Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
In Defense Of Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:11:23 PM
Re: passwords
Thomas, Yes! That is a great point, and one I didn't really make strong enough in the article. What alternative is there? Many have said, "passwords are dead" but they don't really present alternatives that are significantly better.... For instance, biometrics. They have they're own problems (can be copied/stolen too, and once lost, can never be used again)... Until someone actually shares an alternative that really is effective, I think blaming the password, rather than our insecure use of them, is the wrong message.
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:08:26 PM
Re: passwords
I didn't have time to talk much about Biometrics, in order to keep the article short, but I'm not an overly huge fan of them. I think biometrics make a good second token, but you shouldn't rely on them allone... Here's why... While it is harder to steal a biometric.... it is possible... There has been many research examples of pulling fingerprints and using latex to recreate them, etc. This is harder, since you have to physically pull a print from somewhere, but it's possible. Also, as I mentioned in the artlcle, the big problem isn't just bad passwrods, it's that bad guys stole password hashes from databases. Biometrics aren't stored as a full copy of a fingerprint, but a digital equivilent.. I wouldn't be surprised if eventually hackers learned to steal this digital equivilents, and reply them. Finally, the main problem with biometrics is there can only be lost once, and then they are worthless. You can change your password but you can't change your fingerprint... if someone pulled your print and could use that to defeat a biometric, you'd have to stop using that fingerprint forever and move to something else...

So again, biometrics make a great additional token, but I think they'd have issues if used as the only authentication mechanism.

 

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:02:34 PM
Re: passwords
Amen to that brother... there is no silver bullet... 
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 4:01:51 PM
Re: No password is bad
My favorite trick is simply using an english sentenve with punctuation, and maybe some "7334 [email protected]"

For instance, "My silly r3d dog is so rambunctious!"

The the sentence makes it long and the spaces and punctuation provide extra characters... being a sentence, it's easy for you to remember. The only downside is being longer to type, but trust me, muscle memory works on sentences too...

That said, this doesn't solve the different passord at different resources issue, which I do believe is a big deal. That why, I prefer password managers, and using this sentence trick for my master password....

Cheers,

Corey
CNACHREINER981
CNACHREINER981,
User Rank: Author
9/17/2014 | 3:57:54 PM
Re: Password manager
Sounds like you are doing all the right things. I'm hoping that all web services will adopt two token... Even thought using mobile SMS isn't the most security of the second token options (some Zeus related malware designed to hijack mobiles too), it's much better than nothing, and almost everyone has phone... so it's easy.

Some password managers are doing better at syncing across multiple platforms, so you can use them on mobiles without actually typing anything but the master password...  
2009///M
2009///M,
User Rank: Apprentice
9/17/2014 | 1:23:24 PM
Password manager
I use two factor when possible, but have resorted to a password manager and letting it manage the complex passwords it generates for each site.  When im mobile and not on a PC with the web browser plug in, I use the mobile app to look up the password (which is a pain to retype, due to the complexity).
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
9/17/2014 | 9:55:05 AM
Re: No password is bad
There are not-so-difficult tricks to help users remember complex passwords -- which I'm starting to rely on myself more and more. But to go into every application or web site and change my existing password? Who has the time for that? There should be a way to securely automate the creation of strong passwords for users at the system level. Any password strategy that puts users in change of changing their own behavior is doomed to fail. 
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:34:53 AM
Re: passwords
I agree we should not have expectation of security-proof solutions, we have to assume there is always risk being compromised. The risk is never zero. The ultimate solution is in layered approaches when it comes to security.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:31:34 AM
Re: passwords
How about biometric we have been talking about for years, when is it going to be really available for us? Apple complains about users behaviors, I suggest they need to get back to work and find solutions, instead.
Dr.T
Dr.T,
User Rank: Ninja
9/17/2014 | 8:28:41 AM
No password is bad
I like the way that you put it. There is reason why users are defining simple passwords, they can not keep complex passwords in mind and they do not have to. it is not their responsibilities to secure the systems, system architects have to provide solutions that make users life easier and keep system secure.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-34835
PUBLISHED: 2022-06-30
In Das U-Boot through 2022.07-rc5, an integer signedness error and resultant stack-based buffer overflow in the "i2c md" command enables the corruption of the return address pointer of the do_i2c_md function.
CVE-2021-40597
PUBLISHED: 2022-06-29
The firmware of EDIMAX IC-3140W Version 3.11 is hardcoded with Administrator username and password.
CVE-2022-30467
PUBLISHED: 2022-06-29
Joy ebike Wolf Manufacturing year 2022 is vulnerable to Denial of service, which allows remote attackers to jam the key fob request via RF.
CVE-2022-33061
PUBLISHED: 2022-06-29
Online Railway Reservation System v1.0 was discovered to contain a SQL injection vulnerability via the id parameter at /classes/Master.php?f=delete_service.
CVE-2022-2073
PUBLISHED: 2022-06-29
Code Injection in GitHub repository getgrav/grav prior to 1.7.34.