
posted by Fnord666 on Sunday May 12 2019, @01:41PM
from the horse-battery-staple-correct dept.

Submitted via IRC for AndyTheAbsurd

The DHS recently issued a warning against the use of common and/or easily guessed passwords after several government agencies were targeted by "password spray" attacks.

It seems that the world outside of technologists will never listen to advice regarding strong passwords, not reusing passwords, not writing passwords down, etc. If you're an administrator and have the ability to do so - for the love of Dog, please enable TOTP (https://en.wikipedia.org/wiki/Time-based_One-time_Password_algorithm) or something similar - and remember that SMS is far too easy to spoof to be considered a secure method of delivering one-time passwords.

Source: SC Magazine
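The submission above describes password spraying but not how it shows up in logs. As an added example (mine, not from the submission, SC Magazine or the DHS advisory), the detector below runs over a constructed authentication log. The log format, the field names and the IPs are invented for the illustration; the point is the shape of the signal: a spray is one source failing against many distinct accounts with one or two attempts each, which is the opposite of a brute force against a single account, and a success from a sprayed source is the line to escalate first.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from any real system): one line per login
# attempt with timestamp, result, username and source IP. Source
# 203.0.113.7 sprays one guess across six accounts and hits "frank";
# 198.51.100.9 brute-forces "alice" only; 192.0.2.5 is a user who mistypes once.
SAMPLE_LOG = """\
2019-05-10T08:00:01Z auth: FAIL user=alice src=203.0.113.7
2019-05-10T08:00:03Z auth: FAIL user=bob src=203.0.113.7
2019-05-10T08:00:05Z auth: FAIL user=carol src=203.0.113.7
2019-05-10T08:00:07Z auth: FAIL user=dave src=203.0.113.7
2019-05-10T08:00:09Z auth: FAIL user=erin src=203.0.113.7
2019-05-10T08:00:11Z auth: OK user=frank src=203.0.113.7
2019-05-10T08:01:00Z auth: FAIL user=alice src=198.51.100.9
2019-05-10T08:01:02Z auth: FAIL user=alice src=198.51.100.9
2019-05-10T08:01:04Z auth: FAIL user=alice src=198.51.100.9
2019-05-10T08:01:06Z auth: FAIL user=alice src=198.51.100.9
2019-05-10T08:01:08Z auth: FAIL user=alice src=198.51.100.9
2019-05-10T08:01:10Z auth: FAIL user=alice src=198.51.100.9
2019-05-10T08:02:00Z auth: FAIL user=carol src=192.0.2.5
2019-05-10T08:02:05Z auth: OK user=carol src=192.0.2.5
"""

# Hypothetical log format for this example; adapt the regex to your own source.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Parse lines into (timestamp, result, user, src) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected format
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_spray(events, window=timedelta(minutes=30), min_users=5, max_per_user=2):
    """Return {src: sorted list of sprayed users} for every source whose failed
    logins inside any sliding `window` touch at least `min_users` distinct
    accounts with no more than `max_per_user` failures per account.
    A brute force against one account (many failures, one user) is a different
    pattern and is deliberately not flagged here."""
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerts = {}
    for ts, result, user, src in events:
        if result != "FAIL":
            continue
        q = recent[src]
        q.append((ts, user))
        while q and ts - q[0][0] > window:
            q.popleft()  # drop failures older than the window
        per_user = defaultdict(int)
        for _, u in q:
            per_user[u] += 1
        if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
            alerts[src] = sorted(per_user)
    return alerts


def successes_from_sprayers(events, alerts):
    """Successful logins from a source already flagged as spraying: the
    accounts most likely to have been compromised by a guessed password."""
    return [(user, src) for _, result, user, src in events
            if result == "OK" and src in alerts]


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    found = detect_spray(evts)
    for src, users in found.items():
        print(f"spray from {src}: {len(users)} accounts {users}")
    for user, src in successes_from_sprayers(evts, found):
        print(f"ESCALATE: {user} logged in from spraying source {src}")
```

The thresholds are assumptions for the sample; in practice tune `min_users` to your tenant size and remember that a patient sprayer spreads attempts over days and across many source IPs, so the same logic is usually also run keyed on the guessed password's hash or on the user agent rather than only on the IP.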


  • (Score: 2) by FatPhil (863) <{pc-soylent} {at} {asdf.fi}> on Monday May 13 2019, @11:00AM (#842947)
    Thanks for the clarification. Not being an "app" user, it wasn't obvious to me that the "app" would store the shared secret. It's a bit too copyable for my liking, which I consider should be hard for a security token (something you have), contrasting against something you know, which is duplicated every time it's used.

    I write my password down on a post-it note, and am so lazy I enter it using OCR via the webcam - is that something I know, or something I have?
    --
    Great minds discuss ideas; average minds discuss events; small minds discuss people; the smallest discuss themselves
  • (Score: 0) by Anonymous Coward on Tuesday May 14 2019, @02:43AM (#843237)

    A written-down password is something you know; changing the medium doesn't change the original threat-model reason for that authentication mode. If you are having a hard time with this, think of the TOTP token like an SSH key. The fact that you could theoretically remember all the parameters and a pseudorandom number hundreds, if not thousands, of bits long doesn't change the fact that it is supposed to be something you carry around in the proper form for authentication, as opposed to being locked in your memory.