite trick is simply using an english sentenve with punctuation, and maybe some "7334 [email protected]"

For instance, "My silly r3d dog is so rambunctious!"

The the sentence makes it long and the spaces and punctuation provide extra characters... being a sentence, it's easy for you to remember. The only downside is being longer to type, but trust me, muscle memory works on sentences too...

That said, this doesn't solve the different passord at different resources issue, which I do believe is a big deal. That why, I prefer password managers, and using this sentence trick for my master password....

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 3:57:54 PM
Re: Password manager
Sounds like you are doing all the right things. I'm hoping that all web services will adopt two token... Even thought using mobile SMS isn't the most security of the second token options (some Zeus related malware designed to hijack mobiles too), it's much better than nothing, and almost everyone has phone... so it's easy.

Some password managers are doing better at syncing across multiple platforms, so you can use them on mobiles without actually typing anything but the master password...  
2009///M
2009///M,
User Rank: Apprentice
9/17/2014 | 1:23:24 PM
Password manager
I use two factor when possible, but have resorted to a password manager and letting it manage the complex passwords it generates for each site.  When im mobile and not on a PC with the web browser plug in, I use the mobile app to look up the password (which is a pain to retype, due to the complexity).
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:55:05 AM
Re: No password is bad
There are not-so-difficult tricks to help users remember complex passwords -- which I'm starting to rely on myself more and more. But to go into every application or web site and change my existing password? Who has the time for that? There should be a way to securely automate the creation of strong passwords for users at the system level. Any password strategy that puts users in change of changing their own behavior is doomed to fail. 
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:34:53 AM
Re: passwords
I agree we should not have expectation of security-proof solutions, we have to assume there is always risk being compromised. The risk is never zero. The ultimate solution is in layered approaches when it comes to security.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:31:34 AM
Re: passwords
How about biometric we have been talking about for years, when is it going to be really available for us? Apple complains about users behaviors, I suggest they need to get back to work and find solutions, instead.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:28:41 AM
No password is bad
I like the way that you put it. There is reason why users are defining simple passwords, they can not keep complex passwords in mind and they do not have to. it is not their responsibilities to secure the systems, system architects have to provide solutions that make users life easier and keep system secure.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Developing and Testing an Effective Breach Response Plan
Whether or not a data breach is a disaster for the organization depends on the security team's response and that is based on how the team developed a breach response plan beforehand and if it was thoroughly tested. Inside this report, experts share how to: -understand the technical environment, -determine what types of incidents would trigger the plan, -know which stakeholders need to be notified and how to do so, -develop steps to contain the breach, collect evidence, and initiate recovery.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-46411
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. A default password is persisted after installation and may be discovered and used to escalate privileges.
CVE-2022-46412
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0. A non-privileged user may escape a restricted shell and execute privileged commands.
CVE-2022-46413
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Authenticated remote command execution can occur via the management portal.
CVE-2022-46414
PUBLISHED: 2022-12-04
An issue was discovered in Veritas NetBackup Flex Scale through 3.0 and Access Appliance through 8.0.100. Unauthenticated remote command execution can occur via the management portal.
CVE-2022-44721
PUBLISHED: 2022-12-04
CrowdStrike Falcon 6.44.15806 allows an administrative attacker to uninstall Falcon Sensor, bypassing the intended protection mechanism in which uninstallation requires possessing a one-time token. (The sensor is managed at the kernel level.)