A Strong Password Isn't the Strongest Security

Discussion in 'other security issues & news' started by trismegistos, Sep 10, 2010.

Thread Status:
Not open for further replies.
  1. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    A Strong Password Isn’t the Strongest Security
    Continue reading from here... http://www.nytimes.com/2010/09/05/business/05digi.html
    or http://finance.yahoo.com/news/A-Strong-Password-Isnt-the-nytimes-3369144559.html

    ---
    Well yeah. Why crack an uncrackable password, when you can have a keylogger installed via drive-by download, or by social engineering, or by a redirect to a phishing site?
     
    Last edited: Sep 10, 2010
  2. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Hm, if you go with LUA+SRP and regular updates, I guess you are "relatively" safe from drive-bys. And to protect your system from someone who has direct access to it, I would go with Neo's SafeKeys or any other virtual keyboard, which gives you the (extra) protection from keyloggers (especially those installed in or on your keyboard), or whole disk encryption (good against someone installing a keylogger on your machine; it wouldn't prevent hardware keyloggers, but in combination with a virtual keyboard it does improve your chances).

    "If you don't have it, they can't get it." Keep your passwords in your head and NOT in some container. If it is possible, try to reduce the amount of important and sensitive data to a minimum.
     
  3. HAN

    HAN Registered Member

    Joined:
    Feb 24, 2005
    Posts:
    2,080
    Location:
    USA
    I am no expert by any means in computer security but I too firmly believe that password insanity is often blown way out of proportion.

    I know he is hated by many but Kevin Mitnick's books were good eye openers for me on hacking. Yes, passwords can be/were/are used for hacks. But most of the time, they either aren't needed or the passwords used by hackers are the defaults that were never changed when systems were originally set up.

    Having/using a good password is important. When you set up something new (PC, firewall, whatever) change the default password to a good one, keep your equipment up to date with security patches, practice some basic security procedures and use some common sense and you'll likely be ok...
     
  4. ABee

    ABee Registered Member

    Joined:
    Jun 2, 2010
    Posts:
    330
  5. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Great articles, the last lines say it all.

    "For years, I have said that the easiest way to break a cryptographic product is almost never by breaking the algorithm, that almost invariably there is a programming error that allows you to bypass the mathematics and break the product. A similar thing is going on here. The easiest way to guess a password isn't to guess it at all, but to exploit the inherent insecurity in the underlying operating system."
     
  6. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
  7. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    Imagine you take out of the equation the following:

    * Drive-by downloads
    * Social engineering
    * Exploits
    * Phishing
    * etc

    Imagine everyone knew all about security and had their systems protected.

    You do not have a strong password in place. You may be protected against virtual danger, but are you protected against "physical" danger, coming from people, like someone who has a grudge against you, who knows your e-mail address and happens to have knowledge of how to try to crack passwords? The stronger the password is, the better, no? The more often you change them, the better, no?

    It's all very relative.
     
  8. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    What are the chances that someone who has a grudge against you will be in front of your physical computer in your own locked-down home, as against drive-by downloads, phishing, social engineering etc.?

    When will the time come that everyone knows about security and has their systems protected? A security utopia. Chances are they have a secure password in place.

    What the article stated is a proper perspective and reality check.
     
  9. chronomatic

    chronomatic Registered Member

    Joined:
    Apr 9, 2009
    Posts:
    1,343
    Easy on Linux. Just encrypt it when you install the OS. You can encrypt every partition except /boot. If you don't want to reinstall you can merely follow this guide.
     
    Last edited: Sep 11, 2010
  10. m00nbl00d

    m00nbl00d Registered Member

    Joined:
    Jan 4, 2009
    Posts:
    6,623
    I think you misunderstood me.

    I just took out from the equation what I mentioned, to make things clear. Of course, not so many users are security aware.

    But, I only wanted to show that having a strong password in place makes all the difference. Not to keyloggers, because if no protection is set in place to fight this, then the game is over, but to fight people outside the virtual world.

    Is a password like bacon going to stand its ground against someone who knows what your e-mail address is and has the skills to get hands on some cracker or even to build one? No, it isn't. But, if you've got a very strong password set, then it sure will make that person give up, unless he/she owns a system with a lot of processing power.

    I'm wondering what the passwords of those folks who write such articles are. Things like mom, dad, some football team name?

    I'm curious about that.

    Now, if they have said a strong password plus protection to prevent keyloggers, then I'd applaud.

    I couldn't access the nytimes site, but, in the boston link and in the yahoo links provided, I see no mention whatsoever of any sort of product that could help users against keyloggers.

    They say not to change or have strong and secure passwords, but they fail to actually explain how millions of users can protect themselves.

    The way I see it, it's just (one) more article(s) to shout out: We're smart people. We know stuff.

    I'm sick and tired of such articles. WTH... why don't they simply tell people how they can protect themselves? Is it that hard? Or, they just write what they hear from others, without actually knowing what they're writing about?
     
  11. trismegistos

    trismegistos Registered Member

    Joined:
    Jan 29, 2009
    Posts:
    365
    :thumb:
    I agree with everything you have said. Just pointing out that in the real world, one has to weigh the dangers and what the chances are. A person who has a data gold mine and does online banking would need to have more extraordinary measures. Both you and that writer have some points and have no real conflict, or just have different viewpoints.

    You need to register to access the article on nytimes. That's the reason I gave the alternative link. Well, I guess the writer is not advertising or promoting any product. But security writers would do a great service to you and me by clearly pointing out how ordinary folks, in a simple manner, will be able to protect themselves from cybercrooks or from persons that might pry or do some nasty stuff. Oh, how I wish it were that simple.

    Well, one simple thing they can do is direct people to Wilder's as there are many security experts willing to help. ;) /jk
     
    Last edited: Sep 11, 2010
  12. wearetheborg

    wearetheborg Registered Member

    Joined:
    Nov 14, 2009
    Posts:
    667
    Thanks :thumb:

    I didn't know partitions could be encrypted during install (debian).

    Encrypting the swap partition should ensure that the passwords used for truecrypt etc. are not written to disk.

    Anyone know how to encrypt swap file in windows?
     
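A quick way to verify the point raised in this post (that swap should be encrypted so that passphrases paged out of memory never land on disk in the clear) is to check each active swap area against the block device stack. The script below is an added example, not code from the thread or from any of the products mentioned; it parses the text of `/proc/swaps` and of `lsblk -rno KNAME,TYPE` (the sample strings embedded here are constructed, not captured from a real host) and flags any swap partition that is not a dm-crypt mapping. A swap file is reported separately, because whether it is encrypted depends on the filesystem it lives on, which these two sources alone cannot tell you.

```python
"""Flag active Linux swap areas that are not backed by dm-crypt.

Added example for this thread. Inputs are the text of /proc/swaps and
the output of `lsblk -rno KNAME,TYPE`; the live check at the bottom
reads both from the running system.
"""
import os
import subprocess

# Constructed sample of /proc/swaps (not captured from a real machine).
SAMPLE_PROC_SWAPS = (
    "Filename\t\t\t\tType\t\tSize\tUsed\tPriority\n"
    "/dev/dm-1                               partition\t4194300\t0\t-2\n"
    "/dev/sda3                               partition\t2097148\t0\t-3\n"
    "/swapfile                               file\t\t1048572\t0\t-4\n"
)

# Constructed sample of `lsblk -rno KNAME,TYPE`: kernel name and device type.
SAMPLE_LSBLK = (
    "sda disk\n"
    "sda1 part\n"
    "sda2 part\n"
    "sda3 part\n"
    "dm-0 crypt\n"
    "dm-1 crypt\n"
)


def parse_proc_swaps(text):
    """Return [(path, type), ...] for every swap area listed in /proc/swaps."""
    entries = []
    for line in text.splitlines()[1:]:          # first line is the header
        parts = line.split()
        if len(parts) >= 5:
            entries.append((parts[0], parts[1]))
    return entries


def parse_lsblk(text):
    """Return {kernel_name: type} from `lsblk -rno KNAME,TYPE` output."""
    types = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            types[parts[0]] = parts[1]
    return types


def classify_swap(swaps, blk_types, resolve=lambda p: p):
    """Map each swap path to 'encrypted', 'plaintext' or 'file'.

    `resolve` turns a path such as /dev/mapper/cryptswap into the kernel
    device path; on a live host pass os.path.realpath. Partitions whose
    kernel name lsblk reports as type 'crypt' are dm-crypt mappings.
    """
    verdicts = {}
    for path, kind in swaps:
        if kind == "file":
            verdicts[path] = "file"     # encrypted only if its filesystem is
            continue
        kname = os.path.basename(resolve(path))
        verdicts[path] = "encrypted" if blk_types.get(kname) == "crypt" else "plaintext"
    return verdicts


def check_live_system():
    """Run the check against the real /proc/swaps and lsblk of this host."""
    with open("/proc/swaps") as fh:
        swaps = parse_proc_swaps(fh.read())
    out = subprocess.run(["lsblk", "-rno", "KNAME,TYPE"],
                         capture_output=True, text=True, check=True).stdout
    return classify_swap(swaps, parse_lsblk(out), resolve=os.path.realpath)


if __name__ == "__main__":
    sample = classify_swap(parse_proc_swaps(SAMPLE_PROC_SWAPS), parse_lsblk(SAMPLE_LSBLK))
    for path, verdict in sample.items():
        print(f"{path}: {verdict}")
    try:
        for path, verdict in check_live_system().items():
            print(f"[live] {path}: {verdict}")
    except (OSError, subprocess.CalledProcessError) as exc:
        print(f"[live] skipped: {exc}")
```

On the constructed sample, `/dev/dm-1` is reported as encrypted, `/dev/sda3` as plaintext (a swap partition sitting directly on the disk, which is exactly the case the post warns about), and `/swapfile` as a file whose protection follows its filesystem. A plaintext verdict is the cue to move swap onto a dm-crypt mapping, for example a random-key entry in `/etc/crypttab`, or to remove swap altogether as the next reply suggests.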
  13. hugsy

    hugsy Registered Member

    Joined:
    May 22, 2010
    Posts:
    167
    Remove it :)
     