I have recently come across a practical article on
how to create better passwords, courtesy of
CSO Magazine.
It reminded me of how many times I find myself actually getting into
the science of password maintenance and creation in order to enforce
real-life, cost-effective scenarios, while on the other hand getting
seriously concerned about how
easy it is to have your accounting data abused!
Over the years I have written several articles, like this one -
Creating and Maintaining Strong Passwords,
mainly with the idea of providing a pragmatic approach to
tackling weak, easily cracked passwords. The result, at least
from a sniffing point of view *grin*, was that most of my friends lacking
security knowledge were indeed getting concerned about their easy-to-guess
passwords. Later on, they were turning them into entire
passphrases with the idea of avoiding having them cracked. That's an
example of a "false feeling of security".
And while it was
progress compared to how predictable their passwords really were, strong
passwords don't address the following issues, which I later covered
in another article -
Passwords - Common Attacks and Possible Solutions; namely, passwords can be:
- Sniffed
- Recovered
- Unintentionally shared
- Keylogged
- etc.
Recently, both from a CSO's point of view and from the financial industry's,
two-factor authentication
has been gaining a lot of acceptance, in my opinion primarily because of
its tangibility. It greatly improves the authentication process, given
the integrity of the system and of the network itself. And while from an
organization's or bank's point of view providing tokens to the entire
workforce would represent a huge investment, I strongly feel
prioritizing important customers and executives will play
an important role.
Would it work? I doubt it, but it limits the age-old attacks we are so used to seeing with respect to passwords.
What are the practical alternatives these days?
Password Safe
is a bit impractical (it still works for lots of people out there) in
today's interconnected world; an HDD crash, for instance, would
cause a lot of trouble for everyone, not to mention the "availability"
of the data.
Just1Key
seems to solve this problem to a certain extent. I also recommend you
verify the strength of your passwords by taking advantage of the
Password Strength Meter. ComputerWeekly is also running an article, "
Security: have passwords had their day?".
They sure haven't, at least not on a large scale, the way I've always
wanted to see it - One Time Passwords in Everything! Check out
RSA's One-Time Password Specifications; the concept in itself has the time frame advantage!
Further reading on the topic can be found at :