
Skeptical of Computer Security Advice

William Parcher

A study says much computer security advice is not worth following.

Please do not change your password


...a study has concluded what lots of us have long suspected: Many of these irritating security measures are a waste of time. The study, by a top researcher at Microsoft, found that instructions intended to spare us from costly computer attacks often exact a much steeper price in the form of user effort and time expended.
 
Yyeaaaaaaah, you'll excuse me if I'm skeptical of a study on security done by Microsoft of all companies. It also seems to ignore that there are secure alternatives to having a dozen passwords that don't waste the user's time.
 
Cost of users' time is one thing, but the report makes no mention of the value of reputation.
If you're compromised and you didn't change your users' passwords on a regular basis, what are you going to claim? "We lost all your financial details, but never mind, even if it costs us millions we still make an annual saving on IT support." Who would do business with you again?
 
Everything in life can do with a little bit of cost benefit analysis.

My password for things that are purely social and do not involve money is the same.

If it is for things that might involve money (a site that I order stuff from) or accesses my reward points, it is the same as above plus a couple of characters derived from the name of the site.

If it is for my on-line banking, or my e-mail or my hosting co, or otherwise involves real money, it is randomly selected from the entire set of 255 ASCII characters and is at least 8 characters long.

If I am a client site with an IT policy that forces me to change the pw on a regular basis, I work through the larger words in a corporate document I have pinned to my workstation. ;)

YMMV & etc.
 
Um, considering that most people use a single password for all their accounts and that includes money access, it is a good idea to use different passwords and change them occasionally.

I have three that I use, one that I use in general, for all non-money accounts and things like that. Then I have the two old ones that I used to use. I change my main one every two years or so, but the bank ones are non-dictionary ones, with numerals and non-alpha characters.

Strangely my JREF one is unique, I have changed all the other accounts that used to have it.
 
A study says much computer security advice is not worth following.

Please do not change your password

I heard a similar theory in a talk about online security. I can't remember the speaker's name, and I don't think his talk was published, so here is my half-assed memory of what he said:

The speaker's position was that the security value of a strong password over a weak password was nominal at best. He presented data that showed most system breaches were either social or bypassed the password system altogether. I've heard this from other sources, but I don't have the IT background to expand on it.

His main point was that security should not be based on passwords at all. Passwords should just be the doorknob, not the lock.

It seems that every new security system I have heard of since then has had that as its basis. The latest was a system that compared the cadence of the login and password typing.
 
Somehow, I think Bruce Schneier's response to the OP's link would be similar to this:

[image]
 
Yyeaaaaaaah, you'll excuse me if I'm skeptical of a study on security done by Microsoft of all companies. It also seems to ignore that there are secure alternatives to having a dozen passwords that don't waste the user's time.

Indeed. I was helping a client to recover from a virus outbreak recently. Despite using Microsoft Forefront, and having a design/implementation validated by Microsoft, the little bugger spread around their network faster than Surprised Little Kitten........
Not someone I'll take security advice from.
 
You should definitely change important passwords regularly, as someone could easily test your account every week or so and it would be lost in the background of your normal password fails as you forgot that it was p4ssw0rd rather than p4ssword. For most internet stuff I use one of a small number of passwords, obscure Gaelic placenames etc.
I used to work for a major computer company and did a lot of security work. The bible was a document that only security auditors and testers (e.g. me) had access to. It was a very good document (if you could read it) full of sensible advice of the form "you should have something like...", "you should consider....". Unfortunately the auditors were all accountants who told us "the document requires you to...".
"No. Here is my copy. Hang on while I ring the author" - who was a very nice man who thought what we were doing was excellent and way past his guidelines.
Ideally it should follow the rule of "something you have, something you are, something you know" - like the RSA card I use to logon to work from home, etc.
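The weekly probe described in the post above (one wrong guess per account per week, hidden among the user's own typos) is invisible to the usual "N failures in ten minutes" rule, but it stands out if the log is grouped by account and source over a longer horizon. The following is an added example, not code from the thread: the log format, the usernames and the addresses are constructed for illustration, and the thresholds (at least three distinct ISO weeks with failures and no success ever from that source, versus three failures in a ten-minute burst) are assumptions a practitioner would tune to their own data.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not from the thread). alice mistypes her password now
# and then from her own machine (198.51.100.4) and always logs in afterwards;
# 203.0.113.7 tries exactly one guess per week and never succeeds.
SAMPLE_LOG = """\
2010-04-01T08:02:11 auth result=fail user=alice src=198.51.100.4
2010-04-01T08:02:30 auth result=ok user=alice src=198.51.100.4
2010-04-02T21:14:05 auth result=fail user=alice src=203.0.113.7
2010-04-05T09:10:00 auth result=ok user=alice src=198.51.100.4
2010-04-09T22:01:45 auth result=fail user=alice src=203.0.113.7
2010-04-12T08:00:19 auth result=fail user=alice src=198.51.100.4
2010-04-12T08:00:41 auth result=ok user=alice src=198.51.100.4
2010-04-16T20:55:12 auth result=fail user=alice src=203.0.113.7
2010-04-19T08:03:07 auth result=ok user=alice src=198.51.100.4
2010-04-23T23:10:33 auth result=fail user=alice src=203.0.113.7
2010-04-26T08:01:50 auth result=ok user=alice src=198.51.100.4
"""

# Assumed log line layout: ISO timestamp, fixed "auth" tag, key=value fields.
LINE_RE = re.compile(r"^(\S+) auth result=(ok|fail) user=(\S+) src=(\S+)$")


def parse(log: str):
    """Turn the text log into (timestamp, result, user, src) tuples; skip malformed lines."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, result, user, src = m.groups()
        events.append((datetime.fromisoformat(ts), result, user, src))
    return events


def burst_alerts(events, threshold: int = 3, window: timedelta = timedelta(minutes=10)):
    """Classic brute-force rule: `threshold` or more failures for one (user, src)
    inside `window`. Returns the (user, src) pairs that trip it."""
    fails = defaultdict(list)
    for ts, result, user, src in events:
        if result == "fail":
            fails[(user, src)].append(ts)
    alerts = []
    for key, stamps in fails.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):          # sliding window over sorted failures
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                alerts.append(key)
                break
    return alerts


def find_slow_guessers(events, min_weeks: int = 3):
    """Low-and-slow rule: a source that has failed against one account in at least
    `min_weeks` distinct ISO weeks and has *never* logged in as that account.
    The user's own typos come from a source that also succeeds, so they drop out."""
    fail_weeks = defaultdict(set)
    ok_pairs = set()
    for ts, result, user, src in events:
        key = (user, src)
        if result == "ok":
            ok_pairs.add(key)
        else:
            year, week, _ = ts.isocalendar()
            fail_weeks[key].add((year, week))
    return {k: len(w) for k, w in fail_weeks.items()
            if k not in ok_pairs and len(w) >= min_weeks}


if __name__ == "__main__":
    ev = parse(SAMPLE_LOG)
    print("burst rule fires on:", burst_alerts(ev))          # nothing: one guess a week
    print("slow guessers:", find_slow_guessers(ev))          # alice from 203.0.113.7, 4 weeks
```

The burst rule returns nothing for this log, which is the point the post makes; the per-week grouping returns the probing source with the number of weeks it has been at it. On a real system the "never succeeded" condition should also consider the source's history across other accounts (a horizontal sprayer fails once per account rather than once per week per account), but the grouping idea is the same.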
 
Ideally it should follow the rule of "something you have, something you are, something you know" - like the RSA card I use to logon to work from home, etc.

Can't stress this enough. This is a solid and sane guideline.
 
Can't stress this enough. This is a solid and sane guideline.

In Europe (at least in Benelux, but it is true for the entire EU afaik) if a bank wants to offer online banking, it is required to offer two-factor authentication.

Most of them use a card reader since all bank customers already have something unique on them (their debit/credit card + card reader with challenge/response) with something they know (their PIN + online bank password), so it's not a very expensive measure in the long run as the readers can be cheaply mass produced.
 
In Europe (at least in Benelux, but it is true for the entire EU afaik) if a bank wants to offer online banking, it is required to offer two-factor authentication.

Most of them use a card reader since all bank customers already have something unique on them (their debit/credit card + card reader with challenge/response) with something they know (their PIN + online bank password), so it's not a very expensive measure in the long run as the readers can be cheaply mass produced.

I'm sorry, but are you saying that to use online banking in Benelux you need a PC with a card reader?
In the UK HSBC require your date of birth and 3 digits from your n-digit password.
 
With my bank if you do some things they require you to put in a unique password. This password is sent to my mobile phone. This means that if someone hacks into my account they will not be able to do such things as transfer money. They need my mobile phone as well.
 
I don't have anything more than anecdote to back this opinion up but my opinion is that requirements for frequent password changes and password complexity simply force people to write their passwords down.

You should definitely change important passwords regularly as someone could easily test your account every week or so and it would be lost in the background of your normal password fails as you forgot that it was p4ssw0rd rather than p4ssword.
No, changing the password doesn't change the probability that they'll match your new password.
 
I don't have anything more than anecdote to back this opinion up but my opinion is that requirements for frequent password changes and password complexity simply force people to write their passwords down.


No, changing the password doesn't change the probability that they'll match your new password.

It can. Also, uh... that is why IT in most areas specifies "don't write it down".
 
Yes, but "don't write it down" is hard to enforce. Password strength and frequency of change are automatically enforced. "Don't write it down", not so much.
 
I agree that forcing people to change their passwords is a bad idea. It leads to people forgetting their passwords. That leads to a real weakness - how to reset your password. If the procedure is to ring up the help desk and tell them you have lost your password then it might be someone else and not you.
 
I'm sorry, but are you saying that to use online banking in Benelux you need a PC with a card reader?
In the UK HSBC require your date of birth and 3 digits from your n-digit password.

No, I said that a bank requires two-factor authentication in order to offer online banking and that most banks do this by offering card readers as it is the most affordable and easiest to distribute.

Alternatives are hardware tokens that generate a one-time password, biometrics, etc.
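The two "something you have" devices mentioned in this thread, the challenge/response card reader from the earlier Benelux post and the OTP token named just above, can both be built on one primitive: an HMAC keyed with a secret that only the device and the bank hold, truncated to a short number a human can type. The following is an added example and not code from the thread or from any bank; it is a simplified model, not the real EMV CAP protocol, and the key, PIN, digit counts and look-ahead window are assumptions. The `hotp` function does follow RFC 4226, so its output for the RFC's test key is checkable against Appendix D of that RFC.

```python
import hashlib
import hmac
import secrets
import struct


def truncate(mac: bytes, digits: int = 6) -> str:
    """Dynamic truncation from RFC 4226 section 5.3: take 4 bytes at an offset
    given by the low nibble of the last MAC byte, clear the sign bit, reduce mod 10^digits."""
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian event counter."""
    return truncate(hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest(), digits)


class Token:
    """'Something you have': an event-based OTP token with a secret and a counter."""
    def __init__(self, key: bytes):
        self.key, self.counter = key, 0

    def press(self) -> str:
        code = hotp(self.key, self.counter)
        self.counter += 1                    # the token never shows the same code twice
        return code


class CardReader:
    """Model of a bank card in a challenge/response reader (assumed, simplified).
    The card answers only after verifying the PIN locally, so the reader combines
    'something you have' (card secret) with 'something you know' (PIN)."""
    def __init__(self, key: bytes, pin: str):
        self._key, self._pin = key, pin

    def respond(self, pin: str, challenge: str):
        if not hmac.compare_digest(pin.encode(), self._pin.encode()):
            return None                      # "PIN incorrect": nothing is released
        return truncate(hmac.new(self._key, challenge.encode(), hashlib.sha1).digest(), 8)


class BankServer:
    """Verifier for both factors; holds the same secret the token or card holds."""
    def __init__(self, key: bytes, window: int = 5):
        self.key, self.window = key, window
        self.counter = 0                     # next HOTP counter we expect
        self._pending = set()                # challenges issued but not yet answered

    def verify_otp(self, code: str) -> bool:
        # Look ahead a few counters because the user may have pressed the button
        # without logging in. Anything at or below the last accepted counter is a replay.
        for c in range(self.counter, self.counter + self.window):
            if hmac.compare_digest(hotp(self.key, c), code):
                self.counter = c + 1
                return True
        return False

    def new_challenge(self) -> str:
        """Fresh random 8-digit challenge the customer types into the reader."""
        ch = "".join(secrets.choice("0123456789") for _ in range(8))
        self._pending.add(ch)
        return ch

    def verify_response(self, challenge: str, response) -> bool:
        if response is None or challenge not in self._pending:
            return False                     # unknown, already used, or no response at all
        self._pending.discard(challenge)     # each challenge can be answered only once
        expected = truncate(hmac.new(self.key, challenge.encode(), hashlib.sha1).digest(), 8)
        return hmac.compare_digest(expected, response)


if __name__ == "__main__":
    KEY = b"12345678901234567890"            # the RFC 4226 test-vector secret
    token, bank = Token(KEY), BankServer(KEY)
    print("first token code:", token.press())            # 755224 per RFC 4226 Appendix D
    reader = CardReader(KEY, "1234")
    challenge = bank.new_challenge()
    print("reader says:", reader.respond("1234", challenge))
```

Two things to note when reading this against the thread: the counter look-ahead is what lets the server tolerate a few wasted button presses without ever accepting an old code again, and the pending-challenge set is what makes a captured response useless for a second transaction, which is the property the SMS-per-transaction scheme in the earlier post is also after.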
 