Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
2013: Rest In Peace, Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
J_Brandt
J_Brandt,
User Rank: Apprentice
12/26/2013 | 10:52:23 AM
Agree.. but
Passwords aren't that bad.  It is the people and process surrounding them that is the real concern.  There have been many good suggestions for passphrases and letter/number substitutions and more.  Some of us have been doing that for a decade.  I find resistance to two tier authentication in most instances because people find it too intrusive.  Google, Twitter and others maybe have the ability for users to engage in a higher level of security, but I have not seen any statistics that indicate it's getting significant use.
mak63
mak63,
User Rank: Apprentice
12/15/2013 | 8:17:56 PM
I hope the author is right.
Even though I've been using -for years- a very good password manager (RoboForm), I agree, old fashion passwords have to go. I personally like some sort of biometrics security. Fingerprint reader (Apple)  is good. Iris scanner (Samsung) seems to be more practical. I like the most voice recognition along with some sort of short pin. Star Trek Voyager fan here
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/12/2013 | 8:01:54 AM
Re: a password alone will not stand
@jasonscott, Those are great suggestions for my post-it note reminder list(ugh!). But why not have two factor authentication with the second factor something besides a password e.g. SMS text + biometric?
jasonscott
jasonscott,
User Rank: Apprentice
12/11/2013 | 1:24:02 PM
Re: a password alone will not stand
First, I don't believe that there's anything inherently wrong with passwords -- they're a good first step at securing things. But, like anything, they aren't perfect.


Adding biometrics or a token as a second factor makes it exponentially harder -- if not impossible -- for some ne'er-do-well to access your stuff.


As for the old practice of writing passwords down ... it's obviously less than ideal. But there is a way to make it safer: when I have to do that, I write only part of the password -- enough to remind me, but not enough to get someone in. Maybe the first and last letters, like M...y (for Mickey), or maybe the initials, if it's a phrase, like T.p.I.j.t.I (This password Is just too Insecure). You get the idea. That way, even if the paper is seen, no one knows the password. I actually go a step farther: I do the same for the system that they're used for -- just some kind of unidentifiable abbreviation. It's not tricky nor foolproof, but I'm not simply giving away access if someone discovers my cheat sheet.
Susan Fogarty
Susan Fogarty,
User Rank: Apprentice
12/10/2013 | 9:20:26 PM
Log out
Another dangerous thing people do, especially on the iPhone, is to remain logged into all their applications all the time. Many websites or apps that handle sensitive data will log you out after a specified time, but you'll stay logged in to Facebook, Gmail, LinkedIn, etc. indefinitely. If you lose you smartphone and all of those are accessible, it doesn't matter if the passwords you set up were good.
dak3
dak3,
User Rank: Moderator
12/10/2013 | 5:54:59 PM
Re: I'm starting a death-of-password list
For the one password you do need to remember, make it a phrase or a line from a song but substitute a number or symbol or two for letters:

 

W1nter W0nderland

 

for example

 

-dave
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 5:46:03 PM
Re: I'm starting a death-of-password list
I could live with passwords becoming irrelevant. 

As for password managers, it's time for a true confession. I tried one once and then I forgot my password. But Dave, on your recommendation, I'll give KeePass a try. :-)
dak3
dak3,
User Rank: Moderator
12/10/2013 | 5:00:59 PM
Re: I'm starting a death-of-password list
Not me! It will Bill Gates almost 10 years ago who predicted the death of the password. I think they'll never day, just hopefully become irrelevant.

 

By the waym I do suggest everyone look into KeePass...
cbabcock
cbabcock,
User Rank: Apprentice
12/10/2013 | 4:43:48 PM
I'm starting a death-of-password list
I will start a list of predictors of the death of the password, with Dave Kearns at the top. Let's see if this list gets as long as the list of those who predicted the death of the mainframe. We better dig in for a long stint of list compilation.

 
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
12/10/2013 | 4:27:24 PM
Re: A welcome change
I'd expect third-party password management apps to give way to something like KeyChain from Apple.
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-0624
PUBLISHED: 2022-06-28
Authorization Bypass Through User-Controlled Key in GitHub repository ionicabizau/parse-path prior to 5.0.0.
CVE-2017-20105
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been rated as critical. This issue affects some unknown processing. The manipulation of the argument path with the input ..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2f..%2fetc%2fpasswd leads to path traversal. The att...
CVE-2017-20106
PUBLISHED: 2022-06-28
A vulnerability, which was classified as critical, has been found in Lithium Forum 2017 Q1. This issue affects some unknown processing of the component Compose Message Handler. The manipulation of the argument upload_url leads to server-side request forgery. The attack needs to be approached locally...
CVE-2017-20107
PUBLISHED: 2022-06-28
A vulnerability, which was classified as problematic, was found in ShadeYouVPN.com Client 2.0.1.11. Affected is an unknown function. The manipulation leads to improper privilege management. Local access is required to approach this attack. The exploit has been disclosed to the public and may be used...
CVE-2017-20104
PUBLISHED: 2022-06-28
A vulnerability was found in Simplessus 3.7.7. It has been declared as critical. This vulnerability affects unknown code of the component Cookie Handler. The manipulation of the argument UWA_SID leads to sql injection (Time). The attack can be initiated remotely. The exploit has been disclosed to th...