DailyDirt: Is It Time To Change Your Passwords (Again)?
from the urls-we-dig-up dept
Passwords are an everyday part of life now, but so are stories of millions of people having their login credentials stolen. It's easy to say that everyone should use better passwords, but how many people really want to remember to constantly change their passwords or get a 2-factor authentication call regularly just to check their emails? Sure, there are some systems that make it a bit easier to deal with 2-factor authentication, but the vast majority of users don't want to be bothered with the hassle at all. Here are just a few more security-related links to push you into re-thinking password laziness.
- A password like "MargaretThatcheris110%SEXY" isn't that secure against offline high-speed password cracking. Humans are really bad at making up random passwords, but that's what you need to do to maximize the security of your passwords. So we're back to suggestions like "correct horse battery staple" and other random (and long) passwords. [url]
- If only ransomware used weak passwords to decrypt files, maybe some folks wouldn't be so inconvenienced. But if you're a victim of a ransomware scheme, there's at least one decryption program from Kaspersky Lab that might help you out. [url]
- Windows 10 is going to support biometric logins using face recognition, iris detection and fingerprint scanners. Does anyone think this is really a significant advancement? The challenge of using various biometric systems doesn't seem like a solved problem just yet. [url]
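To make the "random and long beats clever" point concrete, here is an added example (not part of the Techdirt post) that generates a diceware-style passphrase with a cryptographic RNG and puts a number on its strength. The word list is a constructed stand-in, the 7776-word list size and the 10^11 guesses/second cracking rate are assumed figures, and the strength is reported as bits of entropy and expected offline cracking time.

```python
import math
import secrets

# Constructed stand-in word list; a real diceware list has 7776 words.
WORDLIST = [
    "correct", "horse", "battery", "staple", "anchor", "velvet",
    "orbit", "cactus", "lantern", "meadow", "quartz", "tundra",
]

DICEWARE_LIST_SIZE = 7776        # assumed: standard 6^5 diceware list
PRINTABLE_ASCII = 95             # printable ASCII characters
ASSUMED_GUESSES_PER_SEC = 1e11   # assumed offline cracking rate


def generate_passphrase(n_words, wordlist=WORDLIST):
    """Pick n_words uniformly at random; secrets avoids the 'human randomness' problem."""
    rng = secrets.SystemRandom()
    return " ".join(rng.choice(wordlist) for _ in range(n_words))


def entropy_bits(n_symbols, alphabet_size):
    """Entropy of a uniformly random string: n * log2(alphabet size)."""
    return n_symbols * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_sec=ASSUMED_GUESSES_PER_SEC):
    """Expected time to hit a uniformly random secret: half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_sec


def compare_schemes(n_words=5, n_chars=8):
    """Return (bits, expected seconds) for a passphrase vs. a random ASCII password."""
    phrase_bits = entropy_bits(n_words, DICEWARE_LIST_SIZE)
    ascii_bits = entropy_bits(n_chars, PRINTABLE_ASCII)
    return {
        "passphrase": (phrase_bits, expected_crack_seconds(phrase_bits)),
        "ascii_password": (ascii_bits, expected_crack_seconds(ascii_bits)),
    }


if __name__ == "__main__":
    print("sample:", generate_passphrase(5))
    for name, (bits, secs) in compare_schemes().items():
        print(f"{name}: {bits:.1f} bits, ~{secs / 86400:.1f} days at assumed rate")
```

The pattern-based example from the post gets no entropy estimate here because a human-chosen string has no uniform keyspace to count; that is exactly why cracking tools beat it with rules rather than brute force.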
Filed Under: biometrics, face recognition, fingerprints, passwords, ransomware, security, two factor authentication, windows 10
Companies: kaspersky lab, microsoft
Step 2: Create a password safe using said password.
Step 3: Randomly generate unique web passwords.
Step 0: Buy a new computer and install a sig verified Linux iso, selecting full disk installation and using another diceware password.
Re:
Why not in a hosted data center? Because there's the issue of how your host gets the decryption key during startup so it can mount the volume. All practical methods allow the attacker to get the plaintext key if he could access the encrypted volume, so it might as well not be encrypted. If it's not encrypted, nobody gets fooled into thinking it's secured against things it isn't.
Re:
A tool for its purpose. Full disk encryption has its worth. I'd also use it on desktop in case some bogus investigation has police wanting to snoop through my private files.
Re: Re:
What I'd like to see
Enough that even high speed offline decryption is going to stumble over even a single password, let alone an entire ISP worth.
Bandwidth is cheap these days, and you could easily drag and drop a picture chosen from your photo album into the password field. Only you'd know which picture (out of thousands, tens of thousands, even millions) is the password and since it's one of your pictures, not something chosen from a server menu, it's even more unique.
It wouldn't even need to be a picture. It could be a music file, a PDF, even your favorite ebook in plain text.
The file extension could be an added security measure -- Suppose you only had GIFs in your album, and the server is expecting a PNG? How many hackers will know to convert your password image to another format even if they know what image you use?
Re: What I'd like to see
Re: Re: What I'd like to see
Each picture will be different enough to count as a totally different image if used as a password.
Yes, a million is a low bar when guessing a password but that's a million per person on the planet, and that assumes that each of those people on the planet takes absolutely identical pictures with absolutely identical cameras of absolutely identical things under absolutely identical conditions at absolutely identical times and then picks exactly the same pictures to keep on their phone.
Somehow, I suspect the number that results will be a lot higher than one in a million.
Re: What I'd like to see
But it still suffers many of the other weaknesses of passwords, of course, since it's really just a password. These weaknesses include the ability to be sniffed or copied, etc.
It also has a usability problem in that you have to have the image/song/whatever file with you to log in.
I think a better solution is to use authentication certs, although that shares the problem of having to supply a file to log in.
Re: Re: What I'd like to see
All the usual measures applied to password security can also be applied to the idea, and who says it has to be your only line of defense?
People use key fob tokens now as an added security measure. The same goes for master password devices. Both are something you need to have with you to log in.
Biometric logins
I certainly don't. The state of the technology is such that none of these schemes are terribly secure -- certainly nowhere near as secure as a reasonably chosen password.
Using them to unlock your cell phone is reasonable, since most of the unlock screens on cell phones aren't very secure anyway so there's no net reduction in security.
Using them in situations where you want strong security (such as logins) is just begging for trouble.