Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
In Defense Of Passwords
CNACHREINER981
User Rank: Author
9/17/2014 | 4:08:26 PM
Re: passwords
I didn't have time to talk much about biometrics, in order to keep the article short, but I'm not an overly huge fan of them. I think biometrics make a good second token, but you shouldn't rely on them alone... Here's why... While it is harder to steal a biometric.... it is possible... There have been many research examples of pulling fingerprints and using latex to recreate them, etc. This is harder, since you have to physically pull a print from somewhere, but it's possible. Also, as I mentioned in the article, the big problem isn't just bad passwords, it's that bad guys stole password hashes from databases. Biometrics aren't stored as a full copy of a fingerprint, but a digital equivalent... I wouldn't be surprised if eventually hackers learned to steal these digital equivalents, and replay them. Finally, the main problem with biometrics is they can only be lost once, and then they are worthless. You can change your password but you can't change your fingerprint... if someone pulled your print and could use that to defeat a biometric, you'd have to stop using that fingerprint forever and move to something else...

So again, biometrics make a great additional token, but I think they'd have issues if used as the only authentication mechanism.


Cheers,

Corey
CNACHREINER981
User Rank: Author
9/17/2014 | 4:11:23 PM
Re: passwords
Thomas, yes! That is a great point, and one I didn't really make strongly enough in the article. What alternative is there? Many have said, "passwords are dead," but they don't really present alternatives that are significantly better.... For instance, biometrics. They have their own problems (can be copied/stolen too, and once lost, can never be used again)... Until someone actually shares an alternative that really is effective, I think blaming the password, rather than our insecure use of them, is the wrong message.