Israel cyber chief's 'pants' analogy for password security deemed, well, 'pants'

Israel's newly appointed cyber chief has raised eyebrows by offering questionable password advice during a high-profile presentation. Yigal Unna, Director General, Israel National Cyber Directorate, joked that passwords should be treated like underpants: changed often and never shared. His point was contained in a slide …

Anonymous Coward

passwords should be treated like underpants

Twice a year is reasonable to me.

20
0
Anonymous Coward

Re: passwords should be treated like underpants

6 months one way round, then 6 months turned inside out, surely!

22
0
Anonymous Coward

Re: passwords should be treated like underpants

I like your thinking.

3
0

Re: passwords should be treated like underpants

Two years! 6 months one way round, six months the other way round. Then turn them inside out and 6 months one way round, six months the other way round.

Why doesn't anybody want to sit next to me?

13
0
Silver badge

Re: passwords should be treated like underpants

So something like this then:

passw0rd

dr0wssap

dɐssʍ0ɹp

pɹ0ʍssɐd

20
0

Re: passwords should be treated like underpants

How do you do the 180-degrees word flip? I looked it up with a character map but couldn't find it!

1
0
Silver badge

Re: passwords should be treated like underpants

Wrinkly and smelly, and crackle when you bend them?

5
0
Silver badge
Coat

Re: passwords should be treated like underpants

Oh you are one of those types who can be smelt from the other side of the building.

2
1

Re: passwords should be treated like underpants

Oh, you are one of those types that doesn't like the way humans smell.

1
2
Silver badge

Re: passwords should be treated like underpants

Oddly I don't find the smell of urine that nice.

0
0
Silver badge
Boffin

Re: passwords should be treated like underpants

> How do you do the 180-degrees word flip?

/ɯoɔ˙ʇxǝʇuʍopǝpᴉsdn˙ʍʍʍ//:dʇʇɥ

3
0
Anonymous Coward

Password Security

Now why would "Israel's newly appointed cyber chief" suggest, in public, a password process which is not secure?

*

Guess!!

23
1

Re: Password Security

Errrm, umm ... "thinking"

.

.

Ah! Got it now!

[SBILPS(0) redacted]!

Wait, what the ...

[SBILPS redacted]

(0): Shin Bet Intelligence Leak Prevention System

4
1
Joke

Pants, eh?

So... where's the Government-mandated back door?

22
0
Silver badge

Re: Pants, eh?

Come on, not all of us buy pants from Ann Summers.

13
1
Coat

Re: Pants, eh?

I can always get you a pair for Christmas :-D

4
0
Anonymous Coward

Re: Pants, eh?

If only there was some sort of plug to stop them.

6
0
Joke

Re: Pants, eh?

The "back door" appears when you put the pants on backwards!

1
0

Re: Pants, eh?

Some sort of plug?

Yep, you're right; no "butts" about it!

3
0
Silver badge
Facepalm

Advice: Use a password manager

Oh goody, lots of password managers to choose from, all of which promise to keep all my passwords nice and secure so they must be good ... I'll pick one ... eany meany miney doh!

At which point do I trust one organisation, of which I have no specialist knowledge at all, with all my passwords? The only time this would be good advice is when I was running the password manager company and either I was (a) completely legit and wanted to help the world or (b) completely bogus and wanted to trawl as many passwords as possible. The third option is obviously good intentions plus more security holes than a Trump policy statement allowing access to miscreants anyway.

I don't have a solution but tell me how to find a trustworthy password manager ... and, before someone says it, reading a.n.other's 'reviews' is not a good way of assessing data security, neither is having 'an encrypted database' if the NSA decode and clone it every day, nor is having a local database if the app "updates regularly" by uploading unencrypted password data to a C&C server ...

9
4
Anonymous Coward

Re: Advice: Use a password manager

You don't trust them with everything, you ensure the route to changing the passwords is controlled by you e.g. you do not let them know your passwords for e-mail accounts, domain management etc.

That way should/when they are breached you are able to change those passwords without too much hassle, you should also have a separate list of what services you change first kept offline e.g. banks, insurance companies, utilities, shopping accounts, healthcare services etc.

It's about risk, there's less risk with using a password manager, but the type of risks change.

3
0
Silver badge
Pint

Re: Advice: Use a password manager

Yes it's called a paper book, it's not convenient compared to software but actually it's what I recommend to older computer users (as password software tends to confuse).

Sorry I just realised I called you old, have a beer icon.

3
0
ds6

Re: Advice: Use a password manager

You seem to assume "password manager" means a central server. It is terrifying and depressing to me that is anyone's first thought.

Rather, use a local solution. Use KeePass (open source, audited clients for all systems, including Windows, macOS, Linux, BSDs, Solaris, Android, iPhones; and no, all the clients I can think of either work entirely offline or can be configured to never connect out) and sync your database physically, with SCP on a cron job, or with Syncthing using a TLS certificate.

Alternatively, use a script, mobile app, or application that takes a site name and master password, generates a salt using the two, and then generates a password using all 3... Now you don't even need to save your passwords anywhere!

You could also write a shell script to encrypt/decrypt a json/etc. file using a secure technology of your choice (eg. something based on OpenPGP) and forego any fancy technology. Simplicity keeps the attack surface lower.

Or, you know, use a pen and paper, and rather than just writing down passwords, transmutate them using a shared secret present only in your brain, eg. always add a character to position X if Y is Z... Or, only write down hints, only to be used if you forget.

Password management doesn't have to be difficult, and "password manager" should not ever ever never ever mean giving your passwords to some company. Look at LastPass, bastards got compromised and they're somehow still in business and promise to keep your data safe. Not to mention, it's still not open source. Tsk.

9
1
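
The site-name-plus-master-password scheme suggested in the comment above, as an added Python sketch that is not part of the original post. The HMAC salt step, PBKDF2 with an assumed round count, the alphabet and the `counter` parameter are illustrative choices, not any particular tool's algorithm.

```python
import hashlib
import hmac
import string

# Assumed output alphabet (74 symbols); adjust to what the target site accepts.
ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
# Assumed work factor: it slows offline guessing of the master password
# by anyone who obtains one derived site password.
KDF_ROUNDS = 200_000


def derive_salt(site: str, master: str) -> bytes:
    """Step 1: a salt computed from the site name and the master password."""
    return hmac.new(master.encode(), b"salt|" + site.encode(), hashlib.sha256).digest()


def site_password(site: str, master: str, counter: int = 1, length: int = 20) -> str:
    """Step 2: derive the password from site name, master password and salt.

    `counter` is an addition, not in the comment: with nothing stored,
    bumping it is the only way to rotate a single site's password.
    """
    site = site.strip().lower()  # "Example.com" and "example.com" must agree
    salt = derive_salt(site, master)
    info = f"{site}|{counter}".encode()
    # Rejection sampling: discard bytes >= limit so every symbol is equally likely.
    limit = 256 - (256 % len(ALPHABET))
    out = []
    block = 0
    while len(out) < length:
        chunk = hashlib.pbkdf2_hmac(
            "sha256", master.encode(), salt + info + bytes([block]),
            KDF_ROUNDS, dklen=32,
        )
        for b in chunk:
            if b < limit and len(out) < length:
                out.append(ALPHABET[b % len(ALPHABET)])
        block += 1
    return "".join(out)


if __name__ == "__main__":
    # Constructed inputs, for illustration only.
    print(site_password("example.com", "correct horse battery staple"))
    print(site_password("example.com", "correct horse battery staple", counter=2))
```

Nothing is stored, so the master password is the single point of failure: changing it changes every derived password at once, and the per-site counter values still have to be remembered or written down.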

Re: Advice: Use a password manager

I've 13+ years working in InfoSec for all manner of organisations.

In my experience there used to be a 50/50 split on InfoSec peeps who trust password managers of any stripe. Some of the most impressive people I've ever worked with just point blank refuse to use password managers.

I can see both sides of the argument but in the last couple of years InfoSec people, in my experience, are trending towards password managers now...

Personally...I'll use my brain and continue to get pissed off every time I have to reset a password I've forgotten...

And yes I wear a tinfoil hat but only when I sleep.

4
0

First of all, about your bootnote El Reg, if you have to explain a joke...

Secondly, I don't own any underpants, but I have plenty of passwords. Make of that what you will.

Thirdly, I guess now we are a little closer to figuring out how the South Park underpants gnomes end up with profit.

3
6
Silver badge

Remind me...

... To never sit on a chair you sat on first. Going commando? Eww.

4
3
Silver badge

Re: Remind me...

It is my unfortunate observation ( albeit on a small sample size ) that people who don't wear underpants are the same group that don't wipe their arse.

4
3
(Written by Reg staff)

A significant proportion of our readers aren't Brits. I guarantee you someone would have moaned. You know these threads well enough.

11
0
Silver badge
Coat

In the north, pants are kecks.

4
1
Anonymous Coward

North of the north, they're pants.

4
0
Joke

@disgusted:

What do you know, according to your username you live south of M25

1
2
Silver badge

https://en.wikipedia.org/wiki/Disgusted_of_Tunbridge_Wells

I'm from't north.

2
1
Silver badge

> North of the north, they're pants.

And if you wear a kilt you don't need any passwords.

P.S. pants are what dogs do when it's hot.

8
0
FAIL

Clearly 'JOKE ALERT' doesn't mean anything these days.

Username checks out ...

4
0
Silver badge

It's "... from t'north.", as you'd know if you really were or understood the use of the apostrophe.

3
0
Silver badge

> In the north, pants are kecks.

What are kecks?

0
0
Silver badge

It's not, it's I'm going t' pub, where t' is a contraction of 'to the'

1
0
Silver badge

Trousers.

0
0
Silver badge

> It's not, it's I'm going t' pub, where t' is a contraction of 'to the'

Yes, that's right, but frank ly is also correct, as you originally wrote I'm from't north.

1
0
Silver badge

I can't explain the logic behind that, but that's my interpretation of how it's pronounced.

0
0
Anonymous Coward

Post-it notes in a locked drawer, I challenge anyone to defeat this foolproof method over the internet.

11
0

On the top of my dizzy head after a looooong day explaining Visual Basic (eww) to fellow first-year-meds (translates as: as brainfucked as brainfucked could be):

Tiny infrared camera.

Pick the lock w/ a non-destructive object like a hairpin.

A secret camera to shoot the paper in transit to eye or while being returned back to the drawer.

1
1
Anonymous Coward

Did I mention the passwords are in braille?

4
0
Devil

"explaining Visual Basic (eww) to fellow first-year-meds (translates as: as brainfucked as brainfucked could be):"

Nah, for the ultimate brainfucking, teach them the programming language BrainFuck. Muahahahaha!

1
0
Bronze badge

> Post-it notes in a locked drawer, I challenge anyone to defeat this foolproof method over the internet.

You're using an internet-connected lock, correct? All the cool kids are doing it!

5
0
Silver badge

Re: Visual Basic

I use VBA a lot in Office and it gets me out of all sorts of pickles, there are many use cases, it gets an unfair press I think!

0
0
Anonymous Coward

I have a password manager.

It's called a notebook.

It doesn't require a battery, has no operating system, and is not connected to the internet.

It's a collection of folded pieces of paper, within a cardboard binding.

It's the latest thing, honestly.

9
1
Thumb Down

But if someone else gets hold of it, it's not exactly hard to break into....

4
3
Silver badge
Holmes

Ah, but he uses security through obscurity. He writes all his passwords on the last page.

8
1

Once physical access has been gained you're screwed!

4
0
