Skip to main content
https://nakedsecurity.sophos.com/2015/09/15/who-gives-the-best-advice-about-password-security

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

What to do about password security?
• Get into two-factor authentication!
• Don't hand out administrative accounts willy-nilly!
• Watch out for default passwords!
• Be strict about outsourced security - as strict as your own!
Salt-hash-and-stretch your customers' passwords!
• Go complex: no nicknames, no birthdays, no quotations, no pets!
• Throw out that "forced password reset every 30 days" policy!
As you can see from the links above, "We told you so."
In fact, the very first podcast in our popular Techknow series, recorded more than three years ago, was all about Busting Password Myths.
LISTEN NOW
(Audio player above not working? Download MP3 or listen on Soundcloud.)
In the podcast, we very specifically urge you not to change passwords routinely when it isn't necessary, on the grounds that it gets people into what fellow Naked Security writer Chester Wisniewski calls "the habit of a bad habit."
→ Users typically settle on a simple password root and append something they change slightly each month, like a number they increment. For all you know, the last two digits of their passwords can be computed from how many months they've had their jobs.
So it's fantastic to see all of those points endorsed, in a very calm and well-written document, by none other than GCHQ, Britain's very own Signals Intelligence (SIGINT) service.
They agree with us, and we with them!
We heartily recommend GCHQ's new document.
At 13 pages, it might sound as though it's too long to qualify for its title Simplifying Your Approach - Password Guidance.
However, the pages are very readably laid out, aren't dense with text, and can be consulted one-by-one as a series of tips.
Better yet, they help you understand why the tips have been structured as they have.
Password "rules" that exist for no better reason than that they existed in the past simply are exactly what we argue against in the abovementioned Techknow podcast.
Don't go to the trouble of storing passwords as salted-and-stretched hashes because we say so.
Do it because you realise why it's a bad idea for everyone if you don't!
Oh, before we go, and to give credit where it's due: the document isn't just the work of GCHQ, but a joint effort with the UK's Centre for the Protection of National Infrastructure (CPNI).
It's great to see computer security for everyone – home users and small businesses, as much as government ministries and multinational corporations – treated as though we are all part of the nation's IT infrastructure, because we are.
If you are still living in a world in which you think that cybercrooks "won't be interested in little old you", bear in mind that recent security research by Fujitsu uncovered an email "hitlist" of potential victims, maintained by Russian criminals...
...with more than a third of a billion names on it!

Comments

Popular posts from this blog

Logic Analyzer with STM32 Boards

https://sysprogs.com/w/how-we-turned-8-popular-stm32-boards-into-powerful-logic-analyzers/ How We Turned 8 Popular STM32 Boards into Powerful Logic Analyzers March 23, 2017 Ivan Shcherbakov The idea of making a “soft logic analyzer” that will run on top of popular prototyping boards has been crossing my mind since we first got acquainted with the STM32 Discovery and Nucleo boards. The STM32 GPIO is blazingly fast and the built-in DMA controller looks powerful enough to handle high bandwidths. So having that in mind, we spent several months perfecting both software and firmware side and here is what we got in the end. Capturing the signals The main challenge when using a microcontroller like STM32 as a core of a logic analyzer is dealing with sampling irregularities. Unlike FPGA-based analyzers, the microcontroller has to share the same resources to load instructions from memory, read/write th...

The Difference Between LEGO MINDSTORMS EV3 Home Edition (#31313) and LEGO MINDSTORMS Education EV3 (#45544)

http://robotsquare.com/2013/11/25/difference-between-ev3-home-edition-and-education-ev3/ This article covers the difference between the LEGO MINDSTORMS EV3 Home Edition and LEGO MINDSTORMS Education EV3 products. Other articles in the ‘difference between’ series: * The difference and compatibility between EV3 and NXT ( link ) * The difference between NXT Home Edition and NXT Education products ( link ) One robotics platform, two targets The LEGO MINDSTORMS EV3 robotics platform has been developed for two different target audiences. We have home users (children and hobbyists) and educational users (students and teachers). LEGO has designed a base set for each group, as well as several add on sets. There isn’t a clear line between home users and educational users, though. It’s fine to use the Education set at home, and it’s fine to use the Home Edition set at school. This article aims to clarify the differences between the two product lines so you can decide which...

Building a portable GSM BTS using the Nuand bladeRF, Raspberry Pi and YateBTS (The Definitive and Step by Step Guide)

https://blog.strcpy.info/2016/04/21/building-a-portable-gsm-bts-using-bladerf-raspberry-and-yatebts-the-definitive-guide/ Building a portable GSM BTS using the Nuand bladeRF, Raspberry Pi and YateBTS (The Definitive and Step by Step Guide) I was always amazed when I read articles published by some hackers related to GSM technology. H owever , playing with GSM technologies was not cheap until the arrival of Software Defined Radios (SDRs), besides not being something easy to be implemented. A fter reading various articles related to GSM BTS, I noticed that there were a lot of inconsistent and or incomplete information related to the topic. From this, I decided to write this article, detailing and describing step by step the building process of a portable and operational GSM BTS. Before starting with the “hands on”, I would like to thank all the pioneering Hackers and Researchers who started the studies related to previously closed GSM technology. In part...