Nick and Margaret: The Trouble with Our Trains is a BBC Two show featuring Nick Hewer and Margaret Mountford, who explore "the sorry state of the British rail network."
The dynamic duo's travels took them to the Wessex Integrated Control Centre, located above the platform entrances at London Waterloo railway station, manned 24 hours a day by teams of controllers from both South West Trains and Network Rail.
[The] documentary revealed more than it planned this week, exposing the passwords used at a rail control centre.
The article features a frame of the video which shows the complex login credentials taped to an LCD panel of a Windows XP terminal.
One might wonder whether an overly strict password policy brought this about, except that a strict password policy obviously would not have allowed the password that is stuck to the monitor.
(Score: 2) by frojack on Monday May 04 2015, @11:40PM
There are a lot of security holes in password safes, and anything in the clipboard on Windows is pretty vulnerable to being plundered by any application.
I'd recommend the dongles. (Actually little USB keys. These are so common you can buy them on Amazon and provision them yourself. Even Google uses them for two factor. [google.com] The software for this is open source.)
Downside: Well having an open USB port is a risk anywhere in a critical infrastructure.
No, you are mistaken. I've always had this sig.
(Score: 2) by frojack on Monday May 04 2015, @11:46PM
Correction, there are a lot of security holes in SOME popular password safes. Others, not so bad.
But on windows, the clipboard is weak.
No, you are mistaken. I've always had this sig.
(Score: 2) by vux984 on Tuesday May 05 2015, @01:15AM
But on windows, the clipboard is weak.
I understand that it is a vulnerability. But I'm curious how the OSX, Android, iOS, or Linux etc clipboards are more secure than Windows?
A password manager that uses a separate non-clipboard and then is activated by a system hotkey to emit the password to the active application might work better. But it'll still fall prey to keylogging etc. So I'm not sure that accomplishes anything.
(Score: 0) by Anonymous Coward on Tuesday May 05 2015, @10:42AM
X11 has a feature that an application can secure the keyboard, so that keypresses are only sent to that single application, and none other. It seems to be rarely used for password prompts these days, though (actually the only programs that I know to activate it automatically for passwords are Emacs and locking screensavers, and the only program I know where you can enable it manually is xterm).
Of course that doesn't help against keyloggers that intercept the keyboard at a lower level; however it at least increases the difficulty (X11 keylogging can be done from the user account; I'm not sure that this is also possible for lower-level keylogging).
(Score: 2) by Geotti on Tuesday May 05 2015, @12:00AM
Downside: Well having an open USB port is a risk anywhere in a critical infrastructure.
For these cases there's the one-time tokens like SecurID [wikipedia.org]. (Of course something safer than the RSA tokens should be picked!)
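As an added illustration of the "one-time token" alternative raised above (this is not code from the thread, and not an implementation of RSA SecurID), here is the open-standard counterpart: HOTP (RFC 4226) and TOTP (RFC 6238), which is what most non-proprietary hardware and software tokens implement. The server-side verifier also enforces the "one-time" property by refusing any code whose time step has already been consumed, so a code read off a sticky note or shoulder-surfed once cannot be replayed. The shared secret is the RFC test key, used only so the output can be checked against the published test vectors.

```python
"""HOTP (RFC 4226) and TOTP (RFC 6238) with a replay-resistant verifier.

Added example; the secret below is the RFC 4226/6238 test key, not a real
credential. Only the standard library is used.
"""
import hashlib
import hmac
import struct
import time

# RFC 4226 / RFC 6238 shared-secret test vector (ASCII "12345678901234567890").
TEST_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """HMAC-based one-time password for a given 8-byte big-endian counter."""
    mac = hmac.new(secret, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F                       # dynamic truncation offset
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """Time-based one-time password: HOTP over the current time-step counter."""
    return hotp(secret, int(for_time) // step, digits, algo)


class TotpVerifier:
    """Server side of TOTP.

    Accepts a code if it matches the current time step or one adjacent step
    (clock skew), and never accepts a time step at or below the highest step
    already used, so a captured code cannot be replayed.
    """

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6,
                 window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_accepted = -1   # highest time-step counter already consumed

    def verify(self, code: str, now: float) -> bool:
        counter_now = int(now) // self.step
        for delta in range(-self.window, self.window + 1):
            candidate = counter_now + delta
            if candidate <= self.last_accepted:
                continue          # already used (or older than a used step): replay
            expected = hotp(self.secret, candidate, self.digits)
            # Constant-time comparison so the check does not leak matching digits.
            if hmac.compare_digest(expected, code):
                self.last_accepted = candidate
                return True
        return False


def demo() -> bool:
    """Prove the replay protection: the same code is rejected the second time."""
    verifier = TotpVerifier(TEST_SECRET, digits=8)
    now = time.time()
    code = totp(TEST_SECRET, now, digits=8)
    first = verifier.verify(code, now)
    second = verifier.verify(code, now)
    return first and not second


if __name__ == "__main__":
    print("HOTP counter 0:", hotp(TEST_SECRET, 0))
    print("TOTP at t=59 (8 digits):", totp(TEST_SECRET, 59, digits=8))
    print("replay rejected:", demo())
```

The `window` of one step in each direction is the usual concession to token clock drift; widening it makes brute-forcing a six-digit code easier, so keep it small and rate-limit attempts. Note that `last_accepted` must live in persistent, per-user server state for the replay check to mean anything across restarts.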
(Score: 4, Interesting) by vux984 on Tuesday May 05 2015, @01:04AM
There are a lot of security holes in password safes
Yes. However I think some of them are quite good.
and any thing in the clipboard on windows is pretty vulnerable to being plundered by any application.
So what. If my system has been compromised to that degree, any password I type in manually isn't safe from being recorded either.
I'd recommend the dongles. (Actually little USB keys. These are so common you can buy them on Amazon and provision them yourself. Even Google uses them for two factor. The software for this is open source.)
Which? Stuff like YubiKey? Yes, I agree... those are a great concept. I didn't mention them for the sake of brevity and the fact that they do not in fact work for most users' passwords most of the time, which was my criterion.
After all what do you do for sites and systems out of your control that don't support them?
A USB key can also be lost or forgotten, it can go through the washing machine, or it can simply fail... trading "not very secure" for "so secure even I can't get in" isn't necessarily net positive. And if they leave their YubiKey on their desk all the time to ensure that doesn't happen... well... how is that really much better than the note under the keyboard?
Downside: Well having an open USB port is a risk anywhere in a critical infrastructure.
USB itself isn't a security risk the way FireWire or Thunderbolt are, but yes. Although you can at least disable USB storage services and so forth to mitigate the risk. Or switch to the NFC version of YubiKey, etc. Truly critical infrastructure should have secondary layers, i.e. monitoring what is actually put into the USB port, people monitoring who is actually doing the putting in, etc.