Posted by:
admin
13 years, 11 months ago
Here we go again. Another attack results in a password file being posted on the Internet. Queue the analysis of the password file. State how users always choose the simplest passwords and cannot be trusted with their own security choices. Of course, this is a great time for WiKID to note that two-factor authentication solves this problem.
However, this is not the case. The users that chose 'password' or 'gawker' or whatever are the winners. If your Gawker password is '6asd980*&)-0sdf-09=9=2354' plus some ascii characters that you have the cut and paste each time, you are the loser. If you log into Gawker using a 12 digit alphanumeric password generated by a pseudo-random password generator, you are just as owned as the person who uses 'letmein'.
And while two-factor authentication will solve this problem, even WiKID's multi-domain capability would get awkward for all the sites that need to have account information, but don't really require a great deal of security. The concern is that users will use the same credentials across multiple sites and that some of those sites will be more critical than others. It's less of a concern now that most critical sites (e.g. banking & finance) have password policies. What happened in this case is that the user's Twitter accounts were compromised to send spam. Now the user face the hassle of reclaiming their Twitter accounts.
What we need is more support for Oauth, SAML and other services to minimize the need for static passwords for low-security sites. That brings up two points: 1. Do I want Google or Facebook tracking my logins across the Internet? and 2. If I have all these keys to kingdom in one place, shouldn't I have two-factor authentication for that?
Of course, this situation shows that a certain number users already have created a Twitter/Gawker connection.
Share on Twitter Share on Facebook
Recent Posts
- Blast-RADIUS attack
- The latest WiKID version includes an SBOM
- WiKID 6 is released!
- Log4j CVE-2021-44228
- Questions about 2FA for AD admins
Archive
2024
2022
- December (1)
2021
2019
2018
2017
2016
2015
2014
- December (2)
- November (3)
- October (3)
- September (5)
- August (4)
- July (5)
- June (5)
- May (2)
- April (2)
- March (2)
- February (3)
- January (1)
2013
2012
- December (1)
- November (1)
- October (5)
- September (1)
- August (1)
- June (2)
- May (2)
- April (1)
- March (2)
- February (3)
- January (1)
2011
2010
- December (2)
- November (3)
- October (3)
- September (4)
- August (1)
- July (1)
- June (3)
- May (3)
- April (1)
- March (1)
- February (6)
- January (3)
2009
- December (4)
- November (1)
- October (3)
- September (3)
- August (2)
- July (5)
- June (6)
- May (8)
- April (7)
- March (6)
- February (4)
- January (427)
2008
- December (1)
Categories
- PCI-DSS (2)
- Two-factor authentication (3)
Tags
- wireless-cellular-mobile-devices (7)
- Two-factor authentication (10)
- Wireless, cellular, mobile devices (6)
- NPS (1)
- Phishing and Fraud (111)
- Active Directory (1)
- pam-radius (3)
- privileged access (2)
- Cloud Security (10)
- Mutual Authentication (60)
- Web Application Authentication (1)
- Authentication Attacks (99)
- pci (50)
- Security and Economics (97)
- WiKID (133)
- pam (2)
- VPN (1)
- Installation (2)
- RADIUS Server (1)
- Open Source (64)
- Tutorial (2)
- Strong Authentication (35)
- Information Security (137)
- Transaction Authentication (13)
- Miscellaneous (100)
- Linux (2)
- transaction-authentication (6)
- Two Factor Authentication (254)