
posted by Fnord666 on Sunday May 12 2019, @01:41PM
from the horse-battery-staple-correct dept.

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and/or easily guessed passwords after several government agencies were targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.

Source: SC Magazine


  • (Score: 2) by Hyperturtle on Sunday May 12 2019, @02:11PM (2 children)

    I wonder when the day is coming when those biometric readers, like the fingerprint readers built into power buttons and touch screens, plus the cameras that enable facial recognition... are mandatory. But they will call it convenience and security when it happens, I am sure. I expect it'll get driven by free services like social media or 'professional' ones like Office 365 and various internet-only applications that want to make it easy for someone to be tracked/log in from anywhere.

    It is not like biometric data is kept private and secured. Facebook even was suing a few states in the US crying that biometric privacy laws were onerous regulations that denied them profits because they had to adhere to actual restrictions on biometric data use. I can't imagine Microsoft easily removing Windows Hello and all the data that security feature has managed to gather. Many modern devices now have fingerprint readers built into the power buttons and/or touch screens. It is not even possible in some cases to turn a device on without giving up biometric data to do so.

    Ah, privacy and security is so easy and often expected that we hand it away for free in exchange for a service, and yet often so unattainably expensive to buy back. Often the services involved don't even have the option.

    But more importantly, use a good password while you still can. If the government is complaining that passwords are hard, then it likely won't be long before an alternative is used. That would make it a lot easier to share data between various organizations, because really, sharing passwords is insecure, but losing control of your biometric data is described as safe.

  • (Score: 2, Insightful) by Anonymous Coward on Sunday May 12 2019, @02:36PM (1 child)

    Biometrics is not security. Biometrics only gives you a "what you have" type of security, not what you know. Also, unlike OTP, you can't change your biometrics. This means that passwords will ALWAYS be the de facto authentication method. If you use anything else, you are in major trouble as someone can just steal your "credentials".

    Biometrics are useful to authenticate a user with some document, like a passport. But they are useless for almost everything else.

    If you have a phone, and you unlock it with a fingerprint, then you are doing it wrong. If you unlock it with a password or pattern, then that's OK. If you then use a fingerprint to authorize some transaction or log in to Google, that's OK (convenience), as the phone has already authenticated you with a password and the fingerprint becomes authorization verification. But if you only use a fingerprint, then maybe your finger becomes valuable?

    • (Score: 1) by RandomFactor on Sunday May 12 2019, @03:04PM

      But if you only use fingerprint, then maybe your finger becomes valuable?

      I've never enabled fingerprint or 'face' unlocking on my devices and I can't imagine I ever will. I understand that in principle police can't currently compel an unlock [pcmag.com] using biometric data (at least until challenged/overturned) but with unlock being based on something I know instead, it becomes my decision to stand up to the wrench [xkcd.com] or not. (And none of that 'no, he left it unlocked, we didn't force his tragically broken finger onto the fingerprint reader, honest!')

      --
      There is no news in "Pravda" and no truth in "Izvestia"