Long Live All Passwords

  • Comments posted to this topic are about the item Long Live All Passwords

  • I've just had to reset my work password. That's a day of my life I won't get back, not made easier because the password change is asynchronous.

    To be brutally honest it feels like security and authentication have been designed by a committee that never met. There are so many rough edges.

    Websites that do not allow COPY/PASTE stop me using password managers. Working on trains or in locations with poor WiFi connectivity means that cloud-based password managers (favoured by corporate mandate, if you must use a password manager) are of limited use.

    2FA such as Google Authenticator, Duo and OKTA do help.

  • One employer that I worked for had a password expiration policy of 30 days. Why couldn't they use a policy of 31 days, requiring a once-a-month change?

  • Finally, some sense!

  • Oh boy, great topic. Where I work I've got, I think, 3 systems that require passwords. My Windows account, to log into the domain. My email (yes, they're separate, which I hate), and our HR related system (for pay, entering leave, etc.). What makes matters worse is each system has its own password expiration time period. Man, I hate that! Normally I've got some hot issue I'm working on, when suddenly one of them pops up a message demanding that I change it or lose the ability to enter it in X days. Normally I do them all at the same time, so I won't be bothered again for at least 4 weeks.

    I previously saw that Microsoft was recommending no longer having a password expiration policy in place, before you mentioned it in today's article. Their reasons were spot on. I know a LOT of people who just use something like PasswordN, where "N" is an integer, and just increment it by 1 whenever they have to change their password. I believe that a significant majority of people in every place I've worked do this. (For the record, I don't.)

    About 18 months ago I gave up trying to keep track of all of the passwords I used online, because there were too many places and most of the time I just duplicated the same password I used at least a dozen other places. I started using a password manager. And I've been much happier about that, ever since.

    Kindest Regards, Rod Connect with me on LinkedIn.

  • I just wonder why we are not farther along with biometrics.

    Converting oxygen into carbon dioxide, since 1955.

  • A biometric ID is basically a "secret" hash, just like a password. Hackers can leverage network sniffing, a spoofed login page, or some other man-in-the-middle exploit to collect your ID. You can change a password if needed, but how do you change your biometric ID?

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Biometrics are great, until you realize a few things. An injury, like a paper cut to a finger, can cut you out of access. Work in some industries, and your fingerprints are wearing away or gone. Eyes? Expensive. Face, not as reliable, especially as lighting conditions change. Someone does SQL injection, as Eric noted, and you have an issue. What about collisions? There are DNA collisions, what would you do?

    It's a good thought, but lots of downside.

  • What surprises me is the number of bad restrictions that some applications put on passwords. A bank I used to use only allowed up to 12 characters for a password and it could only include alphanumerical characters (not even a white space!). I like to ensure I mix up my passwords by using both upper and lower case, numbers and special characters; and I actually find it hard to think of a "secure" password when my options are so severely limited.

    I probably wouldn't mind so much if it was on a website I use infrequently, and with low impact (like a fan site forum perhaps), but for a banking system, are you really limiting my password so harshly? Why do I have to compromise my security because your (the bank's) application doesn't support anything other than alphanumerical characters?

    In regards to expiration, I do agree that it can be annoying for users, but I am also a little bit of a sceptic that it'll really help. At the office we tend to refer to any day after a public holiday as "International Password Reset Day", as (for some reason) if the staff have a 3 day weekend they inevitably manage to forget a password they would remember without a problem if it was a 2 day weekend. If people can't remember their password after having a 3 day weekend, even if it's been their password for the best part of a month (and probably was last month's with a 3 at the end instead of 2), then their password not expiring isn't going to change anything.

    Thom~

    Excuse my typos and sometimes awful grammar. My fingers work faster than my brain does.
    Larnu.uk
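The bank limits Thom describes (a 12-character cap, alphanumerics only) and the PasswordN increments Rod describes are both things a login system can catch at the moment a password is set, in opposite directions: stop forbidding long passphrases and symbols, and start rejecting trivial rotations of the old password. The following Python is an added example, not code from this thread or from any product mentioned in it. The blocklist is constructed, and the 8/128 length bounds and the "no composition rules, screen against a known-bad list" shape follow NIST SP 800-63B guidance rather than anything the thread states.

```python
"""Password-policy checker: the restrictive bank-style rules described in the
thread next to a NIST SP 800-63B style policy.  Added illustration; thresholds
and the blocklist are constructed for the example."""
import re
import unicodedata
from typing import List, Optional, Tuple

# Constructed stand-in for a breached/common-password blocklist.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "123456"}

# Splits a trailing run of digits off a password: "Summer2019" -> ("Summer", "2019").
_TRAILING_DIGITS = re.compile(r"^(.*?)(\d+)$")


def restrictive_bank_policy(candidate: str) -> List[str]:
    """The weak policy from the thread: 12-character cap, alphanumerics only."""
    problems = []
    if len(candidate) > 12:
        problems.append("longer than 12 characters")
    if not candidate.isalnum():  # rejects spaces and every symbol
        problems.append("contains non-alphanumeric characters")
    return problems


def _stem_and_counter(pw: str) -> Tuple[str, Optional[int]]:
    """('password', 7) for 'Password7'; (casefolded pw, None) if no trailing digits."""
    m = _TRAILING_DIGITS.match(pw)
    if not m:
        return pw.casefold(), None
    return m.group(1).casefold(), int(m.group(2))


def is_trivial_rotation(old: str, new: str) -> bool:
    """True when `new` is `old` with only a trailing counter changed or appended
    (Password2 -> Password3, Summer2019 -> Summer2020, Password -> Password1),
    or is the old password itself (case-insensitively)."""
    old_stem, _ = _stem_and_counter(old)
    new_stem, new_counter = _stem_and_counter(new)
    if new_counter is None:
        return new.casefold() == old.casefold()
    return new_stem == old_stem


def nist_style_policy(candidate: str, previous: Optional[str] = None,
                      min_len: int = 8, max_len: int = 128) -> List[str]:
    """Length floor, generous ceiling, any printable character, no composition
    rules, blocklist screening, and rejection of PasswordN-style rotations."""
    pw = unicodedata.normalize("NFKC", candidate)  # so 'é' and 'e\u0301' count alike
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if len(pw) > max_len:
        problems.append(f"longer than {max_len} characters")
    if any(unicodedata.category(ch) == "Cc" for ch in pw):
        problems.append("contains control characters")
    stem, counter = _stem_and_counter(pw)
    if pw.casefold() in BLOCKLIST:
        problems.append("appears on the blocklist")
    elif counter is not None and stem in BLOCKLIST:
        problems.append("is a blocklisted word with digits appended")
    if previous is not None and is_trivial_rotation(previous, pw):
        problems.append("is a trivial variation of the previous password")
    return problems


if __name__ == "__main__":
    # Constructed samples: the bank policy accepts "Welcome1" and rejects the
    # passphrase; the NIST-style policy does the reverse and catches Password3 -> Password4.
    for pw, prev in [("Welcome1", None),
                     ("correct horse battery staple", None),
                     ("Password4", "Password3")]:
        print(f"{pw!r}: bank={restrictive_bank_policy(pw)} "
              f"nist={nist_style_policy(pw, prev)}")
```

The two checkers disagree on exactly the cases the thread complains about: the 12-character alphanumeric rule waves through "Welcome1" and refuses a 28-character passphrase, while the length-plus-blocklist rule does the opposite and also refuses a counter bump from the previous password, which is the only kind of "new" password a forced 30-day expiry reliably produces.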

  • While I don't see biometrics as a complete identification solution or a replacement for passwords in all situations, I still think it could be a component of a more complete multi-factor authentication solution. What's great about biometrics is that it can be potentially frictionless, meaning it doesn't necessarily require the user to remember a code or do anything special. For example, if ATM and POS machines could employ facial recognition to match customers with account numbers at the time a transaction occurs, then that would render stolen or cloned credit cards useless, and it doesn't place any additional burden on the customer. The customers don't even need to know that biometrics are being used as part of the authentication process, although for the sake of transparency and privacy the retail store and bank should post signs or an informational message on the screen notifying them.

    If multiple people have the same facial biometric pattern, then that's not really a problem, because people already "share" the same 4 digit PIN code. What I mean is that biometrics could be leveraged not as a unique identifier but as a replacement for PIN codes.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho
