Filed: Country: Philippines
Timeline
Posted

By Larry Greenemeier

As more and more personal business is conducted online, passwords (make that dozens of passwords) have become a necessary evil of daily life. We all know the rules for coming up with good passwords, or at the very least we hopefully know there are rules—choose an alphanumeric combination, don't write it down, don't use it for multiple accounts, etc.

Despite this guidance, "people are lousy at picking passwords that computers can't guess, especially computers with multi-core processors," Bill Cheswick said at a cyber security conference held recently at New York Institute of Technology. Cheswick has some credibility in this area. In addition to his current position as lead member of AT&T Research's technical staff, he played a key role in developing the first firewall systems more than two decades ago.

The cyber security pioneer ran through about a dozen different corporate password creation policies from a variety of companies and concluded, "These rules don't make anything more secure." Even the longest and most complicated password is useless if it falls into the wrong hands.

Cheswick offered instead his "non-moronic password rule": A password should be an alphanumeric combination that a family member or friend can't guess in five tries, and it should be complex enough so a person can't figure it out by watching you type it one time. If you need a reminder, rather than writing down the password itself, write down something that will remind you of the password.

It's also important to weigh the value of the information you are protecting. Cheswick breaks this down to three levels. The "who cares?" category is for any account that simply provides access to information, such as an online subscription to The New York Times. If someone steals the password, the most they can do is read the publication or perhaps fill out a survey, so feel free to reuse passwords for these sites.

Other accounts deserve more protection and their passwords should be created and guarded more carefully. On one level are accounts where it would be "inconvenient" if a password were stolen, but the consequences (i.e. someone ordering a book via your Amazon.com account) could be rectified with some effort. Accounts demanding the highest level of protection are those that enable you to access bank accounts, trade stocks or otherwise deal with financial matters.

Of course, the bad guys have all sorts of ways of stealing your log-in information, and many of these thefts are no fault of the password holder, Cheswick said. Some of the most common ways for passwords to be stolen are through keystroke loggers, phishing attacks and password database hacks.

Keystroke loggers are typically installed on a person's computer without their knowledge when they download software or images from unsavory or compromised Web sites. Phishing attacks are delivered via e-mails posing to be from your bank, credit card provider or some other seemingly trusted source. Clicking on links in these bogus e-mails will take you to equally bogus Web sites created to resemble a bank or credit card company's site. When you try to log in, your information is captured. Hackers often attack password databases (such as those maintained by financial institutions or Internet service providers) directly, where they can steal dozens or even hundreds of passwords.

In these cases, much of the security burden falls on your bank, Internet service provider or whoever else is in charge of protecting your information. One way for them to improve security is to limit the number of password guesses, locking an account if the limit is exceeded. Unlocking such accounts should also be carefully thought through. If a Web site offers a secondary question for authentication, that question should be related to the password rather than you yourself, Cheswick said, noting that it's not too difficult to figure out the "maiden name" of a person's mother.

link
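The guess limit and account lockout the article describes, as an added sketch that is not part of the quoted article or of any post in this thread. The limit of five guesses, the 60-second base lockout and the timed unlock that doubles on each repeat are assumptions chosen for illustration; a timed unlock is used so that wrong guesses by someone else cannot shut the real owner out permanently.

```python
import hashlib
import hmac
import os

MAX_FAILURES = 5          # assumed guess limit before lockout
BASE_LOCK_SECONDS = 60    # assumed first lockout duration; doubles on each repeat


class LoginThrottle:
    """Verifies passwords and locks an account after too many wrong guesses."""

    def __init__(self):
        self._creds = {}   # user -> (salt, derived key)
        self._state = {}   # user -> [failures, lockouts, locked_until]

    @staticmethod
    def _derive(password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

    def register(self, user, password):
        salt = os.urandom(16)
        self._creds[user] = (salt, self._derive(password, salt))
        self._state[user] = [0, 0, 0.0]

    def attempt(self, user, password, now):
        """Return 'ok', 'denied' or 'locked'. `now` is a timestamp in seconds."""
        if user not in self._creds:
            return "denied"
        state = self._state[user]
        if now < state[2]:
            return "locked"            # guesses during a lockout are not checked at all
        salt, key = self._creds[user]
        if hmac.compare_digest(self._derive(password, salt), key):
            state[0] = 0               # success clears the failure count ...
            return "ok"                # ... but the lockout history is kept
        state[0] += 1
        if state[0] >= MAX_FAILURES:
            state[1] += 1              # each repeat lockout lasts twice as long
            state[2] = now + BASE_LOCK_SECONDS * 2 ** (state[1] - 1)
            state[0] = 0
            return "locked"
        return "denied"
```

Even the correct password is refused while the account is locked, which is what stops an attacker from simply continuing to guess through the lockout window.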

Posted

I use this password for all my accounts,

asdjfp89u43384kfv9240945krgfg7we557249re48478+)&$#$%^*()_)GFGHlwejsdu97er4j39fndsflar9845dsk;/..//;03e89hjddghdetge484889f8dofjdpofjdpfujapdf87uq0rufjpu3409346543@#@#%^&**()_+++JHTERFGhsdyodq9e67sdyuoE67UJ0398430948UJNML;75F#$%^*()_)+osjjohU0F9I039847777@@@###$%%^^&*()_)_+jhhgttrdssetASDKFJ;ASDFJAPOFIUW0E87Q23404R705R8723R89=23458234785WEPOIFDJA;DFJ0A97`12037478485895858376236656^^&(&**(&^8$3#$@542542543267*^I*%^8(^098_89_+8_)&*()^^89&&%^((*&(^&%&%$HNHFNVSDHFDFHPWERUQPWER4782348URPAHDLAHDFOASDYDY9QW87E6796ATUIHHOIUYHOUIOIOIU871251272529837340-374%^$()_+{p}}}|||'//.,<<>?MJHGTYWY7EWEYE

It took a while to memorize, but I feel it is quite secure.

R.I.P Spooky 2004-2015

Filed: Country: United Kingdom
Timeline
Posted

I use this password for all my accounts,

asdjfp89u43384kfv9240945krgfg7we557249re48478+)&$#$%^*()_)GFGHlwejsdu97er4j39fndsflar9845dsk;/..//;03e89hjddghdetge484889f8dofjdpofjdpfujapdf87uq0rufjpu3409346543@#@#%^&**()_+++JHTERFGhsdyodq9e67sdyuoE67UJ0398430948UJNML;75F#$%^*()_)+osjjohU0F9I039847777@@@###$%%^^&*()_)_+jhhgttrdssetASDKFJ;ASDFJAPOFIUW0E87Q23404R705R8723R89=23458234785WEPOIFDJA;DFJ0A97`12037478485895858376236656^^&(&**(&^8$3#$@542542543267*^I*%^8(^098_89_+8_)&*()^^89&&%^((*&(^&%&%$HNHFNVSDHFDFHPWERUQPWER4782348URPAHDLAHDFOASDYDY9QW87E6796ATUIHHOIUYHOUIOIOIU871251272529837340-374%^$()_+{p}}}|||'//.,<<>?MJHGTYWY7EWEYE

It took a while to memorize, but I feel it is quite secure.

Not anymore.

Posted
Passwords will soon be obsolete. Biometrics is the way to go in the future.
Careful--that has already been rendered obsolete on-screen (Diamonds Are Forever, Never Say Never Again, Codename Foxfire). :lol:


Filed: Country: United Kingdom
Timeline
Posted

Passwords will soon be obsolete. Biometrics is the way to go in the future.

That's incorrect.

Biometrics prove who you are.

Passwords are what you know.

A token or smart card is what you have.

Good security systems use at least two of the above (or all three) authentication methods.

Filed: K-1 Visa Country: Lesotho
Timeline
Posted

That's incorrect.

Biometrics prove who you are.

Passwords are what you know.

A token or smart card is what you have.

Good security systems use at least two of the above (or all three) authentication methods.

If you can prove to the system who you are then that is all that is necessary. The system knows what access to grant which people so all that is needed is to prove you are who you say you are.

Filed: Country: United Kingdom
Timeline
Posted

If you can prove to the system who you are then that is all that is necessary.

But you can't - no biometric identifier is 100% accurate. Out of the world population of some 6 billion people there will be at least two persons with the same fingerprints and iris scans. Identical twins have (almost) identical DNA.

A criminal might kidnap an authorized person, cut off their fingers or remove their eyes to obtain the biometric. They might steal their access card or torture them to get their password.

It's a lot harder if you need all three to gain access.

Posted

But you can't - no biometric identifier is 100% accurate. Out of the world population of some 6 billion people there will be at least two persons with the same fingerprints and iris scans. Identical twins have (almost) identical DNA.

A criminal might kidnap an authorized person, cut off their fingers or remove their eyes to obtain the biometric. They might steal their access card or torture them to get their password.

It's a lot harder if you need all three to gain access.

What if you were kidnapped, had your fingers cut off, eyeballs ripped out and were tortured into revealing your password?

R.I.P Spooky 2004-2015

Filed: Country: United Kingdom
Timeline
Posted

What if you were kidnapped, had your fingers cut off, eyeballs ripped out and were tortured into revealing your password?

Well if I knew they were going to cut my fingers off, rip my eyeballs out and probably kill me anyway, I wouldn't give them the right password.

 
