 

[Closed] Your password doesn't matter

Posts: 13594
Free Member
Topic starter
 

Re 2FA, bit of an exception, but we were in Swaledale the other week and the village has no cellular coverage. I can get some texts (iMessage etc) and make calls over Wifi but I couldn't do any bank stuff as 2FA SMS messages couldn't get through....


 
Posted : 05/09/2019 10:00 am
Posts: 13594
Free Member
Topic starter
 

and xkcd forums have been breached.....

https://nakedsecurity.sophos.com/2019/09/03/xkcd-forums-breached/


 
Posted : 05/09/2019 11:19 am
Posts: 0
Full Member
 

One of the companies I contract for has introduced a ridiculously complex system for passwords, because they were worried about people's laptops being breached. Thing is, there are pretty much two likely situations for laptops, and none of the measures introduced actually help in either case:

1) Accidentally lost laptop (left on train). Fair enough, this happens (a lot). However, if someone finds a lost laptop on a train, and is not honest enough to hand it in to lost property, what do they do with it? I'm going to suggest that 999,999 out of a million they are just going to sell it on eBay or in the local pub for a quick buck. In that case, any basic password means it'll just get wiped and re-installed, or even if they crack the p/w, they aren't going to spend more than a few seconds looking at the hard drive for top secret info, they'll just delete the user stuff.

2) Arch villains steal critical laptop at knife/gun point to get critical company info. In this case, they'll just put a knife to the throat of the laptop owner and say "password or you're dead", which means any password is irrelevant.


 
Posted : 05/09/2019 12:28 pm
Posts: 1657
Full Member
 

So I've just tried a password manager for the first time (1Password). From what I understand, in order to convert my reasonably easy to remember, but probably not that secure, passwords for over 200 websites using 1Password, I need to go to a website, navigate to "change your password" in that website, open the password manager app, navigate to "generate a password", copy the resulting long, secure password generated in the app and paste it into the website, then associate/save the password in the app. Then repeat 200+ times. Sounds like a lot of hassle to me? Not sure what I was expecting, but something a bit more automated 😕

Could I just generate my own random passwords (by smearing my finger across the keyboard) and asking Chrome / Google to remember the password (a prompt to do this usually appears) and ditch the app?


 
Posted : 24/10/2019 12:42 pm
 Drac
Posts: 50619
 

Not sure what I was expecting, but something a bit more automated

Visit website click change password ask iCloud to generate password. Done.


 
Posted : 24/10/2019 12:48 pm
Posts: 251
Full Member
 

Then repeat 200+ times.

I just waited until I needed to access a site, then did it with Lastpass setting the password values, so yes, 200+ times but not all in one go.

Then forgot my Lastpass password and failed the re-authentication, so I now have very secure passwords on lots of sites but no access to find out what they are...


 
Posted : 24/10/2019 12:56 pm
 DezB
Posts: 54367
Free Member
 

From what I understand, in order to convert my reasonably easy to remember, but probably not that secure passwords for over 200 websites using 1Password, I need to go to a website, navigate to “change your password” in that website, open the password manager app, navigate to “generate a password”, copy the resulting long, secure, password generated in the app and paste it into the website

Chrome does this really well.


 
Posted : 24/10/2019 12:58 pm
Posts: 13349
Free Member
 

@Roger_Mellie I would be checking the have I been pwned site and changing any accounts that show up there first. Then on an as-you-need basis until it's done.

You may also be able to thin out the number of passwords by deleting those you no longer use.


 
Posted : 24/10/2019 1:08 pm
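The "have I been pwned" check suggested above can be done for passwords without ever sending the password to the service: the Pwned Passwords range API takes only the first five hex characters of the password's SHA-1, returns every known hash suffix under that prefix, and the comparison happens locally (k-anonymity). The block below is an added example, not code from this thread or from HIBP; the range response it uses is constructed, apart from the genuine SHA-1 suffix for the string "password", and the counts in it are made up.

```python
import hashlib
from typing import Callable

# Constructed sample of a Pwned Passwords "range" response for prefix 5BAA6.
# Real responses are "SUFFIX:COUNT" lines, one per known hash under the prefix.
# Only the suffix for "password" is real; the other suffixes and all counts are made up.
SAMPLE_RANGE_5BAA6 = """\
003D68EB55068C33ACE09247EE4C639306B:3
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471
5A0B4B6D77D2F2D3C2E2E9E1D9A9F0C2B1A:12
"""


def hibp_prefix_and_suffix(password: str) -> tuple[str, str]:
    """Split the upper-case SHA-1 hex digest into the 5-char prefix that is
    sent to the API and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """Return how many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the text of the range response."""
    prefix, suffix = hibp_prefix_and_suffix(password)
    for line in fetch_range(prefix).splitlines():
        candidate, _, count = line.strip().partition(":")
        if candidate == suffix:
            return int(count)
    return 0


def offline_fetch(prefix: str) -> str:
    """Stand-in for the HTTP call: serves only the constructed sample above,
    so any password whose prefix is not 5BAA6 simply reports 0 here."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


def live_fetch(prefix: str) -> str:
    """Real query against the Pwned Passwords API (network required).
    Only the 5-char prefix goes over the wire."""
    import urllib.request
    req = urllib.request.Request(
        f"https://api.pwnedpasswords.com/range/{prefix}",
        headers={"User-Agent": "hibp-range-check-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


if __name__ == "__main__":
    print("password ->", breach_count("password", offline_fetch))
```

Swap `offline_fetch` for `live_fetch` to run the same check against the real service.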
 Drac
Posts: 50619
 

Chrome does this really well.

Yup, I’m not sure there’s such a need for 3rd party ones now.


 
Posted : 24/10/2019 1:10 pm
Posts: 1657
Full Member
 

Cool, thanks folks for the replies. I was being a bit dramatic there. I'll stick with Chrome and do a bit of website / password husbandry.


 
Posted : 24/10/2019 1:38 pm
Posts: 1657
Full Member
 

@wwaswas

Ooops! 🙂  I mean, 🙁


 
Posted : 24/10/2019 1:41 pm
Posts: 33981
Full Member
 

It’s the changing of passwords that pisses me off. If someone knows your password, they know it. They’re not going to hang on for 30 days and then use it! “Oh shit they’ve changed it!”

Yeah, we have to do this with the phones and tablets we use at work. Thing is, none are used for anything financial or for any kind of personal reasons, the data is purely concerned with the condition and location on site of cars that we are repairing or storing. All of those cars are easily visible from the road, and anyone can get apps that will give all of the history of a car just from its registration, so having to keep changing the password is pointless, because, as has been pointed out, everyone just thinks of a word and adds a number sequence to the end.


 
Posted : 24/10/2019 1:44 pm
Posts: 1751
Full Member
 

This is possibly the geekiest thread I’ve seen on STW for a while.

Love it, it’s the reading version of listening to the shipping forecast to me. Keep it up!


 
Posted : 24/10/2019 4:17 pm
Posts: 78521
Full Member
 

I would be checking the have I been pwned site and changing any accounts that show up there first.

... and anywhere else where you've used the same credentials.


 
Posted : 24/10/2019 4:30 pm
Posts: 8761
Full Member
 

Microsoft's security baseline take on things is interesting (they've recently dropped any recommendation to expire them, this is in a domain setting).

Why are we removing password-expiration policies?

First, to try to avoid inevitable misunderstandings, we are talking here only about removing password-expiration policies – we are not proposing changing requirements for minimum password length, history, or complexity.

Periodic password expiration is a defense only against the probability that a password (or hash) will be stolen during its validity interval and will be used by an unauthorized entity. If a password is never stolen, there’s no need to expire it. And if you have evidence that a password has been stolen, you would presumably act immediately rather than wait for expiration to fix the problem.

If it’s a given that a password is likely to be stolen, how many days is an acceptable length of time to continue to allow the thief to use that stolen password? The Windows default is 42 days. Doesn’t that seem like a ridiculously long time? Well, it is, and yet our current baseline says 60 days – and used to say 90 days – because forcing frequent expiration introduces its own problems. And if it’s not a given that passwords will be stolen, you acquire those problems for no benefit. Further, if your users are the kind who are willing to answer surveys in the parking lot that exchange a candy bar for their passwords, no password expiration policy will help you.

Our baselines are intended to be usable with minimal if any modification by most well-managed, security-conscious enterprises. They are also intended to serve as guidance for auditors. So, what should the recommended expiration period be? If an organization has successfully implemented banned-password lists, multi-factor authentication, detection of password-guessing attacks, and detection of anomalous logon attempts, do they need any periodic password expiration? And if they haven’t implemented modern mitigations, how much protection will they really gain from password expiration?

Periodic password expiration is an ancient and obsolete mitigation of very low value, and we don’t believe it’s worthwhile for our baseline to enforce any specific value. By removing it from our baseline rather than recommending a particular value or no expiration, organizations can choose whatever best suits their perceived needs without contradicting our guidance. At the same time, we must reiterate that we strongly recommend additional protections even though they cannot be expressed in our baselines.

I like the not-so-subtle dig at users being the weakest link :p


 
Posted : 25/10/2019 8:54 am
Posts: 251
Full Member
 

The biggest argument I can see in favour of password expiration is online shopping sites (which rarely do it).

If I have to set up an account somewhere to shop that account is, in effect, 'live' for ever - if the password is stolen then it's available to use in perpetuity.

I'd rather if I didn't shop somewhere for 6 weeks or whatever that they expired the password and I had to reset it to shop again.

There's probably little 'harm' that could come from an account I used once and never used again being compromised, and if I'm worried about the password being stolen I should use a unique one for each site, but the thought of there being possibly hundreds of active accounts that I've set up in the past 20 years and rarely if ever use does worry me a little - as much because changes may occur in future that give value to access to such accounts by third parties.


 
Posted : 25/10/2019 9:32 am
 Rio
Posts: 1618
Full Member
 

I like the not-so-subtle dig at users being the weakest link

I particularly like the subtle dig at auditors, who IME when I did this sort of thing were complicit in preventing more risk-appropriate password policies from being adopted.


 
Posted : 25/10/2019 10:05 am
Posts: 78521
Full Member
 

they’ve recently dropped any recommendation to expire them

... in line with current NCSC guidelines.

https://www.infosecurity-magazine.com/blogs/password-requirements-from-ncsc-1/


 
Posted : 25/10/2019 1:25 pm
Posts: 511
Full Member
 

The other thing to think about is validation questions - mother’s maiden name, that kind of thing. I always make a point of defining the place I was born as ‘correcthorsebatterystaple’ and my favourite colour as ‘ketchupthecortina’ - or words to that effect...


 
Posted : 25/10/2019 6:57 pm
Posts: 11605
Free Member
 

I wonder how many people's favourite colour is 'What'?


 
Posted : 25/10/2019 9:45 pm