Just make a really long password
Requirements of sending a text message to confirm it's you are really stupid because SMS tech is so unsafe it's ridiculous.
About a third of firms and organisations in Europe and the Middle East still believe the humble password is a good enough security measure, according to a survey carried out by French firm Thales. Moreover, two-thirds of the 400 IT professionals quizzed indicated "that their organisations plan to expand use of usernames and …
It depends who and what you are trying to protect.
SMS forging is trivial but generally beyond the reach of most phishers, particularly if you have strong checks around provisioning new devices (i.e. requiring a phone call to validate the device during office hours before allowing a device to be used and conditional access to match your allowed mobile device username).
A determined attacker can challenge both of these, but most of those exploiting password weakness or single factor authentication aren't determined attackers, they're chancers with a huge pool of victims.
They might have just done a dictionary attack on their own users to get an idea of what percentage were vulnerable to such an attack. I know that if I were in such a business it would be something I would at least suggest to manglement.
El Reg has posted several reasons not to blindly trust NordVPN, but this is not one of them. Read the linked article and you'll see that the stats come from data compiled from breaches that exposed millions of passwords worldwide. Nothing to do with their customers' data.
Security is always a trade-off between the value of what you're trying to protect (and the threats against it) and the cost of protection (in terms of user time, added complexity etc.) There are surely situations (for many users, it will be the majority of situations) where a password is sufficient security. How much would I be prepared to pay to protect someone else posting on here in my name? (Not much.)
> Security is always a trade-off between the value of what you're trying to protect (and the threats against it) and the cost of protection (in terms of user time, added complexity etc.)
As Bruce Schneier has been telling the world for years. If the threat is your little sister a reasonable password will do, if it's the NSA/GCHQ just send them your documents to save everybody's time. In between it's horses for courses.
Good enough for what?
There are purposes for which well defined passwords are sufficient, and other purposes for which they are not. There are no purposes for which the normal idiotic password rules are sufficient - "Pa55w0rD!".
> requires high-strength protection AND a bunch of users with terrible memories
I have a terrible memory for that kind of alphanumerical stuff (for other stuff my memory is excellent). My solution to the problem was a Password Manager (Bruce Schneier's one). That way I only have to memorize one, strong password, that much I can handle...
I use it to also store all my important stuff (credit cards, passport numbers, tax IDs, you name it), and make copies of the database on several USB sticks I hide in my wallet, in my car, at some relatives' house, and so on. No cloud malarkey for me, but if my house burns down while I'm out shopping, I won't lose any of my important information nevertheless.
"I have a terrible memory for that kind of alphanumerical stuff (for other stuff my memory is excellent). My solution to the problem was a Password Manager (Bruce Schneier's one). That way I only have to memorize one, strong password, that much I can handle..."
For some, even that is too much, meaning even password managers are risky, as are little black books and the like (keeps losing the keys, for goodness sakes). And yes, I LIVE with such a person (three guesses why).