Here's the answer to all security problems

Author
Mosvalve
2016/11/10 13:34:04 (permalink)

BobV 
 
 
 
ASUS Prime Z370-P - Intel Core i7+ 8700K 3.7GHZ 16GB Memory, Intel HD Graphics 630 GPU,  Windows 10 Pro 64bit,  , Sonar Platinum 64bit, Motu 828MK3 Hybrid, Warm Audio TB12 Pre, Warm Audio WA273 Pre, AEA RPQ 500 Pre, Warm Audio WA76 Compressor, Presonus D8 Pre, Tonelux EQ5P 500 Eq, Kush Electra 500 Eq, Lindell PEX 500 Eq, Yamaha 80M monitors with HS10W Sub,  and a bunch of other good stuff. I have a Roland Juno-106 that's looking for a new home. PM me.
#1


    slartabartfast
    Re: Here's the answer to all security problems 2016/11/10 15:42:18 (permalink)
    Two obvious problems.
     
    It automatically logs you into the websites when you're nearby. When you walk away, it automatically logs you out.
     
    But here's the thing, the Everykey device itself doesn't store your passwords. They're safely stored in an encrypted format on an Everykey secure server.
     
    You should never be able to log onto a secure site without being consciously aware that you are doing so, and you should never have to trust someone else to secure your passwords. You should definitely have strongly encrypted impossible to remember passwords under your personal control at all times, but you can do that better with an ordinary thumb drive and a portable version of a password encryptor like KeePass with a strong master passphrase. 
     
    This would not have helped Hillary much if her email was being sent in the clear over the internet to a server that was connected to the internet and open to attack. If all of the email transmitted was encrypted source to secure account on a secure server, then a strong password to log into that system might help in the course of the message, but if the server is compromised then reading email might be possible regardless.
    #2
    Mosvalve
    Re: Here's the answer to all security problems 2016/11/10 18:00:15 (permalink)
    I would never use something like this. I use a USB thumb drive for my passwords. I don't keep any passwords or IDs on my PC. I was only joking about Hillary.

    #3
    craigb
    Re: Here's the answer to all security problems 2016/11/10 20:01:49 (permalink)
    It's definitely getting harder as passwords get more and more "secure!"
     
    "Here's your new auto-generated password.  Please memorize it and don't write it down anywhere!"
     
    F*(*)(&Ghjo39784js09)(*&DJ)#(UOJFOjg=&f$,.-_+_20u)(*#Y(hF(yoihogiho439joirftged9745

     
    Time for all of you to head over to Beyond My DAW!
    #4
    tlw
    Re: Here's the answer to all security problems 2016/11/10 20:49:19 (permalink)
    craigb
    It's definitely getting harder as passwords get more and more "secure!"
     
    "Here's your new auto-generated password.  Please memorize it and don't write it down anywhere!"
     
    F*(*)(&Ghjo39784js09)(*&DJ)#(UOJFOjg=&f$,.-_+_20u)(*#Y(hF(yoihogiho439joirftged9745


    And every 28 days the server will issue you a new password.....

    On the one hand Mrs TLW works for a UK government department that does pretty much that. Which means everyone keeps a note of their current password. Though to be fair it's a situation where the important thing is outsiders can't get in, not that staff might log in as each other once in an age and they use a lot of mobile technology. Which suggests to me that a once-and-for-all password might be the sensible answer to their problem, but what do I know.

    On the other hand, one local government department I once worked in allowed users to choose their one password and didn't enforce changes at all. There was a near panic in senior management when it turned out that one in three of the four hundred staff with mainframe access in that department all used the same password. The nickname of the local football team. And most of those staff did handle financial data with a risk of internal fraud.

    The answer was to compile a list of "not acceptable, use something else" passwords and an instruction to change your password if you thought someone else might know it.

    Sonar Platinum 64bit, Windows 8.1 Pro 64bit, I7 3770K Ivybridge, 16GB Ram, Gigabyte Z77-D3H m/board,
    ATI 7750 graphics+ 1GB RAM, 2xIntel 520 series 220GB SSDs, 1 TB Samsung F3 + 1 TB WD HDDs, Seasonic fanless 460W psu, RME Fireface UFX, Focusrite Octopre.
    Assorted real synths, guitars, mandolins, diatonic accordions, percussion, fx and other stuff.
    #5
    Mosvalve
    Re: Here's the answer to all security problems 2016/11/10 20:58:14 (permalink)
    craigb
    It's definitely getting harder as passwords get more and more "secure!"
     
    "Here's your new auto-generated password.  Please memorize it and don't write it down anywhere!"
     
    F*(*)(&Ghjo39784js09)(*&DJ)#(UOJFOjg=&f$,.-_+_20u)(*#Y(hF(yoihogiho439joirftged9745


    Ok I got it memorized

    #6
    craigb
    Re: Here's the answer to all security problems 2016/11/10 23:26:29 (permalink)
    Mosvalve
    craigb
    It's definitely getting harder as passwords get more and more "secure!"
     
    "Here's your new auto-generated password.  Please memorize it and don't write it down anywhere!"
     
    F*(*)(&Ghjo39784js09)(*&DJ)#(UOJFOjg=&f$,.-_+_20u)(*#Y(hF(yoihogiho439joirftged9745


    Ok I got it memorized




    "Your password will be reset tomorrow."

     
    #7
    craigb
    Re: Here's the answer to all security problems 2016/11/10 23:33:46 (permalink)
    With what I do I have access to a LOT of passwords used by our clients and most are, regrettably, but expectedly, very very simple (I've seen "Password1" more than a few times).
     
    I think a more practical approach is the new double authentication type. Yes, it requires the person to remember two things, but one is usually a four-digit PIN. For the other I like a longer, but easy to remember, short sentence with some of the regular letters substituted (like "P!zz@L0ver"). Add that with a PIN and you should be pretty secure.
     

     
    #8
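An added example, not written by any poster in this thread: one way to implement the "not acceptable, use something else" list described in #5 so that it also catches the simple passwords and character substitutions mentioned in #8. The blocklist entries are constructed samples, and "rovers" is a hypothetical stand-in for the team nickname.

```python
import re

# Constructed sample list; "rovers" is a hypothetical stand-in for the local
# team nickname. A production list would be far larger.
BLOCKLIST = {"password", "letmein", "qwerty", "welcome", "rovers"}

# Common look-alike substitutions mapped back to the letter they replace.
LEET = str.maketrans({"@": "a", "4": "a", "!": "i", "1": "i", "0": "o",
                      "3": "e", "$": "s", "5": "s", "7": "t"})


def variants(candidate):
    """Return the normalized forms that are compared against the blocklist."""
    lowered = candidate.lower()
    # Drop the digits and punctuation people append to satisfy complexity rules.
    trimmed = re.sub(r"[^a-z]+$", "", lowered)
    forms = set()
    for form in (lowered, trimmed):
        undone = form.translate(LEET)             # undo the substitutions
        forms.add(undone)
        forms.add(re.sub(r"[^a-z]", "", undone))  # also ignore separators
    forms.discard("")
    return forms


def screen(candidate, min_length=8):
    """Return a list of rejection reasons; an empty list means accepted."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = sorted(variants(candidate) & BLOCKLIST)
    if hits:
        reasons.append("matches blocked entry: " + ", ".join(hits))
    return reasons


if __name__ == "__main__":
    for pw in ("Password1", "P@ssw0rd!", "R0vers2016",
               "correct horse battery staple"):
        print(f"{pw!r}: {screen(pw) or 'accepted'}")
```

The check runs when a password is chosen, so it does not depend on forcing periodic changes.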
    slartabartfast
    Re: Here's the answer to all security problems 2016/11/11 12:18:47 (permalink)
    There is a respectable school of thought in security that frequent password changes actually diminish the security of the system, for reasons alluded to by others in this thread. It is actually not commonly effective to direct an attack in which millions of possible passwords are attempted at logon, and it can be made virtually useless by blocking the account after a few unsuccessful attempts. Replacing a memorized password at frequent intervals results in the natural human response of keeping a written copy of the new password handy, and thus available to anyone with even limited physical access to the site like the cleaning staff, let alone a compromised co-worker. It also results in a lot of lost password requests, which are a pretty effective method of attack. Most robots that respond to a lost password are ludicrously insecure, often just sending a reset to the registered email or in response to a "security question" the answer to which is in the public record. Human system managers are also likely to suffer from security fatigue if they are constantly bombarded with requests and are not immune from social engineering attacks under the guise of lost passwords, which are the most routinely effective attacks in most organizations. And the embarrassment involved in forgetting your password may cause you to share it with a buddy, who you can text from a remote location to look it up on your desk blotter and send it to you. A strong passphrase, more easily remembered than a complex password, that is not frequently changed probably provides more security than a constantly changing short password.
     
    https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
     
    #9
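An added example, not written by any poster in this thread: the "block the account after a few unsuccessful attempts" control from #9, with a helper that bounds how many online guesses it leaves per day. The class name, thresholds and the injected clock are assumptions made for the illustration.

```python
import time


class LoginThrottle:
    """Temporarily lock an account after max_failures consecutive failures."""

    def __init__(self, max_failures=5, lock_seconds=900, clock=time.monotonic):
        self.max_failures = max_failures
        self.lock_seconds = lock_seconds
        self.clock = clock            # injectable so the logic can be tested
        self._failures = {}           # account -> consecutive failure count
        self._locked_until = {}       # account -> clock value when lock ends

    def is_locked(self, account):
        return self.clock() < self._locked_until.get(account, 0.0)

    def attempt(self, account, password_ok):
        """Record one login attempt; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(account):
            return "locked"           # the password is not even evaluated
        if password_ok:
            self._failures.pop(account, None)
            return "ok"
        count = self._failures.get(account, 0) + 1
        self._failures[account] = count
        if count >= self.max_failures:
            # Temporary lock: it expires on its own, so it adds no
            # help-desk reset request for the legitimate user.
            self._locked_until[account] = self.clock() + self.lock_seconds
            self._failures.pop(account, None)
        return "denied"


def guesses_per_day(max_failures, lock_seconds):
    """Upper bound on online guesses against one account in 24 hours."""
    bursts = 86400 // lock_seconds + 1   # one burst, then one per lock period
    return max_failures * bursts


if __name__ == "__main__":
    print(guesses_per_day(5, 900), "guesses per account per day at most")
```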
    eph221
    Re: Here's the answer to all security problems 2016/11/11 12:23:54 (permalink)
    slartabartfast
    There is a respectable school of thought in security that frequent password changes actually diminish the security of the system, for reasons alluded to by others in this thread. It is actually not commonly effective to direct an attack in which millions of possible passwords are attempted at logon, and it can be made virtually useless by blocking the account after a few unsuccessful attempts. Replacing a memorized password at frequent intervals results in the natural human response of keeping a written copy of the new password handy, and thus available to anyone with even limited physical access to the site like the cleaning staff, let alone a compromised co-worker. It also results in a lot of lost password requests, which are a pretty effective method of attack. Most robots that respond to a lost password are ludicrously insecure, often just sending a reset to the registered email or in response to a "security question" the answer to which is in the public record. Human system managers are also likely to suffer from security fatigue if they are constantly bombarded with requests and are not immune from social engineering attacks under the guise of lost passwords, which are the most routinely effective attacks in most organizations. And the embarrassment involved in forgetting your password may cause you to share it with a buddy, who you can text from a remote location to look it up on your desk blotter and send it to you. A strong passphrase, more easily remembered than a complex password, that is not frequently changed probably provides more security than a constantly changing short password.
     
    https://www.ftc.gov/news-events/blogs/techftc/2016/03/time-rethink-mandatory-password-changes
     




     
    Unfortunately, in the information (at least at this stage) one has to assume that all communications are unsecure.  It's a peculiar type of morality that imposes itself:  someone's always watching!
    #10