Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Comments
Why FIDO Alliance Standards Will Kill Passwords
Newest First  |  Oldest First  |  Threaded View
DonT733
50%
50%
DonT733,
User Rank: Apprentice
3/31/2014 | 8:02:10 PM
Just wondering when the FIDO Presentation might have some more content.
In a word, the presentation just affirmed VPN certificates with passwords to unlock them.  Thanks for revisiting private password key stores for the protection of digital certificates.  Is there any more content?

Passwords are not good, there just cheap.  My MacBook Air Pro, due to flashram drives acheived 6 billion password combinations per second in August of 2013.  This pretty much means passwords less than 12 places with full complexity have less than 50/50 odds to remain uncracked in less than 90 days.  

Please send IT Auditors to me.  I want to present what I have and am offerring a voluntary pledge.  "I will never again claim that an 8 place password is an adequate security meaure."  For those that must use only numbers in their passwords, 18 places are needed to compensate for the lack of complexity.  At least, so says my Mac -- running a Windows 7 VM running John the Ripper at 6 Billion Combinations per Second, while the Mac side runs AV and edits word simultaniously.

You know, the second factor tool account password cracked and the full Pen Test Check Mate of their Domain Controller fell out rather quickly after that.

Yes, I would say that 8 place passwords are closer to public endangerment rather than InfoSec security.    

 

 

 

 

 

 
windk
50%
50%
windk,
User Rank: Apprentice
3/19/2014 | 4:29:35 PM
Re: Couldn't happen too soon!
A good fiction (but apparently soon to be non-fiction) read about this is Dave Eggers' The Circle : "The Circle, run out of a sprawling California campus, links users' personal emails, social media, banking, and purchasing with their universal operating system, resulting in one online identity and a new age of civility and transparency." (Alfred A. Knopf, 2013).
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
2/27/2014 | 8:31:38 AM
Re: Couldn't happen too soon!
Hi Spaz! I just gor my new iPhone with the biometric fingerprint reader. So I can tell you first hand how user friendly it is. Stay tuned!
Spaz
50%
50%
Spaz,
User Rank: Apprentice
2/26/2014 | 10:46:49 PM
Re: Couldn't happen too soon!
Nothing is infallible I suppose. While I don't know the technical aspects of fingerprint readers.  Apple feels very good about fingerprint scanners and so does Samsung. They both allow you to access your device with the fingerprint scanner. I imagine that one would have to get some training in how to pick up fingerprint. You'd need to buy fingerprint kits as well. I am definitely not for retina scanners since they have a lot of radiation. 
SeanKelly
50%
50%
SeanKelly,
User Rank: Apprentice
2/26/2014 | 5:26:39 PM
Re: Couldn't happen too soon!
I agree with your comment on corporate passwords but I disagree strongly with the comment on fingerprints. Fingerprints are not a password replacement. Fingerprints are usernames. Fingerprints aren't secret, you leave them everywhere and you can't change them (easily) when they have been compromised. Fingerprints should never be used as passwords.
Spaz
0%
100%
Spaz,
User Rank: Apprentice
2/22/2014 | 5:02:05 PM
Re: Couldn't happen too soon!
passwords especially corporate passwords are a complete pia. it's frustrating how the passwords have to be changed so often and how they have to fall within certain parameters eg. 8 charaters, has to containt this and that, etc. until another worthy solution is provided, we all need fingerprint readers instead. this will certainly help both the IT admins and employees as well.
ANON1241486907214
100%
0%
ANON1241486907214,
User Rank: Apprentice
2/21/2014 | 9:56:36 AM
Re: Couldn't happen too soon!
Can imagine what technology would make private keys safe. At least with passwords, the NSA has to spend some effort in guessing or intercepting them.  Any kind of centralized system  would immediately fall prey to government security agencies, and eventually to other players.
djameson910
100%
0%
djameson910,
User Rank: Apprentice
2/20/2014 | 3:22:42 PM
Stolen Device
So, if someone steals my device, they have access to all my stuff?  How does my device know me from an interloper?
Marilyn Cohodas
100%
0%
Marilyn Cohodas,
User Rank: Strategist
2/18/2014 | 4:14:40 PM
Couldn't happen too soon!
Phil, I doubt that there's a consumer or IT person on this planet that doesn't pray for the day that passwords will be replaced with a manageable autentication process. But what are some of the hurdles that the industry has to overcome to reach that point? Is there broadbased agreement on the FIDO standards or are there competing technologies or ideas?  


COVID-19: Latest Security News & Commentary
Dark Reading Staff 9/25/2020
9 Tips to Prepare for the Future of Cloud & Network Security
Kelly Sheridan, Staff Editor, Dark Reading,  9/28/2020
Malware Attacks Declined But Became More Evasive in Q2
Jai Vijayan, Contributing Writer,  9/24/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
How IT Security Organizations are Attacking the Cybersecurity Problem
How IT Security Organizations are Attacking the Cybersecurity Problem
The COVID-19 pandemic turned the world -- and enterprise computing -- on end. Here's a look at how cybersecurity teams are retrenching their defense strategies, rebuilding their teams, and selecting new technologies to stop the oncoming rise of online attacks.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-17098
PUBLISHED: 2020-09-30
Use of hard-coded cryptographic key vulnerability in August Connect Wi-Fi Bridge App, Connect Firmware allows an attacker to decrypt an intercepted payload containing the Wi-Fi network authentication credentials. This issue affects: August Connect Wi-Fi Bridge App version v10.11.0 and prior version...
CVE-2020-15731
PUBLISHED: 2020-09-30
An improper Input Validation vulnerability in the code handling file renaming and recovery in Bitdefender Engines allows an attacker to write an arbitrary file in a location hardcoded in a specially-crafted malicious file name. This issue affects: Bitdefender Engines versions prior to 7.85448.
CVE-2020-5132
PUBLISHED: 2020-09-30
SonicWall SSL-VPN products and SonicWall firewall SSL-VPN feature misconfiguration leads to possible DNS flaw known as domain name collision vulnerability. When the users publicly display their organization’s internal domain names in the SSL-VPN au...
CVE-2020-15216
PUBLISHED: 2020-09-29
In goxmldsig (XML Digital Signatures implemented in pure Go) before version 1.1.0, with a carefully crafted XML file, an attacker can completely bypass signature validation and pass off an altered file as a signed one. A patch is available, all users of goxmldsig should upgrade to at least revisio...
CVE-2020-4607
PUBLISHED: 2020-09-29
IBM Security Secret Server (IBM Security Verify Privilege Vault Remote 1.2 ) could allow a local user to bypass security restrictions due to improper input validation. IBM X-Force ID: 184884.