What other security mistakes do you see people making far too often -- mistakes that are so basic and obvious they should never have been made in the first place?
... containing sensitive info is definitely the most rampant. I see it all the time, even from people who create software products that include security features. They should know better.
If you encrypt the email, how do you get around the problem of sending the decryption key to the recipient? It would be great if we all had public-key systems set up, but most people don't, and don't have the expertise to set them up.
So we come down to voice telephone and the postal service. And what makes you think they are secure?
"If you encrypt the email, how do you get around the problem of sending the decryption key to the recipient? It would be great if we all had public-key systems set up, but most people don't, and don't have the expertise to set them up."
Encryption is important enough to be worth the effort.
The answer is to make encryption more popular.
I have brought this up before, but the director of one of our divisions said that I should not question their tactics because their staff know more about HIPAA than I ever will. Ha, obviously not.
Yes, they exist. In the drawer. On the monitor. On the desk.
Every time I see one, I destroy it and lock the user out of the network, and wait for them to call first-level support and get briefed on security policy.
This is clear evidence that your password security system has failed. Do not blame or punish the poor user; it is not his or her fault. The fault is with stupid, thoughtless policies enacted by management.
In my previous company, we had impossibly complicated passwords (8 or more character alphanumeric passwords that kept changing every 3 months). Not only that, we had at least 25 different passwords to "remember" at any one time in order to access necessary resources such as the intranet, salesforce.com, certain company databases, e-trade, etc., etc. Not surprisingly, most employees (and me among them, although I know better) used Post-it notes or other low-tech means to "remember" all these crazy passwords. Given this situation, why would you punish the poor user, unless you are a sadist who enjoys exercising the little power you have over the user?
Place the blame where it really belongs: on ridiculous management policies that frustrate good employees and do not let people access the systems they need to do their work, and confront the management idiots that think these draconian passwords are a great idea.
BTW, employees do not take kindly to people like you that add to their frustration. Did you ever wonder why IT is so busy responding to "unnecessary" calls that have you running all the time and cause you to feel superior and complain about the "stupid users"? Employees strike back in the only way they can...
.. then that is a failure of the password policy because users make no effort to remember them?
As someone who has eight or more character alphanumeric passwords: you get used to memorizing them. My new password takes a day to memorize through normal working tasks. I do have twenty-five or more passwords, mostly in the twenty random character range. For those, I use a password manager. I remember my complicated passphrase for that tool and after that, I have the library of accounts and authentications right there.
I think keys are far too complicated. I have to remember a car key, a separate key for my house, a bike lock key, a mail box key. This is madness. And they are all so complicated too. I say we have one key that fits the same lock barrel on all these different things in one's life. And no more than four dropper teeth per lock barrel, because that means the keys take up less space in my pocket. Heck, we should all just leave our key in the front door, because forgetting the keys in the house somewhere is really a failing of the use of locking mechanisms.
I don't fully disagree; there are insane password requirements out there that go beyond providing good security without adding value. The thing is that a brute force on a password of 15 characters takes no time at all these days though. Heck, WinXP or anything previous gives up its user account passwords in under fifteen minutes.
To keep the discussion productive though, what would you recommend as a replacement for passwords? Flash-key hosted certificates mean users having to carry a separate bit of hardware, and you'll still want secondary authentication by fingerprint scanner or similar, which means further hardware costs to replace all those notebooks without scanners or to include add-on scanners.
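The comment above rests on two mechanics: the manager generates long random per-site passwords nobody has to memorize, and the one passphrase the user does memorize is stretched into the key that unlocks the vault. The following is an added example (not code from any commenter or from a particular password manager) that shows both, plus the entropy arithmetic behind the "8 alphanumeric, rotated quarterly" policy versus 20 random printable characters. The alphabets, lengths, the constructed salt and the guess rate used for the time estimate are assumptions for illustration; the key derivation is standard PBKDF2-HMAC-SHA256 from Python's standard library.

```python
import hashlib
import hmac
import math
import secrets
import string

# Assumed alphabets: the 8-character alphanumeric policy complained about in the
# thread versus the printable-ASCII set a manager typically draws from.
ALNUM = string.ascii_letters + string.digits        # 62 symbols
PRINTABLE = ALNUM + string.punctuation              # 94 symbols


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a password chosen uniformly from alphabet_size**length."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(bits, guesses_per_second):
    """Worst-case time to try every candidate at the given (assumed) offline guess rate."""
    return 2.0 ** bits / guesses_per_second


def policy_comparison(guesses_per_second=1e10):
    """Entropy and exhaustive-search time for the policies discussed in the thread.
    The 1e10 guesses/second rate is an assumed figure, not a measurement."""
    cases = {
        "8 alnum (memorized, rotated)": entropy_bits(8, len(ALNUM)),
        "15 alnum": entropy_bits(15, len(ALNUM)),
        "20 printable (manager-generated)": entropy_bits(20, len(PRINTABLE)),
    }
    return {name: (round(bits, 1), seconds_to_exhaust(bits, guesses_per_second))
            for name, bits in cases.items()}


def generate_password(length=20, alphabet=PRINTABLE):
    """What the manager does per site: a uniformly random password from a CSPRNG."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def derive_master_key(passphrase, salt, iterations=600_000):
    """Stretch the single memorized passphrase into a 32-byte vault key.
    A real vault stores the salt and iteration count next to the ciphertext."""
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"),
                               salt, iterations, dklen=32)


def check_master_passphrase(passphrase, salt, expected_key, iterations=600_000):
    """Constant-time comparison so a wrong passphrase does not leak timing."""
    candidate = derive_master_key(passphrase, salt, iterations)
    return hmac.compare_digest(candidate, expected_key)


if __name__ == "__main__":
    for name, (bits, secs) in policy_comparison().items():
        print(f"{name:34s} {bits:6.1f} bits  ~{secs / 31_536_000:.3g} years to exhaust")
    site_password = generate_password()
    print("example generated site password:", site_password)
    salt = secrets.token_bytes(16)                    # constructed, per-vault random salt
    key = derive_master_key("correct horse battery staple", salt)
    print("passphrase accepted:", check_master_passphrase("correct horse battery staple", salt, key))
    print("wrong passphrase accepted:", check_master_passphrase("Correct horse", salt, key))
```

The point of the comparison is that the quarterly rotation the previous commenter resented buys far less than the extra length a manager makes free, and the whole vault's strength then rests on the one passphrase, which is why the derivation is deliberately slow.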
RE: #1 - with every site requiring passwords even to post comments, I don't consider most passwords to be 'sensitive' data.
RE: #2 - what law requires you to provide your real mother's maiden name, city of birth, etc. for those requests? I know that most people instinctively answer honestly; I found it easier to craft an alternate identity for that purpose.
People are least bothered about the facts and basics! It's just irresponsibility!!
Mick
It is amazing how many times we are approached to outsource our security.
Sure, they probably have better tools and more knowledge about security, but that doesn't mean you hand it over to an outside source.
Oh, and just because someone has a nametag and a clipboard, does NOT mean you let them into your server room.
Last, I get sales calls all the time, and they ask me what we are using for a firewall. Sorry, I don't give that information out to ANYONE. If you know the firewall, you know what exploits to look for.
"Last, I get sales calls all the time, and they ask me what we are using for a firewall. ??????? Sorry, I don't give that information out to ANYONE. If you know the firewall, you know what exploits to look for."
Are you sure you aren't a victim of Point 7?
Just because you don't rely on secrecy doesn't mean you should willingly hand over any information to anyone without a need to know.
If you don't have a reason to give out some information, don't give it out.
You only run afoul of Kerckhoffs' Principle when you have a reason to make some information about your policies in place known, but try to keep it secret because you think doing so will improve security, or when you expend a bunch of resources trying to keep policy information secret when you could be directing those resources elsewhere.
One doesn't have to actively advertise one's technology choices to avoid running afoul of Kerckhoffs' Principle -- particularly in cases where you may not presently have a way to benefit from peer review.
Dear Sir / Madam,
Hi, this is too important to forget as a Sys. Administrator; that is my opinion so far.
This is quite excellent and deserves a bravo!!
With thanks & regards,
Swapan.