Well thank you, Borkzilla
It's so nice of you to demonstrate once again that security is an afterthought for you.
Microsoft's sprint to push generative AI into all parts of its broad portfolio is reaching the cybersecurity realm with the introduction today of Security Copilot, a GPT-4-based service that might assist security teams pushing back against modern threats. Security Copilot is supposed to help security professionals identify …
Not an afterthought, a sales opportunity.
You've only got a P1 security license you pleb? You have a duty to buy a P2 security license, and days of prepaid support instances. And our AI plugin to make sense of our graph api interface.
Anything else would be reckless, effectively handing the terabytes of data that your business sends to our cloud directly over to criminals /s
Since September 2021, the number of password attacks per second has risen from 579 to 1,287, according to Vasu Jakkal, corporate vice president of security, compliance, and identity at Microsoft. The median time for an attacker to access data in a phishing attack is an hour and 12 minutes, apparently.
Maybe I'm reading this wrong, but does this person suggest that miscreants manage to get in after 72 minutes' worth of dictionary attacks? What about blocking after 3 failures and progressively extending the time before allowing a retry?
That said, I have never found using an active email address a good idea as part of a login - it means you give away 50% of the required credentials for free with every email. I don't use my main email addresses for logins, period. Speaking of which, my published email addresses are *all* aliases, which means that I could in theory use 'password' as password and a dictionary attack would still fail as they only ever see an alias (and thus attack an account that doesn't actually exist), not the actual email address used for the IMAP login. Not all security has to be super complicated - sometimes it's simply a matter of misdirection by understanding the tools you work with.
Besides, it's also more fun :).
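As an added illustration of the progressive-lockout idea raised in the comment above (example code, written for this page; it is not from the commenter, the article, or Microsoft), here is a per-account throttle that allows three consecutive failures, then doubles the wait after each further failure up to a one-hour cap, together with a simulation of an online dictionary attack that waits exactly as long as the throttle demands. The account name, the 30-second base delay and the one-hour cap are assumptions chosen for the example. Two caveats worth keeping in mind: the lockout is per account, so it does nothing against spraying one password across many accounts, and an uncapped lockout gives an attacker an easy way to lock legitimate users out, which is why the delay is capped.

```python
import time
from typing import Callable, Dict, Tuple


class FakeClock:
    """Deterministic clock for the simulation and tests (constructed for this example)."""

    def __init__(self, start: float = 0.0) -> None:
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LoginThrottle:
    """Per-account lockout: after `threshold` consecutive failures, each further
    failure doubles the wait before the next attempt is accepted, up to `max_delay`.
    State is kept in memory here; a real deployment would use a shared store."""

    def __init__(self, threshold: int = 3, base_delay: float = 30.0,
                 max_delay: float = 3600.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.threshold = threshold
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.clock = clock
        # account -> (consecutive failures, time at which attempts are accepted again)
        self._state: Dict[str, Tuple[int, float]] = {}

    def check(self, account: str) -> Tuple[bool, float]:
        """Return (allowed, seconds_to_wait). Call this before verifying the password."""
        failures, unlock_at = self._state.get(account, (0, 0.0))
        now = self.clock()
        if now < unlock_at:
            return False, unlock_at - now
        return True, 0.0

    def record_failure(self, account: str) -> float:
        """Register a wrong password; returns the lockout applied (0.0 if none yet)."""
        failures, unlock_at = self._state.get(account, (0, 0.0))
        failures += 1
        delay = 0.0
        if failures >= self.threshold:
            # 30 s, 60 s, 120 s, ... capped at max_delay so users cannot be locked out forever
            delay = min(self.base_delay * 2 ** (failures - self.threshold), self.max_delay)
            unlock_at = self.clock() + delay
        self._state[account] = (failures, unlock_at)
        return delay

    def record_success(self, account: str) -> None:
        """A correct password clears the failure history."""
        self._state.pop(account, None)


def guesses_possible(window_seconds: float, threshold: int = 3,
                     base_delay: float = 30.0, max_delay: float = 3600.0) -> int:
    """Simulate an online dictionary attack on one account in which every guess is wrong
    and the attacker waits exactly as long as the throttle demands; returns how many
    guesses fit in the window. The account name is an assumed example value."""
    clock = FakeClock()
    throttle = LoginThrottle(threshold, base_delay, max_delay, clock)
    account = "victim@example.com"
    guesses = 0
    while clock.now < window_seconds:
        allowed, wait = throttle.check(account)
        if not allowed:
            clock.advance(wait)
            continue
        throttle.record_failure(account)
        guesses += 1
    return guesses


if __name__ == "__main__":
    print(guesses_possible(72 * 60))  # prints 10: guesses possible in the article's 72 minutes
```

With these parameters an attacker hammering a single account gets ten guesses in 72 minutes instead of tens of thousands, which is the point the commenter is making; the spraying and lockout-as-denial-of-service caveats above are why production systems usually combine this with per-source limits and with MFA rather than relying on it alone.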
No, that’s not what phishing means.
While I also use aliases for logins, using a basic password would still be a bad idea as any SMTP server handling the email will know your alias exists, emails are not hashed and salted in app databases as passwords should be, so a SQL injection theft of the DB would immediately breach your account, and if you use a predictable alias pattern like site@mydomain then once one goes it's trivial to pop some other common sites you may use.
I note you didn’t say you do use “password”, but thought I’d offer the downsides!
Oh, don't worry - my passwords have always been of good quality so even if somehow the actual account details leaked it would not help, and my ISP not only runs the show on FreeBSD, they're also very proactive when it comes to security, one of the main reasons I use them.
For site passwords I apply the same rules, and I have taken to generating email addresses for those which allow me to track back where I used them. That way, if I see spam arrive I quickly know who's been naughty.