That's some password security, man!

As with previous discussions, looks like I'm still safe with thisismyverysafeunguessablepassword so I'll keep using it for all my stuff. Thanks.

This-Is-My-Very-Safe-Unguessable-Password1

Is actually... really... REALLY... good. That's well beyond what you need to secure a password vault. And, notably, it is exactly the sort of thing I use for my vault, which generates the gibberish for everything else.

One password to rule them all!

My vault vendor takes a hit like LastPass did? Who CARES! That blasted key is holding for CENTURIES at least. Quantum computing may change that... but I'll have rotated everything out by then. And hopefully we get to token-based authentication before too much longer; passkeys help a great deal, but we've got to get everyone onboard.
 
Well, looking at the lower of the figures in the charts, if 18 lower case letters takes 481k years to crack I guess I'll be ok with my 35 letters.
 
> it has wildly different results

Yes, but those results still indicate where effective password security lies.

I'm not gonna get bent out of shape if my 12-character password takes 226 years to brute-force.

Again, no one is going to expend that amount of time and resources. Cyber crime, like all crime, has to be able to occur quickly enough, and furtively enough, to be profitable.

Let's get real here about how much time anyone, including the most nefarious of nefarious actors, has to spend in pursuit of anything.
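The figures being traded above (18 lower-case letters at 481k years, 12 characters at 226 years) all come from the same arithmetic: keyspace divided by guess rate. The following is an added example, not code from the thread or any of its posters, that makes that arithmetic explicit and also shows the one caveat the per-character model hides: a string such as thisismyverysafeunguessablepassword is 7 English words, so an attacker who guesses that structure searches a word-list keyspace, not 26^35. The guess rates and the 20,000-word list size are assumed round numbers for illustration, not measured values.

```python
"""Rough brute-force cost model behind "N characters takes X years" charts.

Added example, not from the original thread. The guess rates and the
word-list size are ASSUMED round numbers for illustration, not measurements.
"""
import math

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Alphabet sizes for common character classes.
ALPHABETS = {
    "lower": 26,
    "lower+upper": 52,
    "lower+upper+digit": 62,
    "printable ASCII": 95,
}

# Assumed offline guess rates (guesses per second); illustrative only.
GUESS_RATES = {
    "fast unsalted hash on a GPU rig (assumed rate)": 1e12,
    "slow password KDF such as a high-cost PBKDF2/Argon2 (assumed rate)": 1e5,
}


def keyspace(alphabet_size: int, length: int) -> int:
    """Distinct strings of exactly `length` symbols drawn uniformly
    from an alphabet of `alphabet_size` symbols."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits, assuming every symbol is chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def years_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst case: the attacker tries every candidate in `space`."""
    return space / guesses_per_second / SECONDS_PER_YEAR


def years_expected(space: int, guesses_per_second: float) -> float:
    """Expected time: on average the right guess turns up halfway through."""
    return years_to_exhaust(space, guesses_per_second) / 2


def passphrase_keyspace(word_count: int, wordlist_size: int) -> int:
    """Keyspace an attacker has to search if they know the password is
    `word_count` words concatenated from a list of `wordlist_size` words.
    This, not the per-character model, is the honest model for a string
    like 'thisismyverysafeunguessablepassword' (7 common English words)."""
    return wordlist_size ** word_count


def report(label: str, space: int) -> None:
    """Print bits of search space and expected crack time at each assumed rate."""
    print(f"{label}: {math.log2(space):.1f} bits")
    for rate_label, rate in GUESS_RATES.items():
        print(f"  {rate_label}: {years_expected(space, rate):.3g} years expected")


if __name__ == "__main__":
    report("18 lower-case letters, uniformly random", keyspace(ALPHABETS["lower"], 18))
    report("12 printable-ASCII chars, uniformly random", keyspace(ALPHABETS["printable ASCII"], 12))
    report("35 lower-case letters, uniformly random", keyspace(ALPHABETS["lower"], 35))
    # The same 35-letter string modelled as 7 words from an assumed 20,000-word list.
    report("7 dictionary words (assumed 20k-word list)", passphrase_keyspace(7, 20_000))
```

Two things to take from the output: the 481k-year figure for 18 lower-case letters corresponds to an assumed rate of roughly 2e12 guesses per second against a fast hash, and the same password behind a slow KDF costs the attacker seven orders of magnitude more. The guess rate is the attacker's choice of target (which hash, which hardware), not a property of the password, which is why such charts give wildly different results.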
 
> And hopefully we get to token-based authentication before too much longer; passkeys help a great deal, but we've got to get everyone onboard.

I'm going to go out on a limb here and officially predict: The very last industry (at least in the US) to adopt modern authentication methodology will be.......finance. You know WHERE WE ALL KEEP OUR MONEY. It boils my blood that the thing that most of us would rank #1 in importance is where they are still mired in 30 year old technology. Gaah!
 
> I'm going to go out on a limb here and officially predict: The very last industry (at least in the US) to adopt modern authentication methodology will be.......finance. You know WHERE WE ALL KEEP OUR MONEY. It boils my blood that the thing that most of us would rank #1 in importance is where they are still mired in 30 year old technology. Gaah!

Oh... that avalanche has already started.

You see the reason the finance people don't move is because it doesn't cost them anything to stay. They have underwritten all their risks with various layers of insurance. Insurance that is NOW REQUIRING MFA. So the bank now must assume the financial risk of breach themselves...

I've got an OP on the table right now for a bank because of it. MFA for server logins, MFA for VPN connections. They aren't moving onto their customer logins quite yet, but it's in the works.

I've got another OP on the table... for Bluetooth. Yeah... that crap still knocks me over when I see it. But they're going to lose their cyber insurance because they cannot enforce the use of MFA for LOCAL LOGINS TO SERVERS FROM ADMIN STAFF.

Just use Duo, right? Well... it's garbage, for one, but yes, it does "tick the box." Only problem? This monster org still has 2k8 and 2k12 servers in play, which Duo no longer supports...

I just dropped the report on the steering committee's desk, their "hail Mary" isn't going to fly, and they now HAVE TO retire that old crap. Which is starting an avalanche of investment.

I've never had more work as a security-focused engineer who does infrastructure. The issue has always been funding. And I do indeed get told no A LOT. But I've also been watching something new happen: organizations going out of business because they were hit, and when my phone rings I provide the insurance company a report that not only removes my organization from the legal situation but utterly destroys the leadership of the organization hacked. Yes, I lose the customer. But that "leader" loses so much more.

The movement is there, the improvements are happening, they just aren't happening fast enough, and they're two decades behind at least. But positive pressure is a better situation than we've had before!
 
password madness

I posted the following in the Humor Section not long ago, but it's so close to true it makes one cry as much as laugh. My partner bought me the T-shirt that carries the following on the front:

[image: the T-shirt front, not reproduced here]

There actually does exist a "happy medium" that gives enough security for all practical intents and purposes and does not tip over into the ludicrous. There have been many predictions in the computing industry over the years about "the death of the {insert thing here}" but none so frequent as the prediction, repeatedly proven wrong, of "the death of the password."

I'll be dead (I'm just over 60) long before the password is. It will remain a basic for a very, very long time to come because it is the one and only thing that can be (not is, as we all know) reliably carried around in one's head and will (or can, depending on what security you've chosen as far as MFA or not) work when all else fails.

The problem we've created for ourselves in the industry comes directly from the kinds of password managers (see: web browsers) that auto-fill for you and the checkboxes offered all over the place for "stay logged in" that keep people logged in pretty much perpetually. When you combine that with email clients where the password is entered at account setup and virtually never required again afterward, you have a situation where people are just plain cavalier about the need to know passwords. It's a "use it or lose it" proposition, which I can attest to myself. Since Microsoft made PINs non-optional, I have tended to use a PIN to log in to Windows because even if you switch to password login, that only applies that one time, and the next time it auto-switches back to PIN. I could "rattle off my password from my fingertips" much more easily, reliably, and rapidly when it was my primary way of gaining access.
 