
Good Password Guidance, Tips and Ideas For Users and Systems Managers

5:25 pm on Sep 15, 2015 (gmt 0)
engine (Administrator from GB; joined May 9, 2000; posts: 26126; votes: 950)

We all know that good passwords are essential for many services, and we've all got our own ways of creating and managing passwords. Of course, there are plans to do away with passwords using biometric scanners, or face recognition, etc., but we're a long way away from that for all the different services we use. Just about every service requires a password these days, and managing passwords has been a pain for a long time, even if you use a password database tool: you have to make sure you have your database with you at all times, and, of course, as I discovered, the USB memory stick has to be resilient. Of course, I have a backup of the data, but I only had one copy with me, and somehow the memory on the USB stick became corrupted.

What about webmasters and system managers who are managing users' accounts? There have been many high-profile examples of systems that have been compromised, in some shape or form, and those user details leaked, resulting in even more user grief. Whether those sites and services put real effort into protecting accounts is up for debate, but it's clear that many systems need hardening to help block access to the data in the first place, and then, if there is a break-in, how well protected (encrypted) is the data? Here's some recently published information from the UK government on password guidance. [gov.uk]

Another aspect in designing an effective system is how easy or difficult it is for users to get password reminders or resets. Some services I've used seem to take an age to send a new password to reset the account, and others are pretty much instant. People shouldn't be waiting for their password reminders and resets. To get over e-mail sniffing, some services use a text message on your phone to confirm authorisation. This double authentication is going to help under certain circumstances, but it does rely on the mobile phone signal and the speed of the text receipt. People don't like waiting.

I read today that users still continue to make use of weak and obvious passwords. For example, the partner cheating site [webmasterworld.com] that was hacked had over 120,000 users with the password "123456", 48,000 with "12345", and, in third place, 39,000 with "password" as their password. lol Additionally, almost 5 million users only used lower-case passwords.

Recently, I was watching a presentation where password hardness testing was being undertaken, and it showed that good passwords can take many millions of years to crack, but the downside to users is that they are totally unmemorable. It also showed that many systems can't actually cope with some of the more sophisticated characters in passwords.

Can users be trusted with the choice of their own passwords? Are systems built to help users choose and use effective passwords that are more difficult to crack? Are webmasters and systems developers failing to provide users with adequate learning and advice on user passwords, and relying on users to protect their own accounts?

Where does the buck stop when there's a hack?

When was the last time you reviewed your system security, and what tips do you have to help protect systems?

5:56 pm on Sept 15, 2015 (gmt 0)
leosghost (Senior Member from FR; joined Feb 15, 2004; posts: 7139; votes: 412)

A tip for UK gov..when your own services, departments or contractors leave USB keys / CDs / DVDs / laptops with unencrypted, non-password-protected data on trains and in taxis..as happens all too frequently..

Don't fine the govt department..that is just the taxpayer's left hand paying the taxpayer's right hand..

Fire ( with no golden pensions ) the department heads and the senior civil servants that allowed the situation to happen..

The UK gov giving data security advice, is like the Pope giving sex lessons..

Unfortunately..anyone who discusses their approach to password security in public ( or even in private ) only provides ( inadvertently ) pointers as to how their own systems may be breached..you tell me how to protect my system, and I'll then have a damn good idea how you are protecting yours, which would save me a lot of time and effort in the wrong directions if I wanted to get into yours..

8:22 pm on Sept 15, 2015 (gmt 0)
lucy24 (Senior Member from US; joined Apr 9, 2011; posts: 15648; votes: 798)

:: shuffling papers ::

Yup, thought so.

[xkcd.com...]

10:44 am on Sept 16, 2015 (gmt 0)
engine (Administrator from GB; joined May 9, 2000; posts: 26126; votes: 950)

Joking aside, site security IS important, and that includes how people manage the data. Laugh at others' malpractice, by all means, and I'll be the first to think it's stupid that data is left lying around, but that's not what I wanted to discuss. And we certainly don't want to discuss the detail.

I spoke to a company about their site security and they hadn't done much at all. They have a database, but it was easy to track down, even if it didn't store sensitive data. I'm not a security expert, but I do know some that are involved in the sector. They can really put site security through its paces.

It's also about usability, so that legitimate users don't get locked out.

11:40 am on Sept 16, 2015 (gmt 0)
leosghost (Senior Member from FR; joined Feb 15, 2004; posts: 7139; votes: 412)

Databases can be encrypted..but that means paying for commercial software..which most people do not want to do.
Mobile phone verification from sites ( including Google, facebook et al ) is merely an attempt by them ( and the "security services" ) to make it easier for them to join their dots about users..not to enhance users security..

Win10 ( and MS are retrofitting existing installations of win7, win8 and win8.1 to do the same via "updates" to them , not via updates to win10, your win box may have already been "adjusted" to do this by MS with some recent "updates" ) sends all user passwords to MS servers, and sends any information that you may have about your users on your machine..That makes use of those operating systems illegal in some jurisdictions..

Data ( including obviously password data and account data , user details etc ) stored on servers in some jurisdictions ( which ones ? you can find by searching ) is automatically passed to outside "agencies"..or they are allowed "access" ( without court orders ) without that "access" being disclosed to either the site owners or site users ..

So..don't host in those jurisdictions..

Wordpress ( and its myriad add-ons and plugins )...<= hack magnet with more security holes than a colander..simple..don't use it..

An incredible number of sites send login names, password instructions and the actual passwords themselves in clear-text emails..

Don't be one of them..

Don't use password systems ( or any security systems ) that rely upon Flash or Silverlight etc. to work..many banks and institutions, many sites, in many countries..still do this..

There are many many more "don'ts"...
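
Added example, not from the thread or any of its posters: the "don't e-mail passwords" point above, and the reset-and-reminder discussion in the opening post, both come down to the same flow, so this one block covers both. The mail carries a random, single-use, short-lived token; the server stores only a hash of the token, so neither a sniffed mailbox nor a leaked table yields anything reusable once the window has closed. The class and function names, the 15-minute lifetime and the injectable clock are assumptions made here for illustration.

```python
# Added example, not from the thread: a password-reset flow that never puts a
# password in e-mail. Names, TTL and the injectable clock are assumptions.
import hashlib
import secrets
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

TOKEN_TTL_SECONDS = 15 * 60     # assumed lifetime; a sniffed mail goes stale quickly


@dataclass
class ResetRecord:
    user_id: str
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Server side of the flow. The clock is injectable so expiry is testable."""

    def __init__(self, clock: Callable[[], float] = time.time):
        self._clock = clock
        self._records: Dict[str, ResetRecord] = {}

    @staticmethod
    def _fingerprint(token: str) -> str:
        # Store a hash of the token, never the token itself: a leaked table
        # cannot be replayed against the reset endpoint.
        return hashlib.sha256(token.encode("utf-8")).hexdigest()

    def issue(self, user_id: str) -> str:
        token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
        self._records[self._fingerprint(token)] = ResetRecord(
            user_id=user_id, expires_at=self._clock() + TOKEN_TTL_SECONDS)
        return token

    def redeem(self, token: str) -> Optional[str]:
        """Return the user id exactly once, and only before expiry.
        Unknown, used and expired tokens all fail the same way."""
        rec = self._records.get(self._fingerprint(token))
        if rec is None or rec.used or self._clock() > rec.expires_at:
            return None
        rec.used = True
        return rec.user_id


def reset_email_body(reset_url_base: str, token: str) -> str:
    """What goes in the mail: a link carrying the token. No password, no
    username, nothing an interceptor can use after the token is spent."""
    return (
        "Someone asked to reset the password on your account.\n"
        f"If that was you, follow this link within 15 minutes: {reset_url_base}?t={token}\n"
        "If it wasn't, ignore this message; the link expires on its own.\n"
    )


def complete_reset(store: ResetTokenStore, token: str, new_password: str,
                   set_password: Callable[[str, str], None]) -> bool:
    """Redeem the token, then hand the new password to the caller's credential
    store (which should hash it). Returns False if the token was not valid."""
    user_id = store.redeem(token)
    if user_id is None:
        return False
    set_password(user_id, new_password)
    return True


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")
    print(reset_email_body("https://example.test/reset", tok))
    print(complete_reset(store, tok, "a new long pass phrase", lambda u, p: print("set", u)))
    print(complete_reset(store, tok, "again", lambda u, p: print("set", u)))   # False: single use
```

The SMS confirmation the opening post mentions slots in as a second gate in front of `complete_reset`; it does not change the token handling. Note also that the same "unknown, used or expired" path is taken for every failure, so the endpoint does not tell a caller which accounts have a reset pending.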