{"id":18439,"date":"2022-03-07T10:30:03","date_gmt":"2022-03-07T18:30:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2022\/03\/07\/news-12172\/"},"modified":"2022-03-07T10:30:03","modified_gmt":"2022-03-07T18:30:03","slug":"news-12172","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2022\/03\/07\/news-12172\/","title":{"rendered":"Change my password? AGAIN?"},"content":{"rendered":"<p><img decoding=\"async\" src=\"https:\/\/images.idgesg.net\/images\/article\/2019\/07\/cso_passwords_passcodes_by_gerd-altmann_cc0_via_pixabay_1200x800-100802490-large.3x2.jpg?auto=webp&amp;quality=85,70\"\/><\/p>\n<p><strong>Credit to Author: Susan Bradley | Date: Mon, 07 Mar 2022 10:02:00 -0800<\/strong><\/p>\n<p style=\"font-weight: 400;\">Every year at this time, I have to fill out my firm\u2019s cyber insurance application \u2014 and every year they ask whether we encourage strong passwords and change them often. This question annoys me tremendously, because we really shouldn\u2019t be changing passwords often. We should instead be choosing authentication processes that appropriately match site risks; using a password should be the <em>last<\/em> thing you want to rely on.<\/p>\n<p style=\"font-weight: 400;\">First, think about the information and data a website is keeping on you. The sites we want to offer the most protections often have the weakest. Where you can, always add two-factor authentication to a site\u2019s access. (Not all multi-factor authentication is created equally, but some sort of multi-factor is better than none. If it encourages attackers to go elsewhere, it\u2019s done its job.)<\/p>\n<p style=\"font-weight: 400;\">Banks and financial organizations often do slow rollouts of authentication software, so you have to settle for a username, a password, and then a two-factor authentication tool \u2014 typically a text sent to your smartphone. 
While smartphone SIM chips can be cloned (so attackers can spoof your phone and intercept texts), the vast majority of us are still better off with this process. Relying only on a username and password for bank access puts your account at risk.<\/p>\n<p style=\"font-weight: 400;\">To be fair, not all passwords are created equal. If you have reused a password on another website or for a different bank account, you\u2019re more at risk. Attackers often steal or purchase a repository of hacked passwords or \u201chashes\u201d of passwords and then try to reuse them to gain access to other sites. If you\u2019ve ever received a password reset notification \u2014 and you didn\u2019t attempt to sign into the account \u2014 that\u2019s probably an attacker trying a credential-stuffing attack on the site. So don\u2019t reuse the same password anywhere.<\/p>\n<p style=\"font-weight: 400;\">For years, online users were told to vary their usernames to see whether a site was selling their information elsewhere. Now, I see that same sort of recommendation for choosing passwords or passphrases. There is a <a href=\"https:\/\/www.youtube.com\/watch?v=aHaBH4LqGsI\" rel=\"noopener nofollow\" target=\"_blank\">very funny video online<\/a> that nails the process people use to pick passwords. You start by picking a password and then use it everywhere. Then, when a site says that one isn\u2019t good enough, you add another letter. Then you need a special character (like the exclamation mark). The truth is: our brains can only hold so much information, which is why we tend to re-use the same password, or a variation of it, on multiple sites.<\/p>\n<p style=\"font-weight: 400;\">Microsoft often recommends the <a href=\"https:\/\/docs.microsoft.com\/en-us\/windows\/security\/identity-protection\/hello-for-business\/hello-why-pin-is-better-than-password\" rel=\"noopener nofollow\" target=\"_blank\">use of PINs<\/a> over passwords. 
It argues that a PIN is specific to the device, so if an attacker steals your PIN they have to steal the device, too. There\u2019s one problem with this argument. I have several devices that require a PIN, and I have to admit I use the same PIN on all of them because I can\u2019t remember PINs any better than passwords. According to Microsoft, the advantage of a PIN is that \u201cwhen the PIN is created, it establishes a trusted relationship with the identity provider and creates an asymmetric key pair that is used for authentication.\u201d A PIN is backed by the Trusted Platform Module (TPM) chip on the computer. (If you wondered why you had a Windows 10 machine that demanded you use a PIN instead of a password, it\u2019s because the operating system registered that you had the necessary hardware to support the process.) If you don\u2019t need or want to have a PIN, you can remove it. Press the Windows key and the I key to open Settings. Choose Accounts and then click on continue. In the left panel, click on Sign-in options. On the right panel, choose \u201cRemove\u201d under the PIN section.<\/p>\n<p style=\"font-weight: 400;\">Efforts to improve online security are spreading. Intuit recently started requiring an online password, even to log into the <em>desktop<\/em> version of QuickBooks, its accounting and bookkeeping software. Those with a QuickBooks file that includes sensitive information such as <a href=\"https:\/\/quickbooks.intuit.com\/learn-support\/en-us\/help-article\/security-risk\/password-security-quickbooks-desktop\/L6xfyXnvJ_US_en_US\" rel=\"noopener nofollow\" target=\"_blank\">payroll or credit cards<\/a> must also sign in with an online account first. For years, desktop users have only needed a username. 
Even so, many users felt the change seemed heavy-handed, especially when combined with a mandate to <a href=\"https:\/\/quickbooks.intuit.com\/learn-support\/en-us\/other-questions\/about-changing-company-admin-and-online-account-passwords\/00\/854648\" rel=\"noopener nofollow\" target=\"_blank\">change passwords every 90 days<\/a>. (Here again is that idea that changing passwords is preferable to better passwords or using the Google Authenticator app to access your Intuit account.)<\/p>\n<p style=\"font-weight: 400;\">Even if you\u2019re a small business, you can add two-factor authentication to your own computer access to bolster security. Duo.com, for example, offers <a href=\"https:\/\/duo.com\/editions-and-pricing\/duo-free\" rel=\"noopener nofollow\" target=\"_blank\">Duo Free<\/a> for deployments with fewer than 10 users. It provides a <a href=\"https:\/\/duo.com\/product\/multi-factor-authentication-mfa\/authentication-methods\/duo-push\" rel=\"noopener nofollow\" target=\"_blank\">two-factor prompt<\/a> to a smartphone or even the Apple Watch. I use it in my office for remote access to ensure that when anyone connects from outside the office, they have to respond to a prompt on their phone to gain access. Its ease of use means I can ensure that remote access is secure, and I can avoid excessive password changes.<\/p>\n<p style=\"font-weight: 400;\">If you\u2019re a vendor or a cyber insurance agency, listen up! Stop asking me to change my password. Ask me instead what my favorite multi-factor application is. 
That\u2019s the quickest way to improve security for most users.<\/p>\n<p><a href=\"https:\/\/www.computerworld.com\/article\/3652695\/change-my-password-again.html#tk.rss_security\" target=\"bwo\" >http:\/\/www.computerworld.com\/category\/security\/index.rss<\/a><\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[11062,10643],"tags":[714,24580,10525],"class_list":["post-18439","post","type-post","status-publish","format-standard","hentry","category-computerworld","category-independent","tag-security","tag-small-and-medium-business","tag-windows"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18439","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=18439"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/18439\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=18439"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=18439"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=18439"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}