by Jay Heiser | August 8, 2012 | Comments Off
I was recently forced to change my password on a UK pension system, and my first 4 password offerings were unacceptable. I was baffled as to what part of the password didn’t meet the requirements. Today, I needed to login and review a pay stub, had to reset my password, and the exact same thing [...]
Comments Off
Category: Cloud security Tags: authentication, password complexity, password reuse, password slurping, passwords
by Jay Heiser | August 1, 2012 | 1 Comment
I spent a frustrating 5 minutes this weekend enduring a forced password change on a retirement account containing $400. I was sure that the randomly generated and completely unmemorizable string my password utility came up with exceeded 7 characters, contained upper and lower case letters, at least 1 number, and a special character. It finally [...]
Category: security Tags: authentication, Dropbox, hacking, password slurping, passwords, SaaS security, security
by Jay Heiser | April 19, 2012 | 1 Comment
I frequently see end user policies that contain the following two elements: Passwords must be so complex that they cannot be guessed Passwords may not be written down This is almost a model case of perfectly secure and perfectly unusable. I say almost, because the unfortunate fact of the matter is that strong passwords only [...]
Category: Policy security Tags: malware, password slurping, passwords, policy, slurping attack
by Jay Heiser | February 14, 2012 | Comments Off
While I would hope that the CEO of a major technology firm (albeit a somewhat diminished firm in this case) does not have a copy of the root password, the idea of ‘executive privilege’ maybe needs to be rethought.
Comments Off
Category: security Tags: authentication, hacking, passwords
by Jay Heiser | December 23, 2011 | 2 Comments
Demanding that users not write down their passwords is a quarterly opportunity to send the message that security policy is a useless bureaucratic exercise.
Category: Cloud IT Governance risk management security Tags: passwords, policy
by Jay Heiser | May 13, 2011 | Comments Off
How much mental anguish is the result of ignorant accounting grads working for Big 4s, struggling to find SOX-relevancy, totally oblivious to the huge amount of HCI research that has been done on the topics of passwords, so ignorant to the history of computer security that they don’t recognize they are demanding the use of pre-network, pre-malware controls that were developed by mathematicians who were completely ignoring human factors.
Comments Off
Category: risk management security Tags: authentication, malware, passwords, security, Security-Summit-NA, slurping, sniffing attack, standards
