Blackmoor Vituperative

Tuesday, 2022-05-03

Password expiration makes systems less secure

Filed under: Security,The Internet — bblackmoor @ 08:41

The consensus among security researchers has been consistent for about 15 years: forcing password expiration based on nothing but the date makes passwords less secure.

https://www.sans.org/blog/time-for-password-expiration-to-die/

Also relevant…

Thursday, 2022-01-20

Passwords suck

Filed under: Security — bblackmoor @ 10:46

I think passwords are the “rotary telephones” of this century. They will have to go away, as soon as someone (probably in Europe, for various reasons) invents something better and then it gets adopted by several large companies and/or countries. But until then… long passwords, 2FA, and trying to get out-of-date security policies to be updated (obsolete policies such as requiring passwords to “expire”, which DECADES of security research have demonstrated make passwords less secure).

Wednesday, 2020-07-29

CyberArk releases new SkyArk tool

Filed under: Cloud Computing,Security — bblackmoor @ 10:19

Cyber-security firm CyberArk has released today a new free tool that can detect “shadow administrator accounts” inside cloud environments like Amazon Web Services (AWS) and Microsoft Azure.

https://www.zdnet.com/article/new-tool-detects-shadow-admin-accounts-in-aws-and-azure-environments/?ftag=TRE-03-10aaa6b&bhid=71893585&mid=12954240&cid=716959071

Tuesday, 2011-08-16

“Complex” passwords are not more secure

Filed under: Security — bblackmoor @ 10:03

I have been saying for years that passwords, as a concept, need to go away. As implemented, passwords don’t work, and the ludicrous “complexity” requirements imposed by many companies are little more than a guarantee that the user will write their password down, which is one of the easiest ways for a system to be compromised.

Here’s a cartoon from xkcd that illustrates why ridiculous password policies don’t even make sense from a security perspective.

[xkcd comic: “Password Strength”]

The gist of it is this: long passwords (passphrases, actually) are more secure than short ones.

Monday, 2011-06-20

Security cheat sheets from Veracode

Filed under: Programming,Security — bblackmoor @ 09:26

I ran across a set of tutorials and cheat sheets for a few of the more common security vulnerabilities this morning. I thought other people might find them useful. They’re from a company called Veracode. The guides are free, and they point to other free resources if you want to learn more, so they seem to be a pretty good starting point if you are interested in this sort of thing.

Saturday, 2011-06-04

Passwords are useless

Filed under: Security — bblackmoor @ 11:47
[image: ighashgpu]

I have believed for a long while now that passwords need to go away. Further support for that position is provided by a PC Pro article called How a cheap graphics card could crack your password in under a second:

Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? Well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.

[…]

A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention.

Some of us have been paying attention.
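As an added example (not from the PC Pro article, the xkcd strip, or this blog), serving both the “Complex” passwords post above and this one, the following Python reproduces the article's keyspace arithmetic under assumed guess rates and then goes further than the article: it puts Diceware passphrases next to the random-character passwords, and shows what happens to the same passwords when the hash being attacked is deliberately slow. The rates (1e7 and 3.3e9 guesses per second against a fast hash, 1e4 against a slow one), the 7776-word list size and the 95-symbol printable alphabet are assumptions chosen for illustration, not figures taken from the article.

```python
"""Added example, not code from the PC Pro article or the xkcd strip: a
keyspace and crack-time estimator. Guess rates are assumptions chosen for
illustration (they come close to the article's figures); they are not
measurements."""
import math

SECONDS_PER_DAY = 86_400
SECONDS_PER_YEAR = 365.25 * SECONDS_PER_DAY

# Assumed offline guess rates (guesses per second) against a fast unsalted
# hash such as MD5 or NTLM. With these, a 9-character [A-Za-z0-9] password
# takes about 43 years on the CPU and 47 days on the GPU, as in the article.
RATE_CPU_FAST_HASH = 1e7      # assumption
RATE_GPU_FAST_HASH = 3.3e9    # assumption
# Assumed rate against a deliberately slow, memory-hard hash (for example a
# well-tuned Argon2id or bcrypt): the hash, not the password, sets this.
RATE_GPU_SLOW_HASH = 1e4      # assumption

# Printable ASCII: 26 lower + 26 upper + 10 digits + 33 symbols (incl. space).
ALPHABET_ALNUM = 62
ALPHABET_PRINTABLE = 95
DICEWARE_WORDS = 7776  # size of the standard Diceware list (6^5), assumed


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct strings of `length` symbols drawn uniformly from an
    alphabet of `alphabet_size` symbols. Exact integer arithmetic, so the
    large values are not rounded."""
    if length < 1 or alphabet_size < 2:
        raise ValueError("length must be >= 1 and alphabet_size >= 2")
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """log2 of the keyspace: the figure the xkcd strip annotates."""
    return math.log2(space)


def crack_seconds(space: int, guesses_per_second: float, average: bool = False) -> float:
    """Time to exhaust the keyspace (worst case) or, with `average`, the
    expected time to hit a uniformly chosen password (half the keyspace)."""
    seconds = space / guesses_per_second
    return seconds / 2 if average else seconds


def human_duration(seconds: float) -> str:
    """Render a duration in the largest convenient unit, one decimal place."""
    for limit, divisor, unit in (
        (60, 1, "seconds"),
        (3600, 60, "minutes"),
        (SECONDS_PER_DAY, 3600, "hours"),
        (SECONDS_PER_YEAR, SECONDS_PER_DAY, "days"),
    ):
        if seconds < limit:
            return f"{seconds / divisor:.1f} {unit}"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


def estimate(label: str, space: int) -> dict:
    """One row of the comparison: bits plus worst-case times at each rate."""
    return {
        "label": label,
        "bits": round(entropy_bits(space), 1),
        "cpu_fast": human_duration(crack_seconds(space, RATE_CPU_FAST_HASH)),
        "gpu_fast": human_duration(crack_seconds(space, RATE_GPU_FAST_HASH)),
        "gpu_slow": human_duration(crack_seconds(space, RATE_GPU_SLOW_HASH)),
    }


def comparison() -> list:
    """The article's two password patterns next to Diceware passphrases."""
    return [
        estimate("9 random chars, [A-Za-z0-9]", keyspace(9, ALPHABET_ALNUM)),
        estimate("7 random printable chars ('F6&B is')", keyspace(7, ALPHABET_PRINTABLE)),
        estimate("4 Diceware words", keyspace(4, DICEWARE_WORDS)),
        estimate("6 Diceware words", keyspace(6, DICEWARE_WORDS)),
    ]


if __name__ == "__main__":
    print(f"{'password pattern':40} {'bits':>5} {'CPU/fast':>12} {'GPU/fast':>12} {'GPU/slow':>18}")
    for row in comparison():
        print(f"{row['label']:40} {row['bits']:>5} {row['cpu_fast']:>12} "
              f"{row['gpu_fast']:>12} {row['gpu_slow']:>18}")
```

Two things the table makes visible that the article's prose does not. First, a four-word Diceware phrase (about 52 bits) is roughly on par with nine random alphanumerics (about 54 bits), which is why six words, not four, is the usual recommendation when the phrase has to survive offline cracking; the strip's point is that the words are far easier to remember for the same bits. Second, every figure here is for an unsalted fast hash: moving the same nine-character password behind a slow, memory-hard hash at the assumed 1e4 guesses per second turns 47 days into tens of thousands of years, because the guess rate is a property of how the verifier stores the password, not of the password itself.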

Wednesday, 2011-02-23

Avast 6

Filed under: Security — bblackmoor @ 14:44

Avast has come out with a new version of their antivirus and security software. I use Avast antivirus, and I recommend it to everyone. CNet has a review.

Tuesday, 2011-02-01

Privacy is security: secrecy is not

Filed under: Privacy,Security — bblackmoor @ 12:24

This article is worth reading. Most people have no clue about what “security” really means, including most of the people vilifying — or praising — WikiLeaks.

As becomes increasingly obvious with the passage of time, and with the advancement of digital communication (and thus copying) technologies, privacy is security, and secrecy is not.

[…]

Perhaps the most amazing thing about all this noise over the matter is that WikiLeaks is such a vulnerable, unreliable avenue for distributing such leaks. The US government’s campaign targeting WikiLeaks in an attempt to shut it down does not only betray the culture of secrecy in government to the public at large, undermining any claims to value transparency; it also showcases the simple fact that government officials just do not get it. WikiLeaks is not the cause of the “problem” for secretive government officials. It is merely a superficial indicator of much deeper problems — of a deeply flawed security model.

(from The difference between secrecy and privacy as security concepts, TechRepublic)

Thursday, 2010-03-11

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law

Filed under: Privacy,Security — bblackmoor @ 17:52

In this blog post on infolawgroup.com, David Navetta takes a closer look at the PCI and encryption requirements of Nevada’s Security of Personal Information law, including the interplay between the PCI and encryption requirements, the scope of the obligations, potential problems/ambiguities in the law, and the applicability of a “safe harbor” for security breaches.

Thursday, 2010-02-11

Six easy steps to a more secure Linux server

Filed under: Linux,Security — bblackmoor @ 14:44

The actual title of the article is “Six easy steps to make a super secure Linux server”, but I think that’s hyperbole. Even so, these are some basic steps that should be followed, and they do help make a server more secure.

  1. Install latest security updates.
  2. Disable root login via SSH
  3. Disable or filter extra services
  4. Remove active guest accounts and test accounts
  5. Remove version notification
  6. Hide application errors and PHP errors

(From Six easy steps to make a super secure Linux server, Technicant)
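Steps 2, 4, 5 and 6 of that list are settings you can verify after the fact, and a check is worth more than a checklist. The script below is an added example written for this page, not code from the Technicant article: read-only POSIX shell functions that inspect an sshd_config, a passwd file, an Apache configuration and a php.ini and report whether each is hardened. The sample files it writes are constructed for the demo, not taken from any real host, and the file names and the "--demo" flag are this example's own conventions.

```sh
#!/bin/sh
# Added example, not code from the Technicant article: read-only checks for
# steps 2, 4, 5 and 6 of the list above. Every check takes an explicit file
# path, so it can be pointed at /etc/ssh/sshd_config, /etc/passwd, an Apache
# conf and php.ini, or at the constructed sample files written by
# write_samples below. Exit status 0 means hardened; nothing is modified.

# Step 2: sshd applies the FIRST PermitRootLogin it sees, keywords are
# case-insensitive, and anything after a "Match" line is conditional, so the
# scan stops there. An unset value means the sshd default (prohibit-password
# on current OpenSSH), which still allows key-based root login, so only an
# explicit "no" passes.
check_ssh_root_login() {
    value=$(awk 'tolower($1) == "match" { exit }
                 tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$1")
    [ "$value" = "no" ]
}

# Step 4: guest*/test* accounts that still have a login shell. Prints the
# offenders and fails if there are any; nologin/false shells are fine.
check_no_test_accounts() {
    found=$(awk -F: 'tolower($1) ~ /^(guest|test)/ && $7 !~ /(nologin|false)$/ { print $1 }' "$1")
    [ -z "$found" ] || { echo "interactive test accounts: $found"; return 1; }
}

# Step 5 (Apache): the LAST ServerTokens/ServerSignature wins. "Prod" limits
# the Server header to "Apache"; "Off" drops the version footer on error pages.
check_apache_version_hiding() {
    tokens=$(awk 'tolower($1) == "servertokens" { v = tolower($2) } END { print v }' "$1")
    sig=$(awk 'tolower($1) == "serversignature" { v = tolower($2) } END { print v }' "$1")
    [ "$tokens" = "prod" ] && [ "$sig" = "off" ]
}

# Step 6 (php.ini): last "display_errors" wins, ";" starts a comment, values
# may be quoted. PHP's built-in default is On, so an unset key fails too.
check_php_display_errors() {
    value=$(awk -F= '$1 !~ /^[ \t]*;/ {
                 k = $1; gsub(/[ \t]/, "", k)
                 if (tolower(k) == "display_errors") { v = $2; gsub(/[ \t"]/, "", v); val = tolower(v) }
             } END { print val }' "$1")
    case "$value" in off|0|false|no|none) return 0 ;; *) return 1 ;; esac
}

# Constructed sample files (not taken from any real host): one weak and one
# hardened variant of each, plus the sshd "Match-only" trap, where the only
# PermitRootLogin no sits inside a Match block and the global default still applies.
write_samples() {
    d="$1"
    printf 'Port 22\nPermitRootLogin yes\n' > "$d/sshd_config.weak"
    printf 'Port 22\n#PermitRootLogin yes\nPermitRootLogin no\nMatch User deploy\n    PasswordAuthentication no\n' > "$d/sshd_config.hardened"
    printf 'Match Address 192.0.2.0/24\n    PermitRootLogin no\n' > "$d/sshd_config.match_only"
    printf 'root:x:0:0:root:/root:/bin/bash\nguest:x:1001:1001::/home/guest:/bin/bash\ntest:x:1002:1002::/home/test:/bin/sh\n' > "$d/passwd.weak"
    printf 'root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\ntestrunner:x:1003:1003::/srv/ci:/usr/sbin/nologin\n' > "$d/passwd.hardened"
    printf 'ServerTokens OS\nServerSignature On\n' > "$d/apache.weak"
    printf '# ServerTokens Full\nServerTokens Prod\nServerSignature Off\n' > "$d/apache.hardened"
    printf '[PHP]\ndisplay_errors = On\nlog_errors = On\n' > "$d/php.weak"
    printf '[PHP]\n; display_errors = On\ndisplay_errors = "Off"\nlog_errors = On\n' > "$d/php.hardened"
}

# Run every check against the files in a directory and print PASS/FAIL per file.
audit() {
    for f in "$1"/*; do
        case "$(basename "$f")" in
            sshd_config.*) check_ssh_root_login "$f" && r=PASS || r=FAIL ;;
            passwd.*)      check_no_test_accounts "$f" && r=PASS || r=FAIL ;;
            apache.*)      check_apache_version_hiding "$f" && r=PASS || r=FAIL ;;
            php.*)         check_php_display_errors "$f" && r=PASS || r=FAIL ;;
            *)             continue ;;
        esac
        echo "$r  $f"
    done
}

# Usage: sh audit.sh --demo   (writes the samples to a temp dir and audits them)
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d); write_samples "$tmp"; audit "$tmp"; rm -rf "$tmp"
fi
```

The sshd check is the one most often got wrong by hand: a "PermitRootLogin no" placed after a Match block, or only inside one, leaves the global default in force, and on current OpenSSH that default still accepts root logins with a key. Step 1 (updates) and step 3 (extra services) are deliberately not covered, because the right command depends on the distribution and init system; the point of the rest is that a hardening step you cannot re-verify with a read-only check tends to drift back.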
