Comments on: Is our entire password strategy flawed?
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/
The Security Stack Exchange Blog, Sat, 06 Feb 2016 05:11:22 +0000

By: David 天宇 Wong, Tue, 18 Nov 2014 03:49:30 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-477391

I can’t seem to edit my answer. I wanted to add two things: when I talk about a password manager, I’m talking about something like 1Password. I also wanted to add that I don’t do what I just said because I’m lazy.

By: David 天宇 Wong, Tue, 18 Nov 2014 03:42:40 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-477390

password manager

To me this is a big no-no: you’re relying on only one password, the one you use to unlock your password manager. If this password were to leak, all your passwords would be compromised.

A good solution would be to:
* use a password manager (that does all the work for you) for websites you don’t really care about.
* use passwords you memorise for websites you care about (you could hash the name of the website in your head to make a password, as one of the Blums proposed: http://www.scilogs.com/hlf/mental-cryptography-and-good-passwords/).
* use multi-factor auth (I like the YubiKey) for critical websites.

By: Chris Murray, Fri, 15 Aug 2014 10:51:48 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-468541

Surely your proposal of a password black list will also have diminishing returns. It won’t force users to use stronger passwords; it’ll force them to find ways around the black list.

Further, with new breaches happening all the time, the black list will continue to grow, presumably forever, until all possible passwords are no longer valid.

By: Orr, Tue, 05 Aug 2014 14:17:51 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-468482

There’s a technology that also presents to the user like single sign-on, but technically is a hardware device combined with a password manager.

This combination frees a user from the need to pick strong passwords. It is also safer than just having a password manager, because the hardware device acts as a second factor. At the same time, if the device is lost – no problem, it can be revoked and the credential data is safe.

Hardware devices come in several different types. Some just store a master password, some are basic OTP tokens, others store your credentials encrypted in the cloud, so you can never really lose them. I think the latter is the best option, provided that credentials are encrypted and handled wisely.

There’s one more important point which is often forgotten: it is not only users who should care about login security. Websites’ task is even harder. And you’re right – a user can never know for sure that the website is reliable. The suffering can be mitigated if websites make more use of 3rd-party secure login or OpenID technologies. Most of the work of storing credentials could be done by a reliable authentication provider.

There is a technology called WWPass that combines safe password handling, a hardware device and added security on the website side. I guess this is a technology to keep an eye on; it is potentially game-changing.

By: roryalsop, Mon, 23 Jun 2014 16:24:46 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-441601

This comment isn’t really relevant. We already know current complexity rules breed weaker passwords (as discussed on xkcd etc.).

By: SILENT, Sat, 21 Jun 2014 16:01:25 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-439262

I believe we need an ISO standard interface established between password managers and websites. You would have one strong password for the password manager (from whatever company or companies create the app(s)). The password manager will automatically change/update passwords based on whatever new security protocols are available.

By: jww, Fri, 20 Jun 2014 16:04:19 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-438179

“A problem we have though is that banks tell customers never to write down passwords” – yeah, banks are a real shining light. Are they the same banks using HTML5/CSS/JavaScript with the web security model? Or the picture as the second authentication factor?

The threat is unauthorized network access, and it is facilitated by weak, memorable passwords. Writing down my password and then losing my wallet or desk drawer is down at the bottom of the list. Hell, even password reuse is a greater threat.

By: jww, Fri, 20 Jun 2014 15:55:54 +0000
http://security.blogoverflow.com/2014/06/should-we-rethink-our-entire-password-strategy/#comment-438178

Could you define “password strength policy”? Does it include complexity and rotation requirements? If so, complexity and rotation requirements do not work. Complexity does not work because the bad guys know what to try from all the past data breaches (they are wise to ‘Password1’ and friends), and passwords like ‘Password1’ meet NIST complexity requirements. You get diminishing returns on password rotation, so passwords effectively get weaker over time. You would do better with a password black list based on word lists and past breaches to rule out what the bad guys will try. Multi-million-entry password lists can be encoded into a Bloom filter under 50KB or so. It’s not even a large footprint.

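A password black list check of the kind jww describes, as an added Python example that is not part of the original thread: a Bloom filter is built from a small constructed list of breached passwords, with a case-normalisation step so that trivial variants of ‘Password1’ are still rejected. The sample list, the target false-positive rate and the helper names are assumptions made for the example.

```python
import hashlib
import math

# Constructed sample of breached / common passwords (illustrative, not a real breach list).
BREACHED = ["password", "Password1", "123456", "qwerty", "letmein",
            "welcome1", "iloveyou", "admin123", "summer2014", "monkey"]


class BloomFilter:
    """Bit-array Bloom filter; the k positions come from double hashing over SHA-256."""

    def __init__(self, n_items, fp_rate):
        # Optimal bit count m and hash count k for n items at the target false-positive rate.
        self.m = max(8, int(-n_items * math.log(fp_rate) / (math.log(2) ** 2)))
        self.k = max(1, int(round(self.m / n_items * math.log(2))))
        self.bits = bytearray((self.m + 7) // 8)

    def _positions(self, item):
        digest = hashlib.sha256(item.encode("utf-8")).digest()
        h1 = int.from_bytes(digest[:8], "big")
        h2 = int.from_bytes(digest[8:16], "big") | 1  # odd step so positions spread
        return [(h1 + i * h2) % self.m for i in range(self.k)]

    def add(self, item):
        for p in self._positions(item):
            self.bits[p >> 3] |= 1 << (p & 7)

    def __contains__(self, item):
        return all(self.bits[p >> 3] & (1 << (p & 7)) for p in self._positions(item))


def normalize(password):
    # Lower-case before hashing so "PASSWORD1" and "Password1" hit the same entry.
    return password.lower()


def build_blacklist(passwords, fp_rate=0.001):
    bf = BloomFilter(len(passwords), fp_rate)
    for pw in passwords:
        bf.add(normalize(pw))
    return bf


def is_blacklisted(blacklist, candidate):
    # A Bloom filter has no false negatives: every breached password is rejected.
    # A false positive only rejects an unrelated password, a cost a site can accept.
    return normalize(candidate) in blacklist


BLACKLIST = build_blacklist(BREACHED)
```

The filter stores only bits, never the passwords themselves, so a leaked filter does not hand out the black list in clear.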