DailyDirt: Is It Time To Change Your Passwords (Again)?
from the urls-we-dig-up dept
Passwords are an everyday part of life now, but so are stories of millions of people having their login credentials stolen. It’s easy to say that everyone should use better passwords, but how many people really want to remember to constantly change their passwords or get a 2-factor authentication call regularly just to check their emails? Sure, there are some systems that make it a bit easier to deal with 2-factor authentication, but the vast majority of users don’t want to be bothered with the hassle at all. Here are just a few more security-related links to push you into re-thinking password laziness.
- A password like “MargaretThatcheris110%SEXY” isn’t that secure against offline high-speed password cracking. Humans are really bad at making up random passwords, but that’s what you need to do to maximize the security of your passwords. So we’re back to suggestions like “correct horse battery staple” and other random (and long) passwords. [url]
- If only ransomware used weak passwords to decrypt files, maybe some folks wouldn’t be so inconvenienced. But if you’re a victim of a ransomware scheme, there’s at least one decryption program from Kaspersky Lab that might help you out. [url]
- Windows 10 is going to support biometric logins using face recognition, iris detection and fingerprint scanners. Does anyone think this is really a significant advancement? The challenge of using various biometric systems doesn’t seem like a solved problem just yet. [url]
Comments on “DailyDirt: Is It Time To Change Your Passwords (Again)?”
Step 1: Create a master password using Diceware.
Step 2: Create a password safe using said password.
Step 3: Randomly generate unique web passwords.
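The Diceware step above (and the "correct horse battery staple" advice behind the post's first link) comes down to picking words by dice roll from a fixed list so that every word carries log2(list size) bits of entropy. The following is an added Python example, not code from the original comment or from the Diceware project: it rolls dice with the `secrets` module, looks the rolls up in a Diceware-format wordlist, and reports the entropy and the brute-force time at an assumed offline guessing rate. The embedded 36-word list (two dice per word) is constructed for the demo so the script runs offline; `load_wordlist()` reads a real five-dice list if you have one.

```python
import math
import secrets
from typing import Dict

# Constructed demo list keyed by two dice rolls ("11".."66" -> 36 words).
# A real Diceware list is keyed by five rolls ("11111".."66666" -> 7776 words).
_DEMO_WORDS = (
    "acid alarm bake bark cage calm dawn deck echo edge fang farm gale gift "
    "hail harp iron ivy jade jam kelp kite lamp lava mask mint nail nest oak "
    "opal palm pear quiz rain reef sage"
).split()


def demo_wordlist() -> Dict[str, str]:
    """Return the constructed 36-word list keyed by two dice digits."""
    keys = [f"{a}{b}" for a in "123456" for b in "123456"]
    return dict(zip(keys, _DEMO_WORDS))


def load_wordlist(path: str) -> Dict[str, str]:
    """Parse a Diceware-format file: one '<dice key> <word>' pair per line."""
    words: Dict[str, str] = {}
    with open(path, encoding="utf-8") as fh:
        for line in fh:
            parts = line.split()
            if len(parts) == 2 and set(parts[0]) <= set("123456"):
                words[parts[0]] = parts[1]
    return words


def roll_key(n_dice: int) -> str:
    """Roll n_dice fair dice using the OS CSPRNG; never random.random()."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n_dice))


def diceware_passphrase(wordlist: Dict[str, str], n_words: int = 6) -> str:
    """Pick n_words independent words; each roll selects exactly one entry."""
    n_dice = len(next(iter(wordlist)))
    if len(wordlist) != 6 ** n_dice:
        raise ValueError("wordlist must have exactly 6**n_dice entries")
    return " ".join(wordlist[roll_key(n_dice)] for _ in range(n_words))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of a passphrase of n_words uniform picks from list_size words."""
    return n_words * math.log2(list_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust 2**bits guesses at the given offline rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    wl = demo_wordlist()
    print("demo passphrase:", diceware_passphrase(wl, 5))
    # Assumed attacker rate for illustration: 1e10 guesses/second against a fast hash.
    for size, words in ((36, 5), (7776, 4), (7776, 6)):
        bits = entropy_bits(size, words)
        print(f"{words} words from {size}: {bits:.1f} bits, "
              f"{crack_time_seconds(bits, 1e10) / 86400:.1f} days worst case")
```

The "correct horse battery staple" shape (four words from 7776) yields about 51.7 bits; six words from the same list pushes that to roughly 77.5 bits, which is why the comment's master password should be the longer form. The entropy figure only holds if the words are chosen by dice or a CSPRNG, never by a human picking "random" words.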
Step 0: Buy a new computer and install a sig verified Linux iso, selecting full disk installation and using another diceware password.
*full disk encryption
Full-disk encryption won’t protect you from most attacks. They most often occur when your system’s operating normally and decrypting the disk for the attacker. It only protects you against physical theft of the drive or, in hosted data centers, access to the physical drives your volumes reside on. I’d only use it on a mobile device that was at a relatively high risk of being stolen.
Why not in a hosted data center? Because there’s the issue of how your host gets the decryption key during startup so it can mount the volume. All practical methods allow the attacker to get the plaintext key if he could access the encrypted volume, so it might as well not be encrypted. If it’s not encrypted, nobody gets fooled into thinking it’s secured against things it isn’t.
Re: Re: Re: Re:
A tool for its purpose. Full disk encryption has its worth. I’d also use it on desktop in case some bogus investigation has police wanting to snoop through my private files.
Re: Re: Re:2 Re:
Or to protect you in the case of theft (of your cellphone, laptop, or desktop system).
That biometric business sounds like a great way to benefit the snoops.
What I'd like to see
Is the ability to use a captcha-like image AS a password. How many characters does even a small PNG represent?
Enough that even high speed offline decryption is going to stumble over even a single password, let alone an entire ISP worth.
Bandwidth is cheap these days, and you could easily drag and drop a picture chosen from your photo album into the password field. Only you’d know which picture (out of thousands, tens of thousands, even millions) is the password and since it’s one of your pictures, not something chosen from a server menu, it’s even more unique.
It wouldn’t even need to be a picture. It could be a music file, a PDF, even your favorite ebook in plain text.
The file extension could be an added security measure — Suppose you only had GIFs in your album, and the server is expecting a PNG? How many hackers will know to convert your password image to another format even if they know what image you use?
Re: What I'd like to see
That’s basically a shared secret. If you want to do that, run it through sha1sum and use that as your password. It’s secure as long as nobody else has the picture. “Millions” is an extremely low bar for password strength, though, and the system should be considered broken if anyone gets access to your image set. You’d be better off with a password manager (less worry about accidentally posting or deleting your password, with less metadata generated–e.g. thumbnails); the only downside is that malware will obviously want to target the well-known ones.
If they know which image it is, it’s an obvious thing to try–especially since you’ve posted the idea in public, and there are only a few common formats. It’s little more than security through obscurity. Plus, unless the server has some intelligence, it’ll break when you upgrade your PNG encoder. If the server’s going to have intelligence it’d be better off implementing TOTP or some kind of PKI.
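The reply above points at TOTP as the better server-side option, and a later comment mentions key-fob tokens, which are the same idea in hardware. As an added Python example (not code from the commenter or from any particular library), here is RFC 4226 HOTP and RFC 6238 TOTP built on the standard library's `hmac`, plus a verifier that tolerates one step of clock drift and refuses to accept a code for a counter it has already consumed. The shared secret below is the RFC test-vector key, used so the output can be checked against the published tables; a real deployment generates a random per-user secret.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# RFC 4226 / RFC 6238 test-vector secret (ASCII "12345678901234567890").
RFC_TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, digestmod=hashlib.sha1) -> str:
    """RFC 4226: HMAC over the 8-byte big-endian counter, then dynamic truncation."""
    if counter < 0:
        raise ValueError("counter must be non-negative")
    mac = hmac.new(secret, struct.pack(">Q", counter), digestmod).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6,
         digestmod=hashlib.sha1) -> str:
    """RFC 6238: HOTP with the counter derived from the time step."""
    return hotp(secret, unix_time // step, digits, digestmod)


class TotpVerifier:
    """Server-side check: accept +/-window steps, reject replay of a used counter."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter: Optional[int] = None  # highest counter already accepted

    def check(self, submitted: str, unix_time: Optional[int] = None) -> bool:
        if unix_time is None:
            unix_time = int(time.time())
        base = unix_time // self.step
        for drift in range(-self.window, self.window + 1):
            counter = base + drift
            if counter < 0:
                continue
            # A counter at or below the last accepted one is a replay.
            if self.last_counter is not None and counter <= self.last_counter:
                continue
            expected = hotp(self.secret, counter, self.digits)
            # Constant-time comparison so timing does not leak matching digits.
            if hmac.compare_digest(expected, submitted):
                self.last_counter = counter
                return True
        return False


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(RFC_TEST_SECRET, 0))          # RFC 4226 table: 755224
    print("TOTP at t=59 :", totp(RFC_TEST_SECRET, 59, digits=8))  # RFC 6238 table: 94287082
    v = TotpVerifier(RFC_TEST_SECRET)
    print("now:", totp(RFC_TEST_SECRET, int(time.time())))
```

The replay guard is the part most home-grown implementations skip: without `last_counter`, a code sniffed in transit (the weakness the thread keeps returning to) stays valid for the whole acceptance window instead of for a single login.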
Re: Re: What I'd like to see
Ten people take a picture of the same thousand locations. The spot they are standing on is different by an inch each. The angle they are looking at is different by a degree each.
Each picture will be different enough to count as a totally different image if used as a password.
Yes, a million is a low bar when guessing a password but that’s a million per person on the planet, and that assumes that each of those people on the planet takes absolutely identical pictures with absolutely identical cameras of absolutely identical things under absolutely identical conditions at absolutely identical times and then picks exactly the same pictures to keep on their phone.
Somehow, I suspect the number that results will be a lot higher than one in a million.
Re: What I'd like to see
Your suggestion has merit, but it’s no panacea. In effect, the image (or song, or whatever) is no different than any other password except that it’s a LOT longer — and longer passwords are better passwords.
But it still suffers many of the other weaknesses of passwords, of course, since it’s really just a password. These weaknesses include the ability to be sniffed or copied, etc.
It also has a usability problem in that you have to have the image/song/whatever file with you to log in.
I think a better solution is to use authentication certs, although that shares the problem of having to supply a file to log in.
Re: Re: What I'd like to see
My solution was an idea for how to generate a long enough, random enough password to be problematic for a brute force attempt to get through, yet still be simple enough for users to remember.
All the usual measures applied to password security can also be applied to the idea, and who says it has to be your only line of defense?
People use key fob tokens now as an added security measure. The same goes for master password devices. Both are something you need to have with you to login.
I always like KeePass as a way of generating long, random passwords to keep things secure.
I certainly don’t. The state of the technology is such that none of these schemes are terribly secure — certainly nowhere near as secure as a reasonably chosen password.
Using them to unlock your cell phone is reasonable, since most of the unlock screens on cell phones aren’t very secure anyway so there’s no net reduction in security.
Using them in situations where you want strong security (such as logins) is just begging for trouble.