"74 percent used a strong password – defined as having at least eight characters and upper and lowercase letters, numbers, and symbols "
It would be interesting to know how many of those "strong" passwords were "Password1!", or similar.
End users, often viewed by infosec specialists as a corporation's weakest link, appear to be finally understanding the importance of good security and privacy practices. Since 2019, more US consumers have taken steps such as using stronger passwords to their home Wi-Fi networks, multi-factor authentication (MFA), blocking or …
As I always ask when this is said: strong against what?
There are at least half a dozen quite disparate attacks against passwords, each of which needs different protection to prevent.
The gross over-simplification of such rules as those quoted is a symptom of complete lack of understanding of the nature of the problem to be solved. But instead of gaining the necessary understanding, we fall back on repeating ancient mantras without thinking about whether they actually mean anything in the real world. The result is ineffectual pseudo-security, for which the end user commonly gets blamed, simply because they're in the weakest position to argue.
Recently had an incident at a supplier.
Said it was via a compromised password.
Someone's account was leaked?
No
So someone phished it?
No
So someone shoulder surfed it?
No
So how did they get in?
Brute force
How often did the account lock out?
Lock out?
Yes from too many attempts?
Oh, we don't do that; it caused hassle in the past.
*face palms*
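A minimal illustration of the lockout that the exchange above says was switched off, as an added example that is not from the original thread or from any product discussed in it: a per-account failed-attempt counter that trips after MAX_FAILURES failures inside a sliding window and then refuses every attempt, correct password included, until the lockout expires. The thresholds, the FakeClock and the guess list are constructed assumptions.

```python
import time
from dataclasses import dataclass, field

# Constructed policy values for this example; real thresholds are a deployment choice.
MAX_FAILURES = 5            # failed attempts tolerated inside the window
WINDOW_SECONDS = 15 * 60    # failures older than this no longer count
LOCKOUT_SECONDS = 15 * 60   # how long an account stays locked once it trips

@dataclass
class AccountState:
    failures: list = field(default_factory=list)   # timestamps of recent failures
    locked_until: float = 0.0

class LockoutPolicy:
    """Per-account failed-login counter with a sliding window and a lockout period."""
    def __init__(self, clock=time.time):
        self.clock = clock      # injectable so the example can fake the passage of time
        self.accounts = {}

    def attempt(self, user, verify):
        """Return 'locked', 'ok' or 'fail'. The lock is checked before the password
        is verified, so a locked account cannot be probed at all."""
        now = self.clock()
        st = self.accounts.setdefault(user, AccountState())
        if now < st.locked_until:
            return "locked"
        st.failures = [t for t in st.failures if now - t < WINDOW_SECONDS]
        if verify():
            st.failures.clear()
            return "ok"
        st.failures.append(now)
        if len(st.failures) >= MAX_FAILURES:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures.clear()
        return "fail"

class FakeClock:
    """Constructed clock: every read advances one second, so attempts are 1 s apart."""
    def __init__(self):
        self.t = 0.0

    def __call__(self):
        self.t += 1.0
        return self.t

def run_guesses(policy, user, secret, guesses):
    """Feed a constructed guess list through the policy and collect each outcome."""
    return [policy.attempt(user, lambda g=g: g == secret) for g in guesses]
```

Feed five wrong guesses through run_guesses and every later call returns "locked", even the one carrying the right password, which is exactly the brute-force path the supplier left open.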
Even the most basic, even then not strong enough, controls are routinely "a hassle".
>Lock out?
>Yes from too many attempts?
Well...
As from the October 11th 2022 cumulative update:
All Windows versions can now block admin brute-force attacks
Although from the article it seems there are circumstances where this won't be enabled by default.
Additionally "Microsoft also announced today that it now requires local administrator accounts to use complex passwords"
My employer recently explained how to build "good" passwords. Overall it was ok, except where they recommended using symbols to swap out for letters, like @ instead of a.
You know, like the whole planet knows you do and builds into the password-breaking tools?
Yes, doing that adds to the password complexity and brute-forcing time. A tiny bit. But INSERTING a symbol at an unexpected place adds a LOT more, so teach people to do that instead!
tldr: Not P@$$w0rd, but Pa^ss*wo(rd
"anything that is discussed enough times at the dinner table eventually makes its way into the board room"
Eventually.
How reassuring.
That should probably explain all those "We take security very seriously" messages, when they don't have a fucking clue what it means.
While the numbers paint an improving picture for end users in general, until we get to NeverNeverLand where 100% of netizens follow best practices, end users will still be a corporation's weakest link. It only takes one to break the system.
By entering the code, you link the phone to you. Obviously no use for the initial transaction, but subsequent transactions...
Just having some fun, a financial institution is sending me the details of investments being requested by a firm of solicitors because it is my name and contact details on the death certificate; until such time as I provide them with a certified copy of the Will etc. they don't believe the solicitors have a legitimate interest in the investments.