Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

7 Reasons To Love Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
User Rank: Strategist
10/17/2014 | 2:42:37 PM
Re: Do-it-yourself Passwords are Private
Unfortunately, the landlord has a copy of those same keys. Unless your a home owner, someone has a key to your place and it is out of your control unless you violate the lease. That's just me knitpicking your example, I do fully agree with where you went with it though.

I don't like biometrics as a single source of authentication for those same reasons but I also know the human propencity for being lazy. As long as it takes any level of effort, people will have the same password for everything and it will most likely have to do with their favorite pet or something similar.

I really like the idea of enter your password and wait a couple minutes for a random pin to show up on your cell phone but I think that's overkill for the "Cat Lovers of the Northwest" discussion forums which is a whole other topic all together.
User Rank: Strategist
9/26/2014 | 10:22:45 AM
Re: static passwords offer little to no security no security against modern day harvesting techniques...
this whole post reads like an exceeding long password.
User Rank: Apprentice
9/23/2014 | 3:32:58 PM
Re: Frustration
I hate the maximum number of characters limitation of passwords.  I'd make my passwords really long if they'd let me.
User Rank: Apprentice
9/22/2014 | 1:07:20 PM
Do-it-yourself Passwords are Private
This was implied by your first point, but one of the greatest values in generating your own passwords is that they are truly yours alone, not given to you by others or even warehoused somewhere.  Would you want your door locks installed by local law enforcement officers, or would you give them copies of your keys?  No.  Do you trust them?  Probably, but they don't need your keys (based on least privilege as well as constitutional liberties).  If you have the tools, you don't even need to hire a locksmith.  The same is true with password security; even though it's a big responsibility, users need manage their credentials using self-generated passwords rather than surrender to an outside authority to provide credentials.

It's not just that someone in a place of influence might fraudulently use your credentials.  They may also have the ability to identify you as an individual through your use of credentials they have stored.  This is especially true with biometrics, and if they get widely established as a necessary part of authentication, the loss of privacy will be almost irreversable.
Sara Peters
Sara Peters,
User Rank: Author
9/22/2014 | 12:34:30 PM
Re: Love/Hate relationship
@Robert McDougal  Well I think that's a completely reasonable thing to wish for. It MIGHT happen in your lifetime. I'm thinking positive.
Robert McDougal
Robert McDougal,
User Rank: Ninja
9/22/2014 | 11:53:09 AM
Re: Love/Hate relationship
@Sara Peters I suppose I should clarify, My thought is that passwords should be eliminated as a single factor of authentication.  In a perfect world a password should only be a piece of the puzzle.
Sara Peters
Sara Peters,
User Rank: Author
9/22/2014 | 11:49:58 AM
Re: Love/Hate relationship
@Marilyn  Thanks Marilyn! I think my favorite photo is the one with the two men playing chess in the pool. It looks like that wasn't the first time they'd had that idea.
Sara Peters
Sara Peters,
User Rank: Author
9/22/2014 | 11:47:11 AM
Re: Love/Hate relationship
@Robert McDougal  As you say, " I am not sure that passwords will be completely replaced within my lifetime." I agree with you, but here's another question. Do you think they should be replaced, entirely?
User Rank: Apprentice
9/20/2014 | 5:00:04 PM
static passwords offer little to no security no security against modern day harvesting techniques...
if we can't protect intellectual property, money, personally identifiable information, health information, credit cards/debit cards, etc., then we sure can expect anone to protect scans of our retinas, fingerprints, palm printers, voice prints, facial recognition patterns, dna patterns, etc.  passwords are basically nothing more than a false sense of security and bad people count on them to gain unauthroized access and to be able to move in and out of our electronic systems with ease and undetectable as they are essentially perfect imposters of legitimate authorized users.  the business and consumer cultures of convenience has deeply embedded ease of use by intention into every aspect of corporate and personal computing cultures. To encourage continued use of static passwords is to lead people and corporations into certain contininued victimization.  Technology vendors continue to embed static passwords into every system and product they produce. Again, this is leading to certain breaches in access and victimization. Change has to start somewhere and no better place than the people in their personal lives and in the workplaces they saturate every day.  I personally think that simple substitution methods generating dynamica one time codes are far superior than static codes/static passwords for user authentication controls. fairly new solutions from vendors like Syferlock and SwivelSecure offer human beings some very stong, single factor, token-less, server-side generated, dynamically changing at each loging attempt, humana triggered/executed login authentication for login portals/pages/sites over the internet from either trusted corporate devices or untrusted byod or home devices or public devices that are higly likely already compromised (the devices) with some type credential harvesting or ssl malware-in-the-middle content scanning malware/technology.  User simplicity and convenience and predictability are the things that bad people target and count on. Static passwords are one of those predictable easy to harvest/steal things. we need to be less predictable and we need to not reuse the same password twice when logging into anything.  I have experienced taking away static 8-characters complex passwords from tens of thousands of non-techncial users and replacing them with 5-digit simple one time codes (change every login attempt), single factor, server-side, tokenless authentiation to great success. this approach reduces the users keystrokes to gain access to VPN's, Citrix, Web portals, web apps, etc., by 65% to simply the normal login and increased security by defeating over a dozen common static password credential harvesting techniques. This leaves the bad people unable to imposter legitimate users because they couldn't replay any of the OTC's.  This technique allows us to avoid hard token authenticaiton devices and soft token authentication devices and voice biometrics and SMS codes. the key is to elinimate the static password entry altogether because the static password is still embedded on our servers and in our databases while slowely being replaced by true Single Sign On (SSO) PROTOCOL tokenization and key exchange (not widely adopted yet).  No end user devcie  should be trusted whether owned, deployed, managed and secured by your employer or personall owned and secured.  All end user devices should be assumed untrusted and assumed already compromised. therefore, anthing the users swipes, touches, types, clicks, speaks or gestures into their devices should be assumed intercepted and copied and known by bad people. this is not paranoia. this is the state of reality in the electronic real or cyberspace as we know it. The breaches every day demonstrate this with Target, CHS, Home Depot, etc. traditional Two-Factor and hard tokens and soft tokens and risk based authenticaiton with IP address geo-location and fingerprinting devices have not stopped or even slowed unauthorized access. decpetion of humana beings with social engineering and phishing techniques contine to be very very successful for the bad people. Good people are naive by spillig intimate details of their live onto/into social media sites and services where static passwords allow bad people to harvest not only the good people's static passwords (regaress of how clever and long/strong the passwords or how many passwords there may have) but harvest also enough intimate details for the bad people to be able to answer any security/identity/privacy questionas and answers (challenge/response) controls necessary to reset static passwords, register on new websites, steal identities, etc. across the board.  We have to reverse some of the ease of use and convenience electronic death trap we have set ourselves up for.  We need more innovative can-do thinkers in security and privacy world that see the glass half full and can see new apporaches to tired old problems. we are not winning the access control world. creating one hundred unigue passwords long that is compromsed of very long stringes of complex characters (e.g. letters, numbers, special characters, case sensitive, phrases, etc.) and trying to change those frequently, remember them without writing them down and so on, does not defeat the dozens of credential harvesting techniques that steal a long complex passphrase with the same simple compute effort (tiny compute cost) that they can steal/harvest a short simple one for future playback.  My answer, stop using static passwords/passcodes/passphrases/etc., to login to web sties, web portals, vpn's, citrix sites, etc. Use OTC's from a substituion approch that never requies the end user to reveal through touch, swipe, click, key enter, etc. the secrets behind the substituion method. this can greatly increaset the compute cost of the bad gus to try and back into the secrets needed to defeat the substituion algorithm. there is some practical and powerful crypto strength and security entropy behind this approach. the good news is that this substitution approach is simpler on end users with shorter codes than current static passwords and their hidden secrets don't ever need to revealed in authentication process and they don't need to be changed unless the users desire to. SyferLock is just one technology company that I have had great success with for tens of thousands of non-technical users of all ages, genders and demongraphics. I agree with several of the points of this article about static passwords over biometris and tokens. Biometrics and tokens come with too many downsides for pracical use and if they are compromised, and they most certainly will be, then we can't change our dna and biometric markers like we can static passwords or better yet, one time code secrets and substituion algorithms. I think business people have use hostage to static passwords under the banner that we are all too dumb to try anything else because we are so dumb that any inconvenience will cause us to stop being productive and fill up their help desks with support calls and cost them too much money to change our bad risky behaviors. Humana beings are the top the intellectual/intelligence life form hierarchy. this is undeniable in all history. Let's get the facts and information on the table as security and break free of victim or hostage mentality and point the way to a cheaper, better, simpler, safer, faster way to login and authenticate to things over the internet. i hate passwords for very legitimate rationale logical reasons. they are what bad people use to gain unauthorized access to our personal and professional lives! my discontent with them has driven my focus to find a better alternative. nothing is perfect and neither are substituion methods.  However, it takes a lot of effort and cost for bad people ot defeat them especially where compared to static credentials.  bad people are business people before they are anything else. they can't afford to spend too much on one thing when there are a lot of things much easier to victimize. The story of fast and slow gazelles being chased by lions seems to come to mind right now for some reason.  for those who continue to rely on the fasle sense of security of static passwords/passphrases/passcodes/etc., good luck!  Everyone else will do well to be the gazelle   who is a little bit faster and different than the rest of the herb.  In cyberspace, the predators have no geographic territory boundaries and they never sleep nor ever grow weary and their appetite is never saturated and they can wipe out even the largest herds in one moment of time. they are not like biological predators at all where the biological predators are replete with limitations that allows the vast majority of the herd to always escape. passwords are simply not safe and are easy to harvest and replay in imposter access activites that are virtualy undetectable by today's security technologies. Go forward informed with eyes wide open and avoid saying to yourself that static credentials/passwords are the only choice my employer and cloud provider and web site/portal publishers are offering me so what else can i do?  what else indeed!  if it isn't to start with me and you and the information protection/security industry, then who will start and drive forward this user authentication revolution? This is a consumers world especially in the informaiton age and then internet of things. if it doesn't exist then demand it or invent/create it.  Thanks for the stimulating article and most relevant topic on passwords.  Be agile users with stick and move tactics and embrace change and quick change and chage again and again to keep the enemy guessing and no matter what, don't be predictable.  Chuck.
Robert McDougal
Robert McDougal,
User Rank: Ninja
9/18/2014 | 2:59:01 PM
Re: Love/Hate relationship
Might as well love them, because regardless of how we feel they will be around for a long time.  I am not sure that passwords will be completely replaced within my lifetime.
Page 1 / 2   >   >>

I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Current Issue
How Machine Learning, AI & Deep Learning Improve Cybersecurity
Machine intelligence is influencing all aspects of cybersecurity. Organizations are implementing AI-based security to analyze event data using ML models that identify attack patterns and increase automation. Before security teams can take advantage of AI and ML tools, they need to know what is possible. This report covers: -How to assess the vendor's AI/ML claims -Defining success criteria for AI/ML implementations -Challenges when implementing AI
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2022-09-29
In Amazon AWS Redshift JDBC Driver (aka amazon-redshift-jdbc-driver or redshift-jdbc42) before, the Object Factory does not check the class type when instantiating an object from a class name.
PUBLISHED: 2022-09-29
Allocation of Resources Without Limits or Throttling in GitHub repository ikus060/rdiffweb prior to 2.5.0a3.
PUBLISHED: 2022-09-29
Discourse is an open source discussion platform. Starting with version 2.9.0.beta5 and prior to version 2.9.0.beta10, an incomplete quote can generate a JavaScript error which will crash the current page in the browser in some cases. Version 2.9.0.beta10 added a fix and tests to ensure incomplete qu...
PUBLISHED: 2022-09-29
ZKTeco Xiamen Information Technology ZKBio Time 8.0.7 Build: 20220721.14829 was discovered to contain a CSV injection vulnerability. This vulnerability allows attackers to execute arbitrary code via a crafted payload injected into the Content text field of the Add New Message module.
PUBLISHED: 2022-09-29
Discourse is an open source discussion platform. In versions prior to 2.8.9 on the `stable` branch and prior to 2.9.0.beta10 on the `beta` and `tests-passed` branches, a moderator can create new and edit existing themes by using the API when they should not be able to do so. The problem is patched i...