Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
2013: Rest In Peace, Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
J_Brandt
50%
50%
J_Brandt,
User Rank: Apprentice
12/26/2013 | 10:52:23 AM
Agree.. but
Passwords aren't that bad.  It is the people and process surrounding them that is the real concern.  There have been many good suggestions for passphrases and letter/number substitutions and more.  Some of us have been doing that for a decade.  I find resistance to two tier authentication in most instances because people find it too intrusive.  Google, Twitter and others maybe have the ability for users to engage in a higher level of security, but I have not seen any statistics that indicate it's getting significant use.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/15/2013 | 8:17:56 PM
I hope the author is right.
Even though I've been using -for years- a very good password manager (RoboForm), I agree, old fashion passwords have to go. I personally like some sort of biometrics security. Fingerprint reader (Apple)  is good. Iris scanner (Samsung) seems to be more practical. I like the most voice recognition along with some sort of short pin. Star Trek Voyager fan here
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/12/2013 | 8:01:54 AM
Re: a password alone will not stand
@jasonscott, Those are great suggestions for my post-it note reminder list(ugh!). But why not have two factor authentication with the second factor something besides a password e.g. SMS text + biometric?
jasonscott
100%
0%
jasonscott,
User Rank: Apprentice
12/11/2013 | 1:24:02 PM
Re: a password alone will not stand
First, I don't believe that there's anything inherently wrong with passwords -- they're a good first step at securing things. But, like anything, they aren't perfect.


Adding biometrics or a token as a second factor makes it exponentially harder -- if not impossible -- for some ne'er-do-well to access your stuff.


As for the old practice of writing passwords down ... it's obviously less than ideal. But there is a way to make it safer: when I have to do that, I write only part of the password -- enough to remind me, but not enough to get someone in. Maybe the first and last letters, like M...y (for Mickey), or maybe the initials, if it's a phrase, like T.p.I.j.t.I (This password Is just too Insecure). You get the idea. That way, even if the paper is seen, no one knows the password. I actually go a step farther: I do the same for the system that they're used for -- just some kind of unidentifiable abbreviation. It's not tricky nor foolproof, but I'm not simply giving away access if someone discovers my cheat sheet.
Susan Fogarty
100%
0%
Susan Fogarty,
User Rank: Apprentice
12/10/2013 | 9:20:26 PM
Log out
Another dangerous thing people do, especially on the iPhone, is to remain logged into all their applications all the time. Many websites or apps that handle sensitive data will log you out after a specified time, but you'll stay logged in to Facebook, Gmail, LinkedIn, etc. indefinitely. If you lose you smartphone and all of those are accessible, it doesn't matter if the passwords you set up were good.
dak3
50%
50%
dak3,
User Rank: Moderator
12/10/2013 | 5:54:59 PM
Re: I'm starting a death-of-password list
For the one password you do need to remember, make it a phrase or a line from a song but substitute a number or symbol or two for letters:

 

W1nter W0nderland

 

for example

 

-dave
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 5:46:03 PM
Re: I'm starting a death-of-password list
I could live with passwords becoming irrelevant. 

As for password managers, it's time for a true confession. I tried one once and then I forgot my password. But Dave, on your recommendation, I'll give KeePass a try. :-)
dak3
50%
50%
dak3,
User Rank: Moderator
12/10/2013 | 5:00:59 PM
Re: I'm starting a death-of-password list
Not me! It will Bill Gates almost 10 years ago who predicted the death of the password. I think they'll never day, just hopefully become irrelevant.

 

By the waym I do suggest everyone look into KeePass...
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
12/10/2013 | 4:43:48 PM
I'm starting a death-of-password list
I will start a list of predictors of the death of the password, with Dave Kearns at the top. Let's see if this list gets as long as the list of those who predicted the death of the mainframe. We better dig in for a long stint of list compilation.

 
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
12/10/2013 | 4:27:24 PM
Re: A welcome change
I'd expect third-party password management apps to give way to something like KeyChain from Apple.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 11/19/2020
New Proposed DNS Security Features Released
Kelly Jackson Higgins, Executive Editor at Dark Reading,  11/19/2020
How to Identify Cobalt Strike on Your Network
Zohar Buber, Security Analyst,  11/18/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: A GONG is as good as a cyber attack.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-25660
PUBLISHED: 2020-11-23
A flaw was found in the Cephx authentication protocol in versions before 15.2.6 and before 14.2.14, where it does not verify Ceph clients correctly and is then vulnerable to replay attacks in Nautilus. This flaw allows an attacker with access to the Ceph cluster network to authenticate with the Ceph...
CVE-2020-25688
PUBLISHED: 2020-11-23
A flaw was found in rhacm versions before 2.0.5 and before 2.1.0. Two internal service APIs were incorrectly provisioned using a test certificate from the source repository. This would result in all installations using the same certificates. If an attacker could observe network traffic internal to a...
CVE-2020-25696
PUBLISHED: 2020-11-23
A flaw was found in the psql interactive terminal of PostgreSQL in versions before 13.1, before 12.5, before 11.10, before 10.15, before 9.6.20 and before 9.5.24. If an interactive psql session uses \gset when querying a compromised server, the attacker can execute arbitrary code as the operating sy...
CVE-2020-26229
PUBLISHED: 2020-11-23
TYPO3 is an open source PHP based web content management system. In TYPO3 from version 10.4.0, and before version 10.4.10, RSS widgets are susceptible to XML external entity processing. This vulnerability is reasonable, but is theoretical - it was not possible to actually reproduce the vulnerability...
CVE-2020-28984
PUBLISHED: 2020-11-23
prive/formulaires/configurer_preferences.php in SPIP before 3.2.8 does not properly validate the couleur, display, display_navigation, display_outils, imessage, and spip_ecran parameters.