Is Security Catching On?
Steve Jones, SSC Guru (Administrators)
Comments posted to this topic are about the item Is Security Catching On?

Follow me on Twitter: @way0utwest
Forum Etiquette: How to post data/code on a forum to get the best help
My Blog: www.voiceofthedba.com
roger.plowman, SSCertifiable (General Forum Members)
Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breaches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.
ken.romero, SSC Eights! (General Forum Members)
People haven't changed to suddenly want security over convenience. The improvements in password managers and a lot of people having a fingerprint scanner built into the device they're logging into services on (mostly smartphones) has made good security less inconvenient, and thus something more people want. Password managers are still finicky about loading the right information for the site I'm on a lot of times, and many apps I use consider the password to be more secure than the fingerprint, but it's still miles better than it was a year or two ago. My favorite method of logging in is using my Google account to log into other websites, and since I have two-step authentication on my Google account it's also the most secure while being the least hassle.
Summer90, One Orange Chip (General Forum Members)
People may want security over convenience; however, with tightening budgets, more and more complicated systems and a rush to just get it done, more and more I just don't see security all of a sudden going to the top of a list of priorities. Even if it does, that doesn't mean it really will in the end.

One HAS to remember, code created by humans will always be able to be cracked by someone somewhere.
Dave Poole, SSC Guru (General Forum Members)
I think people are beginning to realise just how much damage malicious activity can do. I think there is burgeoning awareness of what machine learning can reveal about individuals from relatively innocuous pieces of data.

LinkedIn Profile
www.simple-talk.com
jay-h, SSCoach (General Forum Members)
roger.plowman - Friday, March 9, 2018 6:35 AM wrote:
...Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. ...

Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.
At some point, biometrics have to be converted into some encodable value for transmission and/or comparison. One needn't actually replicate the fingerprint, just its code.

Agreed about the password manager thing... if someone steals your phone, or hacks your password file from your computer... they have a static file that can be placed on a fast computer and attacked for as long as necessary till it cracks. And THEN they have the keys to EVERYTHING.


...

-- FORTRAN manual for Xerox Computers --
Jeff Mlakar, UDP Broadcaster (General Forum Members)
roger.plowman - Friday, March 9, 2018 6:35 AM wrote:
Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breaches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

Jeff Mlakar, UDP Broadcaster (General Forum Members)
I can only hope that people understand better and act on data security. There isn't much liability for leaks from government or corporations to deter the mindset they are in. The data collection stewards in the US do a bad job of it all around. Just look at all the breaches!

Additionally I hope this branches out into caring about our lost privacy but I'm a dreamer...
roger.plowman, SSCertifiable (General Forum Members)
jmlakar 69347 - Friday, March 9, 2018 1:03 PM wrote:
roger.plowman - Friday, March 9, 2018 6:35 AM wrote:
Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breaches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

Biometric data lacks the ability to change it, therefore once stolen it's compromised FOREVER. Not a good idea.

Um...it's not a small chance password managers are compromised either. Below are just a few of the ones we know about. How many more are being actively exploited?

http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/
https://thehackernews.com/2017/02/password-manager-apps.html
https://betanews.com/2017/03/03/popular-android-password-managers-serious-vulnerabilities/
https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#14333cbd728f


jay-h, SSCoach (General Forum Members)
jmlakar 69347 - Friday, March 9, 2018 1:03 PM wrote:

I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.


The risk with password managers is that they exist as encrypted files, which can be decrypted with a rememberable passphrase. If someone gets to copy that file (not at all a rare thing) they can throw unlimited resources at it... and it's valuable enough to try that because it has so much of a person's security inside. By comparison, stealing your password from a corporate hack, assuming you don't re-use passwords, compromises only one thing.

Multiple attempts normally will shut down a network account, but a captured file has no such protection.


...

-- FORTRAN manual for Xerox Computers --
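An added illustration of the distinction jay-h draws above between a copied vault file and a rate-limited network login. This is example code written for this page, not code from any poster or from any password manager product. It uses a toy vault whose master passphrase is stretched with PBKDF2-HMAC-SHA256 (standing in for whatever KDF a real product uses), a constructed wordlist that deliberately contains the victim's passphrase, and a fixed demo salt; real vaults use a random per-vault salt.

```python
"""Offline vault cracking versus online lockout (added example, not from the thread)."""
import hashlib
import hmac
import time

# Constructed demo values. A real vault stores a random per-vault salt.
DEMO_SALT = b"demo-salt-16byte"
# Constructed wordlist; the victim's passphrase is deliberately in it.
WORDLIST = ["password", "letmein", "123456", "correct horse",
            "Winter2018!", "sqlserver", "tr0ub4dor&3"]


def derive_key(passphrase: str, salt: bytes, iterations: int) -> bytes:
    """Stretch the master passphrase with PBKDF2-HMAC-SHA256 (stand-in for the vault's KDF)."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt, iterations, dklen=32)


def make_vault(passphrase: str, iterations: int) -> dict:
    """Build the file an attacker would copy: salt, iteration count and a key verifier.
    The verifier lets anyone holding the file test guesses without talking to a server."""
    key = derive_key(passphrase, DEMO_SALT, iterations)
    verifier = hashlib.sha256(b"vault-verifier" + key).digest()
    return {"salt": DEMO_SALT, "iterations": iterations, "verifier": verifier}


def check_guess(vault: dict, guess: str) -> bool:
    """What the vault (or the attacker's cracker) does per guess: one KDF run plus a compare."""
    key = derive_key(guess, vault["salt"], vault["iterations"])
    candidate = hashlib.sha256(b"vault-verifier" + key).digest()
    return hmac.compare_digest(candidate, vault["verifier"])


def offline_crack(vault: dict, wordlist: list) -> tuple:
    """Attacker holds the file: no lockout, no rate limit, only KDF cost per guess.
    Returns (passphrase_or_None, guesses_made)."""
    for n, guess in enumerate(wordlist, start=1):
        if check_guess(vault, guess):
            return guess, n
    return None, len(wordlist)


class OnlineAccount:
    """Network login that locks after max_failures wrong passwords, the protection
    jay-h contrasts with a captured file."""

    def __init__(self, password: str, max_failures: int = 3):
        self._password = password
        self._max_failures = max_failures
        self.failures = 0
        self.locked = False

    def login(self, guess: str) -> bool:
        if self.locked:
            raise PermissionError("account locked")
        if hmac.compare_digest(guess.encode("utf-8"), self._password.encode("utf-8")):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= self._max_failures:
            self.locked = True
        return False


def online_crack(account: OnlineAccount, wordlist: list) -> tuple:
    """Same wordlist against the rate-limited account; stops when lockout triggers."""
    for n, guess in enumerate(wordlist, start=1):
        try:
            if account.login(guess):
                return guess, n
        except PermissionError:
            return None, n
    return None, len(wordlist)


def guesses_per_second(iterations: int, samples: int = 20) -> float:
    """Measure how fast this machine can test guesses at a given KDF cost."""
    vault = make_vault("unused-passphrase", iterations)
    start = time.perf_counter()
    for i in range(samples):
        check_guess(vault, f"guess-{i}")
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    vault = make_vault("Winter2018!", iterations=1_000)
    print("offline:", offline_crack(vault, WORDLIST))                        # cracked on guess 5
    print("online :", online_crack(OnlineAccount("Winter2018!"), WORDLIST))  # locked before guess 5
    for iters in (1_000, 100_000):
        print(f"{iters:>7} iterations: ~{guesses_per_second(iters):,.0f} guesses/s on this CPU")
```

Run as a script, the offline search finds the passphrase on the fifth guess while the online attempt is locked out after three failures and never reaches it. The last loop shows the only lever the vault owner has once the file is gone: a higher KDF iteration count cuts the attacker's guess rate on this CPU proportionally, but it never caps the total number of guesses the way a lockout does, so the real defence is a master passphrase with enough entropy to make the remaining guess count infeasible.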