Managing Passwords

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 714311

    Comments posted to this topic are about the item Managing Passwords

  • phonetictalk

    Hall of Fame

    Points: 3572

    Thanks for spreading the word about Troy Hunt's excellent set of recommendations to a wider audience. The more people who read it, the better. I get so frustrated when a service requires that I shorten my password, or when it requires special characters, and then tells me that the special characters I'm using are not acceptable, and I must pick from a more limited selection.

    Leonard
    Madison, WI

  • Eric M Russell

    SSC Guru

    Points: 124951

    We use a product called SecretServer to manage our service account passwords, certificates, etc. across the enterprise. It also has a web service based API for integration with PowerShell scripts and CI tools.

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Ed Wagner

    SSC Guru

    Points: 286950

    I use a password manager to keep track of my passwords.  There's no API or anything else.  Because I have so many different accounts, I try to keep management of them simple.  I tried to keep track of them in my head, but I think it reached critical mass and I started forgetting them, especially the ones I don't use frequently.

    It seems that no matter what protection scheme people come up with, the hackers are already working on it.  Even Apple's biometric lock (touted as the greatest thing since sliced bread) was broken in all of 8 days.  2FA is a good approach for now, but also comes with a convenience factor.

    Authentication has always been, and will probably continue to be, a big challenge.

  • TomThomson

    SSC Guru

    Points: 104707

    Nice to see Troy Hunt's paper, but it's disappointing that such a paper is still needed.   What he is saying has been well understood for more than a quarter of a century, nonsense like "don't keep passwords in a file, even with a seriously safe pass phrase" has been derided since before the WWW existed.   There were already hordes of people advocating the elimination of all rules requiring frequent password changes and all rules based on unproven theories about what passwords could contain (as opposed to the practical - in the early 1980s - rule that if the monthly check using the most recent version of whatever cracker was in vogue broke a password that password wasn't acceptable) back in the days when the passwords were for connections within the enterprise, not internet connections.  The infamous "password must be between 6 and 10 characters long" game was regarded as insanity as soon as internet commerce began to happen.

    The sad thing is that so many of the big service providers STILL fail to understand this - for example BT still makes it as difficult as possible to change one's email password, including a rule that prevents pasting the new password, despite having been advised by very many competent people that this is utterly stupid and reduces security and having had the NCSC advice on this topic pointed out to them by hundreds of people.  (As BT uses Yahoo as the email provider for a large number of their customers, those customers are privileged compared to others - they have a pretty civilised way of changing email passwords - I guess BT haven't realised that being more security-stupid for email than Yahoo is makes it clear that they are incompetent).  I imagine that there is plenty of similar stupidity about security on the western side of the pond, not just here.

    Tom

  • Eric M Russell

    SSC Guru

    Points: 124951

    Think about it for a moment. From what I've seen, the root of most massive high profile data breaches are not the result of cracked or weak passwords, but rather networks, websites, or end points left completely unsecured. Two factor authentication, biometrics, and other more advanced methods of authentication do nothing to mitigate the following:

    - Unencrypted point-of-sale wifi networks that broadcast credit card information as clear text
    - Cloud databases loaded with production data for development purposes and left open to the public
    - SQL injection
    - Lost or stolen backups
    - Trojan horses and phishing schemes targeting corporate PCs without firewall or anti-virus protection
    - Whistleblowers, anarchists, corporate spies and other trusted insiders who abuse their elevated privilege by leaking data

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Steve Jones - SSC Editor

    SSC Guru

    Points: 714311

    I agree in many cases, but there are certainly issues where someone gets a breach from company X and then cracks weak passwords used elsewhere. Plenty of secondary attacks do come when someone uses the same password in multiple places.

    We do need better security overall, and an avoidance of the silly "development systems left unsecured".

  • TomThomson

    SSC Guru

    Points: 104707

    Eric M Russell - Thursday, August 3, 2017 8:46 AM

    Think about it for a moment. From what I've seen, the root of most massive high profile data breaches are not the result of cracked or weak passwords, but rather networks, websites, or end points left completely unsecured. Two factor authentication, biometrics, and other more advanced methods of authentication do nothing to mitigate the following:

    - Unencrypted point-of-sale wifi networks that broadcast credit card information as clear text
    - Cloud databases loaded with production data for development purposes and left open to the public
    - SQL injection
    - Lost or stolen backups
    - Trojan horses and phishing schemes targeting corporate PCs without firewall or anti-virus protection
    - Whistleblowers, anarchists, corporate spies and other trusted insiders who abuse their elevated privilege by leaking data

    Your first three problems indicate incompetence on the part of whoever designed, built, and tested the system. The fourth, lost or stolen backups, won't reveal any passwords as long as passwords are not stored (only a hash is stored, and perhaps a seed for the hash is stored encrypted) and people are using decent passwords (which entails the users using password managers of some sort and the website permitting paste into password fields, in accordance with guidance given by NCSC and NIST);  and if it reveals confidential information that's because the site either doesn't bother to encrypt data that should be properly secured or doesn't separate the backups of the data from backups of the keys (or manages to lose both together - which is unlikely if the two backups are properly separated, ideally held on different sites).  The fifth is back to corporate incompetence - what else could cause corporate PCs without firewalls and antivirus?  But there is something very like the fifth, which is attacks not on corporate PCs but on a user's PC - that is a genuine concern, but it doesn't result in a massive high-profile data breach unless that user has information on his PC that gives access to a massive quantity of highly sensitive data on his PC.
    The sixth is a genuine problem that can't really be avoided, I don't think there is any recruitment method that can guarantee to recruit only people who can be trusted.

    Tom
