Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
More than Half of Security Pros Rarely Change their Social Network Passwords
Newest First  |  Oldest First  |  Threaded View
Joe Stanganelli
50%
50%
Joe Stanganelli,
User Rank: Ninja
4/7/2017 | 1:23:49 PM
Red Herring
This is a red herring issue, I strongly suspect.

Talk to most die-hard security pros -- the really good ones, and the ones who do nothing OTHER than cybersecurity for a living -- and their use of social networks is minimal (if not non-existent).  Moreover, they put minimal -- if any -- true PII on those social networks.  So their risk is already quite small.

Moreover, it is becoming increasingly the viewpoint of the top InfoSec pros and punditry that changing passwords frequently is NOT a best practice -- and can actually be detrimental.

The study may be headline grabbing, but I am unconcerned.
AndrewfOP
50%
50%
AndrewfOP,
User Rank: Moderator
4/4/2017 | 1:13:36 PM
Problematic Password Practice Advice
Clearly, if security pros can't follow their own advice, it just means the advice itself was problematic.  Secure IT policy should be clear and easy to follow, otherwise IT/Security team is obviously not doing, or not able to do its job.  One account with periodic password change is difficult enough.  Keeping good tracks of multiple accounts as with most of office working environment is practically impossible. 

Single sign-on/ password vaults, or one single password for all accounts, essentially presents the same security weak point.  The only way to maintain the good security should be user behavior tracking and analysis: any excessive access entries outside of users' normal work environment, excessive access outside normal work hours or excessive amount of access entries are potential breaches to look out for.

Continued reliance on difficult to follow password practices would only weaken IT security in the long run regardless of any potential technology that could replace passwords.
lakers85
50%
50%
lakers85,
User Rank: Strategist
4/3/2017 | 12:42:39 PM
Password Vaults
Any recomendations on Password Vaults? What if they are breached? Who watches the watchers?
Breezcar
50%
50%
Breezcar,
User Rank: Apprentice
4/3/2017 | 11:14:58 AM
I agree
I should change more often also


Why Vulnerable Code Is Shipped Knowingly
Chris Eng, Chief Research Officer, Veracode,  11/30/2020
Inside North Korea's Rapid Evolution to Cyber Superpower
Kelly Sheridan, Staff Editor, Dark Reading,  12/1/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-29565
PUBLISHED: 2020-12-04
An issue was discovered in OpenStack Horizon before 15.3.2, 16.x before 16.2.1, 17.x and 18.x before 18.3.3, 18.4.x, and 18.5.x. There is a lack of validation of the "next" parameter, which would allow someone to supply a malicious URL in Horizon that can cause an automatic redirect to the...
CVE-2020-5675
PUBLISHED: 2020-12-04
Out-of-bounds read issue in GT21 model of GOT2000 series (GT2107-WTBD all versions, GT2107-WTSD all versions, GT2104-RTBD all versions, GT2104-PMBD all versions, and GT2103-PMBD all versions), GS21 model of GOT series (GS2110-WTBD all versions and GS2107-WTBD all versions), and Tension Controller LE...
CVE-2020-29562
PUBLISHED: 2020-12-04
The iconv function in the GNU C Library (aka glibc or libc6) 2.30 to 2.32, when converting UCS4 text containing an irreversible character, fails an assertion in the code path and aborts the program, potentially resulting in a denial of service.
CVE-2020-28916
PUBLISHED: 2020-12-04
hw/net/e1000e_core.c in QEMU 5.0.0 has an infinite loop via an RX descriptor with a NULL buffer address.
CVE-2020-29561
PUBLISHED: 2020-12-04
An issue was discovered in SonicBOOM riscv-boom 3.0.0. For LR, it does not avoid acquiring a reservation in the case where a load translates successfully but still generates an exception.