SoylentNews is people

posted by Fnord666 on Sunday May 12 2019, @01:41PM
from the horse-battery-staple-correct dept.

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and/or easily guessed passwords after several government agencies were targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.

Source: SC Magazine


  • (Score: 2, Insightful) by Anonymous Coward on Sunday May 12 2019, @02:36PM (1 child)

    by Anonymous Coward on Sunday May 12 2019, @02:36PM (#842675)

    Biometrics is not security. Biometrics only gives you a "what you have" type of security, not what you know. Also, unlike OTP, you can't change your biometrics. This means that passwords will ALWAYS be the de facto authentication method. If you use anything else, you are in major trouble as someone can just steal your "credentials".

    Biometrics are useful to authenticate a user with some document, like a passport. But they are useless for almost everything else.

    If you have a phone, and you unlock it with a fingerprint, then you are doing it wrong. If you unlock it with a password or pattern, then that's OK. If you then use a fingerprint to authorize some transaction or log in to Google, that's OK (convenience), as the phone has already authenticated you with a password and the fingerprint becomes authorization verification. But if you only use a fingerprint, then maybe your finger becomes valuable?

  • (Score: 1) by RandomFactor on Sunday May 12 2019, @03:04PM

    by RandomFactor (3682) Subscriber Badge on Sunday May 12 2019, @03:04PM (#842688) Journal

    But if you only use fingerprint, then maybe your finger becomes valuable?

    I've never enabled fingerprint or 'face' unlocking on my devices and I can't imagine I ever will. I understand that in principle police can't currently compel an unlock [pcmag.com] using biometric data (at least until challenged/overturned) but with unlock being based on something I know instead, it becomes my decision to stand up to the wrench [xkcd.com] or not. (And none of that 'no, he left it unlocked, we didn't force his tragically broken finger onto the fingerprint reader, honest!')

    --
    There is no news in "Pravda" and no truth in "Izvestia"