Comments
The Future of Account Security: A World Without Passwords?
Hackerproof Tech
User Rank: Apprentice
10/3/2019 | 2:11:39 PM
Re: What am I missing?
tdsan,

My fundamental belief is that passwords are not an appropriate tool for securing remote access. The issue is not so much passwords as such, inasmuch as they can be replaced by biometrics, which has a place but is not a generic wholesale replacement. It is the entire system of matching static tokens, where one static token (bio, mnemonic, photo, password, etc.) is matched. The fact is that the flaw is not just that they are stored on a server which may be subject to compromise, but that they can be spoofed by a rogue agent.

The need is not for a better password system but for a method to eliminate matching tokens completely. Regardless of how complicated you make a password system, it remains with two very large vulnerabilities. Making it more complex makes it more difficult.

tdsan
User Rank: Ninja
9/30/2019 | 2:26:23 PM
Re: What am I missing?
I agree with you, Mr. Tech, lol. This is very generic. There are companies called BeyondTrust and CyberArk that are doing a pretty good job at securing the environment. The only problem with these technologies: if you set it up in an Active/Passive (A/P) configuration where the primary site gets disconnected, the other locations won't be able to log in, because their passwords are so secure, up to 127-character passwords, after you sign in. The keys will not allow the user to change it from A/P to A/A (Active/Active), so I do think there is a design flaw, but they should see it after they get a number of complaints.

Now, if the user added BeyondTrust to the cloud and connected sites to this while at the same time creating an Active/Active environment, then I would say yes, this works pretty well, as long as the sites have domain controllers on the external sites and they create a trust infrastructure that is not solely dependent on the other.

I do think the solutions they have on the market work pretty well, but I don't think they have thought through the contingency planning if something happened to their solution from a corruption standpoint when the software updates itself. They are moving in the right direction, but this solution is for major institutions that have large amounts of money. From a vendor perspective, it seems we need to take into consideration the "mom & pop" stores that were mentioned; they may need to wear something around their neck to help them remember, or utilize the TOTP protocol as an MFA solution. Not sure how to handle this; this will take time or a lot of hand-holding.

T

Hackerproof Tech
User Rank: Apprentice
9/26/2019 | 1:25:06 PM
What am I missing?
Interesting read, but it doesn't pose any new information.

It seems to say, 'we need a better method of identity and authentication than passwords'.

I think that is obvious. Two-step and two-factor are a PITA, and it's the best you can do.

To assign credit for the invention of the password to Fernando Corbató can only be done by someone who has not seen a WW2 movie.

In fact, passwords go back to before the Roman Empire. "Who goes there?" - "I am Spartacus" - "What is the password?" - "Hail Caesar." - "Enter"

So what am I missing? Or did I get it right?

REISEN1955
User Rank: Ninja
9/25/2019 | 10:49:31 AM
For what it is worth
Two-factor at least does protect some, and having it aligned with background authority data would be great. Some sites use excellent qualifications such as Social Security. Try that one; it asks for loan data for about 10 years on stuff you probably forgot about. It's damn hard to crack it. You had a college loan in 2004: who carried it? And given that loans are often sold between banks, that can be a killer to get right. Two-factor would help, but this is a fine example of multi-data sourcing for authentication.