One Article Review

Home - The article:
Source NoticeBored
Identifier 409086
Publication date 2017-09-06 16:33:56 (viewed: 2017-09-06 16:33:56)
Title NBlog September 6 - passwords are dead
Text I've blogged about passwords several times. It's a zombie topic, one that refuses to go away or just lie down and die quietly.

On CISSPforum, we've been idly chatting about user authentication for a week or so. The consensus is that passwords are a lousy way to authenticate, for several reasons.

First the obvious. Passwords are:

- Hard to remember, at least good ones are, especially if we are forced to think up new ones periodically for no particular reason;
- Generally weak and easily guessed, due to the previous point;
- Sometimes generated and issued, not chosen or changeable by the user;
- Readily shared or disclosed (e.g. by watching us type), or written down;
- Readily obtained by force, coercion, deception and other forms of social engineering such as phishing or password reset tricks, or interception, or hacking, or brute force attacks, or spyware or ... well, clearly there are lots of attacks;
- Often re-used (for different sites/apps etc., and over time).

Next comes some less obvious, more pernicious lousiness:

- Badly-designed sites/systems sometimes prevent us using strong passwords (e.g. they must be less than 20 characters with no spaces nor special characters ...; must be typed or clicked manually - no automation allowed);
- Poor guidance on choosing passwords encourages poor choices;
- Passwords are sometimes weakened covertly by even lousier sites/systems (e.g. we can enter complex 50-character passwords but they only actually use 6, or store them in plaintext, or use a pathetically weak or broken hashing algorithm, often without a salt ...).

In short, passwords are not a reliable way to authenticate people. As a security control, they are weak to mediocre at best, not strong ... which is obviously
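The "covert weakening" the post describes (silent truncation to 6 characters, unsalted fast hashing) can be checked from the defender's side. This is an added example, not code from the post or from NoticeBored: a constructed "lousy" store beside a hardened one, and a small audit that a site owner can run against their own password handling. Names, the 6-character cut-off, the sample password and the PBKDF2 iteration count are assumptions for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed "lousy" store: keeps only the first 6 characters and hashes
# them with unsalted MD5 (the failure mode the post complains about).
TRUNCATE_TO = 6  # assumed cut-off for the demo

def lousy_hash(password: str) -> str:
    return hashlib.md5(password[:TRUNCATE_TO].encode()).hexdigest()

def lousy_verify(stored: str, attempt: str) -> bool:
    return stored == lousy_hash(attempt)

# Hardened store: full password, per-user random salt, slow KDF
# (PBKDF2-HMAC-SHA256) and a constant-time comparison.
ITERATIONS = 100_000  # illustrative; use a current recommended count in production

def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"

def strong_verify(stored: str, attempt: str) -> bool:
    _, iters, salt_hex, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", attempt.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)

def audit(hash_fn, verify_fn) -> dict:
    """Three checks against a password store's hash/verify pair."""
    long_pw = "correct horse battery staple 2017!"  # constructed sample
    results = {}
    # 1. Is a truncated prefix accepted in place of the full password?
    results["prefix_accepted"] = verify_fn(hash_fn(long_pw), long_pw[:TRUNCATE_TO])
    # 2. Do two users with the same password get the same stored value? (no salt)
    results["same_pw_same_hash"] = hash_fn(long_pw) == hash_fn(long_pw)
    # 3. Does the genuine password still verify? (sanity check)
    results["full_accepted"] = verify_fn(hash_fn(long_pw), long_pw)
    return results

if __name__ == "__main__":
    print("lousy :", audit(lousy_hash, lousy_verify))
    print("strong:", audit(strong_hash, strong_verify))
```

The lousy store answers True to the first two checks; the hardened one answers False to both while still accepting the real password.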
Sent Yes


The article does not appear to have been picked up after its publication.


The article does not appear to be a repeat of an earlier one.