Skip to main content
https://nakedsecurity.sophos.com/2015/09/15/who-gives-the-best-advice-about-password-security

https://www.gov.uk/government/uploads/system/uploads/attachment_data/file/458857/Password_guidance_-_simplifying_your_approach.pdf

What to do about password security?
• Get into two-factor authentication!
• Don't hand out administrative accounts willy-nilly!
• Watch out for default passwords!
• Be strict about outsourced security - as strict as your own!
Salt-hash-and-stretch your customers' passwords!
• Go complex: no nicknames, no birthdays, no quotations, no pets!
• Throw out that "forced password reset every 30 days" policy!
As you can see from the links above, "We told you so."
In fact, the very first podcast in our popular Techknow series, recorded more than three years ago, was all about Busting Password Myths.
LISTEN NOW
(Audio player above not working? Download MP3 or listen on Soundcloud.)
In the podcast, we very specifically urge you not to change passwords routinely when it isn't necessary, on the grounds that it gets people into what fellow Naked Security writer Chester Wisniewski calls "the habit of a bad habit."
→ Users typically settle on a simple password root and append something they change slightly each month, like a number they increment. For all you know, the last two digits of their passwords can be computed from how many months they've had their jobs.
So it's fantastic to see all of those points endorsed, in a very calm and well-written document, by none other than GCHQ, Britain's very own Signals Intelligence (SIGINT) service.
They agree with us, and we with them!
We heartily recommend GCHQ's new document.
At 13 pages, it might sound as though it's too long to qualify for its title Simplifying Your Approach - Password Guidance.
However, the pages are very readably laid out, aren't dense with text, and can be consulted one-by-one as a series of tips.
Better yet, they help you understand why the tips have been structured as they have.
Password "rules" that exist for no better reason than that they existed in the past simply are exactly what we argue against in the abovementioned Techknow podcast.
Don't go to the trouble of storing passwords as salted-and-stretched hashes because we say so.
Do it because you realise why it's a bad idea for everyone if you don't!
Oh, before we go, and to give credit where it's due: the document isn't just the work of GCHQ, but a joint effort with the UK's Centre for the Protection of National Infrastructure (CPNI).
It's great to see computer security for everyone – home users and small businesses, as much as government ministries and multinational corporations – treated as though we are all part of the nation's IT infrastructure, because we are.
If you are still living in a world in which you think that cybercrooks "won't be interested in little old you", bear in mind that recent security research by Fujitsu uncovered an email "hitlist" of potential victims, maintained by Russian criminals...
...with more than a third of a billion names on it!

Comments

Popular posts from this blog

The Difference Between LEGO MINDSTORMS EV3 Home Edition (#31313) and LEGO MINDSTORMS Education EV3 (#45544)

http://robotsquare.com/2013/11/25/difference-between-ev3-home-edition-and-education-ev3/ This article covers the difference between the LEGO MINDSTORMS EV3 Home Edition and LEGO MINDSTORMS Education EV3 products. Other articles in the ‘difference between’ series: * The difference and compatibility between EV3 and NXT ( link ) * The difference between NXT Home Edition and NXT Education products ( link ) One robotics platform, two targets The LEGO MINDSTORMS EV3 robotics platform has been developed for two different target audiences. We have home users (children and hobbyists) and educational users (students and teachers). LEGO has designed a base set for each group, as well as several add on sets. There isn’t a clear line between home users and educational users, though. It’s fine to use the Education set at home, and it’s fine to use the Home Edition set at school. This article aims to clarify the differences between the two product lines so you can decide which...

Let’s ban PowerPoint in lectures – it makes students more stupid and professors more boring

https://theconversation.com/lets-ban-powerpoint-in-lectures-it-makes-students-more-stupid-and-professors-more-boring-36183 Reading bullet points off a screen doesn't teach anyone anything. Author Bent Meier Sørensen Professor in Philosophy and Business at Copenhagen Business School Disclosure Statement Bent Meier Sørensen does not work for, consult to, own shares in or receive funding from any company or organisation that would benefit from this article, and has no relevant affiliations. The Conversation is funded by CSIRO, Melbourne, Monash, RMIT, UTS, UWA, ACU, ANU, ASB, Baker IDI, Canberra, CDU, Curtin, Deakin, ECU, Flinders, Griffith, the Harry Perkins Institute, JCU, La Trobe, Massey, Murdoch, Newcastle, UQ, QUT, SAHMRI, Swinburne, Sydney, UNDA, UNE, UniSA, UNSW, USC, USQ, UTAS, UWS, VU and Wollongong. ...

Logic Analyzer with STM32 Boards

https://sysprogs.com/w/how-we-turned-8-popular-stm32-boards-into-powerful-logic-analyzers/ How We Turned 8 Popular STM32 Boards into Powerful Logic Analyzers March 23, 2017 Ivan Shcherbakov The idea of making a “soft logic analyzer” that will run on top of popular prototyping boards has been crossing my mind since we first got acquainted with the STM32 Discovery and Nucleo boards. The STM32 GPIO is blazingly fast and the built-in DMA controller looks powerful enough to handle high bandwidths. So having that in mind, we spent several months perfecting both software and firmware side and here is what we got in the end. Capturing the signals The main challenge when using a microcontroller like STM32 as a core of a logic analyzer is dealing with sampling irregularities. Unlike FPGA-based analyzers, the microcontroller has to share the same resources to load instructions from memory, read/write th...