Slashdot Mirror
Poor Passwords A Worse Problem Than Poor Antivirus
dasButcher writes "Viruses and worms get all the headlines, but poor password management is a worse problem according to a new study by Channel Insider and CompTIA. As Larry Walsh writes in his Security Channel blog, VARs and security service providers say they find more problems with password management than antivirus applications when they do security assessments. While password problems are nothing new, Walsh and those posting on his blog correctly assert that users remain cavalier about passwords and businesses are doing too little to address this serious vulnerability."
I think one day, we'll look back at this period of needing umpteen different 8-16 character one capital letter one alphanumeric character passwords (changed each month!) with the same horror we now regard the times when the best solution to a serious leg injury was to cut the freaking thing off. With no anasthetic. Maybe it's not directly analogous, but it's just as barbaric and wrong and crazy!
And there is no malware possible that can read what's written on a post-it note.
Security cameras. If you know what to Google you can find all sorts of security cameras on the internet.
Or just walk in and look yourself.
It's good to see Arora getting some more attention now. I've been using it now for more than half a year and I must say it's the first webbrowser I have actually liked in several. I would definetly consider it the best OSS webbrowser on linux right now, particularly if you're running KDE (although Arora is desktop agnostic, it is Qt). I've been fed up with Firefox's bloat (ever try comparing Firefox and Seamonkey these days? Guess which is heavier...) for some time and Arora is a nice change from that.
"linux is just DOS with a UNIX like syntax" -- Galactic Dominator (944134)
I'd like to make a proposition to everyone on slashdot.
For the greater good of humanity, we need to employ some social engineering. I suggest that all of us stop referring to it as a "password" and start referring to it as a "passphrase". With a little luck, it'll catch on and people will start using phrases instead of just words. This tiny change should cause people to create easily remembered passes that are in excess of 10 characters long.
+1 IDisagreeSoHeMustBeATrollOrAnAstroturferOrAShill
I remember when working for a major financial firm in Boston, they had the most ridiculous password policies for each password. We had to have at least four or five different passwords according to what you needed to access, each with their own rules and limitations (size, characters allowed etc...). Not only that, but each password expired in different intervals. So basically every week, you'd have to change at least one password making the whole damn thing impossible to remember.So, what did people do? They wrote them down in little sticky-notes. Sure, I came up with my own schemes to facilitate remembering them, but nevertheless a forgotten password was bound to happen. It amazes me how paranoid firms are about some policies, yet leave the back door wide open due to such stupidity
Due to a recent identity-theft scare I had the other day, it made me realize the importance of safe-guarding the data with good passwords. Since then, I've used KeePass to generate and store all my 20-digit random passwords that I've since never have to remember (a backup, of course, is constantly made and stored in a safe place). Either way, I'm no security expert, but it seems to me an approach like this would be much more sensible than inconsistent password policies that expire randomly. Just my $0.02
OK so I went and searched for "office security cameras" and that pretty much just turned up companies selling cameras. I then tried "office security cameras HOT XXX ACTION" and that DID yield me some results... But no passwords on sticky notes :( Rule 34 should kick in eventually, through, right?
Seriously though, I'm guessing most office security cameras are too low-res and they give a wide-area view so as to make it pretty damn difficult to be able to get someone's PW that way.
We all know most people will never use "proper" passwords, let alone "properly", quite aside from offices in which ridiculous password management policies drive people to drink^h^h^h^h^h simply writing their passwords on Post-it notes stuck to their monitors. Why not make the best of a bad situation by only insisting on reasonable passwords changed no more than once per six months, complete with freely available "wallet-sized password booklets", but which are accompanied by other methods such as once-per-session typing pattern analysis verifications or cheap magnetic stripe cards? (The obvious security problem with a magnetic stripe card in the same wallet as a password booklet, for example, can be ameliorated by insisting that the magnetic stripe cards be kept in small employee lockers, and never allowed off-premises).
The point is that a little imagination is all that is needed to make security reasonably good or at least acceptable, given that the weak link will always be the kind of muppets who insist on shoving bricks between doorjambs and ultra-high-security triple-locked doors if they are at all allowed. Sure, any security method can be defeated, but it's far easier to educate (okay, frighten) people into not removing stuff from company premises (the magnetic stripe cards) or to make them perform once-a-day monkey tricks (the typing pattern analysis verifications) than it is to make them stop writing stuff down in very insecure ways. Security will tend to be more even, and problem employees will be easier to spot.
The old saying comes to mind, "The perfect is the enemy of the good."
A truly excellent pizza parlor is a delight unto the heavens. Treasure the sauce and the toppings!
Good password policy...
Strong, not written down, regularly changed
Pick Two.
Where's the Kaboom?
There's supposed to be an Earth-shattering Kaboom.
As someone who does IT and computer work "in the field" for small local businesses in a small midwestern town, the "Just walk in and look" thing is more true than you might think. If you look like a clean-cut semi-geek with a laptop and an air of confidence, all you need to do is walk in.
Go up to the bored and underpaid secretary/receptionist who doesn't really give a flock, and say you're there to fix the computer in the back, or to fix the printer, whatever. Most likely they'll say "yeah, sure, whatever" and let you go on because they don't care, don't know, and most places DID have problems with the computer/printer/whatever the day before, and she will assume the owner called you.
Memory stick with a few choice apps, clickety click, and you can own the place whenever you want and nab whatever you want.
Oh, and all the passwords are either on a post-it on the monitor, under the keyboard, or are some variant of Password. Or, everyone knows it because it's the dogs name and ALL the passwords are the same.
"Oh, hey, can you give me the password real quick for this workstation right here?" (wants to be helpful and is embarrassed because they don't know jack about computers) "Sure, it's password123!"
One time the manager of a chiropractic/PT place was giving me access to the server because she needed me to do something, and I watched her peck in the password at 1 WPM. The password was "SPRAIN". I about busted out laughing.
Way too many places that should have security - lawer offices, medical offices, have open AP's and crap security. Actually, NO security. No backup, either. I'm turning things around as I go.
Flappinbooger isn't my real name