Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
2013: Rest In Peace, Passwords
Oldest First  |  Newest First  |  Threaded View
Page 1 / 2   >   >>
Kristin Burnham
Kristin Burnham,
User Rank: Apprentice
12/10/2013 | 11:18:15 AM
A welcome change
I welcome this with open arms. Managing passwords has become exhausting and frustrating. I can never remember which variation of which password I've used for which site, and resetting a password every time makes it that much more confusing. It's time for a better solution.
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 12:44:17 PM
Re: A welcome change
I second that, Kristen. But, alas, it seems that passwords will be with us for some time still. Hopefully, TFA and biometrics will hurry things along. I sure hope so. I am running out of room on my screen for all my sticky notes. 
anon314159265358
anon314159265358,
User Rank: Apprentice
12/10/2013 | 1:00:07 PM
Passwords, or Multi-Factor?
Passwords will may disappear to a large extent at some point.  What to replace it with?  I like some sort of multi-factor system, e.g., a password, a generated token (app, text, voice), and a biometric (fingerprint, double-iris scan).  You might be able to fake two, but all three is much harder.  The more sensitive the site, the more factors should be required.


There are a couple of things that are being done now.  The Department of Defense has a Common Access Card (CAC), which requires a 4-8 digit PIN to authenticate.  If the PIN is entered wrong three times, the card is useless until it is unlocked by a CAC representative.


Something similar is available now from the Free Software Foundation Europe (FSFE, https://fsfe.org/fellowship/card.en.html).  They issue smart cards to each of their members.  Yes, you can get smart cards cheaper elsewhere, but they come with a pre-assigned key, and you can add your own.  Nicely, they are also printed with your name, so if it is lost, it can (maybe) get back to you.  It also has  PIN, which can be used to lock (or erase) the card if entered incorrectly too many times.


Passwords as the only authentication method?  Nope.  Passwords supported by multi-factor authentication?  Yes.
anon314159265358
anon314159265358,
User Rank: Apprentice
12/10/2013 | 1:05:12 PM
Re: A welcome change
Kristin,


I too have had issues remembering passwords for websites.  I've found the only way to get really good, unique passwords for each site is to use a password manager like LastPass or KeePass.  LastPass is a commercial product, and tends to have more features and updates, while KeePass is open source.  LastPass keeps your passwords in the cloud, KeePass allows you to keep your own encrypted password file.

One of my pet peeves is websites which require you to set a password without telling you what the restrictions are.  So, I come up with this 48-character password, only to find out the password is limited to 16 characters (yes, that's you, Microsoft Outlook.com.), or that it only allows certain special characters, or something else.  Just tell me up front what you expect.  Is that really so hard?
Shane M. O'Neill
Shane M. O'Neill,
User Rank: Apprentice
12/10/2013 | 1:47:35 PM
a password alone will not stand
Looks like a password in tandem with a biometric component or a token will be the new normal. Hopefully soon. It's become clear that a password alone, even a "strong" one, is not enough to secure you. I'm embarrassed to say I still have all my various passwords written on a piece of paper tucked in a book. Time to look into a password manager.
Kristin Burnham
Kristin Burnham,
User Rank: Apprentice
12/10/2013 | 1:52:22 PM
Re: A welcome change
I've never checked out password managers -- I'll have to look at those two suggestions. Thanks for the recommendations!
Thomas Claburn
Thomas Claburn,
User Rank: Ninja
12/10/2013 | 4:27:24 PM
Re: A welcome change
I'd expect third-party password management apps to give way to something like KeyChain from Apple.
cbabcock
cbabcock,
User Rank: Apprentice
12/10/2013 | 4:43:48 PM
I'm starting a death-of-password list
I will start a list of predictors of the death of the password, with Dave Kearns at the top. Let's see if this list gets as long as the list of those who predicted the death of the mainframe. We better dig in for a long stint of list compilation.

 
dak3
dak3,
User Rank: Moderator
12/10/2013 | 5:00:59 PM
Re: I'm starting a death-of-password list
Not me! It will Bill Gates almost 10 years ago who predicted the death of the password. I think they'll never day, just hopefully become irrelevant.

 

By the waym I do suggest everyone look into KeePass...
Marilyn Cohodas
Marilyn Cohodas,
User Rank: Strategist
12/10/2013 | 5:46:03 PM
Re: I'm starting a death-of-password list
I could live with passwords becoming irrelevant. 

As for password managers, it's time for a true confession. I tried one once and then I forgot my password. But Dave, on your recommendation, I'll give KeePass a try. :-)
Page 1 / 2   >   >>


Edge-DRsplash-10-edge-articles
I Smell a RAT! New Cybersecurity Threats for the Crypto Industry
David Trepp, Partner, IT Assurance with accounting and advisory firm BPM LLP,  7/9/2021
News
Attacks on Kaseya Servers Led to Ransomware in Less Than 2 Hours
Robert Lemos, Contributing Writer,  7/7/2021
Commentary
It's in the Game (but It Shouldn't Be)
Tal Memran, Cybersecurity Expert, CYE,  7/9/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Improving Enterprise Cybersecurity With XDR
Enterprises are looking at eXtended Detection and Response technologies to improve their abilities to detect, and respond to, threats. While endpoint detection and response is not new to enterprise security, organizations have to improve network visibility, expand data collection and expand threat hunting capabilites if they want their XDR deployments to succeed. This issue of Tech Insights also includes: a market overview for XDR from Omdia, questions to ask before deploying XDR, and an XDR primer.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2022-2206
PUBLISHED: 2022-06-26
Out-of-bounds Read in GitHub repository vim/vim prior to 8.2.
CVE-2022-30932
PUBLISHED: 2022-06-26
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: none. Reason: This candidate was withdrawn by its CNA. Further investigation showed that it was not a security issue. Notes: none.
CVE-2022-34494
PUBLISHED: 2022-06-26
rpmsg_virtio_add_ctrl_dev in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
CVE-2022-34495
PUBLISHED: 2022-06-26
rpmsg_probe in drivers/rpmsg/virtio_rpmsg_bus.c in the Linux kernel before 5.18.4 has a double free.
CVE-2020-27509
PUBLISHED: 2022-06-26
Persistent XSS in Galaxkey Secure Mail Client in Galaxkey up to 5.6.11.5 allows an attacker to perform an account takeover by intercepting the HTTP Post request when sending an email and injecting a specially crafted XSS payload in the 'subject' field. The payload executes when the recipient logs in...