28 Matching Annotations
  1. Apr 2020
    1. Take a moment to consider the alternative. No, not the IT department's fantasy world, that never-gonna-happen scenario where you create a strong, unique password for every account, memorize each one, and refresh them every few months. We both know it's not like that. The reality is that in your attempts to handle all those passwords yourself, you will commit the cardinal sin of reusing some. That is actually far more risky than using a password manager. If a single site that uses this password falls, every account that uses it is compromised.
    1. Password reuse is a serious problem because of the many password leaks that occur each year, even on large websites. When your password leaks, malicious individuals have an email address, username, and password combination they can try on other websites. If you use the same login information everywhere, a leak at one website could give people access to all your accounts. If someone gains access to your email account in this way, they could use password-reset links to access other websites, like your online banking or PayPal account.
    1. Here you can do some social good; we know how much passwords are reused and the reality of it is that if they've been using that password on one service, they've probably been using it on others too. Giving people a heads up that even an outgoing password was a poor choice may well help save them from grief on a totally unrelated website.
    2. I'm providing this data in a way that will not disadvantage those who used the passwords I'm providing.
    3. As such, they're not in clear text and whilst I appreciate that will mean some use cases aren't feasible, protecting the individuals still using these passwords is the first priority.
    1. "Changing your password is definitely the right start," Tyler Carbone, chief strategy officer at secure provider Terbium Labs said. "The other thing users need to remember is that with this password exposed, it cannot be trusted for any other services either, so they need to make sure they aren't reusing it."
    1. Google figures that since it has a big (encrypted) database of all your passwords, it might as well compare them against a 4-billion-strong public list of compromised usernames and passwords that have been exposed in innumerable security breaches over the years. Any time Google hits a match, it notifies you that a specific set of credentials is public and unsafe and that you should probably change the password.
    1. Download the billions of breached passwords and blacklist them all. Attackers have a copy; so should you.
    2. A user need only remember the master password for the password manager — preferably something like a seven-word diceware passphrase, easy to remember, hard to crack.
    3. "If someone knows your old passwords, they can catch onto your system. If you're in the habit of inventing passwords with the name of a place you've lived and the zip code, for example, they could find out where I have lived in the past by mining my Facebook posts or something."Indeed, browsing through third-party password breaches offers glimpses into the things people hold dear — names of spouses and children, prayers, and favorite places or football teams. The passwords may no longer be valid, but that window into people's secret thoughts remains open.
    4. These massive dumps of free passwords lower the cost of an attack dramatically. Password reuse or password guessing attacks are script kiddie stuff. Defending your organization against such threats is basic due diligence.
    5. Single-factor authentication based on "something you know" (e.g., a password) is no longer an acceptable best practice. "I'm pretty well convinced passwords are a horrible system," Professor Douglas W. Jones of the University of Iowa, says
    1. There is MiniKeePass on the iOS App Store, but I'm not sure if I trust it not to make off with my data. Also, syncing between my PC and the app would be a pain. (1Password has local WiFi sync) There is also KeeFox for Firefox integration, but I'm not sure if I trust that either. In short, I trust KeePass itself, but I'm not sure if I can trust the third-party developers of the mobile app and browser extension.
    1. Seriously, the lesson I'm trying to drive home here is that the real risk posed by incidents like this is password reuse and you need to avoid that to the fullest extent possible
    1. In 2017 NIST (National Institute of Standards and Technology) as part of their digital identity guidelines recommended that user passwords are checked against existing public breaches of data. The idea is that if a password has appeared in a data breach before then it is deemed compromised and should not be used. Of course, the recommendations include the use of two factor authentication to protect user accounts too.
    2. Here at Twilio we’re fans of using a second factor to protect user accounts, but that doesn’t mean we’ve forgotten the first factor. Encouraging users to pick strong passwords is still the first line of defence for their accounts.
  2. Mar 2020
    1. Another problem with simple login-based authentication is that there is no way to control how much access an individual third-party application gets: it's an all-or-nothing deal based on whether you are willing to give the program your password.
    2. When third-party software runs amok with your login information for a Web application, the only way to stop it in some cases is to change your password
    1. One article even proclaims the death of passwords for gaming apps because of this new trend. This could signal a big change for security (assuming every user has a mobile number).
  3. Apr 2019