[x]Blackmoor Vituperative

Tuesday, 2022-05-03

Password expiration makes systems less secure

Filed under: Security,The Internet — bblackmoor @ 08:41

The consensus among security researchers has been consistent for about 15 years: forcing password expiration based on nothing but the date makes passwords less secure.


Also relevant…

Thursday, 2022-01-20

Passwords suck

Filed under: Security — bblackmoor @ 10:46

I think passwords are the “rotary telephones” of this century. They will have to go away, as soon as someone (probably in Europe, for various reasons) invents something better and then it gets adopted by several large companies and/or countries. But until then… long passwords, 2FA, and trying to get out-of-date security policies to be updated (obsolete policies such as requiring passwords to “expire”, which DECADES of security research have demonstrated make passwords less secure).

Wednesday, 2020-07-29

CyberArk releases new SkyArk tool

Filed under: Cloud Computing,Security — bblackmoor @ 10:19

Cyber-security firm CyberArk has released today a new free tool that can detect “shadow administrator accounts” inside cloud environments like Amazon Web Services (AWS) and Microsoft Azure.


Tuesday, 2011-08-16

“Complex” passwords are not more secure

Filed under: Security — bblackmoor @ 10:03

I have been saying for years that passwords, as a concept, need to go away. As implemented, passwords don’t work, and the ludicrous “complexity” requirements imposed my many companies are little more than a guarantee that the user will write their password down, which is one of the easiest ways for a system to be compromised.

Here’s a cartoon from xkcd that illustrates why ridiculous password policies don’t even make sense from a security perspective.

password strength

The gist of it is this: long passwords (passphrases, actually) are more secure than short ones.

Monday, 2011-06-20

Security cheat sheets from Veracode

Filed under: Programming,Security — bblackmoor @ 09:26

I ran across a set of tutorials and cheat sheets for a few of the more common security vulnerabilities this morning. I thought other people might find them useful. They’re from a company called Veracode. The guides are free, and they point to other free resources if you want to learn more, so they seem to be a pretty good starting point if you are interested in this sort of thing.

Saturday, 2011-06-04

Passwords are useless

Filed under: Security — bblackmoor @ 11:47

I have believed for a long while now that passwords need to go away. Further support for that position is provided by a PC Pro article called How a cheap graphics card could crack your password in under a second:

Now, I cannot imagine anyone managing to mandate a nine-character, mixed-case, random-character password on an organisation. But if you did, and you weren’t hanging from a tree by the end of the first working day, the CPU would take 43 years versus 48 days for the GPU.

He then went on to add in mixed symbols to create “F6&B is” (there is a space in there). CPU will take 75 days, GPU will take 7 hours.

What does this tell us? well, the stark reality is that even long and complex passwords are now toast. If you think you were being wise by forcing users to have randomisation in their passwords, then think again. It is utterly futile.


A GPU of the type used by this chap is not unusual or high end. It is standard-issue stuff. Indeed, I have just sat through the AMD presentation here at Computex in Taiwan, and they made a big deal about putting GPU power into netbooks offering 500Gflops, without denting its 12-hour battery life. And that’s shipping within months.

All I can say is this: you have been warned. It is time to think long and hard about password security, and how you do your authentication. This has crept up on us in the background, and we really haven’t been paying attention.

Some of us have been paying attention.

Wednesday, 2011-02-23

Avast 6

Filed under: Security — bblackmoor @ 14:44

Avast has come out with a new version of their antivirus and security software. I use Avast antivirus, and I recommend it to everyone. CNet has a review.

Tuesday, 2011-02-01

Privacy is security: secrecy is not

Filed under: Privacy,Security — bblackmoor @ 12:24

This article is worth reading. Most people have no clue about what “security” really means, including most of the people vilifying — or praising — WikiLeaks.

As becomes increasingly obvious with the passage of time, and with the advancement of digital communication (and thus copying) technologies, privacy is security, and secrecy is not.


Perhaps the most amazing thing about all this noise over the matter is that WikiLeaks is such a vulnerable, unreliable avenue for distributing such leaks. The US government’s campaign targeting WikiLeaks in an attempt to shut it down does not only betray the culture of secrecy in government to the public at large, undermining any claims to value transparency; it also showcases the simple fact that government officials just do not get it. WikiLeaks is not the cause of the “problem” for secretive government officials. It is merely a superficial indicator of much deeper problems — of a deeply flawed security model.

(from The difference between secrecy and privacy as security concepts, TechRepublic)

Thursday, 2010-03-11

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada’s Security of Personal Information Law

Filed under: Privacy,Security — bblackmoor @ 17:52

In this blog post on infolawgroup.com, David Navetta takes a closer look at the PCI and encryption requirements of Nevada’s Security of Personal Information law, including the interplay between the PCI and encryption requirements, the scope of the obligations, potential problems/ambiguities in the law, and the applicability of a “safe harbor” for security breaches.

Thursday, 2010-02-11

Six easy steps to a more secure Linux server

Filed under: Linux,Security — bblackmoor @ 14:44

The actual title of the article is “Six easy steps to make a super secure Linux server”, but I think that’s hyperbole. Even so, these are some basic steps that should be followed, and they do help make a server more secure.

  1. Install latest security updates.
  2. Disable root login via SSH
  3. Disable or filter extra services
  4. Remove active guest accounts and test accounts
  5. Remove version notification
  6. Hide application errors and PHP errors

(From Six easy steps to make a super secure Linux server, Technicant)

Next Page »