AVSIG: Password Security....should you change it often?

This is a read-only archive of the 2004-2017 AVSIG Forum.


AVSIG Discussion Sections >> Hardware/Software

Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428793 - 08/04/16 06:27 PM

Bob, I've read countless horror stories about hackers getting around password-
protected territory. Also common are the stories told to me, "a guy told a
friend of mine about . . ."

I've never personally known anyone who has had their data hacked. Malicious
crap screwing up the computer? It has happened to me and many people I know.
But data? Never.

I think the need for passwords, in general, is extremely overstated. And
the complexity of how some passwords must be formed is ridiculous, to the
extreme.


Ray Tackett
Top Gun


Reged: 04/30/04
Posts: 8892
Loc: Philadelphia, USA
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428817 - 08/05/16 04:26 AM

From your perspective, I mostly agree with you. My point was that there are
other valid perspectives.

For an extreme case, I worked for a short time (my choice about short) at a
place which wrote medical practice management software. One component was
checking prescriptions for insurance and interactions and doctor shopping.

My employer's servers were trusted by the insurance clearing house, a joint
effort of several insurers. In turn, the company had to validate the
requests coming in from medical practices as legitimate before passing them
through.

I worked in a biometrically secured room where there was a Certificate
Authority machine. Those who don't know what I mean, refer to
https://en.wikipedia.org/wiki/Public_key_certificate and
https://en.wikipedia.org/wiki/Certificate_authority

I would generate and install a certificate on a specific customer machine
which had a fixed (not dynamic) IP address. It was the combination of the
IP address and the certificate which had been generated for that specific
machine that validated requests and permitted return data to be received.

In short, this went beyond password security. HIPAA is a powerful motivator
for data security.

--------------------
Ray,

Owner, Lake Wood Be Gone

Turning quality lumber into sawdust and noise since 2013.


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428823 - 08/05/16 06:02 AM

Ward, I have another one for you.

A woman who lives in my building has been having trouble with somebody
targeting her. So, although for you this is still "I know a guy who knows a
guy..." for me it's a bit closer.

Specifically, the bad guy repeatedly tried and failed, intentionally, to log
into my friend's bank account, doing it enough times that the system locked
out the account. The bad guy then called the bank by phone and successfully
impersonated my friend, getting the bank to reset the password to the bad
guy's choice. The bad guy then proceeded to siphon some money out.

Within a few hours, my friend figured out something was going on, and got the
bank to do a password reset.

The next day, the bad guy started over and did it *again*.

The bad guy is clearly a very accomplished practitioner of "social engineering".

The damage was modest, because other evidence suggested that the bad guy
wasn't actually targeting my friend's bank account. She is a finance officer
for a building management company that keeps the operating accounts for a
dozen or so large residential buildings in that same bank. The bad guy was
apparently trying to leverage his way into those accounts, which have many
millions of dollars in them. Those accounts, by their nature, have
additional safeguards, and the bad guy wasn't able to get close to them.

Within the last year somebody hacked into my e-mail server's account at
panix.com; for about a week they were logging in as me and sending much
spam. Changing that password made that problem go away.

<shrug> The problems are real.

The formation rules can be, I agree, ridiculous, except when you consider
that something like one third of all passwords are, simply, the word
"password".

I do wish the heuristics were often more flexible. If I use as a password
the phrase "to be or not to be, that is the gezorninplat" the furshlurginer
system has absolutely *no* call to reject it on the grounds that there are no
capital letters in it.


Terry Carraway
Top Gun


Reged: 06/02/04
Posts: 7098
Loc: Maryland
Re: Password Security....should you change it often? [Re: Bob Dubner]
      #428829 - 08/05/16 10:49 AM

Quote:

Ward,

I haven't checked lately. But a year or so ago, I saw a figure that stated
that if you bring up a computer on the internet, that is, where it gets
assigned an IP address directly, rather than an unroutable IP address on the
safe side of a firewall (a firewall is typically provided by a DSL or cable
"modem", which is almost certainly what you have at home) that brand new
computer with its brand new IP address starts getting hit by automated
attacks coming from all over the world within seconds.
Our first higher speed (than a modem) connection was ISDN. I do not remember why, but we connected without a router, instead sharing the connection through a computer.

The first thing I did was start up BlackICE Defender. And within 1 - 2 seconds of getting the connection, the IP address was being hit MANY times.

And this was back in the early 90s.

--------------------
Terry
Mostly 0W3


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428830 - 08/05/16 10:53 AM

Yeah, I know there is a real need for passwords. It is just that the
satisfaction toward that need has gotten blown way out of the picture.


Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Ray Tackett]
      #428831 - 08/05/16 10:53 AM

Yep, I understand. As I told Bob, I think the password business has gotten
far afield from the original intent. Seems no one is asking, "Why are we
here?"


Bob Dubner
Super Imperial Member


Reged: 08/31/01
Posts: 4759
Loc: Extreme Upper West Side
Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428841 - 08/05/16 03:42 PM

Ward, I don't disagree; the effort and attention paid to passwords is another
example of 1) Looking for your keys under the streetlight, because
that's where you can see, and/or 2) blaming the victim. In most cases the
effort involved isn't justified by the value of the information being secured.

But you don't want a successful attack on IDontCare.com to reduce your
security on StoreYourMoneyHere.com, either.

One main reason for using different passwords on different systems, and
changing them fairly frequently, is because so damned many servers are being
successfully hacked. So, if somebody breaks into IndifferentSecurity.com and
steals their password file, which in the worst case idiotically stores your
password in the clear, then they can start trying that password at
Amazon.com, EveryBank.com, and so on.

Even if the password itself isn't stored, but rather a cryptographic hash,
the Bad Guys have developed sophisticated means of figuring out whether that
hash is known to be associated with a password. If it is, then they can go
back to trying that password elsewhere.

As the arms race continues, the standard means of dealing with that problem
is to concatenate a 128-bit (or more) strong random number called a "salt"
with your password before generating the hash; the salt gets stored along
with your username and the final hash for verifying your password in the
future.

But, basically, *you* have to keep changing your password because *their*
security can't be completely trusted.


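The salting scheme Bob describes above (hash a random salt concatenated with the password, store the salt beside the hash) is easy to see in action. The following is an added example, not code from the thread or from any site mentioned in it: it shows why two users with the same unsalted password leak that fact, how a precomputed table of hashes of common passwords recovers unsalted hashes but not salted ones, and how verification works when the salt is stored with the record. The list of "common passwords" is a constructed sample, and SHA-256 stands in for whatever hash a real site would use; production systems use a deliberately slow function such as PBKDF2 or bcrypt on top of the salt.

```python
"""Salted vs. unsalted password hashing (added example)."""
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of passwords an attacker would pre-hash into a lookup table.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "iloveyou"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: hash the password alone, so equal passwords give equal hashes."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str, salt: Optional[bytes] = None) -> dict:
    """Store sha256(salt || password) plus the salt itself, as the post describes.
    A fresh 16-byte (128-bit) salt is drawn per record unless one is supplied."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.sha256(salt + password.encode("utf-8")).hexdigest()
    return {"salt": salt.hex(), "hash": digest}


def verify(record: dict, candidate: str) -> bool:
    """Recompute sha256(salt || candidate) from the stored salt; compare in constant time."""
    salt = bytes.fromhex(record["salt"])
    digest = hashlib.sha256(salt + candidate.encode("utf-8")).hexdigest()
    return hmac.compare_digest(digest, record["hash"])


def precomputed_table(words) -> dict:
    """Hash -> plaintext for a word list, built once and reused against every leak."""
    return {unsalted_hash(w): w for w in words}


def recover_unsalted(table: dict, leaked_hashes: dict) -> dict:
    """Every leaked unsalted hash that appears in the table gives up its password."""
    return {user: table[h] for user, h in leaked_hashes.items() if h in table}


def recover_salted(table: dict, leaked_records: dict) -> dict:
    """The same table does nothing against salted records: sha256(salt || password)
    is never equal to sha256(password), so work cannot be shared across records."""
    return {user: table[r["hash"]] for user, r in leaked_records.items() if r["hash"] in table}


def demo() -> dict:
    table = precomputed_table(COMMON_PASSWORDS)
    # Two users who happen to share a weak password (constructed).
    unsalted_db = {"alice": unsalted_hash("password"), "bob": unsalted_hash("password")}
    salted_db = {"alice": make_record("password"), "bob": make_record("password")}
    return {
        "unsalted_identical": unsalted_db["alice"] == unsalted_db["bob"],
        "salted_identical": salted_db["alice"]["hash"] == salted_db["bob"]["hash"],
        "recovered_unsalted": recover_unsalted(table, unsalted_db),
        "recovered_salted": recover_salted(table, salted_db),
        "alice_verifies": verify(salted_db["alice"], "password"),
        "alice_wrong_rejected": verify(salted_db["alice"], "Password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note what the salt does and does not buy: an attacker holding a salted record can still hash `salt || word` for every word in a list, but must do so once per record rather than once for the whole leak, which is exactly the precomputation advantage the post says salting removes.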
Ward Miller POU-NY
Top Gun


Reged: 05/05/04
Posts: 10508
Loc: New York
Password Security....should you change it often? [Re: Bob Dubner]
      #428850 - 08/05/16 06:19 PM

Bob, what is the reason for changing a password frequently?

If the bad guy doesn't crack it this week, does it mean as the p/w ages it
becomes more likely to be broken? Or does he crack half of it this week and
the other half next week? I don't think so.

And why must I include Upper Case and Numerals at one site, yet not at
another? Can it be proved the latter site is less secure?


Russell Holton
AVSIG Member


Reged: 07/07/05
Posts: 14136
Re: Password Security....should you change it often? [Re: Ward Miller POU-NY]
      #428851 - 08/05/16 06:37 PM

Quote:

Can it be proved the latter site is less secure?



Yes. If it's known the password is all lower case letters, it takes fewer combinations to go through every possible combination. It would also discourage the trivially simple passwords (like "password") that are often the starting point for any attack on the password file.

If the password must be 8 characters, lower-case only would be 26^8 or 208,827,064,576 combinations. (Or we can simplify that by using a dictionary attack under the theory it's a single word. That would be somewhere in the tens of thousands of combinations.) But require one upper, one lower and one number and we're talking 62^8 or 218,340,105,584,896 - about 1045 times more complex.


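Russell's 26^8 and 62^8 figures are the two keyspace sizes for an 8-character password drawn from lowercase only versus letters and digits. The following is an added example, not from the thread: it reproduces those two numbers and then goes one step further, computing by inclusion-exclusion the exact number of strings that satisfy a rule of "at least one upper, one lower and one digit", which is smaller than the plain 62^8 upper bound because strings that skip a class are excluded. A brute-force enumeration of tiny cases is included to check the formula.

```python
"""Keyspace arithmetic for password composition rules (added example)."""
from itertools import combinations, product


def keyspace(alphabet_size: int, length: int) -> int:
    """All strings of `length` over an alphabet: the post's 26^8 and 62^8."""
    return alphabet_size ** length


def keyspace_requiring_each_class(class_sizes, length: int) -> int:
    """Exact count of strings that contain at least one character from every
    (disjoint) class, by inclusion-exclusion over the set of classes left out:
    sum over subsets A of classes of (-1)^|A| * (alphabet minus A)^length."""
    total = sum(class_sizes)
    n = len(class_sizes)
    count = 0
    for k in range(n + 1):
        for absent in combinations(range(n), k):
            remaining = total - sum(class_sizes[i] for i in absent)
            count += (-1) ** k * remaining ** length
    return count


def brute_force_count(classes, length: int) -> int:
    """Enumerate small cases directly to check the formula; classes are strings."""
    alphabet = "".join(classes)
    return sum(
        1
        for s in product(alphabet, repeat=length)
        if all(any(ch in cls for ch in s) for cls in classes)
    )


def compare_policies(length: int = 8) -> dict:
    """Lowercase-only versus 'one upper, one lower, one digit' at a given length."""
    lower_only = keyspace(26, length)
    mixed_bound = keyspace(62, length)          # every string over 62 symbols
    mixed_exact = keyspace_requiring_each_class([26, 26, 10], length)
    return {
        "lower_only": lower_only,
        "mixed_upper_bound": mixed_bound,
        "mixed_exact": mixed_exact,
        "ratio_bound": mixed_bound / lower_only,
        "ratio_exact": mixed_exact / lower_only,
    }


if __name__ == "__main__":
    for key, value in compare_policies().items():
        print(f"{key}: {value:,}" if isinstance(value, int) else f"{key}: {value:.1f}")
```

The exact ratio is roughly 764 rather than about 1045: forcing every class to appear removes the all-letter and letter-plus-digit-without-capitals strings from the count. The practical lesson is the one Nancy raises in the next post: a length requirement plus a denylist of known-bad passwords removes the dictionary-sized subset attackers try first, which the character-class arithmetic alone does not address.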
Nancy Zeitlin [HPN]
AVSIG Member


Reged: 04/29/04
Posts: 2728
Loc: KHPN
Re: Password Security....should you change it often? [Re: Russell Holton]
      #428863 - 08/05/16 09:11 PM

RH> It would also discourage the trivially simple passwords (like "password") that's often the starting point for any attack on the password file.

I'm encountering an increasing number of sites doing their own dictionary lookup on submitted passwords and rejecting them if in their list...



Moderator: Mike Overly

Powered by UBB.threads™ 6.5.5