29. January 2012 · Anticipating The Future of User Account Access Sharing · Categories: blog

Anticipating The Future of User Account Access Sharing.

Insightful post by Lenny Zeltser about teenagers and adults sharing accounts, i.e. sharing passwords.

Of course, those of us in security find this horrifying. Teenagers see this as a way of expressing affection. Adults in business do this to expedite accomplishing goals.

Can Security Awareness Training effectively communicate the risks of this behavior?

29. December 2011 · Troy Hunt: 5 website security lessons courtesy of Stratfor · Categories: blog

Troy Hunt: 5 website security lessons courtesy of Stratfor.

This wasn’t intended to be a Stratfor-bashing post, rather it’s an opportunity to see the fate which awaits those who don’t take website security seriously. Call it a quick reality check if you will.

Insightful lessons to be learned from analyzing the Stratfor breach:

  1. There doesn’t need to be a reason for you to be hacked
  2. The financial abuse of your customers will extend long and far
  3. Your customers’ other online services will be compromised
  4. Saltless password hashes are a thin veneer of security
  5. Your dirty software laundry will be aired quickly

Regarding #3 above, Bellovin’s article about passwords is relevant.

Roger Grimes at InfoWorld's Security Central wrote a very good article about password management. I agree with everything he said, except that Roger did not go far enough. For several of Roger's attack types (password guessing, keystroke logging, and hash cracking), one of the mitigation techniques he lists is strong (high entropy) passwords.

True enough. However, I am convinced that it's simply not possible to memorize really strong (high entropy) passwords.

I wrote about this earlier and included a link to a review of password managers.

18. August 2009 · Gmail vulnerability shows the value of strong (high entropy) passwords · Categories: Authentication, Malware, Risk Management, Security Management, Security Policy

Weak passwords and other password issues continue to be the bane of every security manager's existence. Becky Waring from Windows Secrets reports on a Gmail vulnerability where an attacker can repeatedly guess your password using Gmail's "Check for mail using POP3" capability. This is a service Gmail provides that enables you to use an email client rather than the Gmail browser interface. You can read the details of the vulnerability at Full Disclosure.

The unfortunate reality is that we have reached a point in the evolution of technology that if an attacker is in a position to implement an unimpeded repetitive "guessing" attack on your password, like this Gmail vulnerability, there is no password you can remember that can survive the attack. In other words, if you can remember the password, it's too weak, and it will be cracked.

NIST Special Publication 800-63 rev1 "Electronic Authentication Guideline" Appendix A (Page 86) discusses the concepts of password strength (entropy) in detail.

The only way you can really protect yourself is by using an automated password manager. LifeHacker has a very good review of the top choices available. One of the side benefits of these products is that you should not have to physically type your passwords, thus reducing the risk associated with keyloggers, which I discussed in previous posts here and here.

Steve Gibson has a site called Perfect Passwords that automatically generates high entropy passwords.
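To put numbers on the claim that a memorable password cannot survive an unimpeded guessing attack, here is an added worked example (my own code, not from Becky Waring's column, Steve Gibson's site, or NIST). It compares the entropy NIST SP 800-63 rev1 Appendix A assigns to user-chosen passwords with the entropy of a password generated from a CSPRNG, and converts each into the expected time for an unthrottled guessing attack to succeed. The guess rate of 100 guesses per second is an assumption for illustration; the function only implements the per-character scale and composition-rule bonus from the appendix and leaves its dictionary-check bonus out.

```python
import math
import secrets
import string

# Entropy of a randomly generated password: every character is drawn
# uniformly and independently from an alphabet of `alphabet_size` symbols.
def random_password_entropy_bits(alphabet_size: int, length: int) -> float:
    return length * math.log2(alphabet_size)

# Rough entropy of a user-chosen password, following the per-character
# scale NIST SP 800-63 rev1 Appendix A uses for human-selected passwords:
# 4 bits for the first character, 2 bits each for characters 2-8,
# 1.5 bits each for characters 9-20, 1 bit each beyond that, plus a
# 6-bit bonus when a composition rule (upper case plus non-alphabetic
# characters) is enforced. The appendix's dictionary-check bonus is
# deliberately omitted here, so these figures are on the generous side
# for short passwords.
def nist_user_chosen_entropy_bits(length: int, composition_rule: bool = False) -> float:
    bits = 0.0
    for position in range(1, length + 1):
        if position == 1:
            bits += 4.0
        elif position <= 8:
            bits += 2.0
        elif position <= 20:
            bits += 1.5
        else:
            bits += 1.0
    if composition_rule:
        bits += 6.0
    return bits

# Expected time for an unimpeded guessing attack to succeed: on average
# the attacker hits the right value after trying half of the space.
def expected_guess_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    expected_guesses = 2 ** (entropy_bits - 1)
    return expected_guesses / guesses_per_second

# Password generation the way a password manager does it: a CSPRNG
# (the `secrets` module), never the `random` module, over a 94-symbol
# printable ASCII alphabet.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

def generate_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    return "".join(secrets.choice(alphabet) for _ in range(length))

def describe(label: str, bits: float, guesses_per_second: float) -> str:
    seconds = expected_guess_seconds(bits, guesses_per_second)
    return f"{label}: {bits:5.1f} bits, expected break time {seconds / 86400:.3g} days"

if __name__ == "__main__":
    rate = 100.0  # assumed: 100 guesses/second against an unthrottled endpoint
    print(describe("8-char user-chosen, no rules", nist_user_chosen_entropy_bits(8), rate))
    print(describe("8-char user-chosen, composition rule", nist_user_chosen_entropy_bits(8, True), rate))
    print(describe("20-char user-chosen, composition rule", nist_user_chosen_entropy_bits(20, True), rate))
    generated = generate_password(16)
    print(describe(f"16-char generated ({generated})", random_password_entropy_bits(len(PRINTABLE), 16), rate))
```

The contrast is the point of the post: an 8-character human-chosen password scores about 18 bits, which an attacker making 100 guesses per second against an unthrottled endpoint exhausts in under an hour on average, while a 16-character password drawn from 94 symbols carries over 100 bits and is out of reach of any online guessing attack regardless of rate.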

At the very least, follow the advice in Becky Waring's column.