My first blog post, "How to create better passwords - why bother?!", back in December 2005, tried to briefly summarize my thoughts and comments on the most commonly accepted way of identifying yourself - passwords.
Bill Gates commented on the issue, and note where: at the RSA Conference, hosted by perhaps the company most actively building awareness of the potential and need for two-factor authentication, or anything other than static passwords, for access control purposes. Moreover, it was again Bill Gates who wanted to integrate the Belgian eID card with MSN Messenger (Anonymity or Privacy on the Internet?). Microsoft is always reinventing the wheel, be it with antivirus or its Passport service, and while it has financial obligations to its stakeholders, I feel it's the wrong approach on the majority of occasions.
What I wonder is, are they forgetting the fact that over 95% of the PCs out there run Microsoft Windows, and not Vista, and how many would continue to do so, polluting the Internet at the bottom line? My point is that MS's constant rush towards "the next big thing" doesn't actually provide them with the resources to tackle some of the current problems, at least in a timely manner. What do you think? What could Microsoft do to actually influence the acceptance of two-factor authentication, and, moreover, how feasible is the concept at the bottom line?
Technorati tags :
security, microsoft, authentication, passwords
In the overwhelming sea of information, access to timely, insightful and independent open-source intelligence (OSINT) analyses is crucial for maintaining the situational awareness needed to stay on top of emerging security threats. This blog covers trends and fads, tactics and strategies, intersecting with third-party research, speculation and real-time CYBERINT assessments, all packed with sarcastic attitude.
Showing posts with label Authentication. Show all posts
Thursday, February 16, 2006
The end of passwords - for sure, but when?
Tags:
Authentication,
Best Practices,
eID,
Hacking,
Information Security,
Instant Messaging,
MSN,
Passwords,
Security,
Two-Factor Authentication
Independent Security Consultancy, Threat Intelligence Analysis (OSINT/Cyber Counter Intelligence) and Competitive Intelligence research on demand. Insightful, unbiased, and client-tailored assessments, neatly communicated in the form of interactive reports - because anticipating the emerging threatscape is what shapes the big picture at the end of the day. Approach me at dancho.danchev@hush.com
Wednesday, December 07, 2005
How to create better passwords - why bother?!
I recently came across a practical article on how to create better passwords, courtesy of CSO Magazine. It reminded me of how many times I find myself actually getting into the science of password maintenance and creation in order to enforce real-life, cost-effective scenarios, while on the other hand getting seriously concerned at how easy it is to have your accounting data abused!
Over the years I have written several articles, like this one - Creating and Maintaining Strong Passwords - mainly with the idea of providing a pragmatic approach to tackling weak, easily cracked passwords. The result, at least from a sniffing point of view *grin*, was that most of my friends lacking security knowledge did get concerned about their easy-to-guess passwords. Later on, they turned them into entire passphrases with the idea of avoiding having them cracked. That's an example of a "false feeling of security".
And while that was progress compared to how predictable their passwords really were, strong passwords don't address the following issues, which I later covered in another article - Passwords - Common Attacks and Possible Solutions - namely, that passwords can be:
- Sniffed
- Recovered
- Unintentionally shared
- Keylogged
- etc.
Recently, both from a CSO's point of view and in the financial industry, two-factor authentication has been gaining a lot of acceptance, in my opinion primarily because of its tangibility. It greatly improves the authentication process, given the integrity of the system and the network itself. And while from an organization's or bank's point of view, providing tokens to the entire workforce would represent a huge investment, I strongly feel that prioritizing important customers and executives will play an important role.
On October 12, 2005, the Federal Financial Institutions Examination Council released its guidance, Authentication in an Internet Banking Environment, thereby mandating authentication approaches more advanced than passwords alone.
Would it work? I doubt it, but it limits the age-old attacks we are so used to seeing against passwords.
Bruce Schneier has been discussing the dangers of the two-factor authentication buzz, and as far as online banking is concerned, Candid Wüest has written a very good paper on Today's threats to online banking; the techniques discussed fully apply to any type of authentication. Passwords aside, even two-factor authentication has its good and bad sides when it comes to end users' awareness, implementation and configuration.
What are the practical alternatives these days?
Password Safe is a bit impractical (though it still works for lots of people out there) in today's interconnected world; an HDD crash, for instance, would cause a lot of trouble for everyone, not to mention the "availability" of the data. Just1Key seems to solve this problem to a certain extent. I also recommend you verify the strength of your passwords by taking advantage of the Password Strength Meter. ComputerWeekly is also running an article, "Security: have passwords had their day?". They sure haven't, at least not on a large scale, the way I've always wanted to see it - One-Time Passwords In Everything! Check out RSA's One-Time Password Specifications; the concept in itself has the time-frame advantage!
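As an added illustration of why one-time passwords blunt the sniffing and keylogging attacks listed above, here is an S/KEY-style hash-chain OTP of the kind OPIE ("One-time Passwords In Everything") implements. This is example code written for this page, not code from the original post, from OPIE or from RSA's specifications; the class and function names, the use of SHA-256 (OPIE itself uses MD5/SHA-1 chains) and the sample passphrase are my own choices. The server stores only the last accepted chain value, never the passphrase, so a captured OTP can neither be replayed nor hashed into the next valid one.

```python
# Added example (not from the original post): an S/KEY-style one-time
# password chain, the scheme OPIE ("One-time Passwords In Everything")
# implements. The server stores only the most recently accepted chain value,
# never the passphrase, so a sniffed or keylogged OTP cannot be replayed and
# cannot be hashed forward into the next valid OTP. Names are illustrative.
import hashlib
import hmac
import secrets


def _h(data: bytes) -> bytes:
    """One step of the hash chain (OPIE uses MD5/SHA-1; SHA-256 chosen here)."""
    return hashlib.sha256(data).digest()


def otp_at(passphrase: str, seed: str, n: int) -> bytes:
    """n-th chain value H^n(passphrase || seed). n=0 is the secret itself."""
    value = (passphrase + seed).encode()
    for _ in range(n):
        value = _h(value)
    return value


class OtpServer:
    """Holds the chain anchor H^counter(secret) and how many OTPs remain."""

    def __init__(self, seed: str, anchor: bytes, counter: int):
        self.seed = seed
        self.anchor = anchor
        self.counter = counter

    def challenge(self):
        """Ask the client for chain value number counter-1, plus the seed."""
        return self.counter - 1, self.seed

    def verify(self, otp: bytes) -> bool:
        """Accept otp iff H(otp) == anchor; otp then becomes the new anchor."""
        if self.counter <= 1:
            # H^0 would be the secret itself: chain exhausted, re-enrol.
            return False
        if hmac.compare_digest(_h(otp), self.anchor):
            self.anchor = otp
            self.counter -= 1
            return True
        return False


def enroll(passphrase: str, chain_length: int = 100) -> OtpServer:
    """Client computes H^N(secret) once; only that value reaches the server."""
    seed = secrets.token_hex(8)
    return OtpServer(seed, otp_at(passphrase, seed, chain_length), chain_length)


def demo(passphrase: str = "correct horse battery staple") -> dict:
    """Legit login, then two things a sniffer/keylogger would try, then a
    second legit login. Returns the outcome of each step."""
    server = enroll(passphrase, chain_length=10)

    n, seed = server.challenge()
    captured = otp_at(passphrase, seed, n)      # what a sniffer/keylogger sees
    first_login = server.verify(captured)

    # Attack 1: replay the captured OTP verbatim.
    replay = server.verify(captured)
    # Attack 2: hash the captured OTP forward, hoping to land on a valid one.
    forward = server.verify(_h(captured))

    # The real user answers the next challenge with the preimage H^(n-1),
    # which only the passphrase holder can compute.
    n2, _ = server.challenge()
    second_login = server.verify(otp_at(passphrase, seed, n2))

    return {
        "first_login": first_login,
        "replay_rejected": not replay,
        "forward_hash_rejected": not forward,
        "second_login": second_login,
        "remaining": server.counter,
    }


if __name__ == "__main__":
    for step, result in demo().items():
        print(f"{step}: {result}")
```

The caveat matches the "given the integrity of the system" qualifier above: the chain protects the wire and the login prompt, but if the passphrase is typed into an OTP calculator running on the same keylogged machine, the attacker gets the whole chain. The calculator belongs on a separate device, which is exactly what a hardware token buys you.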
Further reading on the topic can be found at :
Tags:
Authentication,
Best Practices,
Brute-Forcing,
Hacking,
Keylogger,
Malicious Software,
One-Time Passwords In Everything,
OPIE,
Passwords,
Security,
Sniffing,
Two-Factor Authentication