Passwords Under Pressure


  • A lot of bars and restaurants use a fob for the till. It uniquely identifies the server and brings up their current context. This may be suitable for hospitals etc. We must also remember that there is not necessarily a one-solution-fits-all. Perhaps passwords were the best generalised solution, and we are no longer accepting a generalised solution.

    Gaz

    -- Stop your grinnin' and drop your linen...they're everywhere!!!

  • The problem with passwords is that people can't remember them - look up most common helpdesk calls and forgotten passwords are always at the top of the list. Unless you use the same one for everything (!) it is nigh on impossible to remember them all, especially when there are so many different variations of "strong password" requirements.

    Mobile phones seem to be heading in the right direction with fingerprint authentication: The user doesn't have to memorise anything or carry anything around with them, and authentication is instant.

  • Multi factor authentication over and above 2FA is becoming much more common too, with passphrase, shared secret, IP address, physical location, device type, browser type and version analysis all taking place at login to flag up suspicious activity and block access.

    Ultimately the biggest impact on keeping systems secure would be far more efforts by authorities to catch and prosecute scammers and hackers, with very heavy prison sentences as a deterrent. There is a complete lack of international action to deal with these issues, mainly because many hackers are now state sponsored it seems.
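    The login-time analysis described in this post (IP address, location, device type, browser, and whether a second factor was presented, combined to flag or block an attempt) can be sketched as a small risk scorer. This is an added example, not code from the thread or from any vendor's product; the known-device profile, the weights, the thresholds and the three JSON log lines are all constructed for illustration.

```python
"""Added example (not part of the thread): score login events against a
per-user baseline and decide allow / flag / block.  Every value below
(profiles, weights, thresholds, log lines) is constructed for the demo."""
import json
from dataclasses import dataclass, field

# Constructed baseline: what the service has previously seen for each user.
KNOWN_PROFILES = {
    "alice": {"ips": {"203.0.113.10"}, "countries": {"GB"},
              "devices": {"laptop"}, "browsers": {"Firefox/115"}},
}

# Constructed login events, one JSON object per line, as an auth service might log them.
SAMPLE_LOG = """\
{"user":"alice","ip":"203.0.113.10","country":"GB","device":"laptop","browser":"Firefox/115","mfa":true}
{"user":"alice","ip":"198.51.100.7","country":"GB","device":"laptop","browser":"Firefox/116","mfa":true}
{"user":"alice","ip":"198.51.100.7","country":"RU","device":"phone","browser":"Chrome/99","mfa":false}
"""

# Constructed weights: a new country or a missing second factor weigh most.
WEIGHTS = {"new_ip": 1, "new_country": 3, "new_device": 2, "new_browser": 1, "no_mfa": 3}
FLAG_AT, BLOCK_AT = 2, 5          # constructed thresholds

EMPTY_PROFILE = {"ips": set(), "countries": set(), "devices": set(), "browsers": set()}


@dataclass
class Verdict:
    user: str
    score: int
    action: str                      # "allow", "flag" or "block"
    reasons: list = field(default_factory=list)


def score_event(event: dict, profiles=KNOWN_PROFILES) -> Verdict:
    """Compare one login event with the user's baseline and return a verdict."""
    p = profiles.get(event["user"], EMPTY_PROFILE)   # unknown user: everything is new
    checks = [
        ("new_ip",      event["ip"] not in p["ips"]),
        ("new_country", event["country"] not in p["countries"]),
        ("new_device",  event["device"] not in p["devices"]),
        ("new_browser", event["browser"] not in p["browsers"]),
        ("no_mfa",      not event.get("mfa", False)),
    ]
    reasons = [name for name, hit in checks if hit]
    score = sum(WEIGHTS[name] for name in reasons)
    if score >= BLOCK_AT:
        action = "block"
    elif score >= FLAG_AT:
        action = "flag"
    else:
        action = "allow"
    return Verdict(event["user"], score, action, reasons)


def evaluate_log(text: str, profiles=KNOWN_PROFILES) -> list:
    """Parse JSON-lines login records and score each one."""
    return [score_event(json.loads(line), profiles)
            for line in text.splitlines() if line.strip()]


if __name__ == "__main__":
    for v in evaluate_log(SAMPLE_LOG):
        print(f"{v.user}: {v.action} (score {v.score}, reasons {v.reasons})")
```

    Run as written, the first event is allowed (nothing new), the second is flagged (new IP plus a newer browser build), and the third is blocked (new country, device and browser, no second factor). In a real deployment the profile would be updated only from logins that were allowed and later not disputed; learning from flagged attempts would teach the baseline the attacker's device.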

  • TheFault (8/1/2016)


    Ultimately the biggest impact on keeping systems secure would be far more efforts by authorities to catch and prosecute scammers and hackers, with very heavy prison sentences as a deterrent. There is a complete lack of international action to deal with these issues, mainly because many hackers are now state sponsored it seems.

    Sadly the authorities always seem to be two or more steps behind and if they catch someone do little more than give them a slap on the wrist. Here in the UK we have a real problem with nuisance phone calls related to PPI, accident compensation, lifestyle, etc. I have been bothered for nearly a fortnight by calls from a lifestyle company. I cannot bar them as my smart phone knows they are giving out an invalid OLI (originating line identity) and requests to take me off their database seem to be ignored. The regulator's response is that it is a police matter but you cannot report it to the police as there has been no criminal offence. There needs to be a joined-up rethink on all these issues and they need to be taken much more seriously as their cost on people's lives is massive in both real and hidden terms!

  • We have started using fingerprint scanners at our workstations. I love it.

  • The problem *isn't* passwords--the problem is mutually exclusive problem domains.

    We are asking our login/authentication/identification/etc procedures to do mutually exclusive things.

    1. Be easy to use

    2. Identify the user (remotely!)

    3. Authenticate the user is who they say they are.

    Worse, *anything* the user can do or provide will not guarantee they are who they say they are. Spoofing is guaranteed no matter what you do.

    Therefore not only do you have to create a procedure that will, without fail, identify the user AND authenticate the user is who they say they are but you ALSO have to provide a method of *changing* the information should it be compromised.

    This is where biometrics absolutely fail. You can't replace your fingerprints/retinal pattern/voiceprint, etc.

    Worse, you can't store a person's fingerprints etc.; what you actually store is a *digital copy* of those things. Which, of course, can fall prey to both replication (stealing) and replacement (tampering).

    Passwords may be easy to compromise and hard to remember, BUT they're easy to change, rendering replication/replacement issues moot.

    The problem with ID is the more certain it is the harder it is to change. So, paradoxically, the more certain the ID seems, the more impossible it is to change, and thus the more vulnerable it is to the replication/replacement issue.

    Using your phone for 2FA is great--until the phone is stolen, lost, or (worst of all) *copied*. Then you're really and truly screwed.

    A security fob has the same issues.

    Biometrics? Somebody replaces your fingerprint data, boom. Instant lockout/impersonation (true for any biometric, really).

    In short, passwords are the worst form of security--except for all the others.
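    The two properties this post leans on, that a password can be rotated after compromise while a stored biometric is a digital copy that can be swapped out, are easy to see in a small credential store. This is an added example and not code from the thread: it keeps a salted PBKDF2 hash per authenticator with a rotation counter, and seals each stored record with an HMAC under a server-side key (STORE_KEY, a constructed value assumed to live outside the credential database) so that a record that was replaced without that key is rejected at verification instead of silently accepted. Treating a fingerprint template as exact bytes is a simplification; real biometric matching is fuzzy, but the integrity-tag point is the same.

```python
"""Added example (not part of the thread): a credential store where password
compromise is answered by rotation and replacement of a stored record is
detected by an HMAC integrity tag.  STORE_KEY and the templates are constructed."""
import hashlib
import hmac
import json
import secrets

# Assumption: this key is held by the auth service, not in the credential database,
# so whoever can write to the database cannot recompute valid tags.
STORE_KEY = b"constructed-server-side-key-not-stored-with-records"

# Constructed stand-ins for scanner output (real templates are not exact bytes).
FINGERPRINT_TEMPLATE = bytes.fromhex("00112233445566778899aabbccddeeff")
OTHER_TEMPLATE = bytes.fromhex("ffeeddccbbaa99887766554433221100")

PBKDF2_ROUNDS = 50_000   # kept low for the demo; production values are higher


def _hash_secret(secret: bytes, salt: bytes) -> str:
    """Salted PBKDF2-HMAC-SHA256 of the secret, hex encoded."""
    return hashlib.pbkdf2_hmac("sha256", secret, salt, PBKDF2_ROUNDS).hex()


def _tag(key: bytes, record: dict) -> str:
    """Integrity tag over a canonical JSON encoding of the stored record."""
    body = json.dumps(record, sort_keys=True).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


class CredentialStore:
    def __init__(self, key: bytes = STORE_KEY):
        self.key = key
        self.records = {}            # (user, kind) -> {"record": dict, "tag": str}

    def enroll(self, user: str, kind: str, secret: bytes) -> int:
        """Enroll or rotate an authenticator; returns the new version number."""
        prev = self.records.get((user, kind))
        version = prev["record"]["version"] + 1 if prev else 1
        salt = secrets.token_bytes(16)
        record = {"user": user, "kind": kind, "version": version,
                  "salt": salt.hex(), "hash": _hash_secret(secret, salt)}
        self.records[(user, kind)] = {"record": record, "tag": _tag(self.key, record)}
        return version

    def verify(self, user: str, kind: str, secret: bytes) -> str:
        """Returns 'ok', 'bad_secret', 'tampered' or 'unknown'."""
        entry = self.records.get((user, kind))
        if entry is None:
            return "unknown"
        record = entry["record"]
        # Check the seal first: a record rewritten without STORE_KEY fails here.
        if not hmac.compare_digest(_tag(self.key, record), entry["tag"]):
            return "tampered"
        salt = bytes.fromhex(record["salt"])
        if hmac.compare_digest(_hash_secret(secret, salt), record["hash"]):
            return "ok"
        return "bad_secret"


def demo() -> dict:
    """Walk through rotation and replacement; returns the verdicts for checking."""
    store = CredentialStore()
    store.enroll("bob", "password", b"correct horse")
    store.enroll("bob", "fingerprint", FINGERPRINT_TEMPLATE)
    results = {"password_ok": store.verify("bob", "password", b"correct horse"),
               "fingerprint_ok": store.verify("bob", "fingerprint", FINGERPRINT_TEMPLATE)}

    # Compromise of the password is answered by rotation: the old one stops working.
    results["rotated_version"] = store.enroll("bob", "password", b"new phrase")
    results["old_password"] = store.verify("bob", "password", b"correct horse")

    # Simulated replacement of the stored fingerprint record by someone with
    # database write access but no STORE_KEY: the seal no longer matches.
    entry = store.records[("bob", "fingerprint")]
    forged_salt = secrets.token_bytes(16)
    entry["record"]["salt"] = forged_salt.hex()
    entry["record"]["hash"] = _hash_secret(OTHER_TEMPLATE, forged_salt)
    results["replaced_fingerprint"] = store.verify("bob", "fingerprint", OTHER_TEMPLATE)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

    The integrity tag turns the replacement case from an impersonation into a detected event worth alerting on; it does nothing for the replication case (a stolen copy of the template), which is exactly the post's argument that the only real answer there is an authenticator that can be changed.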

  • Check out LastPass at https://lastpass.com/

    Steve Gibson & Leo Laporte

    July 10, 2010

    Entire - https://www.youtube.com/watch?v=r9Q_anb7pwg (Starts around 2nd hour)

    Mercifully, someone broke it into reasonable chunks:

    Part 1 - https://www.youtube.com/watch?v=sLejIcOYk3o

    Part 2 - https://www.youtube.com/watch?v=9n7n2P7tgbo

    Part 3 - https://www.youtube.com/watch?v=1BinfKqnSNc

    Part 4 - https://www.youtube.com/watch?v=1BinfKqnSNc

    Part 5 - https://www.youtube.com/watch?v=lKsackRNTUM

    Part 6 - https://www.youtube.com/watch?v=RPgNo6x6mjg

    Part 7 - https://www.youtube.com/watch?v=eoMMGWKyibE

    Premium is only $12 per year. And they have an enterprise version that should work for this sort of scenario.

    One feature I like is that I can add a new site on my desktop and the new password shows up on my mobile phone.

    Doug

  • ddodge2 (8/1/2016)


    Check out LastPass at https://lastpass.com/

    Steve Gibson & Leo Laporte

    July 10, 2010

    Entire - https://www.youtube.com/watch?v=r9Q_anb7pwg (Starts around 2nd hour)

    Mercifully, someone broke it into reasonable chunks:

    Part 1 - https://www.youtube.com/watch?v=sLejIcOYk3o

    Part 2 - https://www.youtube.com/watch?v=9n7n2P7tgbo

    Part 3 - https://www.youtube.com/watch?v=1BinfKqnSNc

    Part 4 - https://www.youtube.com/watch?v=1BinfKqnSNc

    Part 5 - https://www.youtube.com/watch?v=lKsackRNTUM

    Part 6 - https://www.youtube.com/watch?v=RPgNo6x6mjg

    Part 7 - https://www.youtube.com/watch?v=eoMMGWKyibE

    Premium is only $12 per year. And they have an enterprise version that should work for this sort of scenario.

    One feature I like is that I can add a new site on my desktop and the new password shows up on my mobile phone.

    Doug

    Um, LastPass was shown to be incredibly insecure, wasn't it? Especially considering using any kind of password manager is begging to have your life entirely stolen, since if it's compromised it's game over...

    And I believe LastPass stores data in the cloud, to make matters even worse.

  • Steve, I don't have an answer to your question. However, your article has opened my eyes to the fact that what I've experienced over the last couple of decades isn't something that should work in all situations. I've never even thought of the possibility of someone needing to log in very quickly, but your example makes sense. You can't have someone in an operating room waiting to go through a two-factor authentication that also might include some Captcha verification. ("I'm sorry madam, we let your husband die on the operating table, but we were busy trying to identify what the Captcha image was so we could log in...")

    Bottom line, there isn't a one-size-fits-all when it comes to passwords and how they should be used to authenticate someone.

    Kindest Regards, Rod

    Connect with me on LinkedIn.

  • If the wifi isn't secured with encryption, then it doesn't matter whether authentication is via password, fob, or biometrics. Hackers can steal the credentials or token in mid-flight.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • No, they are secure. They did experience a hack but given the nature and level of encryption nothing was compromised that I am aware of.

    Suggest listening to the videos. Steve knows his stuff cold.

    Regards,

    Doug

  • LastPass had an issue, but not incredibly insecure. The issue was patched quickly.

    It's not game over if your password manager is compromised. It's no worse than if you have other compromises, plus you have a domain of places to actually understand how to go change passwords in which places.

  • Rod at work (8/1/2016)


    Steve, I don't have an answer to your question. However, your article has opened my eyes to the fact that what I've experienced over the last couple of decades isn't something that should work in all situations. I've never even thought of the possibility of someone needing to log in very quickly, but your example makes sense. You can't have someone in an operating room waiting to go through a two-factor authentication that also might include some Captcha verification. ("I'm sorry madam, we let your husband die on the operating table, but we were busy trying to identify what the Captcha image was so we could log in...")

    Bottom line, there isn't a one-size-fits-all when it comes to passwords and how they should be used to authenticate someone.

    I believe the key to security is not just "least required privilege" but also "least required connectivity". For a number of different reasons (security, dependability during a natural disaster, cost containment, etc.), equipment in a hospital operating room should be functional without relying on network connectivity. Hackers can't get at a system if there is no IP port, and we must ask ourselves how much value does that open network port really add to the process of treating the patient.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • I definitely prefer 2 factor authentication on my more sensitive applications.

    Apart from that, with the inherent risk of passwords that I can't avoid, I try a bit of security through obscurity.

    i.e. I don't tell people generally how I hold my passwords.

    LastPass sounds decent enough but they are a big fat juicy target.

    cloudydatablog.net
