Password security is not just a user problem

  • 1 October 2014

by Dwayne Melancon - CTO at Tripwire - Tuesday, 30 September 2014.
 
When high-profile password compromises occur, we often spend a lot of time focusing on advice to users: “Use strong passwords,” “Don’t reuse passwords across sites,” “Don’t write passwords down,” “Don’t disclose your password via email or on an untrusted site,” and so forth.

User-centric scrutiny is a good place to spend time when we’re dealing with phishing attacks, but it doesn’t help much if an attacker breaks into a company’s systems and grabs the entire password database. In that case, they’ve grabbed all the weak passwords, and they’ve grabbed the strong ones as well. In some cases, the attackers may also gain access to information that is even more valuable than the credentials themselves.

We’re used to asking the obvious questions like, “Were the passwords stored as salted hashes?” and “Does the web site use a secure form for logins?” From my interactions with breached companies, I believe we need to zoom out and look at password security from a broader perspective. Here are some areas that would benefit from greater scrutiny.
 
 
Source: Help Net Security article, http://www.net-security.org/article.php?id=2135
