Month: September 2015

The Password is Dead — Long Live the Password


A password is a string of characters or words, known to a person and kept secret, that authenticates that person as someone authorized to gain access to something. The idea is an ancient one: think of sentries for thousands of years yelling, “Halt, who goes there? Give the password!” The first computer password scheme was (probably) the one implemented on CTSS at MIT around 1961.

Authentication is based on one or more factors from the list “Something you know”, “Something you have”, “Something you are”. Think of a typical password, an authentication device like an RSA token or grid card, and a fingerprint or retina scan.

I have ranted previously that the third factor is a problem, in part because if its digital representation gets stolen, that’s it. Game over. You can change a password. You can re-seed a token, or print off a new grid card. But changing your fingerprints is not an option most people have.

How users store passwords ranges from bad to not-so-bad. Users will memorize them, use paper and pencil, keep them in a spreadsheet, and so on. If you can memorize good passwords, you’re ahead of the game. Some people use an encrypted vault like KeePass or LastPass, but there is a definite sacrifice of convenience in these. Ah, well, everything’s a trade-off.

I will be giving a talk about passwords at the Rochester Security Summit next Tuesday (Oct. 6, 2015) at 10:30 AM. If you are not already registered for this event, why the heck not?


A Tacit Admission?


In this follow-up to Pen-Gate, Android Community reports that a victim of the design flaw was given a free repair of his Note 5:

The post was pretty detailed about everything that he did, including how many hours he waited. But the important take-away from his report is that he was not charged for anything by the service center. Does this mean that, indirectly, Samsung is actually admitting that there really is a problem, since there were no extra charges to get it repaired? Or did the Samsung center guys just take pity on him (user name RobVanDam)?

I still say it’s a design flaw, and I now say Samsung appears to agree, at least tacitly.


Jeep Hack and More


Uber just hired the two hackers who pulled this off, to make autonomous cars safer.

This means Uber’s plans for the future don’t include Uber drivers.

That might be an even more disturbing implication of this story than the ridiculous vulnerability of Jeeps, and of all other cars. And LED light bulbs. And TV sets. And….

Good luck.