Passwords Under Pressure

  • Eric M Russell (8/1/2016)


    If the wifi isn't secured with encryption, then it doesn't matter whether authentication is via password, fob, or biometrics. Hackers can steal the credentials or token in mid-flight.

    Bingo! The end points are your weak spot. You can encrypt your data and your hard drive as needed.

  • Steve Jones - SSC Editor (8/1/2016)


    LastPass had an issue, but not incredibly unsecure. The issue was patched quickly.

    It's not game over if your password manager is compromised. It's no worse than if you have other compromises, plus you have a domain of places to actually understand how to go change passwords in which places.

    With LastPass' double AES encryption approach I'd doubt that part is their Achilles heel. But if you can get someone's master password then the game is pretty much over - but that's true really for any setup. This is where the notion of two (I'd suggest three) factor authentication earns its money.

    Fingerprints are good because that satisfy both what a person has (#2) and what a person is (#3)

    My original thought was that LastPass has a pretty solid enterprise-wide setup and they support dual-factor authentication. And their enterprise version has single sign-on. Most users aren't careful enough nor do they understand just how vulnerable they actually are and, for me, LastPass is another good solid tool in my "tool belt". We have a fiduciary responsibility to our clients and employers to worry about these things. 🙂

    Note: I do not work for these folks. I've been making a living in technology for almost 30 years now and rarely give an endorsement. LastPass is an exception as I, like some of the other good folks here, am paranoid about this stuff.

  • I would like the ability to turn off password masking, maybe not all the time, but with a key to hold down to see what's been typed. I've attempted to use more-secure "pass phrases" for my main work account, but I was foiled by typos. Apparently some of the pass phrases I chose were highly vulnerable to my own "typo patterns." I locked myself out several times. Each time I did that, I had to physically locate my manager and have him authorize an account unlock. Until I did that, I had to sit at my desk doing nothing in front of a locked computer, sometimes for hours. I've given up on pass phrases. Apparently, I can remember them, but I can't blind-type them.

  • We really could use read only access to our accounts with a separate user name and password.

    We could also use more visibility to the access logs, like a link to them after we log in.

    412-977-3526 call/text

  • I like the idea of using fingerprints for low-level security such as accessing my Smartphone, but I'm less enthusiastic about using it for high-security measures. If I worked in a bank I wouldn't want to have the vault keyed to my fingerprint -- I'd just as soon not have criminals go down the line of thought that the only thing they need to break into the vault is one of my appendages.:(

    Two-factor authentication isn't bad . . . until it fails, such as when trying to login from a location with no cell phone service. It can also become something worthy of modern-day Abbott and Costello routine such as when I charge something on my credit card using an app on my cell phone and the credit card company sends me a text on that same cell phone to have me confirm that the charge is authorized.:ermm:

    I use Lastpass premium and ultimately like it pretty well but I find that I still shy away from the really-strong passwords even though it will generate and store them for me without any fuss. The problem is when I create one for a program which doesn't work with Lastpass. If it can't interact with the program to supply the password, Lastpass will allow me to save it to the clipboard and paste it in but there are some programs which won't even allow pasting a password and I'm stuck trying to type in a 30-character, cryptic mess of characters into a blind textbox -- yeah, that never goes badly. Lastpass could also stand to be a little better refined -- I frequently find myself confused when I create and save a new password with Lastpass and then it immediately asks me if I want to save the password for that website. But without it, there would be little choice but to use some considerably-less secure option such as carrying around a list of my passwords.

    - Les

  • ddodge2 (8/1/2016)


    Steve Jones - SSC Editor (8/1/2016)


    LastPass had an issue, but not incredibly unsecure. The issue was patched quickly.

    It's not game over if your password manager is compromised. It's no worse than if you have other compromises, plus you have a domain of places to actually understand how to go change passwords in which places.

    With LastPass' double AES encryption approach I'd doubt that part is their Achilles heel. But if you can get someone's master password then the game is pretty much over - but that's true really for any setup. This is where the notion of two (I'd suggest three) factor authentication earns its money.

    One of the reasons I decided to go with Lastpass was because when they discovered the attempted hack they chose to shut everything down until they had determined the vulnerability, which caused a lot of controversy since it meant that anyone who didn't have a local cache of their passwords was effectively locked out of their accounts. While I understand why that is frustrating, I would rather that Lastpass was doing its best to shield my data rather than yielding to those who are more concerned about access.

    - Les

  • Lastpass is a little less upfront with freeloaders.

    There is no way to back up your password file if you don't pay them $12 a year.

    They should make that much more transparent than they do.

    412-977-3526 call/text

  • robert.sterbal 56890 (8/1/2016)


    Lastpass is a little less upfront with freeloaders.

    There is no way to back up your password file if you don't pay them $12 a year.

    They should make that much more transparent than they do.

    Well, when in this case a freeloader would be defined as unwilling to pay $12 per year I find myself struggling to find my sympathy stash. 😉

  • lnoland (8/1/2016)


    ddodge2 (8/1/2016)


    Steve Jones - SSC Editor (8/1/2016)


    LastPass had an issue, but not incredibly unsecure. The issue was patched quickly.

    It's not game over if your password manager is compromised. It's no worse than if you have other compromises, plus you have a domain of places to actually understand how to go change passwords in which places.

    With LastPass' double AES encryption approach I'd doubt that part is their Achilles heel. But if you can get someone's master password then the game is pretty much over - but that's true really for any setup. This is where the notion of two (I'd suggest three) factor authentication earns its money.

    One of the reasons I decided to go with Lastpass was because when they discovered the attempted hack they chose to shut everything down until they had determined the vulnerability, which caused a lot of controversy since it meant that anyone who didn't have a local cache of their passwords was effectively locked out of their accounts. While I understand why that is frustrating, I would rather that Lastpass was doing its best to shield my data rather than yielding to those who are more concerned about access.

    - Les

    Les,

    I noted you said "attempted hack" which I'd think is accurate. Here's the thing... Even if a hack would have been successful and all repositories had been downloaded I'd be willing to bet that notwithstanding those who would still be careless with passwords would have suffered loss. Why? Because LastPass double encrypts with AES and never stores the master password on their site. In other words they cannot help anyone who loses their master password.

    Now, one can save their passwords to a text file which, I am sure is even more secure 😀 but I digress.

    Steve Gibson, in the videos I noted, mentioned that any password > 10 characters pretty much makes them impossible to break - at least in a practical sense.

    Going back to the original blog - A corporation can set their folks up and share passwords but not allow them to be seen or changed - just used. That seemed to me to satisfy a few of the original pain point use cases which is why I mentioned LP. Not looking to get into a long discussion on encryption but I do take your point on the LP folks being thorough.

    Regards,

    Doug

  • Business practices matter, whether you have sympathy for them or not.

    Lastpass should be clearer to its potential customers than it is.

    The company has a good technology, but the business is being run without transparency.

    412-977-3526 call/text

  • lnoland (8/1/2016)


    I like the idea of using fingerprints for low-level security such as accessing my Smartphone, but I'm less enthusiastic about using it for high-security measures. If I worked in a bank I wouldn't want to have the vault keyed to my fingerprint -- I'd just as soon not have criminals go down the line of thought that the only thing they need to break into the vault is one of my appendages.:(

    Two-factor authentication isn't bad . . . until it fails, such as when trying to login from a location with no cell phone service. It can also become something worthy of modern-day Abbott and Costello routine such as when I charge something on my credit card using an app on my cell phone and the credit card company sends me a text on that same cell phone to have me confirm that the charge is authorized.:ermm:

    I use Lastpass premium and ultimately like it pretty well but I find that I still shy away from the really-strong passwords even though it will generate and store them for me without any fuss. The problem is when I create one for a program which doesn't work with Lastpass. If it can't interact with the program to supply the password, Lastpass will allow me to save it to the clipboard and paste it in but there are some programs which won't even allow pasting a password and I'm stuck trying to type in a 30-character, cryptic mess of characters into a blind textbox -- yeah, that never goes badly. Lastpass could also stand to be a little better refined -- I frequently find myself confused when I create and save a new password with Lastpass and then it immediately asks me if I want to save the password for that website. But without it, there would be little choice but to use some considerably-less secure option such as carrying around a list of my passwords.

    - Les

    Perhaps the devices can measure to see how warm the fingers are. :ermm:

  • ddodge2 (8/1/2016)


    lnoland (8/1/2016)


    I like the idea of using fingerprints for low-level security such as accessing my Smartphone, but I'm less enthusiastic about using it for high-security measures. If I worked in a bank I wouldn't want to have the vault keyed to my fingerprint -- I'd just as soon not have criminals go down the line of thought that the only thing they need to break into the vault is one of my appendages.:(

    Two-factor authentication isn't bad . . . until it fails, such as when trying to login from a location with no cell phone service. It can also become something worthy of modern-day Abbott and Costello routine such as when I charge something on my credit card using an app on my cell phone and the credit card company sends me a text on that same cell phone to have me confirm that the charge is authorized.:ermm:

    I use Lastpass premium and ultimately like it pretty well but I find that I still shy away from the really-strong passwords even though it will generate and store them for me without any fuss. The problem is when I create one for a program which doesn't work with Lastpass. If it can't interact with the program to supply the password, Lastpass will allow me to save it to the clipboard and paste it in but there are some programs which won't even allow pasting a password and I'm stuck trying to type in a 30-character, cryptic mess of characters into a blind textbox -- yeah, that never goes badly. Lastpass could also stand to be a little better refined -- I frequently find myself confused when I create and save a new password with Lastpass and then it immediately asks me if I want to save the password for that website. But without it, there would be little choice but to use some considerably-less secure option such as carrying around a list of my passwords.

    - Les

    Perhaps the devices can measure to see how warm the fingers are. :ermm:

    Or, they could add two-factor authentication . . . so long as the second factor isn't a retinal-scan.:hehe:

    - Les

  • Eric M Russell (8/1/2016)


    Rod at work (8/1/2016)


    Steve, I don't have an answer to your question. However, your article has opened my eyes to the fact that what I've experienced over the last couple of decades, isn't something that should work in all situations. I've never even thought of the possibility of someone needing to login very quickly, but your example makes sense. You can't have someone in an operating room waiting to go through a two factor authentication that also might include some Captcha verification. ("I'm sorry madam we let your husband die on the operating table, but we were busy trying to identify what the Captcha image was so we could log in...")

    Bottom line, there isn't a one size fits all, when it comes to passwords and how they should be used to authenticate someone.

    I believe the key to security is not just "least required privilege" but also "least required connectivity". For a number of different reasons (security, dependability during a natural disaster, cost containment, etc.), equipment in a hospital operating room should be functional without relying on network connectivity. Hackers can't get at a system if there is no IP port, and we must ask ourselves how much value does that open network port really add to the process of treating the patient.

    I agree with you in principle. In reality, it's not quite as simple. There are plenty of efforts to send data to other sites, to ensure a backup, or telemedicine. However, those are likely a small percentage of many cases. The bigger issues that people worry about is someone inside the hospital making changes, prescribing themselves opiates, etc.

    Certainly least connectivity should also be applied, to whatever extend possible.

  • Me I'm sanguine about it - this is the price we pay for security.

    Ironically I've come in this morning and my colleague has just been locked out of her computer because she didn't get her password in 3 guesses.

    She has a special word, which she has forgotten, and so needs a manager to authorize an issue of password re-set.

    I have been in that situation before

    cloudydatablog.net

  • My smartphone uses fingerprint technology. However it became an issue when I burnt and blistered my finger! There is another in but it is relatively insecure which negates, in my mind, the increased security of finger print technology.

    I am in favour of limiting connectivity with increased password length and complexity as more areas as accessible/changeable...

Viewing 15 posts - 16 through 30 (of 44 total)

You must be logged in to reply to this topic. Login to reply