Dark Reading is part of the Informa Tech Division of Informa PLC


Comments
7 Reasons To Love Passwords
phoenix522
User Rank: Strategist
10/17/2014 | 2:42:37 PM
Re: Do-it-yourself Passwords are Private
Unfortunately, the landlord has a copy of those same keys. Unless you're a homeowner, someone has a key to your place and it is out of your control unless you violate the lease. That's just me nitpicking your example; I do fully agree with where you went with it, though.

I don't like biometrics as a single source of authentication for those same reasons, but I also know the human propensity for being lazy. As long as it takes any level of effort, people will have the same password for everything, and it will most likely have to do with their favorite pet or something similar.

I really like the idea of entering your password and waiting a couple of minutes for a random PIN to show up on your cell phone, but I think that's overkill for the "Cat Lovers of the Northwest" discussion forums, which is a whole other topic altogether.
prospecttoreza
User Rank: Strategist
9/26/2014 | 10:22:45 AM
Re: static passwords offer little to no security against modern-day harvesting techniques...
This whole post reads like an exceedingly long password.
Sadie!
User Rank: Apprentice
9/23/2014 | 3:32:58 PM
Re: Frustration
I hate the maximum number of characters limitation of passwords. I'd make my passwords really long if they'd let me.
symphero
User Rank: Apprentice
9/22/2014 | 1:07:20 PM
Do-it-yourself Passwords are Private
This was implied by your first point, but one of the greatest values in generating your own passwords is that they are truly yours alone, not given to you by others or even warehoused somewhere. Would you want your door locks installed by local law enforcement officers, or would you give them copies of your keys? No. Do you trust them? Probably, but they don't need your keys (based on least privilege as well as constitutional liberties). If you have the tools, you don't even need to hire a locksmith. The same is true with password security; even though it's a big responsibility, users need to manage their credentials using self-generated passwords rather than surrender to an outside authority to provide credentials.

It's not just that someone in a place of influence might fraudulently use your credentials. They may also have the ability to identify you as an individual through your use of credentials they have stored. This is especially true with biometrics, and if they get widely established as a necessary part of authentication, the loss of privacy will be almost irreversible.
Sara Peters
User Rank: Author
9/22/2014 | 12:34:30 PM
Re: Love/Hate relationship
@Robert McDougal  Well I think that's a completely reasonable thing to wish for. It MIGHT happen in your lifetime. I'm thinking positive.
Robert McDougal
User Rank: Ninja
9/22/2014 | 11:53:09 AM
Re: Love/Hate relationship
@Sara Peters I suppose I should clarify: my thought is that passwords should be eliminated as a single factor of authentication. In a perfect world, a password should only be a piece of the puzzle.
Sara Peters
User Rank: Author
9/22/2014 | 11:49:58 AM
Re: Love/Hate relationship
@Marilyn  Thanks Marilyn! I think my favorite photo is the one with the two men playing chess in the pool. It looks like that wasn't the first time they'd had that idea.
Sara Peters
User Rank: Author
9/22/2014 | 11:47:11 AM
Re: Love/Hate relationship
@Robert McDougal As you say, "I am not sure that passwords will be completely replaced within my lifetime." I agree with you, but here's another question. Do you think they should be replaced, entirely?
cdeaton228
User Rank: Apprentice
9/20/2014 | 5:00:04 PM
Static passwords offer little to no security against modern-day harvesting techniques...
If we can't protect intellectual property, money, personally identifiable information, health information, credit cards/debit cards, etc., then we sure can expect anyone to protect scans of our retinas, fingerprints, palm prints, voice prints, facial recognition patterns, DNA patterns, etc. Passwords are basically nothing more than a false sense of security, and bad people count on them to gain unauthorized access and to be able to move in and out of our electronic systems with ease and undetectable, as they are essentially perfect imposters of legitimate authorized users. The business and consumer cultures of convenience have deeply embedded ease of use by intention into every aspect of corporate and personal computing cultures. To encourage continued use of static passwords is to lead people and corporations into certain continued victimization. Technology vendors continue to embed static passwords into every system and product they produce. Again, this is leading to certain breaches in access and victimization. Change has to start somewhere, and no better place than the people in their personal lives and in the workplaces they saturate every day. I personally think that simple substitution methods generating dynamic one-time codes are far superior to static codes/static passwords for user authentication controls. Fairly new solutions from vendors like Syferlock and SwivelSecure offer human beings some very strong, single-factor, token-less, server-side generated, dynamically changing at each login attempt, human triggered/executed login authentication for login portals/pages/sites over the internet from either trusted corporate devices or untrusted BYOD or home devices or public devices that are highly likely already compromised (the devices) with some type of credential harvesting or SSL malware-in-the-middle content scanning malware/technology. User simplicity and convenience and predictability are the things that bad people target and count on.
Static passwords are one of those predictable, easy to harvest/steal things. We need to be less predictable, and we need to not reuse the same password twice when logging into anything. I have experienced taking away static 8-character complex passwords from tens of thousands of non-technical users and replacing them with 5-digit simple one-time codes (change every login attempt), single-factor, server-side, tokenless authentication to great success. This approach reduces the user's keystrokes to gain access to VPNs, Citrix, web portals, web apps, etc., by 65% to simply the normal login and increased security by defeating over a dozen common static password credential harvesting techniques. This leaves the bad people unable to impersonate legitimate users because they couldn't replay any of the OTCs. This technique allows us to avoid hard token authentication devices and soft token authentication devices and voice biometrics and SMS codes. The key is to eliminate the static password entry altogether, because the static password is still embedded on our servers and in our databases while slowly being replaced by true Single Sign On (SSO) PROTOCOL tokenization and key exchange (not widely adopted yet). No end user device should be trusted, whether owned, deployed, managed and secured by your employer or personally owned and secured. All end user devices should be assumed untrusted and assumed already compromised. Therefore, anything the user swipes, touches, types, clicks, speaks or gestures into their devices should be assumed intercepted and copied and known by bad people. This is not paranoia. This is the state of reality in the electronic realm or cyberspace as we know it. The breaches every day demonstrate this with Target, CHS, Home Depot, etc. Traditional two-factor and hard tokens and soft tokens and risk-based authentication with IP address geo-location and fingerprinting devices have not stopped or even slowed unauthorized access.
Deception of human beings with social engineering and phishing techniques continues to be very, very successful for the bad people. Good people are naive, spilling intimate details of their lives onto/into social media sites and services, where static passwords allow bad people to harvest not only the good people's static passwords (regardless of how clever and long/strong the passwords are or how many passwords they may have) but also enough intimate details for the bad people to be able to answer any security/identity/privacy questions and answers (challenge/response) controls necessary to reset static passwords, register on new websites, steal identities, etc. across the board. We have to reverse some of the ease of use and convenience electronic death trap we have set ourselves up for. We need more innovative can-do thinkers in the security and privacy world that see the glass half full and can see new approaches to tired old problems. We are not winning the access control world. Creating one hundred unique passwords that are comprised of very long strings of complex characters (e.g. letters, numbers, special characters, case sensitive, phrases, etc.) and trying to change those frequently, remember them without writing them down and so on, does not defeat the dozens of credential harvesting techniques that steal a long complex passphrase with the same simple compute effort (tiny compute cost) that they can steal/harvest a short simple one for future playback. My answer: stop using static passwords/passcodes/passphrases/etc. to log in to web sites, web portals, VPNs, Citrix sites, etc. Use OTCs from a substitution approach that never requires the end user to reveal through touch, swipe, click, key entry, etc. the secrets behind the substitution method. This can greatly increase the compute cost for the bad guys to try and back into the secrets needed to defeat the substitution algorithm.
There is some practical and powerful crypto strength and security entropy behind this approach. The good news is that this substitution approach is simpler on end users, with shorter codes than current static passwords, and their hidden secrets don't ever need to be revealed in the authentication process, and they don't need to be changed unless the users desire to. SyferLock is just one technology company that I have had great success with for tens of thousands of non-technical users of all ages, genders and demographics. I agree with several of the points of this article about static passwords over biometrics and tokens. Biometrics and tokens come with too many downsides for practical use, and if they are compromised, and they most certainly will be, then we can't change our DNA and biometric markers like we can static passwords or, better yet, one-time code secrets and substitution algorithms. I think business people have us hostage to static passwords under the banner that we are all too dumb to try anything else, because we are so dumb that any inconvenience will cause us to stop being productive and fill up their help desks with support calls and cost them too much money to change our bad, risky behaviors. Human beings are at the top of the intellectual/intelligence life form hierarchy. This is undeniable in all history. Let's get the facts and information on the table as security and break free of victim or hostage mentality and point the way to a cheaper, better, simpler, safer, faster way to log in and authenticate to things over the internet. I hate passwords for very legitimate, rational, logical reasons. They are what bad people use to gain unauthorized access to our personal and professional lives! My discontent with them has driven my focus to find a better alternative. Nothing is perfect, and neither are substitution methods. However, it takes a lot of effort and cost for bad people to defeat them, especially when compared to static credentials.
Bad people are business people before they are anything else. They can't afford to spend too much on one thing when there are a lot of things much easier to victimize. The story of fast and slow gazelles being chased by lions seems to come to mind right now for some reason. For those who continue to rely on the false sense of security of static passwords/passphrases/passcodes/etc., good luck! Everyone else will do well to be the gazelle who is a little bit faster and different than the rest of the herd. In cyberspace, the predators have no geographic territory boundaries, and they never sleep nor ever grow weary, and their appetite is never saturated, and they can wipe out even the largest herds in one moment of time. They are not like biological predators at all, where the biological predators are replete with limitations that allow the vast majority of the herd to always escape. Passwords are simply not safe and are easy to harvest and replay in imposter access activities that are virtually undetectable by today's security technologies. Go forward informed with eyes wide open and avoid saying to yourself that static credentials/passwords are the only choice my employer and cloud provider and web site/portal publishers are offering me, so what else can I do? What else indeed! If it isn't to start with me and you and the information protection/security industry, then who will start and drive forward this user authentication revolution? This is a consumer's world, especially in the information age and the internet of things. If it doesn't exist, then demand it or invent/create it. Thanks for the stimulating article and most relevant topic on passwords. Be agile users with stick and move tactics and embrace change and quick change and change again and again to keep the enemy guessing, and no matter what, don't be predictable. Chuck.
Robert McDougal
User Rank: Ninja
9/18/2014 | 2:59:01 PM
Re: Love/Hate relationship
Might as well love them, because regardless of how we feel, they will be around for a long time. I am not sure that passwords will be completely replaced within my lifetime.