Is Security Catching On?

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 715107

    Comments posted to this topic are about the item Is Security Catching On?

  • roger.plowman

    SSChampion

    Points: 10136

    Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breeches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

  • ken.romero

    SSC Eights!

    Points: 995

    People haven't changed to suddenly want security over convenience. The improvements in password managers and a lot of people having finger print scanner built into the device their logging into services on (mostly smart phones) has made good security less inconvenient, and thus something more people want. Password managers are still finicky about loading the right information for the site I'm on a lot of times and many apps I use consider the password to be more secure than the fingerprint, but it's still miles better than it was a year or two ago. My favorite method of logging in is using my Google account to log into other websites, and since I have two step authentication on my Google account it's also the most secure while being the least hassle.

  • Summer90

    SSC-Dedicated

    Points: 32820

    People may want security over convenience, however, with tightening budgets, more and more complicated systems and a rush to just get it done more and more I just don't see security all of a sudden going to the top of a list of priorities.  Even if it does, that doesn't mean it really will in the end.

    One HAS to remember, code created by humans will always be able to be cracked by someone somewhere.

  • David.Poole

    SSC Guru

    Points: 75109

    I think people are beginning to realise just how much damage malicious activity can do.   I think there is burgeoning awareness of what machine learning can reveal about individuals from relatively innocuous pieces of data.

  • jay-h

    SSCoach

    Points: 18808

    roger.plowman - Friday, March 9, 2018 6:35 AM

    ...Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. ...

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

    At some point, biometrics have to be converted into some encodable value for transmission and/or comparison. One needn't actually replicate the fingerprint, just its code.

    Agreed about the password manager thing... if someone steals your phone, or hacks your password file from your computer ... they have a static file that can be placed on a fast computer attacked for as long as necessary till it cracks. And THEN they have the keys to EVERYTHING.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Jeff Mlakar

    SSCrazy

    Points: 2879

    roger.plowman - Friday, March 9, 2018 6:35 AM

    Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breeches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

  • Jeff Mlakar

    SSCrazy

    Points: 2879

    I can only hope that people understand better and act on data security. There isn't much liability for leaks from government or corporations to deter the mindset they are in. The data collection stewards in the US do a bad job of it all around. Just look at all the breaches!

    Additionally I hope this branches out into caring about our lost privacy but I'm a dreamer...

  • roger.plowman

    SSChampion

    Points: 10136

    jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    roger.plowman - Friday, March 9, 2018 6:35 AM

    Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breeches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

    Biometric data lacks the ability to change it, therefore once stolen it's compromised FOREVER. Not a good idea.

    Um...it's not a small chance password managers are compromised either. Below are just a few of the ones we know about. How many more are being actively exploited?

    http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/
    https://thehackernews.com/2017/02/password-manager-apps.html
    https://betanews.com/2017/03/03/popular-android-password-managers-serious-vulnerabilities/
    https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#14333cbd728f

  • jay-h

    SSCoach

    Points: 18808

    jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    The risk with password managers is that they exist as encrypted files, which can be decrypted with a rememberable passphrase. If someone gets to copy that file (not at all a rare thing) they can throw unlimited resources at it... and it's valuable enough to try that because it has so much of a person's security inside. By comparison, stealing your password from a corporate hack, assuming you don't re-use passwords, compromises only one thing. 

    Multiple attempts normally will shut down a network account, but a captured file has no such protection.

    ...

    -- FORTRAN manual for Xerox Computers --

  • Matt Miller (4)

    SSC Guru

    Points: 124173

    roger.plowman - Friday, March 9, 2018 1:15 PM

    jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    roger.plowman - Friday, March 9, 2018 6:35 AM

    Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breeches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

    Biometric data lacks the ability to change it, therefore once stolen it's compromised FOREVER. Not a good idea.

    Um...it's not a small chance password managers are compromised either. Below are just a few of the ones we know about. How many more are being actively exploited?

    http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/
    https://thehackernews.com/2017/02/password-manager-apps.html
    https://betanews.com/2017/03/03/popular-android-password-managers-serious-vulnerabilities/
    https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#14333cbd728f

    Single-factor authentication of any kind is too vulnerable these days to be viable for much.  Biometrics at best is a convenience thing, but doesn't add a thing to actual security (as was mentioned before at its core it's just a "hash key" of some kind based on patterns detected within your iris or your fingerprint).  So it's a long integer that doesn't change, so it can be cracked.

    Those MFA token systems (with highly volatile tokens) are about the only thing viable now.  Even then we will eventually have to ensure that the token servers aren't easy to anticipate or crack or that's also a smokescreen.

    ----------------------------------------------------------------------------------
    Your lack of planning does not constitute an emergency on my part...unless you're my manager...or a director and above...or a really loud-spoken end-user..All right - what was my emergency again?

  • Jeff Mlakar

    SSCrazy

    Points: 2879

    jay-h - Friday, March 9, 2018 1:28 PM

    jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    The risk with password managers is that they exist as encrypted files, which can be decrypted with a rememberable passphrase. If someone gets to copy that file (not at all a rare thing) they can throw unlimited resources at it... and it's valuable enough to try that because it has so much of a person's security inside. By comparison, stealing your password from a corporate hack, assuming you don't re-use passwords, compromises only one thing. 

    Multiple attempts normally will shut down a network account, but a captured file has no such protection.

    I understand the risk - nothing is fool proof. However the notion that people should stop using password managers and go back to the wonky methods they use is preposterous. Have you seen the passwords people use? Security is about trade-offs and choices. PW MGRS are a superior option for most people's general usage.

  • Jeff Mlakar

    SSCrazy

    Points: 2879

    roger.plowman - Friday, March 9, 2018 1:15 PM

    jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    roger.plowman - Friday, March 9, 2018 6:35 AM

    Biometrics is a horrible security idea. It fails half of the critical requirements a security method needs. If it's compromised (and the number of breeches per year says it WILL be--quickly) you can't change it. Easy to change a password, not so easy to change your fingerprints or retinal patterns. At best it's only good for local authentication, and even then it shouldn't be trusted. (Look at the court rulings that say you can be forced to unlock a fingerprint device but you don't have to give up a password).

    Password managers are another bad idea. Yes, you can use a randomly generated password for each site but A) what happens when your password manager is compromised (already happened once that I know of) or what happens when the password manager's data is lost in a hard drive crash and there's no backup.

    And don't say "cloud backup", that just makes it easier to have all your passwords stolen in one go.

    As bad as they are, passwords are the best solution we've ever managed to come up with that meet all the needs of authentication. They aren't perfect, but better than anything else we've tried.

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    Likewise with biometrics. Similar to the cloud we make trade-offs as needed between convenience and security. I don't think the blanket statements about this are merited. I will agree with you about the coercion around biometrics and I don't like it either. Broaches a whole new topic of border crossings.

    Biometric data lacks the ability to change it, therefore once stolen it's compromised FOREVER. Not a good idea.

    Um...it's not a small chance password managers are compromised either. Below are just a few of the ones we know about. How many more are being actively exploited?

    http://www.zdnet.com/article/onelogin-hit-by-data-breached-exposing-sensitive-customer-data/
    https://thehackernews.com/2017/02/password-manager-apps.html
    https://betanews.com/2017/03/03/popular-android-password-managers-serious-vulnerabilities/
    https://www.forbes.com/sites/katevinton/2015/06/15/password-manager-lastpass-hacked-exposing-encrypted-master-passwords/#14333cbd728f

    I hear you. Do you think it is a better idea to write a resusable crappy password on a sticky note under your desk or to use a password manager to generate a proper pwd? Because that's what most people do. I exaggerate to prove a point - yes both have flaws but one is clearly superior to the other.

  • Jeff Mlakar

    SSCrazy

    Points: 2879

    jay-h - Friday, March 9, 2018 1:28 PM

    jmlakar 69347 - Friday, March 9, 2018 1:03 PM

    I don't agree. Password managers are so much better than people's inherent lousy passwords (and their reuse). To say that because there exists a small chance your PW MGR will be leaked so don't use it is "throwing the baby out with the bath water". If anyone asks if they should use a password manager the answer should be a resounding YES.

    The risk with password managers is that they exist as encrypted files, which can be decrypted with a rememberable passphrase. If someone gets to copy that file (not at all a rare thing) they can throw unlimited resources at it... and it's valuable enough to try that because it has so much of a person's security inside. By comparison, stealing your password from a corporate hack, assuming you don't re-use passwords, compromises only one thing. 

    Multiple attempts normally will shut down a network account, but a captured file has no such protection.

    What's the entropy on a 28 character passphrase with upper / lower / numeric / and maybe a special character? Not gonna happen. So what's your alternative? Password managers are a good choice for most people and their usage.

  • jay-h

    SSCoach

    Points: 18808

    jmlakar 69347 - Friday, March 9, 2018 1:41 PM

    What's the entropy on a 28 character passphrase with upper / lower / numeric / and maybe a special character? Not gonna happen. So what's your alternative? Password managers are a good choice for most people and their usage.

    Few people are going to try that unless really motivated.

    BTW, password crackers are now stocked with the text entire Bible, works of Shakespeare and a host of other literature.

    ...

    -- FORTRAN manual for Xerox Computers --

Viewing 15 posts - 1 through 15 (of 21 total)

You must be logged in to reply to this topic. Login to reply