Static passwords offer little to no security against modern-day harvesting techniques...
If we can't protect intellectual property, money, personally identifiable information, health information, credit cards/debit cards, etc., then we sure can expect anyone to protect scans of our retinas, fingerprints, palm prints, voice prints, facial recognition patterns, DNA patterns, etc. Passwords are basically nothing more than a false sense of security, and bad people count on them to gain unauthorized access and to be able to move in and out of our electronic systems with ease and undetected, as they are essentially perfect imposters of legitimate authorized users. The business and consumer cultures of convenience have deeply embedded ease of use, by intention, into every aspect of corporate and personal computing cultures. To encourage continued use of static passwords is to lead people and corporations into certain continued victimization. Technology vendors continue to embed static passwords into every system and product they produce. Again, this is leading to certain breaches in access and victimization. Change has to start somewhere, and there is no better place than the people in their personal lives and in the workplaces they saturate every day. I personally think that simple substitution methods generating dynamic one-time codes are far superior to static codes/static passwords for user authentication controls. Fairly new solutions from vendors like Syferlock and SwivelSecure offer human beings some very strong, single-factor, token-less, server-side generated, dynamically changing at each login attempt, human-triggered/executed login authentication for login portals/pages/sites over the internet from either trusted corporate devices or untrusted BYOD or home devices or public devices that are highly likely already compromised (the devices) with some type of credential harvesting or SSL malware-in-the-middle content scanning malware/technology. User simplicity and convenience and predictability are the things that bad people target and count on.
Static passwords are one of those predictable, easy-to-harvest/steal things. We need to be less predictable, and we need to not reuse the same password twice when logging into anything. I have experienced taking away static 8-character complex passwords from tens of thousands of non-technical users and replacing them with 5-digit simple one-time codes (changing at every login attempt), single-factor, server-side, tokenless authentication, to great success. This approach reduces the users' keystrokes to gain access to VPNs, Citrix, web portals, web apps, etc., by 65% compared to the normal login and increased security by defeating over a dozen common static-password credential harvesting techniques. This leaves the bad people unable to impersonate legitimate users because they couldn't replay any of the OTCs. This technique allows us to avoid hard-token authentication devices, soft-token authentication devices, voice biometrics and SMS codes. The key is to eliminate the static password entry altogether, because the static password is still embedded on our servers and in our databases while slowly being replaced by true Single Sign-On (SSO) protocol tokenization and key exchange (not widely adopted yet). No end user device should be trusted, whether owned, deployed, managed and secured by your employer or personally owned and secured. All end user devices should be assumed untrusted and assumed already compromised. Therefore, anything the user swipes, touches, types, clicks, speaks or gestures into their devices should be assumed intercepted, copied and known by bad people. This is not paranoia. This is the state of reality in the electronic realm, or cyberspace, as we know it. The breaches every day demonstrate this with Target, CHS, Home Depot, etc. Traditional two-factor, hard tokens, soft tokens and risk-based authentication with IP address geolocation and device fingerprinting have not stopped or even slowed unauthorized access.
Deception of human beings with social engineering and phishing techniques continues to be very, very successful for the bad people. Good people are naive, spilling intimate details of their lives onto social media sites and services, where static passwords allow bad people to harvest not only the good people's static passwords (regardless of how clever and long/strong the passwords are or how many passwords there may be) but also enough intimate details for the bad people to be able to answer any security/identity/privacy question-and-answer (challenge/response) controls necessary to reset static passwords, register on new websites, steal identities, etc., across the board. We have to reverse some of the ease-of-use and convenience electronic death trap we have set ourselves up for. We need more innovative can-do thinkers in the security and privacy world who see the glass half full and can see new approaches to tired old problems. We are not winning in the access control world. Creating one hundred unique, long passwords composed of very long strings of complex characters (e.g. letters, numbers, special characters, case sensitive, phrases, etc.), trying to change those frequently, remembering them without writing them down and so on, does not defeat the dozens of credential harvesting techniques that steal a long complex passphrase with the same simple compute effort (tiny compute cost) with which they steal/harvest a short simple one for future playback. My answer: stop using static passwords/passcodes/passphrases/etc. to log in to web sites, web portals, VPNs, Citrix sites, etc. Use OTCs from a substitution approach that never requires the end user to reveal, through touch, swipe, click, key entry, etc., the secrets behind the substitution method. This can greatly increase the compute cost for the bad guys to try to back into the secrets needed to defeat the substitution algorithm.
There is some practical and powerful crypto strength and security entropy behind this approach. The good news is that this substitution approach is simpler on end users, with shorter codes than current static passwords, and their hidden secrets don't ever need to be revealed in the authentication process, and they don't need to be changed unless the users desire to. SyferLock is just one technology company that I have had great success with for tens of thousands of non-technical users of all ages, genders and demographics. I agree with several of the points of this article about static passwords over biometrics and tokens. Biometrics and tokens come with too many downsides for practical use, and if they are compromised, and they most certainly will be, then we can't change our DNA and biometric markers like we can static passwords or, better yet, one-time code secrets and substitution algorithms. I think business people have us hostage to static passwords under the banner that we are all too dumb to try anything else, because we are so dumb that any inconvenience will cause us to stop being productive and fill up their help desks with support calls and cost them too much money to change our bad, risky behaviors. Human beings are at the top of the intellectual/intelligence life form hierarchy. This is undeniable in all of history. Let's get the facts and information on the table as security people and break free of the victim or hostage mentality and point the way to a cheaper, better, simpler, safer, faster way to log in and authenticate to things over the internet. I hate passwords for very legitimate, rational, logical reasons. They are what bad people use to gain unauthorized access to our personal and professional lives! My discontent with them has driven my focus to find a better alternative. Nothing is perfect, and neither are substitution methods. However, it takes a lot of effort and cost for bad people to defeat them, especially when compared to static credentials.
Bad people are business people before they are anything else. They can't afford to spend too much on one thing when there are a lot of things much easier to victimize. The story of fast and slow gazelles being chased by lions seems to come to mind right now for some reason. For those who continue to rely on the false sense of security of static passwords/passphrases/passcodes/etc., good luck! Everyone else will do well to be the gazelle who is a little bit faster and different from the rest of the herd. In cyberspace, the predators have no geographic territory boundaries, they never sleep nor ever grow weary, their appetite is never saturated, and they can wipe out even the largest herds in one moment of time. They are not like biological predators at all, where the biological predators are replete with limitations that allow the vast majority of the herd to always escape. Passwords are simply not safe and are easy to harvest and replay in imposter access activities that are virtually undetectable by today's security technologies. Go forward informed, with eyes wide open, and avoid saying to yourself that static credentials/passwords are the only choice my employer and cloud provider and web site/portal publishers are offering me, so what else can I do? What else indeed! If it isn't to start with me and you and the information protection/security industry, then who will start and drive forward this user authentication revolution? This is a consumer's world, especially in the information age and the internet of things. If it doesn't exist, then demand it or invent/create it. Thanks for the stimulating article and most relevant topic on passwords. Be agile users with stick-and-move tactics, embrace change and quick change and change again and again to keep the enemy guessing, and no matter what, don't be predictable. Chuck.
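The comment above describes a server-generated, per-login "substitution" one-time code without spelling out the mechanics. The following is an added illustration (editor's example, not code from the comment author, SyferLock or SwivelSecure, and not their actual algorithm): a generic grid-pattern scheme in which the server shows a fresh random grid of digits each login, the user's secret is a set of grid positions, and the user types only the digits currently sitting at those positions. The grid size (25 cells), code length (5), the constructed `pattern`, and the helper names `make_challenge`, `derive_otc`, `verify` and `narrow_pattern` are all assumptions made for this example. It shows the replay resistance the comment relies on, and also the caveat a practitioner should check before calling a compromised endpoint harmless: each captured challenge/response pair narrows the secret positions, so an attacker who observes several logins can recover the pattern by intersection.

```python
"""Grid-pattern one-time code (OTC) demo.

Hypothetical stand-in for the 'substitution method' schemes discussed in the
comment above; it is an editor's example, not any vendor's real algorithm.
"""
import random
import secrets

GRID_CELLS = 25   # assumption: a 5x5 grid of random digits is shown per login
CODE_LENGTH = 5   # assumption: the user's secret is 5 grid positions


def make_challenge(rng=None):
    """Server side: build a fresh random digit grid for this login attempt."""
    rng = rng or secrets.SystemRandom()
    return [rng.randrange(10) for _ in range(GRID_CELLS)]


def derive_otc(challenge, pattern):
    """User side: read off the digits at the secret positions.

    The positions themselves (the real secret) are never typed or sent,
    which is what the comment means by 'never revealing the substitution'.
    """
    return "".join(str(challenge[pos]) for pos in pattern)


def verify(challenge, pattern, response):
    """Server side: recompute the expected OTC for *this* grid and compare.

    A response captured from an earlier grid only verifies against a new grid
    if the same digits happen to land on the same positions (1 in 10**CODE_LENGTH).
    """
    expected = derive_otc(challenge, pattern)
    return secrets.compare_digest(expected, response)


def narrow_pattern(observations):
    """Attacker side: intersection attack over captured (grid, response) pairs.

    For response digit k, the k-th secret position must be one of the cells
    that held that digit in the observed grid. Intersecting across logins
    shrinks each position's candidate set; with a 25-cell grid of random
    digits roughly a tenth of the cells survive each observation.
    """
    cands = [set(range(GRID_CELLS)) for _ in range(CODE_LENGTH)]
    for challenge, response in observations:
        for k, ch in enumerate(response):
            cands[k] &= {i for i, d in enumerate(challenge) if d == int(ch)}
    return cands


if __name__ == "__main__":
    pattern = [0, 6, 12, 18, 24]      # constructed secret: the grid's main diagonal
    rng = random.Random(2014)         # seeded only so the demo output is repeatable

    grid1 = make_challenge(rng)
    otc1 = derive_otc(grid1, pattern)
    grid2 = make_challenge(rng)
    print("login 1 accepted:", verify(grid1, pattern, otc1))
    print("replaying login-1 code against a new grid:", verify(grid2, pattern, otc1))

    # Caveat: a keylogging/screen-capturing endpoint that sees several logins.
    captured = []
    for n in range(1, 9):
        grid = make_challenge(rng)
        captured.append((grid, derive_otc(grid, pattern)))
        remaining = [len(s) for s in narrow_pattern(captured)]
        print(f"after {n} captured login(s), candidate cells per position: {remaining}")
```

Run as-is, the script accepts a fresh code, rejects the same code replayed against the next grid, and then shows the candidate count per secret position collapsing toward 1 as more logins are captured. The practical takeaway is that this style of OTC defeats straight replay but not a patient observer on an "assumed compromised" device, so the pattern still needs rotation or a second factor after a bounded number of uses.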
User Rank: Strategist
10/17/2014 | 2:42:37 PM
I don't like biometrics as a single source of authentication for those same reasons, but I also know the human propensity for being lazy. As long as it takes any level of effort, people will have the same password for everything, and it will most likely have to do with their favorite pet or something similar.
I really like the idea of entering your password and waiting a couple of minutes for a random PIN to show up on your cell phone, but I think that's overkill for the "Cat Lovers of the Northwest" discussion forums, which is a whole other topic altogether.