Let's Fix a Password Problem

  • Grant Fritchey

    SSC Guru

    Points: 395846

    Comments posted to this topic are about the item Let's Fix a Password Problem

    ----------------------------------------------------
    The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
    Theodore Roosevelt

    The Scary DBA
    Author of: SQL Server 2017 Query Performance Tuning, 5th Edition and SQL Server Execution Plans, 3rd Edition
    Product Evangelist for Red Gate Software

  • roger.plowman

    SSChampion

    Points: 10184

    Password managers are not a good idea. Sure, they let you use all the crazy random passwords per site, but they represent a single point of vulnerability. Hack them and it's not only lights out for you, but everyone else that uses them too.

    They've already been hacked, each and every one.

    Sure, there are no perfect solutions. 2FA isn't the panacea it was advertised to be, reuse of passwords is bad but understandable, and at least if you use two or three between bank, work, facebook (why are you even using facebook?) and Google etc. you at least stand a fighting chance of minimizing damage.

    But password managers not only centralize your passwords, they also centralize the sites you frequent, all wrapped up with a pretty little bow for whoever manages to hack either your PC (granting the master password) or the company themselves (the holy grail for hackers).

    Let me repeat myself. Every password management company has already been hacked at least once.

    Lose one password, or all of them. Your choice.

  • Grant Fritchey

    SSC Guru

    Points: 395846

    It's the choice of a compromise.

    Most people are suffering from what they're currently doing. Further, even completely independent sources like the ISE recommend using a password manager. Everything online has risks. The only way to be 100% safe is to follow the War Games model and refuse to play.

    I have 251 different accounts across email, shopping, clubs, source control, either I compromise that security and reuse passwords because I won't remember 251. I'm simply not smart enough. Or, I use something to manage them. I'm not prepared to build my own (and probably wouldn't make it secure enough), so I'm going buy over build.

    Am I perfectly comfy using the password manager? Nope. However, weighing the risks, I feel better this way, and based on a lot of research, it's the recommended approach.

    ----------------------------------------------------
    The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
    Theodore Roosevelt

    The Scary DBA
    Author of: SQL Server 2017 Query Performance Tuning, 5th Edition and SQL Server Execution Plans, 3rd Edition
    Product Evangelist for Red Gate Software

  • Dan Bragg

    Old Hand

    Points: 367

    Maybe this is the year we decide to stop requiring passwords from our users, removing one more barrier for _them_ to get all of their passwords under control?

    Gibson Research has now released, for free, their Secure, Quick, Reliable Login (or SQRL for short) https://www.grc.com/sqrl/sqrl.htm, which is a way to authenticate users without knowing anything about them. Then, after the relationship is established, you can choose to collect *minimum relevant* information to further the connection between company and customer. You can't lose what you don't collect, and your users have one fewer password to remember.

    But, he can explain it much better than I can. https://www.grc.com/sqrl/demo.htm

    • This reply was modified 4 days, 21 hours ago by  Dan Bragg.
    • This reply was modified 4 days, 21 hours ago by  Dan Bragg.
  • Grant Fritchey

    SSC Guru

    Points: 395846

    Sounds great. Let me know when that gets implemented. I'm in.

     

    ----------------------------------------------------
    The credit belongs to the man who is actually in the arena, whose face is marred by dust and sweat and blood...
    Theodore Roosevelt

    The Scary DBA
    Author of: SQL Server 2017 Query Performance Tuning, 5th Edition and SQL Server Execution Plans, 3rd Edition
    Product Evangelist for Red Gate Software

  • Eric M Russell

    SSC Guru

    Points: 125044

    Regarding MFA, this makes your account an order of magnitude more secure, but be vigilant that someone doesn't use social engineering to do a man-in-the-middle attack.

    For example, last year I got an unexpected Google verification code sent to me via text message. I know the text message itself was legitimately from Google, because it was contained in a message thread along with other other messages that I received in the past when logging in with a new device or changing my password.

    A few minutes later, I get a text message from a stranger asking if I was the guy selling a specific item on Craigslist. In fact, I was selling the item in question, and I had listed my email as contact - but not my phone number. The guy then replies back and asks me to please send him the verification code I must have received from Google - so he could verify my identity before sending payment or so he claimed. I replied back that I never received any  code from Google - so could he please request it again. He replies back and accuses me of trying to scam him.

    So, I replied back asking him to please call me directly at an alternate phone number - so we could discuss the matter. The phone number I sent him was actually for the cyber crime tip line of my city's police department. 🙂

    I never heard back after that. There is no telling what information he had to attempt this hack, or how many people may have fallen for it. After thinking about it, I realized that this guy may have already known my Google email and password, and was attempting to get past the new device activation feature. So, I reset my password at that point.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • x

    SSC-Insane

    Points: 23516

    roger.plowman wrote:

    Password managers are not a good idea. Sure, they let you use all the crazy random passwords per site, but they represent a single point of vulnerability. Hack them and it's not only lights out for you, but everyone else that uses them too.

    They've already been hacked, each and every one.

    Sure, there are no perfect solutions. 2FA isn't the panacea it was advertised to be, reuse of passwords is bad but understandable, and at least if you use two or three between bank, work, facebook (why are you even using facebook?) and Google etc. you at least stand a fighting chance of minimizing damage.

    But password managers not only centralize your passwords, they also centralize the sites you frequent, all wrapped up with a pretty little bow for whoever manages to hack either your PC (granting the master password) or the company themselves (the holy grail for hackers).

    Let me repeat myself. Every password management company has already been hacked at least once.

    Lose one password, or all of them. Your choice.

    Here's Grants guys having fun with 1password:

    https://blog.securityevaluators.com/recovering-the-master-password-from-a-locked-password-manager-1password-4-5d32cd569907

    There are really no easy answers with any of this, but Grant's editorial at least takes a swing at the bigger mistakes. 2FA is a mess when combined with sim swapping attacks. I was happy to read this week that at least some phone carriers are having a go at closing some holes.

     

Viewing 7 posts - 1 through 7 (of 7 total)

You must be logged in to reply to this topic. Login to reply