back to article Tick-tock, tick-tock. Oh, that's just the sound of compromised logins waiting to ruin your day

It has never been easier to conduct a cyber attack. There now exists a range of off-the-shelf tools and services that do all the heavy lifting – you just need to pick an approach and tool you like best. There's ransomware-as-a-service with its "here's one I made earlier" code, search engines that show connected interfaces with …

  1. Anonymous Coward
    Anonymous Coward

    "First we can make our passwords as complex as we can, and change them regularly"... oh dear not this again...

    1. MiguelC Silver badge

      I was already worked up with that, but what about "it's so simple to put tools such as face recognition or fingerprint scanners on our devices"?

      That's when I stopped reading and started foaming from the mouth while screaming obscenities

    2. Anonymous Coward
      Anonymous Coward

      How many pen testers dine out on that one.

      It really is about time they gave that one up.

      Yes password need to be complex...and making users change them every 30 to 90 days just wastes postit notes.

      I got the domain admin password regularly at one place...because that's the only way it was remembered! Plus you had a counter that increased so after a cpuple of times I always guessed it.

      1. DougS Silver badge
        Mushroom

        Changing your passwords often is STUPID

        That encourages people to either use less complex passwords, use "complex1234" -> "complex2345" games (I know, because that's what I always use to get around stupid mandatory change policies) and/or write down their passwords.

        No way should you ever be required to change more often than once a year, and even that is questionable.

        1. BrownishMonstr

          Re: Changing your passwords often is STUPID

          The pain a monthly password change causes isn't worth it. I now have a script to update my password every 28 days, along with my local IIS password, and Windows Credentials so I don't waste time wondering why I can't debug, or trying to access our local NuGet repo.

        2. Robert Carnegie Silver badge

          A year is too long AND not long enough for a password

          The article makes the point that a password can be compromised, and not used... until someone in the department gets a Nobel Prize, or you migrate your application interface to the cloud, and a new opportunity is created.

          Up to a limit, passwords can be remembered by the user; my limit is 6 letters and 2 digits for several different passwords, making up little phrases to remind of the letters (the numbers usually come to mind when the letters do), and if possible not changing all of them at once. I may do better if I have to. As it is, I have one format that satisfies nearly everyone's rules. 69soddit! if necessary. ;-)

          But without the exercise of regularly remembering new passwords, you won't be able to do it when you do have to. It needs practice.

  2. Roger Greenwood

    Made me laugh . . .

    https://twitter.com/webster/status/1041164911223685120

  3. Chairman of the Bored Silver badge

    And we can avoid...

    ...giving the third and fourth degree to employees who make mistakes. We all screw up security sometimes.

    We need to hold people accountable but if you make penalties for even slight infractions truly Draconian, people just won't report problems. And problems do not get better with age.

    1. Robert Helpmann?? Silver badge
      Headmaster

      Re: And we can avoid...

      We need to hold people accountable but if you make penalties for even slight infractions truly Draconian, people just won't report problems.

      If we follow the original spirit of the term "Draconian", compliance will be achieved relatively quickly by the survivors. While your point about the harshness of the penalty needing to fit the infraction, it does help to take a cue from Draco and make sure that expected behavior is stated explicitly and prominently so there is no possible defense of ignorance. Training always needs to come first and only after should it be followed by enforcement.

    2. Anonymous Coward
      Anonymous Coward

      Re: And we can avoid...

      You should only CONSIDER going nuclear IF the news doesn't come from inside first.

      Same reason doctors are not fired when people die...you need to know what and why and not motivate staff to cover up.

  4. whitepines Silver badge

    Oh yes, we should deploy face recognition for logins because what could possibly happen while walking around with one's real, unchangeable face in public? Ditto for fingerprints, though there's a slight bit more work involved to get them.

    When will people learn that identification !== authentication? And that indentification sytems are oftentimes inherently spoofable (see face and fingerprint recognition again)?

    A smart card or similar dongle with PIN would provide oodles more real security than some spoofable biometric system with a weak password. Having to have a revokable card plus an active PIN at the same time is a pretty high bar to reach without people knowing about it.

  5. Richard Pennington 1

    Face recognition has another problem - or two.

    When I was a graduate student in the 1980s, my university department had a display of full-face photographs of its staff members, down to and including the cat which frequently visited the place. This means that anyone who wanted to spoof a face-recognition program (which were of course unknown at the time) could simply take a picture of the photo display and extract any desired picture for use in a fake ID.

    Also, there was another staff member - I shall call him Richard S - whose photo was very similar to mine (start with a beard and glasses). Just right to confuse a face-recognition system. In real life no-one could possibly confuse us, as I was 20 years younger and more than a foot (30+ cm) taller than him.

  6. Jack of Shadows Silver badge

    Secure? Ptah!

    Despite all that advice, generally good advice, you still have a problem training your machine-learning software. Insuring that 100% of the training is "normal operations" and looking at the traffic I see showing up here, that is most definitely not true. Classifying the data fed to the model is key to all ML/AI scenarios. That's why we have all those lovely datasets to play with lately. The traffic from your site, unless one has time to burn, isn't classified.

    If it's important, I have a couple of YubiKeys for the purpose of authentication. If it's for something connected to the Internet, I just use the fact, not supposition, that whatever device I'm looking at, it's compromised. Saves wear and tear. And, that's not what people want to hear. The Internet is supposed to be secure provided one follows the right security recipe.

  7. VinceH Silver badge
    Coat

    Optional

    I've got this cracked.

    When a user wants to log-in, they input their user name and password.

    Then there's the second factor authorisation - they get sent a code they must input.

    Then they enter digits x and y from their existing authorisation code.

    I am then sent an alert. I look them up on a old fashioned rolladex.

    I then ring them using their number on that rolladex and see if I recognise their voice.

    If I do, I give them another code to input into the next stage of the log-in.

    I manually check this, and if it matches I email them a new code.

    They must write that code on a piece of card, and email me back a selfie with them holding it in shot.

    If the code in the picture matches, and their face in the picture matches the one in the rolladex, they are finally granted entry.

    1. onefang Silver badge
      Coat

      Re: Optional

      You are correct, that is totally cracked. Must be some fine crack you get in your neck of the woods.

      1. VinceH Silver badge
        Coat

        Re: Optional

        Well, I was thinking of additional steps - but your reply makes me think they may be a step too far:

        I was considering have the user appoint their preferred T-shirt printing company. When I send them the code for the card, I would also send a checksum to the company; they would print it on a T-shirt and despatch that to the user to wear in the same picture. You've heard of 2FA - this would be 3PA (third party authentication).

        If they don't want to go to the cost of having T-shirts printed, another option would be to appoint a trusted third party who would write the checksum on the user's forehead using permanent marker.

        Options I considered but discarded include having the user have tattoos of any codes (or imagery to make it harder) - but I realised they'd run out of space.

        Another option would be biometric - fingerprints. In this case, though, I was thinking that they'd have to cut off their finger and use a same day courier to get it to me for verification. So I'd know it's not just someone using a gummy bear. The flaws in this were twofold, however: First of all it would limit the number of possible log-ins because they'd run out of fingers to type with (and worse, it would be fewer than ten, because as the number of fingers is reduced, their typing would diminish - long before they actually run out). The second issue is that I wouldn't be able to be certain if the fingers were cut off by themselves as part of the log-in, or by criminals trying to defeat my system.

        1. onefang Silver badge

          Re: Optional

          "First of all it would limit the number of possible log-ins because they'd run out of fingers to type with (and worse, it would be fewer than ten, because as the number of fingers is reduced, their typing would diminish - long before they actually run out)."

          Start with their toeprints, and work up to their fingerprints. Has the advantage of lasting longer, and they can continue to type through most of it. Hospitals collect footprints of new born babies as identification, so it's a proven method.

        2. onefang Silver badge

          Re: Optional

          "The second issue is that I wouldn't be able to be certain if the fingers were cut off by themselves as part of the log-in, or by criminals trying to defeat my system."

          It's early, I've not had brekky yet, or I would have thought of this on my first response.

          Have the users smear a one time code onto the a nearby wall in the photo with the blood from their freshly cut off finger / toe. Their will be two codes, one represents "Some criminal cut of my finger / toe.", the other "Everything is fine, send pizza / finger food." (depending on how hungry they are).

  8. Duncan Macdonald Silver badge
    FAIL

    Regular Training !!!

    In most organizations, trying to get the bosses to pay for one off training is almost impossible and regular training is beyond a pipe dream. Also have fun trying to give the bosses security training - most will not agree to attend and those that do will not listen (or be able to understand).

    Remember also most organizations try to use the cheapest workforce that they can get - do not expect the average minimum wage worker to understand security even if given a lot of training.

    Any real life security system needs to cope with low IQ users who have had minimal training.

  9. This post has been deleted by its author

  10. Anonymous Coward
    Anonymous Coward

    It also doesn't help when...

    the companies you entrust with your data go out of their way to reduce the security to better serve their advertisers, affiliates etc.

    I have an old email from the dial-up days that I was unable to change the password.

    It turns out that the reason the account page kept throwing errors when I had tried to change the compromised account was that my email provider removed the option for having uppercase letters and special characters. Only lowercase letters and numbers were now accepted for passwords.

    My password contained both uppercase and lowercase letters, numbers and special characters so an error would appear saying my original password.was incorrect when trying to change it.

    When I contacted the email provider the employees emailed me my password.

    Yes, all their employees had access to users passwords instead of only having the ability to reset the password as other email providers do.

    The login page to this email was over https but after entering in your credentials the web browser redirects to a a regular, unencrypted http site for the mail server and users emails, contact list was sent over plain text..

    The email company told me that their email server "does not support encryption" but refused to elaborate.

    The very next day after Google started flagging http sites the email server started serving over https.

    The date of the certificate shows this date..

    And although the email server now has an attached certificate, there are images and iframes from http servers being injected into it.

    Of course every email corospondence I received from the email provider was prefaced with the usual: "We take customers security and privacy very seriously..."

    1. Robert Carnegie Silver badge
      Joke

      Punctuation

      "We take customers security and privacy. Very seriously." FTFY

  11. Mayday Silver badge
    Paris Hilton

    Every time I see an article like this

    It reminds me to check if my battery horse staple is indeed correct.

    https://xkcd.com/936/

    1. onefang Silver badge

      Re: Every time I see an article like this

      That's become a staple of commentards on these articles. It's too late to lock that staple, er stable, the horse has already bolted, likely coz someone applied a battery to their sensitive bits.

      I'm not so sure any of the above is correct.

  12. Calgary IT Guy

    >>such as a user's access from new and exotic locations, for example.

    I'm searching for exactly this solution, and it doesn't seem to exist. I'd love to know when a mailbox in my organization is accessed from outside of our geographical area. Then I'd know the password has been compromised.

    1. Anonymous Coward
      Anonymous Coward

      "I'm searching for exactly this solution, and it doesn't seem to exist. I'd love to know when a mailbox in my organization is accessed from outside of our geographical area. Then I'd know the password has been compromised."

      No, you would not.

      You might just find someone who takes privacy and security seriously, and is going to the internet via a VPN.

  13. Daniel 18

    'Sticky' Fundamental Misconception

    " and because it's so simple to put tools such as face recognition or fingerprint scanners on our devices – why not use it internally too?"

    A lot of people think that biometrics can be used for authentication, but they are not really secure.

    At best, they are an alternate form of user name, not an adjunct to passwords.

    Revoking your face, fingerprints, or iris pattern is likely to be difficult and painful.

    1. whitepines Silver badge
      Devil

      Re: 'Sticky' Fundamental Misconception

      The latter option made me cringe. That's a mental image I don't want.

      You can keep your biometrics!!

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019