"First we can make our passwords as complex as we can, and change them regularly"... oh dear not this again...
It has never been easier to conduct a cyber attack. There now exists a range of off-the-shelf tools and services that do all the heavy lifting – you just need to pick an approach and tool you like best. There's ransomware-as-a-service with its "here's one I made earlier" code, search engines that show connected interfaces with …
Monday 17th September 2018 18:10 GMT Anonymous Coward
How many pen testers dine out on that one.
It really is about time they gave that one up.
Yes, passwords need to be complex... and making users change them every 30 to 90 days just wastes Post-it notes.
I got the domain admin password regularly at one place... because that's the only way it was remembered! Plus you had a counter that increased, so after a couple of times I always guessed it.
Monday 17th September 2018 18:43 GMT DougS
Changing your passwords often is STUPID
That encourages people to either use less complex passwords, use "complex1234" -> "complex2345" games (I know, because that's what I always use to get around stupid mandatory change policies) and/or write down their passwords.
No way should you ever be required to change more often than once a year, and even that is questionable.
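The "complex1234" -> "complex2345" trick above is exactly the kind of change a password-change handler can catch at the moment the user submits the old and the new password together. The following is an added example, not code from the thread or from any product mentioned in it: it reduces both strings to their alphabetic stem and also measures edit distance, so that a password that differs from the previous one only in its digits or symbols, or by fewer than a handful of edits, is rejected. It assumes the old password is available in plaintext only during the change request (as it is, since the user has to type it), never from stored history.

```python
import re

def _stem(pw: str) -> str:
    """Lower-case the password and drop everything that is not a letter, so
    'Complex1234!' and 'complex2345?' both reduce to 'complex'."""
    return re.sub(r"[^a-z]", "", pw.lower())

def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a second, stem-independent similarity test that also
    catches 'Passw0rd!' -> 'Passw0rd!1'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def rotation_problem(old: str, new: str, min_edits: int = 4):
    """Return a reason string if `new` is a trivial variant of `old`, else None.

    `old` is the current password the user typed into the change form
    (hypothetical parameter names; no stored plaintext history is assumed).
    """
    if old.lower() == new.lower():
        return "new password is the old one with different capitalisation"
    if _stem(old) and _stem(old) == _stem(new):
        return "only the digits or symbols changed"
    if levenshtein(old.lower(), new.lower()) < min_edits:
        return "too similar to the previous password"
    return None

def change_password(old: str, new: str) -> bool:
    """Gate for a change request: True if the change should be accepted."""
    return rotation_problem(old, new) is None

if __name__ == "__main__":
    print(rotation_problem("complex1234", "complex2345"))   # only the digits or symbols changed
    print(rotation_problem("Passw0rd!", "Passw0rd!1"))      # too similar to the previous password
    print(rotation_problem("Tr0ub4dor&3", "correct horse battery staple"))  # None
```

The stem test is deliberately coarse: it treats a digit-only or symbol-only change as no change at all, which is the policy outcome the commenter is describing. The edit-distance threshold is a tunable assumption, not a standard value.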
Monday 17th September 2018 20:57 GMT BrownishMonstr
Re: Changing your passwords often is STUPID
The pain a monthly password change causes isn't worth it. I now have a script to update my password every 28 days, along with my local IIS password, and Windows Credentials so I don't waste time wondering why I can't debug, or trying to access our local NuGet repo.
Tuesday 18th September 2018 17:05 GMT Robert Carnegie
A year is too long AND not long enough for a password
The article makes the point that a password can be compromised, and not used... until someone in the department gets a Nobel Prize, or you migrate your application interface to the cloud, and a new opportunity is created.
Up to a limit, passwords can be remembered by the user; my limit is 6 letters and 2 digits for several different passwords, making up little phrases to remind of the letters (the numbers usually come to mind when the letters do), and if possible not changing all of them at once. I may do better if I have to. As it is, I have one format that satisfies nearly everyone's rules. 69soddit! if necessary. ;-)
But without the exercise of regularly remembering new passwords, you won't be able to do it when you do have to. It needs practice.
Monday 17th September 2018 10:07 GMT Chairman of the Bored
And we can avoid...
...giving the third and fourth degree to employees who make mistakes. We all screw up security sometimes.
We need to hold people accountable but if you make penalties for even slight infractions truly Draconian, people just won't report problems. And problems do not get better with age.
Monday 17th September 2018 11:38 GMT Robert Helpmann??
Re: And we can avoid...
We need to hold people accountable but if you make penalties for even slight infractions truly Draconian, people just won't report problems.
If we follow the original spirit of the term "Draconian", compliance will be achieved relatively quickly by the survivors. While your point stands about the harshness of the penalty needing to fit the infraction, it does help to take a cue from Draco and make sure that expected behaviour is stated explicitly and prominently so there is no possible defence of ignorance. Training always needs to come first and only after should it be followed by enforcement.
Monday 17th September 2018 10:18 GMT whitepines
Oh yes, we should deploy face recognition for logins because what could possibly happen while walking around with one's real, unchangeable face in public? Ditto for fingerprints, though there's a slight bit more work involved to get them.
When will people learn that identification !== authentication? And that identification systems are oftentimes inherently spoofable (see face and fingerprint recognition again)?
A smart card or similar dongle with PIN would provide oodles more real security than some spoofable biometric system with a weak password. Having to have a revocable card plus an active PIN at the same time is a pretty high bar to reach without people knowing about it.
Monday 17th September 2018 10:41 GMT Richard Pennington 1
Face recognition has another problem - or two.
When I was a graduate student in the 1980s, my university department had a display of full-face photographs of its staff members, down to and including the cat which frequently visited the place. This means that anyone who wanted to spoof a face-recognition program (which were of course unknown at the time) could simply take a picture of the photo display and extract any desired picture for use in a fake ID.
Also, there was another staff member - I shall call him Richard S - whose photo was very similar to mine (start with a beard and glasses). Just right to confuse a face-recognition system. In real life no-one could possibly confuse us, as I was 20 years younger and more than a foot (30+ cm) taller than him.
Monday 17th September 2018 11:08 GMT Jack of Shadows
Despite all that advice, generally good advice, you still have a problem training your machine-learning software. Ensuring that 100% of the training is "normal operations" and looking at the traffic I see showing up here, that is most definitely not true. Classifying the data fed to the model is key to all ML/AI scenarios. That's why we have all those lovely datasets to play with lately. The traffic from your site, unless one has time to burn, isn't classified.
If it's important, I have a couple of YubiKeys for the purpose of authentication. If it's for something connected to the Internet, I just use the fact, not supposition, that whatever device I'm looking at, it's compromised. Saves wear and tear. And, that's not what people want to hear. The Internet is supposed to be secure provided one follows the right security recipe.
Monday 17th September 2018 12:33 GMT VinceH
I've got this cracked.
When a user wants to log-in, they input their user name and password.
Then there's the second factor authorisation - they get sent a code they must input.
Then they enter digits x and y from their existing authorisation code.
I am then sent an alert. I look them up on an old-fashioned Rolodex.
I then ring them using their number on that Rolodex and see if I recognise their voice.
If I do, I give them another code to input into the next stage of the log-in.
I manually check this, and if it matches I email them a new code.
They must write that code on a piece of card, and email me back a selfie with them holding it in shot.
If the code in the picture matches, and their face in the picture matches the one in the Rolodex, they are finally granted entry.
Monday 17th September 2018 13:15 GMT onefang
Monday 17th September 2018 14:26 GMT VinceH
Well, I was thinking of additional steps - but your reply makes me think they may be a step too far:
I was considering have the user appoint their preferred T-shirt printing company. When I send them the code for the card, I would also send a checksum to the company; they would print it on a T-shirt and despatch that to the user to wear in the same picture. You've heard of 2FA - this would be 3PA (third party authentication).
If they don't want to go to the cost of having T-shirts printed, another option would be to appoint a trusted third party who would write the checksum on the user's forehead using permanent marker.
Options I considered but discarded include having the user have tattoos of any codes (or imagery to make it harder) - but I realised they'd run out of space.
Another option would be biometric - fingerprints. In this case, though, I was thinking that they'd have to cut off their finger and use a same day courier to get it to me for verification. So I'd know it's not just someone using a gummy bear. The flaws in this were twofold, however: First of all it would limit the number of possible log-ins because they'd run out of fingers to type with (and worse, it would be fewer than ten, because as the number of fingers is reduced, their typing would diminish - long before they actually run out). The second issue is that I wouldn't be able to be certain if the fingers were cut off by themselves as part of the log-in, or by criminals trying to defeat my system.
Monday 17th September 2018 23:40 GMT onefang
"First of all it would limit the number of possible log-ins because they'd run out of fingers to type with (and worse, it would be fewer than ten, because as the number of fingers is reduced, their typing would diminish - long before they actually run out)."
Start with their toeprints, and work up to their fingerprints. Has the advantage of lasting longer, and they can continue to type through most of it. Hospitals collect footprints of new born babies as identification, so it's a proven method.
Monday 17th September 2018 23:45 GMT onefang
"The second issue is that I wouldn't be able to be certain if the fingers were cut off by themselves as part of the log-in, or by criminals trying to defeat my system."
It's early, I've not had brekky yet, or I would have thought of this on my first response.
Have the users smear a one-time code onto a nearby wall in the photo with the blood from their freshly cut-off finger / toe. There will be two codes: one represents "Some criminal cut off my finger / toe.", the other "Everything is fine, send pizza / finger food." (depending on how hungry they are).
Monday 17th September 2018 13:59 GMT Duncan Macdonald
Regular Training !!!
In most organizations, trying to get the bosses to pay for one off training is almost impossible and regular training is beyond a pipe dream. Also have fun trying to give the bosses security training - most will not agree to attend and those that do will not listen (or be able to understand).
Remember also most organizations try to use the cheapest workforce that they can get - do not expect the average minimum wage worker to understand security even if given a lot of training.
Any real life security system needs to cope with low IQ users who have had minimal training.
Monday 17th September 2018 19:54 GMT Anonymous Coward
It also doesn't help when...
the companies you entrust with your data go out of their way to reduce the security to better serve their advertisers, affiliates etc.
I have an old email account from the dial-up days for which I was unable to change the password.
It turns out that the reason the account page kept throwing errors when I had tried to change the compromised account was that my email provider removed the option for having uppercase letters and special characters. Only lowercase letters and numbers were now accepted for passwords.
My password contained both uppercase and lowercase letters, numbers and special characters, so an error would appear saying my original password was incorrect when trying to change it.
When I contacted the email provider the employees emailed me my password.
Yes, all their employees had access to users passwords instead of only having the ability to reset the password as other email providers do.
The login page to this email was over https, but after entering your credentials the web browser redirects to a regular, unencrypted http site for the mail server, and users' emails and contact lists were sent in plain text.
The email company told me that their email server "does not support encryption" but refused to elaborate.
The very next day after Google started flagging http sites the email server started serving over https.
The date of the certificate shows this date.
And although the email server now has an attached certificate, there are images and iframes from http servers being injected into it.
Of course every email correspondence I received from the email provider was prefaced with the usual: "We take customers' security and privacy very seriously..."
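Two of the failures in the account above (a charset rule that bans uppercase and symbols, and staff who can email a user their password back) come from the same design decision: the provider kept the password itself rather than a one-way hash of it. The block below is an added illustration, not the provider's code or anything from the thread, of what the alternative looks like with only the Python standard library: the password is NFKC-normalised and accepted as any Unicode string, stored only as a salted PBKDF2-HMAC-SHA256 record, and "support can help you" becomes a reset token whose hash, not value, is kept server-side. Function names and the record format are this example's own assumptions.

```python
import hashlib
import hmac
import secrets
import unicodedata

# Iteration count per OWASP's 2023 guidance for PBKDF2-HMAC-SHA256.
PBKDF2_ITERATIONS = 600_000

def _normalise(password: str) -> bytes:
    """Accept any Unicode password (no 'lowercase and digits only' rule) and
    NFKC-normalise it so the same visible string always hashes identically."""
    return unicodedata.normalize("NFKC", password).encode("utf-8")

def hash_password(password: str) -> str:
    """Return a self-describing record 'pbkdf2_sha256$iters$salt$hash'.
    The plaintext cannot be recovered from it, so staff can reset but never
    retrieve a password (hypothetical record format for this example)."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", _normalise(password), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time."""
    algo, iters, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", _normalise(password),
                             bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)

def new_reset_token() -> tuple[str, str]:
    """The reset path support staff should have: return (token_to_email,
    hash_to_store). Only the hash is written to the database, so a leaked
    table or a curious employee cannot redeem the token."""
    token = secrets.token_urlsafe(32)
    return token, hashlib.sha256(token.encode()).hexdigest()

def redeem_reset_token(presented: str, stored_hash: str) -> bool:
    """True if the token the user presents matches the stored hash."""
    return hmac.compare_digest(hashlib.sha256(presented.encode()).hexdigest(), stored_hash)

if __name__ == "__main__":
    rec = hash_password("Pässw0rd!ÜPPER")            # mixed case, symbols, non-ASCII all fine
    print(verify_password("Pässw0rd!ÜPPER", rec))    # True
    print(verify_password("passw0rd!upper", rec))    # False
    token, stored = new_reset_token()
    print(redeem_reset_token(token, stored))         # True
```

Storing the iteration count inside the record lets the cost be raised later without re-hashing every account at once; old records are upgraded on the user's next successful login.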
Tuesday 18th September 2018 00:38 GMT Mayday
Tuesday 18th September 2018 15:40 GMT Calgary IT Guy
>>such as a user's access from new and exotic locations, for example.
I'm searching for exactly this solution, and it doesn't seem to exist. I'd love to know when a mailbox in my organization is accessed from outside of our geographical area. Then I'd know the password has been compromised.
Tuesday 18th September 2018 17:24 GMT Anonymous Coward
"I'm searching for exactly this solution, and it doesn't seem to exist. I'd love to know when a mailbox in my organization is accessed from outside of our geographical area. Then I'd know the password has been compromised."
No, you would not.
You might just find someone who takes privacy and security seriously, and is going to the internet via a VPN.
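The exchange above is the two halves of a location-based sign-in alert: "tell me when a mailbox is opened from outside our area" and "that will fire every time someone is on a VPN". The block below is an added example, not from the thread or from any mail product, of detection logic that handles both. It runs over a constructed sample of sign-in events, suppresses events from the organisation's own VPN egress addresses, and raises two kinds of alert: a successful sign-in from outside the home countries, and a pair of sign-ins for one user that would need impossible travel speed between them. The GeoIP table, the VPN egress list and the log lines are all constructed for the example; in a real deployment the coordinates come from a GeoIP database or the identity provider's sign-in log.

```python
import json
import math
from datetime import datetime

# Constructed stand-in for a GeoIP database: ip -> (country, lat, lon).
GEO = {
    "203.0.113.10": ("CA", 51.05, -114.07),  # Calgary
    "203.0.113.11": ("CA", 51.05, -114.07),
    "198.51.100.7": ("NL", 52.37, 4.90),     # Amsterdam
    "192.0.2.99": ("US", 37.77, -122.42),    # San Francisco
}
HOME_COUNTRIES = {"CA"}
# Constructed: public egress addresses of the organisation's own VPN. A sign-in
# from here is the privacy-conscious user on a VPN, not a compromised password.
VPN_EGRESS = {"198.51.100.7"}
MAX_KMH = 900.0  # faster than an airliner between two sign-ins is not travel

# Constructed sample of mailbox sign-in events, one JSON object per line.
SAMPLE_LOG = """\
{"ts": "2018-09-18T14:00:00", "user": "alice", "ip": "203.0.113.10", "result": "success"}
{"ts": "2018-09-18T14:30:00", "user": "alice", "ip": "198.51.100.7", "result": "success"}
{"ts": "2018-09-18T15:00:00", "user": "bob", "ip": "203.0.113.11", "result": "success"}
{"ts": "2018-09-18T15:05:00", "user": "bob", "ip": "192.0.2.99", "result": "failure"}
{"ts": "2018-09-18T15:20:00", "user": "bob", "ip": "192.0.2.99", "result": "success"}
"""

def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance between two points in kilometres."""
    r = 6371.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    h = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(h))

def parse_events(text):
    """Yield successful sign-ins as (datetime, user, ip), dropping failures and
    anything from the organisation's own VPN egress."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        if ev["result"] != "success" or ev["ip"] in VPN_EGRESS:
            continue
        yield datetime.fromisoformat(ev["ts"]), ev["user"], ev["ip"]

def detect(text):
    """Return (user, reason, detail) alerts for sign-ins outside the home
    countries and for consecutive sign-ins that imply impossible travel."""
    alerts = []
    last = {}  # user -> (datetime, lat, lon, ip) of the previous sign-in
    for ts, user, ip in sorted(parse_events(text)):
        country, lat, lon = GEO.get(ip, ("??", None, None))
        if country not in HOME_COUNTRIES:
            alerts.append((user, "foreign_country", ip))
        if lat is not None and user in last:
            pts, plat, plon, pip = last[user]
            hours = (ts - pts).total_seconds() / 3600
            km = haversine_km(plat, plon, lat, lon)
            speed = km / hours if hours > 0 else float("inf")
            if km > 0 and speed > MAX_KMH:
                alerts.append((user, "impossible_travel", f"{pip}->{ip}"))
        if lat is not None:
            last[user] = (ts, lat, lon, ip)
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)   # two alerts for bob; alice's Amsterdam sign-in is the VPN and is silent
```

Alice's Amsterdam sign-in never reaches the detector because it came from the VPN egress; Bob's San Francisco sign-in trips both rules, since Calgary to San Francisco is roughly 1,600 km and the two sign-ins are twenty minutes apart. An IP not in the GEO table still produces a foreign-country alert but is left out of the travel calculation rather than guessed.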
Tuesday 18th September 2018 17:31 GMT Daniel 18
'Sticky' Fundamental Misconception
" and because it's so simple to put tools such as face recognition or fingerprint scanners on our devices – why not use it internally too?"
A lot of people think that biometrics can be used for authentication, but they are not really secure.
At best, they are an alternate form of user name, not an adjunct to passwords.
Revoking your face, fingerprints, or iris pattern is likely to be difficult and painful.