Oh really. I guess those who have had their password exposed by a leak somewhere, as I have, should not worry at all and just keep the same password for years. Totally exposed. Many possibly do not even know what their never changing passwords are and just rely on their Browser to auto-login. Or perhaps a password manager.
Your two links support what I and others have been saying in this topic. Forget the password complexity and go for two factor authentication as the way forward.
Every login requires the use of a one-time password that cannot be compromised.
If six with salt is too short to resist offline brute force attack then six without salt surely is likewise. In other words, my discussion "assumed" current best practice because anything less than that will just be even easier to break.
If passwords are not hashed at all (i.e. are stored plaintext) then no length of password is adequate if someone has direct access to the password database. Your 20 character password is as broken as @PhilT's 6 character password.
At best that advice could be described as controversial.
Too frequent password expiry, in addition to encouraging guessable passwords,
encourages passwords to be written down (or stored in a file), which are potential exposures
encourages sharing of accounts (loss of accountability) while a user is unable to use his or her own account
increases support and other costs with people more often unable to access their own accounts (either because they have forgotten the password or because they have locked themselves out)
One example that I see in the real world is that password expiry encourages passwords of the form: somewhat strong stem + predictable suffix.
For example, with monthly expiry, if my password ends in JAN20 today then by next month it will end FEB20 - or if my password ends in 63 today then by next month it will end in 64. That means that if a user's password is compromised then all future passwords for that user are compromised. While it is possible to prevent users doing that, it is difficult to detect all cases.
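Added example, not from any poster in this thread: a server-side password-change check in Python that flags the "stem + predictable suffix" pattern described above (JAN20 to FEB20, 63 to 64). It runs at the one point where the server legitimately holds both the old and the new password, the change form; the function names and sample passwords are constructed for illustration.

```python
import re
from typing import Optional, Tuple

# Month tokens in rotation order, so FEB follows JAN and JAN follows DEC.
MONTHS = ["JAN", "FEB", "MAR", "APR", "MAY", "JUN",
          "JUL", "AUG", "SEP", "OCT", "NOV", "DEC"]

# Shortest stem, then an optional month token, then an optional 1-4 digit counter.
_SUFFIX_RE = re.compile(
    r"^(?P<stem>.*?)(?P<month>" + "|".join(MONTHS) + r")?(?P<num>\d{1,4})?$",
    re.IGNORECASE,
)


def split_suffix(pw: str) -> Tuple[str, Optional[str], Optional[str]]:
    """Split a password into (stem, month token or None, digit counter or None)."""
    m = _SUFFIX_RE.match(pw)
    return m.group("stem"), m.group("month"), m.group("num")


def _delta(a: Optional[str], b: Optional[str]) -> Optional[int]:
    """Numeric difference b - a of two digit suffixes, or None if either is missing."""
    if a is None or b is None:
        return None
    return int(b) - int(a)


def is_predictable_successor(old: str, new: str, max_step: int = 3) -> bool:
    """True if `new` is `old` with the same stem and the suffix advanced by
    1..max_step months or 1..max_step counts (max_step=3 covers monthly to
    quarterly expiry). Only the suffix shapes above are recognised, so a False
    result is not proof that the new password is unrelated to the old one."""
    old_stem, old_mon, old_num = split_suffix(old)
    new_stem, new_mon, new_num = split_suffix(new)
    if old_stem.lower() != new_stem.lower():
        return False  # different stem: not a simple increment of the old password
    if old_mon and new_mon:
        i_old, i_new = MONTHS.index(old_mon.upper()), MONTHS.index(new_mon.upper())
        months = (i_new - i_old) % 12
        if months == 0:  # same month token, so it is really part of the stem
            d = _delta(old_num, new_num)
            return d is not None and 1 <= d <= max_step
        if not 1 <= months <= max_step:
            return False
        if old_num is None and new_num is None:
            return True  # e.g. stemJAN -> stemFEB
        # Year counter must stay the same, or grow by one when wrapping past DEC.
        return _delta(old_num, new_num) == (1 if i_new < i_old else 0)
    if not old_mon and not new_mon:
        d = _delta(old_num, new_num)
        return d is not None and 1 <= d <= max_step  # e.g. stem63 -> stem64
    return False  # a month token appeared or disappeared: not the documented pattern
```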
Mandatory periodic password changes is a darling of security auditors. It has become as much a religion as partisan politics. The underlying reality is that few companies "do security" adequately, many companies are naive about hacks and intrusions, and the best outcome is generally making it as difficult for the "bad guys" as possible, PhD theses in better security or security techniques notwithstanding.
Deploy whatever, and "they" will come. Yet none of that seems an acceptable excuse to not roll out current best practice, be it feel good or actually good in the hands of an expert.
Security auditors in my experience care nothing about the problems of how some measures they deem "best practice" will be implemented, or how much administration and infrastructure cost they would entail.
The law of diminishing returns usually applies to IT systems. Protecting against the blatant and obvious security issues is usually easy and inexpensive to do.
Protecting against the esoteric attack methods that some boffins in their labs propose as "possible" is usually completely infeasible in the real world.
On topic humour. With reference to FB having a bit of a fit about Apple's new tracking setting this one is too good to not post.
Ordering a Pizza in 2022
CALLER: Is this Pizza Hut? GOOGLE: No sir, it's Google Pizza.
CALLER: I must have dialed a wrong number, sorry. GOOGLE: No sir, Google bought Pizza Hut last month.
CALLER: OK. I would like to order a pizza. GOOGLE: Do you want your usual, sir?
CALLER: My usual? You know me? GOOGLE: According to our caller ID data sheet, the last 12 times you called you ordered an extra-large pizza with three cheeses, sausage, pepperoni, mushrooms and meatballs on a thick crust.
CALLER: Super! That's what I'll have. GOOGLE: May I suggest that this time you order a pizza with ricotta, arugula, sun-dried tomatoes and olives on a whole wheat gluten-free thin crust?
CALLER: What? I don't want a vegetarian pizza! GOOGLE: Your cholesterol is not good, sir.
CALLER: How the hell do you know that? GOOGLE: Well, we cross-referenced your home phone number with your medical records. We have the result of your blood tests for the last 7 years.
CALLER: Okay, but I do not want your rotten vegetarian pizza! I already take medication for my cholesterol. GOOGLE: Excuse me sir, but you have not taken your medication regularly. According to our database, you purchased only a box of 30 cholesterol tablets once at Lloyds Pharmacy, 4 months ago.
CALLER: I bought more from another Pharmacy. GOOGLE: That doesn't show on your credit card statement.
CALLER: I paid in cash. GOOGLE: But you did not withdraw enough cash according to your bank statement.
CALLER: I have other sources of cash. GOOGLE: That doesn't show on your latest tax returns, unless you bought them using an undeclared income source, which is against the law!
CALLER: WHAT THE HECK? GOOGLE: I'm sorry sir, we use such information only with the sole intention of helping you.
CALLER: Enough already! I'm sick of Google, Facebook, Twitter, WhatsApp and all the others. I'm going to an island without the internet, TV, where there is no phone service and no one to watch me or spy on me. GOOGLE: I understand sir, but you need to renew your passport first. It expired 6 weeks ago…
GOOGLE: I have just emailed you the form, prefilled for your convenience. We are currently offering our passport application service for 50% off, so simply return the electronically signed form to the source email address and we will submit it on your behalf along with a copy of your birth certificate, current driver's licence and a current passport photo. This service has a guaranteed three day turnaround for only $2.00 plus the passport office fee. It will be charged to your Google Pay account.
Caller: Where did you get my photo? Wait - you have copies of my birth certificate and driver's licence… (insert bad language here). GOOGLE: I have included them in the email, for your review.
I don't accept the blithe assurances from management (OK, I don't live in Florida so it's not relevant what I think but if I did …)
I wonder for the 1000th time why systems like this are even accessible from the internet.
It's about time governments got serious about critical infrastructure. Maybe this will be the wake-up call that they need. From voting machines to water to electricity …
Clearview have scraped at least 3 billion images from the Web for their facial recognition software. The Canadian Privacy Office has said that Clearview have breached the privacy of the people in the images by scraping without express consent.
From an article on the matter:
"New-York-based Clearview, however, argued that it does not have a 'real and substantial connection' to the country so shouldn't need to abide by its laws, and that consent was not needed to scrape the photos since they're all publicly available anyway"
This next link also has information about our Privacy Commissioner now looking into the Company (I haven't seen much local news on the matter though)
Have your pics been harvested?
Have they been used without your consent?
If you want to check whether they have, this non-profit, free site may help, but only for Flickr:
Evolution!
It's too convenient not to use the internet and too expensive to create dedicated physically separate external connections to meet many business needs.
In the early days plant control systems and business systems existed like little islands. Hacking was an internal affair. Dependence on external connectivity is now the norm for everyday business.
Modern plant control and operational/performance reporting systems (SCADA) are sold partly through putting live monitoring on the desk (laptop) of every Senior Manager. And for key staff on their mobiles (alerts included) just in case you are playing golf and can't afford to be last to know!
Note: For the reported hack.
Properly done configuration limits any operator adjustable control settings within acceptable/safe maximums and minimums. A hacker may have gained remote access to a console. It is unlikely (slightly possible) the direct plant control system was also poorly configured. The reporting may have found opportunity in pessimistic predictions.
15,000 people with sodium hydroxide poisoning isn't very convenient though.
I understand how they want to use IT but remain unconvinced that remote access for control is needed.
Remote access for reporting could be arranged if done properly. The trouble is, from the limited details in the news story, I don't have high confidence that it would be done properly.
True. Provided that the hack stays at the "operator" level. If this mob are real cowboys, it could be that a hacker can get in below the UI level and either change the limits or even change the code.
That is my impression. Imagine if the operator had gone off for lunch, leaving himself logged in - and hence not been there to notice the "remote control hack".
Yes, imagine if it was connected to the red button in the Presidential office in Washington? Cokes all around.
There is no intent to trivialise the event. It would be appropriate to leave imagination out of this. According to the facts there is no evidence this is how it is anywhere in Australia. We are looking at a one off instance in Florida USA.
Do we have sufficient factual content to agree the possibility was real or imagined? I suggest not. It simply suits the news item to choose imagination over fact, irrespective of establishing the full facts.
There seems little point in comparing how I might expect it will be from experience or how it would need to be for the worst possible outcome. Neither those with first hand knowledge of the event in Florida nor of every similar system in Australia are responding in this topic.
Expect that in Australia our Control System professionals design for Homer Simpson moments. Those I know are fans of said program. Perhaps we should ask directly what the assurances are.
That isn't how I roll though. I ask: can it happen to me? Rather than waiting until it does.
Dealing with "what if?" scenarios is walking a fine line between being recklessly unprepared or even negligent and having an overactive imagination.
Or I think you can either trust the Cert (import it) or you can possibly visit by ignoring the warning (if that still works).
One of the Exposing.ai project team members (the S.T.O.P. organisation (Surveillance Technology Oversight Project, Inc)) has a webpage, but again it has an AO Kaspersky Cert so may not allow you access: