So you've set up MFA and solved the Elvish riddle, but some still think passwords alone are secure enough

About a third of firms and organisations in Europe and the Middle East still believe the humble password is a good enough security measure, according to a survey carried out by French firm Thales. Moreover, two-thirds of the 400 IT professionals quizzed indicated "that their organisations plan to expand use of usernames and …

  1. Blackjack Silver badge

    Just make a really long password

    The requirement to send a text message to confirm it's you is really stupid, because SMS tech is so unsafe it's ridiculous.

    1. big_D Silver badge

      Re: Just make a really long password

      Password + Dongle here.

    2. Anonymous Coward

      Re: Just make a really long password

      It depends who and what you are trying to protect.

      SMS forging is trivial but generally beyond the reach of most phishers, particularly if you have strong checks around provisioning new devices (i.e. requiring a phone call to validate the device during office hours before allowing a device to be used, and conditional access to match your allowed mobile device username).

      A determined attacker can challenge both of these, but most of those exploiting password weakness or single factor authentication aren't determined attackers, they're chancers with a huge pool of victims.

  2. macjules Silver badge

    ... tens of thousands across the world were using such Fort Knox-style gems

    Remind me not to use NordVPN: if they can access their users' passwords.

    1. KittenHuffer Silver badge

      Re: ... tens of thousands across the world were using such Fort Knox-style gems

      They might have just done a dictionary attack on their own users to get an idea of what percentage were vulnerable to such an attack. I know that if I were in such a business it would be something I would at least suggest to manglement.

      1. Anonymous Coward

        Re: ... tens of thousands across the world were using such Fort Knox-style gems

        Shouldn't all passwords be hashed? They should not be able to access them at all.
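        As an added illustration of the exchange above (this is not code from the thread, from NordVPN or from any vendor): a service that stores only salted PBKDF2 hashes still cannot read its users' passwords, yet it can estimate how many are dictionary words by re-hashing each candidate with each user's salt. The usernames, passwords and wordlist below are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Tuple

# Constructed demo parameters; a real service would use a much higher
# iteration count (or Argon2/scrypt), but the audit logic is the same.
ITERATIONS = 10_000


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256, the only form the service ever stores."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def make_store(user_passwords: Dict[str, str]) -> Dict[str, Tuple[bytes, bytes]]:
    """Build a credential store of (salt, digest); the plaintext is discarded."""
    store: Dict[str, Tuple[bytes, bytes]] = {}
    for user, pw in user_passwords.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


def audit_weak_passwords(store: Dict[str, Tuple[bytes, bytes]],
                         wordlist: List[str]) -> List[str]:
    """Return users whose stored hash matches some wordlist entry.

    Hashing does not stop this: the auditor holds the salts, so each
    candidate word is hashed per user and compared in constant time.
    """
    weak = []
    for user, (salt, digest) in store.items():
        if any(hmac.compare_digest(hash_password(w, salt), digest) for w in wordlist):
            weak.append(user)
    return weak


def weak_fraction(store: Dict[str, Tuple[bytes, bytes]], wordlist: List[str]) -> float:
    """Share of accounts vulnerable to this wordlist (the 'percentage' stat)."""
    return len(audit_weak_passwords(store, wordlist)) / len(store)


# Constructed sample accounts and a tiny constructed wordlist.
SAMPLE_USERS = {
    "alice": "123456",
    "bob": "correct-horse-battery-staple-42",
    "carol": "password",
    "dave": "Pa55w0rD!",  # satisfies typical complexity rules, still in wordlists
}
WORDLIST = ["123456", "password", "qwerty", "Pa55w0rD!", "letmein"]

if __name__ == "__main__":
    store = make_store(SAMPLE_USERS)
    print(audit_weak_passwords(store, WORDLIST), weak_fraction(store, WORDLIST))
```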

    2. FrogsAndChips

      Re: ... tens of thousands across the world were using such Fort Knox-style gems

      El Reg has posted several reasons not to blindly trust NordVPN, but this is not one of them. Read the linked article and you'll see that the stats come from data compiled from breaches that exposed millions of passwords worldwide. Nothing to do with their customers' data.

  3. Chris Miller

    Secure enough for what?

    Security is always a trade-off between the value of what you're trying to protect (and the threats against it) and the cost of protection (in terms of user time, added complexity etc.) There are surely situations (for many users, it will be the majority of situations) where a password is sufficient security. How much would I be prepared to pay to protect someone else posting on here in my name? (Not much.)

    1. Arthur the cat Silver badge

      Re: Secure enough for what?

      Security is always a trade-off between the value of what you're trying to protect (and the threats against it) and the cost of protection (in terms of user time, added complexity etc.)

      As Bruce Schneier has been telling the world for years. If the threat is your little sister a reasonable password will do, if it's the NSA/GCHQ just send them your documents to save everybody's time. In between it's horses for courses.

  4. Mike 137 Silver badge

    "... believe the humble password is a good enough security measure"

    Good enough for what?

    There are purposes for which well defined passwords are sufficient, and other purposes for which they are not. There are no purposes for which the normal idiotic password rules are sufficient - "Pa55w0rD!".

    1. Charles 9 Silver badge

      Re: "... believe the humble password is a good enough security measure"

      So what happens when your two ends cross over and you end up with an UNhappy medium: in charge of something that legally requires high-strength protection AND a bunch of users with terrible memories?

      1. ThatOne Silver badge

        Re: "... believe the humble password is a good enough security measure"

        > requires high-strength protection AND a bunch of users with terrible memories

        I have a terrible memory for that kind of alphanumerical stuff (for other stuff my memory is excellent). My solution to the problem was a Password Manager (Bruce Schneier's one). That way I only have to memorize one strong password; that much I can handle...

        I use it to also store all my important stuff (credit cards, passport numbers, tax IDs, you name it), and make copies of the database on several USB sticks I hide in my wallet, in my car, at some relatives' house, and so on. No cloud malarkey for me, but if my house burns down while I'm out shopping, I won't lose any of my important information nevertheless.

        1. Charles 9 Silver badge

          Re: "... believe the humble password is a good enough security measure"

          "I have a terrible memory for that kind of alphanumerical stuff (for other stuff my memory is excellent). My solution to the problem was a Password Manager (Bruce Schneier's one). That way I only have to memorize one, strong password, that much I can handle..."

          For some, even that is too much, meaning even password managers are risky, as are little black books and the like (keeps losing the keys, for goodness' sake). And yes, I LIVE with such a person (three guesses why).

  5. MarkSitkowski

    Re: "... believe the humble password is a good enough security measure"

    It all depends on how you enter your password - or not.

    https://www.linkedin.com/pulse/defence-humble-password-mark-sitkowski/

    1. Charles 9 Silver badge

      Re: "... believe the humble password is a good enough security measure"

      Still doesn't address that big bug-a-boo of people who can't remember their passwords. Passwords are a "something you know", but how do you use them with people who know nothing?
