Forcing Strong Passwords

  • My favorite (!) was an application I had to use last summer: the application allowed me to create a relatively strong password including special characters, but the login screen silently ignored special characters. What a frustrating merry-go-round that was!

  • I've found that Google Authenticator is practical for authenticating onto AWS.

    I wish I hadn't put a strong password on my phone. The number of times I've wanted to use the camera in a hurry and couldn't.

    Strong passwords are a misnomer given the computing power available today.

  • One problem with strong passwords being used at work is when you work for a multinational, and find yourself RDP'ing onto a server, and failing to realise that your password is being mangled as the server at the far end is mis-reading your keyboard input. Damnit, I'm used to the # sign being to the right of the apostrophe, not at shift-3!

    Thomas Rushton
    blog: https://thelonedba.wordpress.com

  • David.Poole (2/18/2016)

    I've found that Google Authenticator is practical for authenticating onto AWS.

    I wish I hadn't put a strong password on my phone. The number of times I've wanted to use the camera in a hurry and couldn't.

    Strong passwords are a misnomer given the computing power available today.

    My iPhone, and I think my wife's Android, allow camera use without a password. You are limited to the pictures you take in the session and can't see others, but it has worked well for me.

  • I'm not convinced that guessing or brute forcing passwords is the method most hackers use to break into accounts. One problem is that folks re-use the same password across multiple sites, and when one password is compromised, perhaps because it was used to log in from a public or shared PC, then it opens up their e-mail, online banking, and everything. For example, let's assume you're sitting at the bus stop and log in to your Netflix account over the open wifi. Someone can easily eavesdrop to discover your Netflix password. Also, if you log in to a public PC or your PC is stolen, a hacker can use a tool like NirSoft to grab login credentials cached in the web browsers or other application forms.

    http://nirsoft.net/

    "Do not seek to follow in the footsteps of the wise. Instead, seek what they sought." - Matsuo Basho

  • Open WiFi is a problem. There was a Slashdot post yesterday discussing the Barcelona Mobile World Congress, where Avast set up "...3 public Wi-Fi spots at the local airport and waited to see how many users would connect. In just 4 hours, more than 2,000 users used the free hotspots, despite the fact that they knew nothing about the WiFi network, if it was safe, or who was running it."

    Myself, I will occasionally use an open WiFi router, but if I need to do something that requires anything remotely confidential, I'll turn on my iPhone's hotspot.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Sun Life Financial has the most ridiculous password requirements I've ever seen, and I even wrote them an e-mail about it 3 years ago. Nothing has changed since then. And they are not some online flower shop, they are an insurance/financial organization.

    They don't allow passwords more than 10 characters long and also don't allow anything other than letters and numbers: no special characters, not even a hyphen.

    But at the same time, on their security page they recommend using special characters in passwords!

    Alex Suprun

  • My old bank was like that. I moved my account for a few reasons, but this was one.

  • My bank doesn't allow special characters either. I found that very odd. One would think banks would have been the absolute first ones to implement strong passwords.

  • When I see a site that doesn't allow special characters, I automatically assume they aren't scrubbing or analyzing their inputs and just don't want to deal with them, and we all know how that can turn out... http://xkcd.com/327/
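The two complaints above (a login screen that silently strips the special characters the signup form accepted, and sites that ban special characters rather than handle them) both come down to the same defender's rule: validate with one shared policy at signup and login, never normalize a password away, hash it, and pass the bytes to the database as a bound parameter. The example below is added here and is not from any poster or from any of the sites mentioned; the policy limits, the table layout and the `strip_special` function (which imitates the lossy login behaviour described in the first post) are assumptions for illustration.

```python
import hashlib
import hmac
import os
import re
import sqlite3
from typing import Optional, Tuple

# Constructed policy for this example: a length window and any printable
# character. Nothing is stripped or rewritten; unacceptable input is rejected.
MIN_LEN = 12
MAX_LEN = 128
PBKDF2_ROUNDS = 200_000


def check_policy(password: str) -> Optional[str]:
    """Return a rejection reason, or None if the password is acceptable.

    The same function runs at signup and at login, so a character that
    passed registration can never be silently dropped later.
    """
    if not MIN_LEN <= len(password) <= MAX_LEN:
        return f"length must be {MIN_LEN}-{MAX_LEN} characters"
    if any(not ch.isprintable() for ch in password):
        return "control characters are not allowed"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256 over the raw UTF-8 bytes of the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt, digest


def open_db() -> sqlite3.Connection:
    """In-memory user table (constructed for the example)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, digest BLOB)")
    return conn


def register(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Store a new user; the password text never touches SQL syntax."""
    if check_policy(password) is not None:
        return False
    salt, digest = hash_password(password)
    # Bound parameters: quotes, semicolons and '--' inside the password are data.
    conn.execute("INSERT INTO users VALUES (?, ?, ?)", (username, salt, digest))
    return True


def login(conn: sqlite3.Connection, username: str, password: str) -> bool:
    """Verify a login with the same policy and the same hash as registration."""
    if check_policy(password) is not None:
        return False
    row = conn.execute(
        "SELECT salt, digest FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row is None:
        return False
    salt, stored = row
    _, candidate = hash_password(password, salt)
    # Constant-time comparison of the two digests.
    return hmac.compare_digest(candidate, stored)


def strip_special(password: str) -> str:
    """Imitates the broken login screen from the first post: drops every
    non-alphanumeric character, so the user's real password can no longer match."""
    return re.sub(r"[^A-Za-z0-9]", "", password)


if __name__ == "__main__":
    db = open_db()
    pw = "it's a #1 pass; --word"          # constructed sample containing ' # ; --
    print("register:", register(db, "alice", pw))
    print("login with exact password:", login(db, "alice", pw))
    print("login after stripping specials:", login(db, "alice", strip_special(pw)))
    print("rows in users:", db.execute("SELECT COUNT(*) FROM users").fetchone()[0])
```

Running the block registers a password containing a quote, a hash sign, a semicolon and a comment marker, logs in with it successfully, and shows that the "stripped" variant fails: that failure is exactly the merry-go-round from the first post, reproduced on the server side so it can be tested for before release.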

  • So what are your views on Apple resisting the FBI's request to unlock that iPhone?

    Just so my colours are nailed to the mast I'm against the phone being cracked.

    Once a method for cracking a supposedly secured device has been executed then, irrespective of it being a single device, you have proven the device insecure.

    The impact of cracking the iPhone is far more negative than the positives. The phone represents one strand of evidence

  • David.Poole (2/27/2016)

    So what are your views on Apple resisting the FBI's request to unlock that iPhone?

    Just so my colours are nailed to the mast I'm against the phone being cracked.

    Once a method for cracking a supposedly secured device has been executed then, irrespective of it being a single device, you have proven the device insecure.

    The impact of cracking the iPhone is far more negative than the positives. The phone represents one strand of evidence

    Completely against Apple, and other vendors, being asked to put in backdoors or crack products.

    Absolutely for the FBI or other Law Enforcement organizations doing what they can, within the law, to crack encryption.

  • The iPhone case is a tough one, I'm on Apple's side to not break the system. The SBPD, as directed by the FBI, screwed the pooch on this one. The phone was the guy's work phone, owned by the city (or county, I don't remember) of San Bernardino, and the FBI directed their IT guy to change the password on the phone. This broke the phone's ability to auto-sync when connected to known WiFi, which made breaking into it infinitely more difficult.

    Aside from that, the shooters practiced very thorough operational security. They destroyed their computer's hard drive and otherwise left very little when it comes to a data trail. The FBI has all of the information of who was called or texted from that iPhone because that's stored at the cell provider's network. What they don't have is any iMessages, because those are routed through Apple's servers in a strongly encrypted format, but ONLY IF THE RECEIVER HAS AN IPHONE. They also don't have any downloaded apps, but Apple should be able to provide that info. Since you can't sideload any apps to an un-jailbroken iPhone, that's all there is to that.

    But the shooters didn't destroy the iPhone. In light of their other opsec, I agree with the SB sheriff that the phone is unlikely to contain any significant information. If they were in contact with others plotting acts of terrorism, they were with other devices and those devices are long gone.

    There's an excellent article on this from the viewpoint of a professional computer forensic examiner. Many recent posts on this guy's blog are related to this.

    The French Police said that the attack that killed 130 people was conducted on standard cell phones with plain text messages and no encryption. The attack was not detected in advance by intelligence agencies. So why is normal policing ineffective in light of cryptography? Why is breaking everyone's privacy and security going to make us safer when attacks with zero opsec go undetected until they happen?

    Contrary to what the FBI has asked for, they have another 13 requests in to Apple to break other phones. And apparently the NY Attorney General has 'a room full' of iPhones just waiting for the courts to finish ruling against Apple. Apple has said they'll take this to the Supreme Court if they have to, and I really hope they'll rule in Apple's favor.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

  • Wayne West (2/29/2016)

    There's an excellent article on this from the viewpoint of a professional computer forensic examiner.

    An eye-opening and jaw-dropping read! I know next to nothing when it comes to legal matters and so this really exposed me to the harsh reality of what Apple would have to deal with. If I read it correctly, it would seem the FBI is proceeding illegally ([paraphrased], "Make us a tool and we promise you can have it back. We promise! We promise!"). Could Apple turn the tables?

    Thanks for posting it.

  • thisisfutile (2/29/2016)

    Wayne West (2/29/2016)

    There's an excellent article on this from the viewpoint of a professional computer forensic examiner.

    An eye-opening and jaw-dropping read! I know next to nothing when it comes to legal matters and so this really exposed me to the harsh reality of what Apple would have to deal with. If I read it correctly, it would seem the FBI is proceeding illegally ([paraphrased], "Make us a tool and we promise you can have it back. We promise! We promise!"). Could Apple turn the tables?

    Thanks for posting it.

    I was doing SQL Server 4 back in the '90s at a major police department when they started their first computer forensics unit. Watching the hoops through which they jumped gave me a great appreciation and respect for proper chain of custody and standards when it came to computer forensics.

    At the same job I attended an alleged seminar by the FBI on hacking and was insulted by an agent who jokingly accused me of being a criminal hacker because I knew the difference between 2600 Hz and 2600 GHz, something that I'd known since grade school. I lost a tremendous amount of respect for the FBI when that happened.

    -----
    Knowledge is of two kinds. We know a subject ourselves or we know where we can find information upon it. --Samuel Johnson

Viewing 15 posts - 16 through 30 (of 33 total)