Sigh.
Just got told by a company internal app that it's time to change my password.
Can we please stop with the fake #security? My password is a long string of randomly generated characters. Nobody's going to guess it any time soon.
Timeline
Post
Remote status
Context
11
@argv_minus_one I still believe in password rotation on long intervals (1 year min). Passwords that get spread across multiple systems (e.g. LDAP, OIDC) get used and abused and shoved into god knows what by people and it contains the damage to some extent of a lost first factor which happens all the time.
@7666 @argv_minus_one 1 year is reasonable and I would go even lower to 6 months at max. That said, there are companies that force password changes every 2 months and sometimes even faster. At that point it misses the point completely, because much more employees will just stick some number at the end or capitalize one letter and be done with it.
Guessing isn't the issue. If the hash gets exposed in a breach, attackers can brute-force it at their leisure. Rotation helps ensure that by the time they crack it, it's no longer valid. Rotation policy should thererore be based on projected brute-force time per string length, not arbitrary human calendar dates. Set a short password? Well then you're changing it often, don't like it, remember a longer password 🤷♀️
Yes, and if they brute-force it at their leisure, they gain…access to the same system they've already breached.
You didn't think I was reusing passwords, did you? I'm not completely incompetent.
Actually, they don't even gain that, because I've been notified that there's been a breach and have already changed my password.
So exactly which threat is being mitigated by time-based password rotation?
@argv_minus_one @nicholas @7666
>You didn't think I was reusing passwords, did you? I'm not completely incompetent.
You aren't 70+% of people in <insert your workplace>.
>So exactly which threat is being mitigated by time-based password rotation?
Forgotten accounts, password reuse.
>You didn't think I was reusing passwords, did you? I'm not completely incompetent.
You aren't 70+% of people in <insert your workplace>.
>So exactly which threat is being mitigated by time-based password rotation?
Forgotten accounts, password reuse.
@argv_minus_one @nicholas @7666 I mean forgotten accounts as accounts of employees that have been fired or left and weren't deactivated for whatever reason. That gives the account and absolute deadline where it is still active.
>Why are people at your workplace reusing passwords
Almost everybody that isn't tech savvy does that and there's exactly 0 ways to stop them from doing it, because they will never learn. Or people are just careless. Best you can do is force a password manager on people and put some higher password requirement on the vault password and some second factor. But have fun implementing that with Karen in HR.
>Why are people at your workplace reusing passwords
Almost everybody that isn't tech savvy does that and there's exactly 0 ways to stop them from doing it, because they will never learn. Or people are just careless. Best you can do is force a password manager on people and put some higher password requirement on the vault password and some second factor. But have fun implementing that with Karen in HR.
@argv_minus_one @nicholas @7666
>hardware tokens gets stolen or left somewhere
>game over
Amazing security. This push for hardware tokens as the solution to everything security genuinely annoys me. Instead of securing a single factor like a password with a second factor like a hardware token, the current push is to replace passwords completely with tokens, still making it a single factor authentication.
>hardware tokens gets stolen or left somewhere
>game over
Amazing security. This push for hardware tokens as the solution to everything security genuinely annoys me. Instead of securing a single factor like a password with a second factor like a hardware token, the current push is to replace passwords completely with tokens, still making it a single factor authentication.
Yes, that's the idea. MFA is security theater. The sum of a weak authentication method and a strong one is not significantly greater than the strong one by itself. The weak one is purely decorative. If both of them are weak then both of them are purely decorative. If both are strong then one is unnecessary.
And how the hell do you lose your hardware token without noticing? If it's gone, so are your car keys, your house keys, and your key into the office building!
And if you're worried people won't report a lost hardware token, you should be able to solve that with company policy:
“If you lose your hardware token, the punishment is we dock your pay by like $2 for a replacement token. If you lose your hardware token and try to cover up the fact that you lost it, the punishment is you're fired. Tokens are cheap; security breaches are expensive.”
Replies
7
@argv_minus_one @nicholas @7666 If I can take your token from you in a workplace and within 5 minutes or less gain access to everything, that is true security theater. Meanwhile you might get my token, but you probably aren't getting the password from me unless <xkcd 538>. If I can gain access to your whole computer by plugging in your token I stole, that is not security I would want near anything important.
>And how the hell do you lose your hardware token without noticing? If it's gone, so are your car keys, your house keys, and your key into the office building!
Idk, you leave your keys somewhere while on lunch in <company canteen>, i steal it from you in a hallway because you didn't have it securely on you,... Many different ways to achieve that. All it takes is a few minutes for someone prepared. Point is, your systems security might be high, but your physical security now sucks. In this case a smart card reader would actually be a really good solution and using your card to also log in to your computer, but barely any laptop now has a smart card reader.
On that note, it still vexes me that you can't setup a hardware key with password login on Windows I think. I have a hardware token on me almost at all times and I can set it up as a second factor on Linux with enough caffeine, but Windows can't do it (especially with an offline account).
>And how the hell do you lose your hardware token without noticing? If it's gone, so are your car keys, your house keys, and your key into the office building!
Idk, you leave your keys somewhere while on lunch in <company canteen>, i steal it from you in a hallway because you didn't have it securely on you,... Many different ways to achieve that. All it takes is a few minutes for someone prepared. Point is, your systems security might be high, but your physical security now sucks. In this case a smart card reader would actually be a really good solution and using your card to also log in to your computer, but barely any laptop now has a smart card reader.
On that note, it still vexes me that you can't setup a hardware key with password login on Windows I think. I have a hardware token on me almost at all times and I can set it up as a second factor on Linux with enough caffeine, but Windows can't do it (especially with an offline account).
You don't need xkcd 538 to break a weak password. And since we're talking about the password people type in by hand to login to their computers, not passwords stored in a password manager, goodness knows that password is going to be weak.
I suppose it would take more than 5 minutes, though.
Then again, if we're talking about the kind of ninja who could sneak into a corporate office building unnoticed, he probably already saw you type in your password…
@argv_minus_one @nicholas @7666
>Then again, if we're talking about the kind of ninja who could sneak into a corporate office building unnoticed, he probably already saw you type in your password…
You can have someone on the inside. That isn't that unheard of these days, especially in large profile companies that would already have hardware tokens. That said, offensive security is also a thing and yes, if you see couple of those guys in action, they can look like ninjas.
>Then again, if we're talking about the kind of ninja who could sneak into a corporate office building unnoticed, he probably already saw you type in your password…
You can have someone on the inside. That isn't that unheard of these days, especially in large profile companies that would already have hardware tokens. That said, offensive security is also a thing and yes, if you see couple of those guys in action, they can look like ninjas.
If the bad guys already have someone on the inside of your organization, you're already breached. They don't need to hack anything because they already have access legitimately.
The only way I can think of to solve that problem has absolutely nothing to do with computers: create a culture of mutual loyalty between employer and employee, so that no one is willing to betray the company in the first place.
Good luck selling that proposal to the shareholders, though…
I'm shocked to learn that Windows makes it hard to use a hardware token to log in. I remember Windows championing smart cards back in the 1990s when everybody else had never heard of anything other than passwords.
Old-fashioned card-slot-type smart card readers do seem to be a thing of the past now, but a cursory web search says some laptops have NFC interfaces and some smart cards are NFC enabled. That must be what the cool kids are using these days.
@argv_minus_one @nicholas @7666
>but a cursory web search says some laptops have NFC interfaces and some smart cards are NFC enabled.
Dell used to have NFC smart card readers on some of their laptops at least until recently. Don't know if they still do.
>but a cursory web search says some laptops have NFC interfaces and some smart cards are NFC enabled.
Dell used to have NFC smart card readers on some of their laptops at least until recently. Don't know if they still do.
@phnt @nicholas @7666 @argv_minus_one Sorry to interject but I just updated #Pleroma and I want to make sure federation is working (as the logs had a message saying it might not be working). If you can see this please say 'hi' or give an like/emoji reaction 🙏