Why use passwords?
What still surprises me is why we are still using passwords for authentication purposes.
Focusing only on server-side attacks (i.e. SAM hash dumps), why not use certificates to ensure *very* strong and random passwords, just a 4-digit PIN away? Agreed, the solution is probably more enterprise-oriented, but aren't those the more attractive targets today?
Why rely on humans to come up with a good password? Just let the machine do its thing and relieve the user of the burden. Yes, the individual password is still vulnerable to local attacks, but if the password hash DB is leaked, the contents are well protected.
I'd have liked the paper to say a few words on this...