
SoylentNews is people

posted by martyb on Friday August 24 2018, @09:25AM
from the what-protects-YOUR-luggage? dept.

Submitted via IRC for AndyTheAbsurd

Somewhere in Western Australia, a government IT employee is probably laughing or crying or pulling their hair out (or maybe all of the above). A security audit of the Western Australian government released by the state’s auditor general this week found that 26 percent of its officials had weak, common passwords -- including more than 5,000 that included the word “password” out of 234,000 in 17 government agencies.

The legions of lazy passwords were exactly what you -- or a thrilled hacker -- would expect: 1,464 people went for “Password123” and 813 used “password1.” Nearly 200 individuals used “password” -- maybe they never changed it to begin with?

Almost 13,000 used variations of the date and season, and almost 7,000 included versions of “123.”

[...] The traditional guidelines for strong passwords -- make them long and complicated, use symbols and a mix of upper and lowercase letters, change them regularly -- were making it easier for hackers, Paul Grassi of the National Institute of Standards and Technology told NPR last June. The organization’s current guidelines for good passwords are that they should be simple, long and easy to remember. It suggests using normal English words and phrases that are easy for users but tougher on hackers.

If you want to keep your accounts secure, pick something that’s lengthy and memorable, and if you change it, switch more than a single letter or digit. And for heaven’s sake, don’t use the word “password.”

Source: https://www.washingtonpost.com/technology/2018/08/22/western-australian-government-officials-used-password-their-password-cool-cool/?noredirect=on
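The audit categories in the story (passwords containing "password", variations of "123", dates and seasons) and the NIST advice at the end (prefer long memorable phrases, screen against a blocklist, and change more than one character when you rotate) translate directly into a password-screening check. The script below is an added example for this story, not code from the auditor general, the Washington Post or NIST. The blocklist, the minimum length of 12, the digit-sequence list and the sample password set are constructed assumptions; a real deployment would load a large breached-password list instead of the handful of values named in the article.

```python
import re
from collections import Counter

# Constructed blocklist: the values named in the audit story plus a few obvious
# neighbours. Replace with a full breached-password list in practice (assumption).
BLOCKLIST = {"password", "password1", "password123", "123456", "qwerty"}

SEASONS = ("spring", "summer", "autumn", "fall", "winter")
MONTHS = ("january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december")
YEAR_RE = re.compile(r"(19|20)\d{2}")                 # 1900-2099
DATE_RE = re.compile(r"\d{1,2}[/-]\d{1,2}([/-]\d{2,4})?")  # 12/03 or 12/03/1985
# Short ascending/descending keyboard runs; "123" covers the audit's "versions of 123".
DIGIT_RUN_RE = re.compile(r"(?:0123|123|234|345|456|567|678|789|321|987)")


def audit_password(pw, min_length=12):
    """Return the list of reasons a password is weak; an empty list means it passes.

    Categories are not exclusive: 'Password123' is blocklisted, contains the word
    'password' and contains a digit sequence, so it is counted under all three.
    min_length=12 is an assumed local policy, not a figure from the story.
    """
    reasons = []
    low = pw.lower()
    if len(pw) < min_length:
        reasons.append("too_short")
    if low in BLOCKLIST:
        reasons.append("blocklisted")
    if "password" in low:
        reasons.append("contains_password")
    if DIGIT_RUN_RE.search(low):
        reasons.append("digit_sequence")
    # Month names such as "may" will also match inside ordinary words; as an audit
    # heuristic that over-reports slightly rather than missing "May2018".
    if (any(s in low for s in SEASONS + MONTHS)
            or YEAR_RE.search(low) or DATE_RE.search(low)):
        reasons.append("date_or_season")
    return reasons


def audit_corpus(passwords, min_length=12):
    """Tally weak-password categories over a corpus, the way the audit reported them."""
    counts = Counter()
    weak_total = 0
    for pw in passwords:
        reasons = audit_password(pw, min_length)
        if reasons:
            weak_total += 1
        counts.update(reasons)
    counts["weak_total"] = weak_total
    return dict(counts)


def single_edit_apart(old, new):
    """True when the new password differs from the old one by at most one character
    (one substitution, insertion or deletion), i.e. the rotation the story warns
    against: 'switch more than a single letter or digit'."""
    if old == new:
        return True
    if abs(len(old) - len(new)) > 1:
        return False
    if len(old) == len(new):
        return sum(a != b for a, b in zip(old, new)) == 1
    short, long_ = sorted((old, new), key=len)
    return any(long_[:i] + long_[i + 1:] == short for i in range(len(long_)))


# Constructed sample corpus mirroring the categories in the story.
SAMPLE = ["Password123", "password1", "password", "Summer2018!",
          "correct horse battery staple", "abc123xyz", "12/03/1985"]

if __name__ == "__main__":
    for pw in SAMPLE:
        print(f"{pw!r:35} {audit_password(pw) or 'ok'}")
    print(audit_corpus(SAMPLE))
    print("Summer2018! -> Summer2019! trivial change:",
          single_edit_apart("Summer2018!", "Summer2019!"))
```

Run against a real export of candidate passwords at enrolment time (never against stored hashes, which you should not be able to reverse), the screen rejects the weak categories before they reach the directory, while a long phrase with no dates, sequences or dictionary words passes without any composition rules.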

  • (Score: 0) by Anonymous Coward on Friday August 24 2018, @12:39PM (1 child)

    by Anonymous Coward on Friday August 24 2018, @12:39PM (#725764)

    I've seen large business systems being secured with smart cards (and keyboards with a reader), but these are probably impractical in everyday use.

    The smart cards were always a hassle, but the company I work at has mostly switched over to TPM+PIN for logins. From the user perspective, they have to set up a PIN on every computer they use and have to use 2-factor auth when they need to use their password instead (e.g. to verify their identity to set up their PIN). My understanding is that the PIN works like the PIN to log into an encrypted smartphone: there's a "secure chip" of some kind that stores the user's private key and releases it when presented with the proper PIN and is designed to resist attempts to brute force or otherwise trick it into giving up the private key. How well those protections work is another question, but those attacks involve physical access to the computer, at which point they could have just installed a keylogger to grab a password.

    Passwords are really poor for security for many reasons; one of them is that humans are bad at coming up with and remembering complex enough ones that they are actually difficult to guess. If an organization's computer use patterns mostly involve employees logging in from a small number of machines assigned to them, then private key login is a fairly minor burden for the users (if the user always uses the same computer, then it could probably be set up so the user doesn't even know the difference). And it should probably be combined with a password manager that generates passwords for you for any services the user needs to log in to that do require a password.

  • (Score: 1) by Ethanol-fueled on Friday August 24 2018, @10:38PM

    by Ethanol-fueled (2792) on Friday August 24 2018, @10:38PM (#726055) Homepage

    We use RSA SecurID, which is fucking wonderful (in before NSA hacked lolz) because you can use the number pad to type it all in with one hand, with none of the infuriating bullshit password requirements which cause users to use passwords like "Password123" etc.