
DailyDirt: Is It Time To Change Your Passwords (Again)?

from the urls-we-dig-up dept

Passwords are an everyday part of life now, but so are stories of millions of people having their login credentials stolen. It's easy to say that everyone should use better passwords, but how many people really want to remember to constantly change their passwords or get a 2-factor authentication call regularly just to check their emails? Sure, there are some systems that make it a bit easier to deal with 2-factor authentication, but the vast majority of users don't want to be bothered with the hassle at all. Here are just a few more security-related links to push you into re-thinking password laziness. After you've finished checking out those links, take a look at our Daily Deals for cool gadgets and other awesome stuff.

Reader Comments



  • Anonymous Coward, 22 Apr 2015 @ 5:34pm

    Step 1: Create a master password using Diceware.

    Step 2: Create a password safe using said password.

    Step 3: Randomly generate unique web passwords.

    Step 0: Buy a new computer and install a sig verified Linux iso, selecting full disk installation and using another diceware password.

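As an added example (not part of the thread), here is the mechanics behind Step 1: a five-dice roll selects one of the 6^5 = 7776 Diceware words, the dice come from the OS CSPRNG, and the passphrase entropy is words times log2(7776), about 12.9 bits per word. The stand-in word list and the function names are the example's own constructions; a real deployment loads the published Diceware list.

```python
import math
import secrets

DICEWARE_LIST_SIZE = 6 ** 5  # the real Diceware list has 7776 words, one per five-dice roll


def roll_dice(n: int = 5) -> tuple:
    """n fair dice drawn from the OS CSPRNG (never random.random for secrets)."""
    return tuple(secrets.randbelow(6) + 1 for _ in range(n))


def dice_to_index(roll) -> int:
    """Map a roll such as (3, 1, 4, 1, 5) to its position 0..7775 (base-6 digits)."""
    index = 0
    for face in roll:
        index = index * 6 + (face - 1)
    return index


def passphrase(wordlist, words: int = 6, sep: str = " ") -> str:
    """Pick `words` entries by rolling dice; the list must hold one word per roll."""
    if len(wordlist) != DICEWARE_LIST_SIZE:
        raise ValueError("Diceware needs exactly 7776 words")
    return sep.join(wordlist[dice_to_index(roll_dice())] for _ in range(words))


def entropy_bits(words: int, list_size: int = DICEWARE_LIST_SIZE) -> float:
    """Entropy of a uniformly chosen passphrase: words * log2(list size)."""
    return words * math.log2(list_size)


# Constructed stand-in list (placeholder strings), sized like the real one.
DEMO_WORDLIST = [f"word{i:04d}" for i in range(DICEWARE_LIST_SIZE)]

if __name__ == "__main__":
    print(passphrase(DEMO_WORDLIST), f"({entropy_bits(6):.1f} bits)")
```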

    • Anonymous Coward, 22 Apr 2015 @ 5:35pm

      Re:

      *full disk encryption


      • TKnarr (profile), 22 Apr 2015 @ 5:46pm

        Full-disk encryption won't protect you from most attacks. They most often occur when your system's operating normally and decrypting the disk for the attacker. It only protects you against physical theft of the drive or, in hosted data centers, access to the physical drives your volumes reside on. I'd only use it on a mobile device that was at a relatively high risk of being stolen.

        Why not in a hosted data center? Because there's the issue of how your host gets the decryption key during startup so it can mount the volume. All practical methods allow the attacker to get the plaintext key if he could access the encrypted volume, so it might as well not be encrypted. If it's not encrypted, nobody gets fooled into thinking it's secured against things it isn't.


        • Anonymous Coward, 22 Apr 2015 @ 6:00pm

          Re:

          It only protects you against physical theft of the drive or, in hosted data centers, access to the physical drives your volumes reside on. I'd only use it on a mobile device that was at a relatively high risk of being stolen.

          A tool for its purpose. Full disk encryption has its worth. I'd also use it on desktop in case some bogus investigation has police wanting to snoop through my private files.


  • Anonymous Coward, 22 Apr 2015 @ 6:22pm

    that biometric business sounds like a great way to benefit the snoops.


  • Bergman (profile), 22 Apr 2015 @ 8:50pm

    What I'd like to see

    Is the ability to use a captcha-like image AS a password. How many characters does even a small PNG represent?

    Enough that even high speed offline decryption is going to stumble over even a single password, let alone an entire ISP worth.

    Bandwidth is cheap these days, and you could easily drag and drop a picture chosen from your photo album into the password field. Only you'd know which picture (out of thousands, tens of thousands, even millions) is the password and since it's one of your pictures, not something chosen from a server menu, it's even more unique.

    It wouldn't even need to be a picture. It could be a music file, a PDF, even your favorite ebook in plain text.

    The file extension could be an added security measure -- Suppose you only had GIFs in your album, and the server is expecting a PNG? How many hackers will know to convert your password image to another format even if they know what image you use?


    • Anonymous Coward, 22 Apr 2015 @ 9:16pm

      Re: What I'd like to see

      you could easily drag and drop a picture chosen from your photo album into the password field. Only you'd know which picture (out of thousands, tens of thousands, even millions) is the password and since it's one of your pictures, not something chosen from a server menu, it's even more unique.

      That's basically a shared secret. If you want to do that, run it through sha1sum and use that as your password. It's secure as long as nobody else has the picture. "Millions" is an extremely low bar for password strength, though, and the system should be considered broken if anyone gets access to your image set. You'd be better off with a password manager (less worry about accidentally posting or deleting your password, with less metadata generated--e.g. thumbnails); the only downside is that malware will obviously want to target the well-known ones.

      The file extension could be an added security measure -- Suppose you only had GIFs in your album, and the server is expecting a PNG? How many hackers will know to convert your password image to another format even if they know what image you use?

      If they know which image it is, it's an obvious thing to try--especially since you've posted the idea in public, and there are only a few common formats. It's little more than security through obscurity. Plus, unless the server has some intelligence, it'll break when you upgrade your PNG encoder. If the server's going to have intelligence it'd be better off implementing TOTP or some kind of PKI.

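As an added example (not from any commenter), this shows the "run it through sha1sum" scheme together with the "it'll break when you upgrade your PNG encoder" objection: a minimal PNG writer saves the same constructed pixels at two zlib compression levels, the decoded pixel data is identical, yet the file-derived password differs. SHA-256 stands in for SHA-1, and the image, the writer and the function names are the example's own assumptions.

```python
import hashlib
import struct
import zlib


def _chunk(ctype: bytes, data: bytes) -> bytes:
    """One PNG chunk: 4-byte big-endian length, type, data, CRC32 over type+data."""
    crc = zlib.crc32(ctype + data) & 0xFFFFFFFF
    return struct.pack(">I", len(data)) + ctype + data + struct.pack(">I", crc)


def encode_png(rgb: bytes, width: int, height: int, level: int = 6) -> bytes:
    """Minimal 8-bit RGB PNG writer (filter type 0 on every scanline).

    `level` is the zlib compression level; two encoders that disagree on it
    emit different bytes for identical pixels, which is all a file hash sees.
    """
    row = width * 3
    raw = b"".join(b"\x00" + rgb[y * row:(y + 1) * row] for y in range(height))
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    return (b"\x89PNG\r\n\x1a\n"
            + _chunk(b"IHDR", ihdr)
            + _chunk(b"IDAT", zlib.compress(raw, level))
            + _chunk(b"IEND", b""))


def decode_scanlines(png: bytes) -> bytes:
    """Walk the chunks, join the IDAT payloads and inflate them (filter bytes + pixels)."""
    pos, idat = 8, b""
    while pos < len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        if ctype == b"IDAT":
            idat += png[pos + 8:pos + 8 + length]
        pos += 12 + length  # length + type + data + crc
    return zlib.decompress(idat)


def file_password(data: bytes) -> str:
    """The commenter's scheme: hex digest of the file bytes as the password (SHA-256 here)."""
    return hashlib.sha256(data).hexdigest()


# Constructed 4x4 gradient standing in for "a picture from your album".
WIDTH = HEIGHT = 4
PIXELS = bytes(v for y in range(HEIGHT) for x in range(WIDTH) for v in (x * 60, y * 60, 128))
ORIGINAL = encode_png(PIXELS, WIDTH, HEIGHT, level=1)  # the file as first saved
RESAVED = encode_png(PIXELS, WIDTH, HEIGHT, level=9)   # same pixels, "upgraded" encoder


def same_pixels_different_password() -> bool:
    """True when the pixel data matches but the derived passwords do not."""
    return (decode_scanlines(ORIGINAL) == decode_scanlines(RESAVED)
            and file_password(ORIGINAL) != file_password(RESAVED))
```

A server that wants to accept "the same picture" after a re-save would have to decode and hash pixels rather than file bytes, which is the "intelligence" the commenter says would be better spent on TOTP or PKI.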

      • Bergman (profile), 25 Apr 2015 @ 5:24pm

        Re: Re: What I'd like to see

        Ten people take a picture of the same thousand locations. The spot they are standing on is different by an inch each. The angle they are looking at is different by a degree each.

        Each picture will be different enough to count as a totally different image if used as a password.

        Yes, a million is a low bar when guessing a password but that's a million per person on the planet, and that assumes that each of those people on the planet takes absolutely identical pictures with absolutely identical cameras of absolutely identical things under absolutely identical conditions at absolutely identical times and then picks exactly the same pictures to keep on their phone.

        Somehow, I suspect the number that results will be a lot higher than one in a million.


    • John Fenderson (profile), 23 Apr 2015 @ 10:30am

      Re: What I'd like to see

      Your suggestion has merit, but it's no panacea. In effect, the image (or song, or whatever) is no different than any other password except that it's a LOT longer -- and longer passwords are better passwords.

      But it still suffers many of the other weaknesses of passwords, of course, since it's really just a password. These weaknesses include the ability to be sniffed or copied, etc.

      It also has a usability problem in that you have to have the image/song/whatever file with you to log in.

      I think a better solution is to use authentication certs, although that shares the problem of having to supply a file to log in.


      • Bergman (profile), 25 Apr 2015 @ 5:28pm

        Re: Re: What I'd like to see

        My solution was an idea for how to generate a long enough, random enough password to be problematic for a brute force attempt to get through, yet still be simple enough for users to remember.

        All the usual measures applied to password security can also be applied to the idea, and who says it has to be your only line of defense?

        People use key fob tokens now as an added security measure. The same goes for master password devices. Both are something you need to have with you to login.


  • RadioactiveSmurf (profile), 23 Apr 2015 @ 6:16am

    I always like KeePass as a way of generating long, random passwords to keep things secure.


  • John Fenderson (profile), 23 Apr 2015 @ 10:23am

    Biometric logins

    Does anyone think this is really a significant advancement?


    I certainly don't. The state of the technology is such that none of these schemes are terribly secure -- certainly nowhere near as secure as a reasonably chosen password.

    Using them to unlock your cell phone is reasonable, since most of the unlock screens on cell phones aren't very secure anyway so there's no net reduction in security.

    Using them in situations where you want strong security (such as logins) is just begging for trouble.


