Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
2013: Rest In Peace, Passwords
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
J_Brandt
50%
50%
J_Brandt,
User Rank: Apprentice
12/26/2013 | 10:52:23 AM
Agree.. but
Passwords aren't that bad.  It is the people and process surrounding them that is the real concern.  There have been many good suggestions for passphrases and letter/number substitutions and more.  Some of us have been doing that for a decade.  I find resistance to two tier authentication in most instances because people find it too intrusive.  Google, Twitter and others maybe have the ability for users to engage in a higher level of security, but I have not seen any statistics that indicate it's getting significant use.
mak63
50%
50%
mak63,
User Rank: Apprentice
12/15/2013 | 8:17:56 PM
I hope the author is right.
Even though I've been using -for years- a very good password manager (RoboForm), I agree, old fashion passwords have to go. I personally like some sort of biometrics security. Fingerprint reader (Apple)  is good. Iris scanner (Samsung) seems to be more practical. I like the most voice recognition along with some sort of short pin. Star Trek Voyager fan here
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
12/12/2013 | 8:01:54 AM
Re: a password alone will not stand
@jasonscott, Those are great suggestions for my post-it note reminder list(ugh!). But why not have two factor authentication with the second factor something besides a password e.g. SMS text + biometric?
jasonscott
100%
0%
jasonscott,
User Rank: Apprentice
12/11/2013 | 1:24:02 PM
Re: a password alone will not stand
First, I don't believe that there's anything inherently wrong with passwords -- they're a good first step at securing things. But, like anything, they aren't perfect.


Adding biometrics or a token as a second factor makes it exponentially harder -- if not impossible -- for some ne'er-do-well to access your stuff.


As for the old practice of writing passwords down ... it's obviously less than ideal. But there is a way to make it safer: when I have to do that, I write only part of the password -- enough to remind me, but not enough to get someone in. Maybe the first and last letters, like M...y (for Mickey), or maybe the initials, if it's a phrase, like T.p.I.j.t.I (This password Is just too Insecure). You get the idea. That way, even if the paper is seen, no one knows the password. I actually go a step farther: I do the same for the system that they're used for -- just some kind of unidentifiable abbreviation. It's not tricky nor foolproof, but I'm not simply giving away access if someone discovers my cheat sheet.
Susan Fogarty
100%
0%
Susan Fogarty,
User Rank: Apprentice
12/10/2013 | 9:20:26 PM
Log out
Another dangerous thing people do, especially on the iPhone, is to remain logged into all their applications all the time. Many websites or apps that handle sensitive data will log you out after a specified time, but you'll stay logged in to Facebook, Gmail, LinkedIn, etc. indefinitely. If you lose you smartphone and all of those are accessible, it doesn't matter if the passwords you set up were good.
dak3
50%
50%
dak3,
User Rank: Moderator
12/10/2013 | 5:54:59 PM
Re: I'm starting a death-of-password list
For the one password you do need to remember, make it a phrase or a line from a song but substitute a number or symbol or two for letters:

 

W1nter W0nderland

 

for example

 

-dave
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 5:46:03 PM
Re: I'm starting a death-of-password list
I could live with passwords becoming irrelevant. 

As for password managers, it's time for a true confession. I tried one once and then I forgot my password. But Dave, on your recommendation, I'll give KeePass a try. :-)
dak3
50%
50%
dak3,
User Rank: Moderator
12/10/2013 | 5:00:59 PM
Re: I'm starting a death-of-password list
Not me! It will Bill Gates almost 10 years ago who predicted the death of the password. I think they'll never day, just hopefully become irrelevant.

 

By the waym I do suggest everyone look into KeePass...
cbabcock
50%
50%
cbabcock,
User Rank: Apprentice
12/10/2013 | 4:43:48 PM
I'm starting a death-of-password list
I will start a list of predictors of the death of the password, with Dave Kearns at the top. Let's see if this list gets as long as the list of those who predicted the death of the mainframe. We better dig in for a long stint of list compilation.

 
Thomas Claburn
50%
50%
Thomas Claburn,
User Rank: Ninja
12/10/2013 | 4:27:24 PM
Re: A welcome change
I'd expect third-party password management apps to give way to something like KeyChain from Apple.
Page 1 / 2   >   >>


COVID-19: Latest Security News & Commentary
Dark Reading Staff 7/2/2020
Ripple20 Threatens Increasingly Connected Medical Devices
Kelly Sheridan, Staff Editor, Dark Reading,  6/30/2020
DDoS Attacks Jump 542% from Q4 2019 to Q1 2020
Dark Reading Staff 6/30/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
How Cybersecurity Incident Response Programs Work (and Why Some Don't)
This Tech Digest takes a look at the vital role cybersecurity incident response (IR) plays in managing cyber-risk within organizations. Download the Tech Digest today to find out how well-planned IR programs can detect intrusions, contain breaches, and help an organization restore normal operations.
Flash Poll
The Threat from the Internetand What Your Organization Can Do About It
The Threat from the Internetand What Your Organization Can Do About It
This report describes some of the latest attacks and threats emanating from the Internet, as well as advice and tips on how your organization can mitigate those threats before they affect your business. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-9498
PUBLISHED: 2020-07-02
Apache Guacamole 1.1.0 and older may mishandle pointers involved inprocessing data received via RDP static virtual channels. If a userconnects to a malicious or compromised RDP server, a series ofspecially-crafted PDUs could result in memory corruption, possiblyallowing arbitrary code to be executed...
CVE-2020-3282
PUBLISHED: 2020-07-02
A vulnerability in the web-based management interface of Cisco Unified Communications Manager, Cisco Unified Communications Manager Session Management Edition, Cisco Unified Communications Manager IM & Presence Service, and Cisco Unity Connection could allow an unauthenticated, remote attack...
CVE-2020-5909
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, when users run the command displayed in NGINX Controller user interface (UI) to fetch the agent installer, the server TLS certificate is not verified.
CVE-2020-5910
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the Neural Autonomic Transport System (NATS) messaging services in use by the NGINX Controller do not require any form of authentication, so any successful connection would be authorized.
CVE-2020-5911
PUBLISHED: 2020-07-02
In versions 3.0.0-3.5.0, 2.0.0-2.9.0, and 1.0.1, the NGINX Controller installer starts the download of Kubernetes packages from an HTTP URL On Debian/Ubuntu system.