You forgot the most easily avoided ones of all.

Don't click on links in email.

Don't give out sensitive information to people over the phone or via email.
Email links should be up near number 1, as for sensitive information that should stand for both employees and IT staff.
1 Vote
Contributr
Email links... not sure how I missed that one, but they're just nasty. For what it's worth, consider it "Number 0" on the list now that it's in the comments.

Scott
0 Votes
Email Links
ebsfrmr 6th Jan 2012
Is this an absolute rule? What if you can see the entire address path when you hover over it, and can see the path is as shown in the message?
The reason I ask is that I am trying not to send so many attachments to clients and am directing them to my website to access presentations and such. I use the entire http://... address. Any ideas and tips would be helpful.
-1 Votes
An excellent way to share presentations or large files is to use DropBox from dropbox.com. This application allows you to share files in the cloud with any client that you wish. You can set up separate folders for each client so they only have access to what you want them to see. The first 2 GB are free and then you need to subscribe.
...and that's something you don't want to do. You can still send the link in the email, but don't make it clickable - make them cut & paste the url into their browser. If they have to select, cut, paste, hit enter, and STILL don't notice it is sending them to maliciouslink.com/exploit.asp instead of yourwebsite.com/valid.html... well, you've done all you can for them.

You could send them a link to a nsfw shock site and I guarantee they'll start carefully reading links instead of blindly clicking them... but HR/legal departments probably wouldn't approve of that strategy.

Some malicious links get sneaky, disabling or displaying "OnMouseOver" text that is incorrect to hide the real link and/or typing out https.://YourNormalBank.com while actually linking to FakeBankSucker.com. If the link appears to be written out in the email, 90%+ will just click it and assume that is where they are going.
Passwords are more important than ever before, but for users, trying to keep ahead of technology in this area seems like being on the losing end of an arms race. The reason is, hackers are using more sophisticated methods to obtain access to your data. It's only a matter of time until the use of random characters or phrases in passwords will be broken. In response, organizations try and implement yet even more strict password requirements.
Why not have the computer(s) identify the person that's using it? I'm not talking about fingerprints, but a more robust biometric system that looks at a number of personal attributes to identify the user. DARPA is trying to figure out how computers can adapt to users, rather than users to computers in this case (National Defense Digital - 2012).
Until the day arrives where computers can identify their users, the password arms race will continue.

Thomas
24 Votes
Top Rated
Don't agree with #2
SkyNET32 Updated - 6th Jan 2012 Top Rated
Changing passwords often serves no purpose, especially if users already adhere to #1. Having strong passwords eliminates the need and worry of changing passwords that folks need to retrain themselves to remember. If the passwords are strong enough, there is no worry of them being cracked. So educating users to create strong passwords, and even to "pad" them, will not only make them strong, but make them easy to remember. For ex.

!@##EW(S(!!H898%R$ is not as strong as
D0g...........................................................

See https://www.grc.com/haystack.htm

Sigh, I wish this "mantra" of changing passwords often policy would just die already.

Philip
1 Vote
It's just a matter of how long it takes and if the hacker gives up at some point to move on to easier targets. Someone could have their password cracked and not know about it for a while. At the very least, changing passwords will clean up the compromised passwords.
11 Votes
Only WEAK ones. If it was implemented at the onset that compliance was to use strong 16-20 alphanumeric and special symbol passwords, and employees aren't sharing them or writing them down on post-it notes, there is no reason to change that strong password. It would take a hacker hundreds of years to brute-force a cryptographically strong 20 character password, even with a highly sophisticated offline GPU gate-array. If the crypto is done right, there's no need to worry. The only case that I can see worth changing an employer/employee's password would be if they left, resigned, or were terminated.
5 Votes
All you password change junkies....why? Why does it make better security? As Philip points out, you WILL have instances where users will change a strong password to a weaker one. And most people end up keeping the same password but change the number or capitalize a different letter. Duh.

Let's stop the madness. STOP changing passwords often. Start teaching users how to build STRONG passwords.
however, there is a real need to either change passwords on a reasonably regular basis or have different passwords for different purposes.

The main reason security people tell you to change passwords on a regular basis is because most people will use the same password for just about everything; and once a password gets compromised in one location it's compromised all over. Another way around that is to have a set of very different passwords that you remember and use them for different levels of security needed for the site. For example, the password security needed to access a site where you have read only access, such as an on-line story site, you don't need high security; while password security for your on-line banking site does need to be very high security. If you have four or five and split their usage up based on the needed security level the chances of being compromised on the high level passwords are very low and it doesn't matter that much about the low level ones.

Another way is to have a different password for each log on you have, but this will soon have you going crazy trying to remember them, or you end up making them too easy in order to make them easy to align with each log on / site.

Even using one or both of the above, you should still change them every now and then, but you can make the changes an annual or multi year event instead of a monthly one.

The biggest password security issue is when people resort to writing them down in order to be sure they have them right. Next after that is when they get disgruntled due to some security guy insisting they change each month so the password is made up of abusive phrases, and thus often easy to break.
1 Vote
Do a search on "passing the hash" and let me know if that changes your mind. Often times corporate security policies have people change their passwords not because they could be cracked, but because changing passwords will cause problems if a person's hash has been stolen. It limits the amount of time that an attacker has unrestricted access with those credentials.

Bill
as the underlying assumption of encryption on the part of the service provider. If someone in Internet land is storing passwords in an unsecure fashion then a backend harvest will net them your password no matter how strong it is. In those cases about the only thing you have control of on the front end is password rotation frequency/differentiation.

Otherwise I agree completely with what you are saying, esp wrt padding. Make a password rule too complex and you can usually find it on a post-it-note.
0 Votes
I have a dozen passwords to keep track of with frequent password change rules and obscure rules like password must contain a symbol and a number and a capital letter. Rules like these make it more difficult for humans to remember than it does for computers to crack.
Having to change them all regularly makes it nearly impossible to keep them all memorized. So users usually end up either recording them somewhere where they can be discovered, or they use the same password for many different systems and a vulnerability in one system will compromise many systems.
There is absolutely no reason to say that changing passwords often serves no purpose. If you go with that mindset in any IT field, you're screwed. That type of thing is exactly what a hacker is going to expect.

Regardless of what kind of environment you work in, a specific schedule should be followed, as far as changing your password is concerned, regardless of how strong it is.
7 Votes
Take a look at this comic strip from XKCD: Http://xkcd.com/936/ It makes a lot of sense to make easy-to-remember but hard-to-guess passwords.
6 Votes
to change passwords if they are strong enough and easy to remember, goes unnoticed. So once again, yes, there IS certainly a reason: Users will try everything to keep getting back to the password they took so long to memorize anyway, and in case you weren't listening, if the password is strong enough, there's no need to change it periodically, if at all. So no, I'm not screwed, and yes, it serves NO meaningful purpose; those who continue to adhere to a useless policy (obviously like yourself) only to create even MORE work, are screwed. But keep perpetuating the "mantra" by all means, especially when you posit no evidence as to why your argument is even valid.
2 Votes
Changing often
SkyNET32 12th Jan 2012
Serves no purpose, unless an employee is fired or resigns. That's all
The ORIGINAL reason to change passwords often was to correct admin mistakes of not removing old users (ex-employees). ALSO....remember the movie War Games w/M. Broderick....they used a shared password. So changing the password every so often protected them when users became ex-users.

Point is....we don't need to do this anymore. Our security has evolved into a sophisticated system where it is easy to remove employees from the user profile.

IMHO....changing passwords is another excuse by systems admins to justify their jobs. Lame.
0 Votes
What if...
Craig_B Updated - 3rd Dec
What if an employee works for a company for 5 years, on day 1, they create an uber secure password and they never change it. Through any number of different methods (crack the DB, social engineering, malware, lucky guess, extortion, etc.) someone manages to get the password after 3 years. Now the cracker is golden and has an account of a password that is good for at least 2 years in this case. They can then use this for other attacks and get more passwords for users that might be around for the next 10 years. Technology and security implementations continue to change and after a few years that uber secure password may just be a good password over time. Having a user change the password every week is one extreme, never require a password change is the other extreme. I believe somewhere in between these extremes there is a balancing point where having users change passwords is beneficial for security. Of course you can choose any policy that you feel comfortable with.
2 Votes
So set the system to inform the user when they last logged in. If the user sees their last login wasn't when they last logged in they know their password is compromised and can change it immediately and to something totally different, rather than being blissfully unaware until the system forces them to change it resulting in them changing MyPasswordToComplyWithSillyRule101 to MyPasswordToComplyWithSillyRule102 which the person who cracked their password will probably try first of all when they realise ...101 doesn't work any more.
True, choosing a very complex password foils computer cracking techniques. However, for this to be the only defense requires that we be absolutely certain that the password has not been compromised in any other way (e.g. social engineering, etc.). I am reasonably sure that my own password has not been compromised. The passwords of my users who have access to sensitive data? Not reasonably sure at all.
It's hard for most people to remember a new password too often. Or you get the ones where they use the exact same word and just add the month to the end.
2 Votes
Hello all. I live in Argentina, and some keyboards you see are in Spanish, some in English. So the symbols are not always in the same place (simply think about the letter "ñ"). And, sometimes, if the language of the OS is different from the language of the keyboard... guess what. So, if you live in the USA and plan to travel abroad, take care of that. That's the reason why I think carefully about what symbols I'll use in my passwords.
... along with the middle name of your oldest child. Both are easily retrieved on Facebook and through other means.

This implies the "hacker" knows you used these two particular pieces of information out of the multitude of info-facts available on and off line. More likely to fall to a brute force attack than a Google search.

It's much stronger than either alone, but granted, not as strong as the other suggestions.
There are techniques out there to grab keywords from social media and then to mix and match them as a part of a dictionary attack. This greatly increases the attack success rate.

Bill
5 Votes
This is exactly why I NEVER voluntarily give that information. If I have to, then I fake it. I don't feel slighted if all of my FB friends don't wish me a happy birthday. As far as the public internet sites are concerned I'm currently 112 years old and live at 123 main st, my dog's name is Fido and my grandmother's name is Granny.
0 Votes
Never testing backups?
Crash2100 Updated - 9th Jan 2012
I know it's possible, but I have to ask "how can you never test a backup?" At the least, you try it out to get a file back or something. I back up everything on my computers between daily and once a month, and these backups have saved my butt more times than I can even remember. If you do backups on a regular basis, you can even get a file you accidentally delete or overwrite back without much effort. But I guess there are just some people who do a backup and assume that's all they have to do, then forget the thing even exists when they finally need it.
2 Votes
It happens
carl.gaede@... 10th Jan 2012
After a server location move my brother tried the backup tapes just for grins, only to discover that their software did not copy files through links. His several-hundred-location retail employer had no backups of their entire transactions database going back to day 1.
No biggie. I am sure that this could be recreated by hand using the paper trail, right? ;-0
-6 Votes
@SkyNet: Just Stop Talking
Boushe 10th Jan 2012
Honestly, you continuing to say that it is pointless only proves that everyone else here has been in IT longer than you have and they know more about keeping accounts and a network secure.

Just like josmyth said in the valid point that he made above you, it's just a matter of time. Like I said before, if a hacker discovers that someone is being lax about changing their password every so often, then YES you are screwed if he decides to throw some hacks in that person's direction.
Besides, what does it mean if someone has been in IT longer than someone else? I've been around for over 30 years, and I can say from the viewpoint of someone being forced to change passwords at excessively short intervals that it does not work! Everyone either wrote the new password down or would print a screenshot of it. If they lost that, they would ask for another password to be assigned, then write it down or take the screenshot. So, outside of a bit of inconvenience to the user, what does forcing password change every month accomplish? Not much. A strong password that is not easily guessed but can be remembered seems to be a more reasonable approach.

edit to add...
those "new" ideas were rebuffed by the 15th century church leaders as well...
how dare those young heretics suggest the world is not flat but is round!!
1 Vote
See my comment above.

Bill
break it so fast it's not funny. Short term duration of a password means people won't put in a lot of effort to remember it, so it's either very weak and easy to remember or written down. I've lost track of the number of people I know who have little books they carry around with account names and strong passwords written in them so they can remember them and not have to mess them up again. If they lose the book they lose everything.

A few very strong passwords that you can remember and change only every year or two or three, and you're much better off as it would take a great hacker longer than a few years to break a very strong password that's ten or more digits long. So you're safe with a long life password. but as I said before, you're better off with a number of passwords you remember and use them for different levels of security for the sites you visit.
-1 Votes
It is very common that strong passwords seem to mean - not possible for a human to remember except if they write them down. Security is more than just the password, it is the entire security of the system and this includes the person at the end. It is all very well if systems create strong passwords for login if the person at the end keeps forgetting it so must write it on a post-it note. A strong password is long - 16 characters with numbers (some server OSes choke on punctuation). Use multiple short words joined together that are funny, then users will remember!
Hackers take the path of least resistance..........passwords are only one hurdle to a breach!
Neither password strength nor password changes keep a real hacker from the goal of breaching a network.........2 factor authentication ought to be a must for anyone who wants REAL secure access (puts a minimum of two hurdles in the path). Then you can have a password that is somewhat memorable and not have to change it because the 2nd factor is constantly changing. Second factor authentication is affordable (FREE....Google Authenticator) for all or minimal cost (Authanvil or Lastpass) at best so there is no reason everyone cannot go beyond single factor authentication (password only......too easy to hack regardless of strength or frequency of change) to using something of today's technology to secure access to nearly anything.
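The "constantly changing" second factor mentioned above is, for Google Authenticator, an RFC 6238 TOTP code. The block below is an added example (not from the original thread or from any of the products named) showing how such a code is derived from a shared secret and the current 30-second time step, and how a server verifies it with a small drift window; the enrolled secret in the demo is constructed, and the RFC's published test secret is used only for a self-check.

```python
import base64
import hashlib
import hmac
import struct
import time

# RFC 6238 test secret (ASCII "12345678901234567890"); used only for self-checks.
RFC6238_SECRET = b"12345678901234567890"


def totp(secret: bytes, unix_time: int, digits: int = 6, step: int = 30) -> str:
    """RFC 6238 TOTP with HMAC-SHA1: an HMAC over the current time counter,
    dynamically truncated (RFC 4226) to `digits` decimal digits."""
    counter = int(unix_time) // step
    msg = struct.pack(">Q", counter)              # 8-byte big-endian counter
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                        # low nibble of last byte picks the window
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp_from_base32(b32_secret: str, unix_time: int) -> str:
    """Google Authenticator convention: base32 secret, 6 digits, SHA-1, 30 s step."""
    s = b32_secret.replace(" ", "").upper()
    s += "=" * (-len(s) % 8)                       # restore base32 padding if it was omitted
    return totp(base64.b32decode(s), unix_time)


def verify(b32_secret: str, submitted: str, unix_time: int, window: int = 1) -> bool:
    """Server-side check: accept the code for the current step and +/- `window`
    steps to tolerate clock drift, comparing in constant time. A production
    verifier must additionally refuse to accept the same code twice."""
    for k in range(-window, window + 1):
        expected = totp_from_base32(b32_secret, unix_time + k * 30)
        if hmac.compare_digest(expected, submitted):
            return True
    return False


if __name__ == "__main__":
    # Hypothetical enrolled secret, constructed for this demo only.
    demo_secret = base64.b32encode(b"example-shared-secret").decode()
    now = int(time.time())
    print("code now:       ", totp_from_base32(demo_secret, now))
    print("code 30 s later:", totp_from_base32(demo_secret, now + 30))
```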
Complex passwords are okay, but probably not as helpful as a lot of people think. Website logins are too slow and are probably going to lock someone out before they are able to do any serious cracking. The vast majority of breaches occur through social engineering, as people are persuaded to give up their security information voluntarily. It may be something seemingly minor, but it can lead a hacker to thread through increasingly important accounts to, say, one's bank account.

Related: Perhaps you should have added #11: Logging into your secure account on an insecure computer. Public computers or even your friend's computer may have malware that will send your login information to some hacker in eastern Europe. A complex password won't help avoid this, but frequent password changes might alleviate your risk.
2 Votes
Wouldn't be someone trying a website login these days. The real target is the user database so one can work on cracking the passwords at home. Be suspicious of any website that has a maximum password length or limit on complexity because it means they are not properly using and storing your info in a secure manner.
The reason to change passwords regularly is so that if a user's password has been compromised that access will cease to work at some point, so the more frequent the password changes, the less likely you will face long term damage from a compromised system. (Incidentally, the password doesn't even have to be compromised; a skilled technician can simply capture a user's ID / pass hash and pass that if the transmission isn't salted.) I see where you are coming from with that, but it is a legitimate security measure.
3 Votes
Yet another article recommending multiple and diverse "difficult to remember" passwords. And, as always, no workable idea of how to keep track of all these (many!) passwords. Useless advice without a practical way to make it useful.
frequent password change concept are pushing it for the system access password on the corporate networks where the data never goes outside the corporate network anyway, thus most of the options to intercept and collect the password aren't able to work as they don't have the access. It's often just some fool's paranoia about passwords.

One military base I worked at we had a corporate network that wasn't linked to the Internet and the fellow responsible for base IT had the staff change their password each year just after the major tour of duty rotations. His replacement insisted on monthly changes. After three months I was able to crack 80% of the passwords by just entering abusive phrases as that's the only way the troops could remember the constantly changing passwords. After hearing about this the Base Commander issued a base policy of annual password changes. Password policy was always - password length 12 to 25 characters, must have at least one capital and not as the first or last character, and two numerals with one of them in a place other than either end. It was definitely complex enough all the time.
1 Vote
The trouble with corporate policies on changing passwords is that when you're told you must have a password of 8 characters or more, it must have numbers and letters (both uppercase and lowercase) in it, and it can't be any of the last 13 passwords, and you have to have different passwords for each system, one has to ask how many jumbles of numbers and letters the average person can be expected to remember. Was my login password ahG39f?r or was that my email password? Or was it aHG39f?r, I can't quite remember which ones I capitalised.

If people can't remember their passwords they end up writing them down, which makes the system less secure rather than more secure. Or they put them all in a file with a single password, which means there's one single point of failure for every system they can access, and for good measure the corporate IT security people have no control over how (or even whether) that file is secured.

Ultimately the purpose of security is to be as invisible as possible to authorised users while being as obstructive as possible to unauthorised users. When it becomes obstructive to authorised users they'll look to circumvent it for their own convenience, which means that as security becomes more comprehensive according to the textbook it becomes weaker in reality.
1 Vote
Some already alluded to hackers using other methods of breaking into systems these days.

Just like the security of modern cars is such that it's all but impossible to break into them and drive them off, so would-be car thieves simply change their mode of operation to steal the keys. There are all sorts of tricks they pull to trick motorists into stopping, or they just break into your house and steal the keys.

A chain is as strong as its weakest link. So much of what passes for security is focussing on one link, which is far from the weakest already, and trying to make it ever-stronger. In the meantime the weak point is elsewhere.
were driving me crazy. Our company bought out another and now we are sitting on two different servers. Add to that the time sheet reporting and expense account reporting and medical site. Then the 401K on a different site. At first I did have just one password, but then I discovered KeePass and now I am able to make all the passwords complex and different. I use a really strong password for the KeePass program and for my login to my computer. That is my solution to this password problem, and I am sure there are other programs like this one. And yes, I don't see how changing a password is going to help any. If someone breaks my password, they are not going to wait 3 months to use it. It will be compromised immediately.
As others have pointed out, a strong password is more important than changing passwords. Having passwords that expire on a regular basis leads to weak passwords, forgotten passwords or users who write them down on post-its that are no more than an arm's length away from their computer. All of those are huge problems. Another thing that users should be regularly checking is when their ID last logged in and from what IP address. I always check that. If I see a problem, then that is my cue to fix my password. So far, knock on wood, no problems of the sort.
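The "show me my last login and from where" control that this comment and the earlier "inform the user when they last logged in" comment describe is simple to build from an authentication log. The block below is an added example, not code from the thread or from any product; it runs over a constructed sample log (the log format, user names and addresses are invented) and, for each successful login, produces the previous-login banner, the count of failed attempts since then, and a flag when the source IP has never been seen for that account.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from any real system). The ISO-8601
# UTC timestamps sort chronologically as plain strings, so no date parsing is needed.
SAMPLE_LOG = """\
2012-01-09T08:02:11Z login user=alice ip=10.0.0.5 result=success
2012-01-09T17:45:30Z login user=bob ip=10.0.0.9 result=success
2012-01-10T07:58:02Z login user=alice ip=10.0.0.5 result=success
2012-01-10T23:14:47Z login user=alice ip=203.0.113.77 result=failure
2012-01-10T23:15:03Z login user=alice ip=203.0.113.77 result=success
2012-01-11T08:01:40Z login user=alice ip=10.0.0.5 result=success
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) login user=(?P<user>\S+) ip=(?P<ip>\S+) result=(?P<result>\w+)$"
)


def parse(log_text):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def login_notices(log_text):
    """For every successful login, build the banner the user should be shown:
    the previous successful login (time, ip), how many failed attempts were
    made since then, and whether this source IP is new for the account."""
    last_login = {}                 # user -> (ts, ip) of the previous success
    seen_ips = defaultdict(set)     # user -> IPs that have logged in before
    failed = defaultdict(int)       # user -> failures since the last success
    notices = []
    for ev in parse(log_text):
        user = ev["user"]
        if ev["result"] != "success":
            failed[user] += 1
            continue
        notices.append({
            "user": user,
            "time": ev["ts"],
            "ip": ev["ip"],
            "previous_login": last_login.get(user),
            "failed_since_last": failed[user],
            "new_ip": ev["ip"] not in seen_ips[user],
        })
        failed[user] = 0
        seen_ips[user].add(ev["ip"])
        last_login[user] = (ev["ts"], ev["ip"])
    return notices


def needs_attention(notices):
    """Logins the user (or an analyst) should look at: a never-before-seen IP on
    an established account, or failed attempts preceding the success."""
    return [n for n in notices
            if (n["new_ip"] and n["previous_login"] is not None)
            or n["failed_since_last"] > 0]


if __name__ == "__main__":
    for n in login_notices(SAMPLE_LOG):
        prev = n["previous_login"] or ("never", "-")
        print(f"{n['user']} {n['time']} from {n['ip']}: last login {prev[0]} from "
              f"{prev[1]}, {n['failed_since_last']} failed since, new ip={n['new_ip']}")
```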
Everyone posting on this thread is quite password conscious, and is *relatively* unlikely to get hacked. The weakest links are the careless and clueless users who don't understand security, and for whom following all our great advice would be annoying at best, and probably just won't happen. The reality is that we are dealing with ordinary people, not geeks, and for that reason, passwords are a pretty poor method of protecting information.
Changing the password is necessary not for the sake of making it more and more difficult to guess, but to make sure that whoever comes to know it may not make use of it at a time when you have not changed it. In view of this, then, it is necessary that we periodically change our passwords.

2mo.
0 Votes
WPA2/AES has NOT been cracked; read the linked article. WPA/TKIP has only been PARTIALLY cracked (cracking TKIP does not give a hacker access to the key), and best practice has always been to use WPA2 if your hardware supports it. The issue with WPA2-PSK actually is that users often pick pre-shared keys that are too short and not complex enough, and of course then it's susceptible to brute force like any other authentication method. If you use a PSK that is 25 characters or longer and random, WPA2 is secure. The other issue with any PSK method is that the key is stored on the device, so if it is stolen, or if an employee is terminated, the unauthorized user has access to your network. WPA2-Enterprise avoids that by using a backend RADIUS server.
0 Votes
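Two comments in this thread reason about brute-force search space: SkyNET32's padding comparison (the haystack argument) and the 25-character random WPA2 PSK just above. The block below is an added example, not code from the thread or from grc.com, that computes the exhaustive search space the way the haystack model counts it (character classes present times length), converts it to years at an assumed guess rate, and generates a random PSK of the recommended length with the OS CSPRNG. The model's caveat is stated in the comments: it credits a padded string with the full alphabet and length, while a guessing strategy that tries "word plus repeated filler" explores far fewer candidates, so the figure is an upper bound that only a random secret actually attains.

```python
import math
import secrets
import string

SYMBOL_COUNT = 33   # printable ASCII punctuation plus space, as the haystack page counts them


def alphabet_size(password: str) -> int:
    """Size of the smallest standard character set covering the password; an
    exhaustive attacker who knows nothing else must at least cover those classes."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(c == " " or c in string.punctuation for c in password):
        size += SYMBOL_COUNT
    return size


def search_space(password: str) -> int:
    """Candidates an exhaustive search must try to be certain of reaching
    `password`: every string of length 1..len(password) over its alphabet.
    Caveat: this assumes the attacker knows nothing about structure. A padded
    password such as "D0g" + dots is reached far sooner by a rule that tries
    short words followed by repeated filler, so treat this as an upper bound."""
    a = alphabet_size(password)
    return sum(a ** k for k in range(1, len(password) + 1))


def years_to_exhaust(password: str, guesses_per_second: float) -> float:
    """Wall-clock years to try the whole search space at a fixed guess rate."""
    return search_space(password) / guesses_per_second / (365.25 * 86400)


def random_psk(length: int = 25) -> str:
    """A random pre-shared key over letters, digits and punctuation, drawn from
    the OS CSPRNG; length 25 matches the comment's recommendation."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    examples = {
        "comment's short one": "!@##EW(S(!!H898%R$",
        "comment's padded one": "D0g" + "." * 58,
        "random 25-char PSK": random_psk(),
    }
    rate = 1e11   # assumed offline GPU rate in guesses per second (illustrative only)
    for label, pw in examples.items():
        print(f"{label:22} len={len(pw):2} alphabet={alphabet_size(pw):3} "
              f"log2(space)={math.log2(search_space(pw)):6.1f} bits "
              f"years@{rate:.0e}/s={years_to_exhaust(pw, rate):.3g}")
```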
This article is very informative.
Appreciate the work