July 30, 2016 at 6:07 pm
Comments posted to this topic are about the item Passwords Under Pressure
August 1, 2016 at 1:39 am
A lot of bars and restaurants use a fob for the till. It uniquely identifies the server and brings up their current context. This may be suitable for hospitals etc. We must also remember that there is not necessarily a one solution fits all. Perhaps passwords was the best generalised solution and that we no longer are accepting a generalised solution.
Gaz
-- Stop your grinnin' and drop your linen...they're everywhere!!!
August 1, 2016 at 2:26 am
The problem with passwords is that people can't remember them - look up most common helpdesk calls and forgotten passwords are always at the top of the list. Unless you use the same one for everything (!) it is nigh on impossible to remember them all, especially when there are so many different variations of "strong password" requirements.
Mobile phones seem to be heading in the right direction with fingerprint authentication: The user doesn't have to memorise anything or carry anything around with them, and authentication is instant.
August 1, 2016 at 4:06 am
Multi factor authentication over and above 2FA is becoming much more common too, with passphrase, shared secret, IP address, physical location, device type, browser type and version analysis all taking place at login to flag up suspicious activity and block access.
Ultimately the biggest impact on keeping systems secure would be far more efforts by authorities to catch and prosecute scammers and hackers, with very heavy prison sentences as a deterrent. There is a complete lack of international action to deal with these issues, mainly because many hackers are now state sponsored it seems.
August 1, 2016 at 6:28 am
TheFault (8/1/2016)
Ultimately the biggest impact on keeping systems secure would be far more efforts by authorities to catch and prosecute scammers and hackers, with very heavy prison sentences as a deterrent. There is a complete lack of international action to deal with these issues, mainly because many hackers are now state sponsored it seems.
Sadly the authorities always seem to be two or more steps behind and if they catch someone do little more than give them a slap on the wrist. Here in the UK we have a real problem with nuisance phone calls related to PPI, accident compensation, lifestyle, etc. I have been bothered for nearly a fortnight by calls from a lifestyle company. I cannot bar them as my smart phone knows they are giving out an invalid OLI (originating line identity) and requests to take me off their database seem to be ignored. The regulators response is that it is a police matter but you cannot report it to the police as there has been no criminal offence. There needs to be a joined up rethink on all these issues and they need to be taken much more seriously as their cost on people's lives is massive in both real and hidden terms!
August 1, 2016 at 6:53 am
We have started using finger print scanners at our work stations. I love it.
August 1, 2016 at 6:58 am
The problem *isn't* passwords--the problem is mutually exclusive problem domains.
We are asking our login/authentication/identification/etc procedures to do mutually exclusive things.
1. Be easy to use
2. Identify the user (remotely!)
3. Authenticate the user is who they say they are.
Worse, *anything* the user can do or provide will not guarantee they are who they say they are. Spoofing is guaranteed no matter what you do.
Therefore not only do you have to create a procedure that will, without fail, identify the user AND authenticate the user is who they say they are but you ALSO have to provide a method of *changing* the information should it be compromised.
This is where biometrics absolutely fail. You can't replace your fingerprints/retinal pattern/voiceprint, etc.
Worse, you can't store a person's fingerprints etc, what you actually store is a *digital copy* of those things. Which, of course, can fall prey to both replication (stealing) and replacement (tampering).
Passwords may be easy to compromise and hard to remember, BUT they're easy to change, rendering replication/replacement issues moot.
The problem with ID is the more certain it is the harder it is to change. So, paradoxically, the more certain the ID seems, the more impossible it is to change, and thus the more vulnerable it is to the replication/replacement issue.
Using your phone for 2FA is great--until the phone is stolen, lost, or (worst of all) *copied*. Then you're really and truly screwed.
A security fob has the same issues.
Biometrics? Somebody replaces your fingerprint data, boom. Instant lockout/impersonation (true for any biometric, really).
In short, passwords are the worst form of security--except for all the others.
August 1, 2016 at 8:11 am
Check out LastPass at https://lastpass.com/
Steve Gibson & Leo Laporte
July 10, 2010
Entire - https://www.youtube.com/watch?v=r9Q_anb7pwg (Starts around 2nd hour)
Mercifully, someone broke it into reasonable chunks:
Part 1 - https://www.youtube.com/watch?v=sLejIcOYk3o
Part 2 - https://www.youtube.com/watch?v=9n7n2P7tgbo
Part 3 - https://www.youtube.com/watch?v=1BinfKqnSNc
Part 4 - https://www.youtube.com/watch?v=1BinfKqnSNc
Part 5 - https://www.youtube.com/watch?v=lKsackRNTUM
Part 6 - https://www.youtube.com/watch?v=RPgNo6x6mjg
Part 7 - https://www.youtube.com/watch?v=eoMMGWKyibE
Premium is only $12 per year. And they have an enterprise version that should work for this sort of scenario.
One feature I like is that I can add a new site on my desktop and the new password shows up on my mobile phone.
Doug
August 1, 2016 at 8:30 am
ddodge2 (8/1/2016)
Check out LastPass at https://lastpass.com/Steve Gibson & Leo Laporte
July 10, 2010
Entire - https://www.youtube.com/watch?v=r9Q_anb7pwg (Starts around 2nd hour)
Mercifully, someone broke it into reasonable chunks:
Part 1 - https://www.youtube.com/watch?v=sLejIcOYk3o
Part 2 - https://www.youtube.com/watch?v=9n7n2P7tgbo
Part 3 - https://www.youtube.com/watch?v=1BinfKqnSNc
Part 4 - https://www.youtube.com/watch?v=1BinfKqnSNc
Part 5 - https://www.youtube.com/watch?v=lKsackRNTUM
Part 6 - https://www.youtube.com/watch?v=RPgNo6x6mjg
Part 7 - https://www.youtube.com/watch?v=eoMMGWKyibE
Premium is only $12 per year. And they have an enterprise version that should work for this sort of scenario.
One feature I like is that I can add a new site on my desktop and the new password shows up on my mobile phone.
Doug
Um, LastPass was shown to be incredibly insecure, wasn't it? Especially considering using any kind of password manager is begging to have your life entirely stolen, since if it's compromised it's game over...
And I believe LastPass stores data in the cloud, to make matters even worse.
August 1, 2016 at 8:42 am
Steve, I don't have an answer to your question. However, your article has opened my eyes to the fact that what I've experienced over the last couple of decades, isn't something that should work in all situations. I've never even thought of the possibility of someone needing to login very quickly, but your example makes sense. You can't have someone in an operating room waiting to go through a two factor authentication that also might include some Captcha verification. ("I'm sorry madam we let your husband die on the operating table, but we were busy trying to identify what the Captcha image was so we could log in...")
Bottom line, there isn't a one size fits all, when it comes to passwords and how they should be used to authenticate someone.
Kindest Regards, Rod Connect with me on LinkedIn.
August 1, 2016 at 8:45 am
If the wifi isn't secured with encryption, then it doesn't matter whether authentication is via password, fob, or biometrics. Hackers can steal the credentials or token in mid-flight.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 1, 2016 at 8:51 am
No, they are secure. They did experience a hack but given the nature and level of encryption nothing was compromised that I am aware of.
Suggest listening to the videos. Steve knows his stuff cold.
Regards,
Doug
August 1, 2016 at 8:51 am
LastPass had an issue, but not incredibly unsecure. The issue was patched quickly.
It's not game over if your password manager is compromised. It's no worse than if you have other compromises, plus you have a domain of places to actually understand how to go change passwords in which places.
August 1, 2016 at 9:04 am
Rod at work (8/1/2016)
Steve, I don't have an answer to your question. However, your article has opened my eyes to the fact that what I've experienced over the last couple of decades, isn't something that should work in all situations. I've never even thought of the possibility of someone needing to login very quickly, but your example makes sense. You can't have someone in an operating room waiting to go through a two factor authentication that also might include some Captcha verification. ("I'm sorry madam we let your husband die on the operating table, but we were busy trying to identify what the Captcha image was so we could log in...")Bottom line, there isn't a one size fits all, when it comes to passwords and how they should be used to authenticate someone.
I believe the key to security is not just "least required privilege" but also "least required connectivity". For a number of different reasons (security, dependability during a natural disaster, cost containment, etc.), equipment in a hospital operating room should be functional without relying on network connectivity. Hackers can't get at a system if there is no IP port, and we must ask ourselves how much value does that open network port really add to the process of treating the patient.
"Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
August 1, 2016 at 9:21 am
I definitely prefer 2 factor authentication on my more sensitive applications.
Apart from that with the inherent risk of passwords that I can't avoid I try a bit of security through obscurity.
ie I don't tell people generally how I hold my passwords.
Last-pass sounds decent enough but they are a big fat juicy target.
Viewing 15 posts - 1 through 15 (of 44 total)
You must be logged in to reply to this topic. Login to reply