Thursday, December 14, 2017

Tag: password

A password is a word or string of characters used for user authentication: it proves identity or access approval in order to gain access to a resource (an access code, for example, is a type of password), and it is meant to be kept secret from those not allowed access.

The use of passwords is known to be ancient. Sentries would challenge those wishing to enter an area or approaching it to supply a password or watchword, and would only allow a person or group to pass if they knew the password. In modern times, user names and passwords are commonly used by people during a log in process that controls access to protected computer operating systems, mobile phones, cable TV decoders, automated teller machines (ATMs), etc. A typical computer user has passwords for many purposes: logging into accounts, retrieving e-mail, accessing applications, databases, networks, web sites, and even reading the morning newspaper online.

Despite the name, there is no need for passwords to be actual words; indeed passwords which are not actual words may be harder to guess, a desirable property. Some passwords are formed from multiple words and may more accurately be called a passphrase. The terms passcode and passkey are sometimes used when the secret information is purely numeric, such as the personal identification number (PIN) commonly used for ATM access. Passwords are generally short enough to be easily memorized and typed.

Most organizations specify a password policy that sets requirements for the composition and usage of passwords, typically dictating minimum length, required categories (e.g. upper and lower case, numbers, and special characters), prohibited elements (e.g. own name, date of birth, address, telephone number). Some governments have national authentication frameworks that define requirements for user authentication to government services, including requirements for passwords.

Speaking at TechCrunch Disrupt, Google's Heather Adkins says startups should look beyond passwords to secure users and their data. September 10, 2013 12:57 PM PDT New startups looking for ways to keep their users secure should know one thing, a ...
Apple's addition of a fingerprint reader in its latest smartphone, the iPhone 5S, is part of its strategy to double down on device security. iPhone 5S' fingerprint reader, dubbed "Touch ID." (Credit: Apple) Apple has unveiled its smartphone's latest weapon: a fingerprint reader it's calling Touch ID. With its move, Apple could end up making the technology commonplace, as rivals might feel compelled to follow suit. It could be only a matter of time before passwords and passcodes are relegated to yesteryear. In making the iPhone 5S one of the first mainstream smartphones in the Western market to include hardware security, Apple has not only declared war on passwords and weak security, but it has begun to reinvent the notion of device and online identity. The iPhone 5S' fingerprint reader will act as a first line of defense against would-be thieves and hackers -- even intelligence agencies, to a degree -- against identity and content theft, fraud, and surveillance. Apple marketing chief Phil Schiller said at the Tuesday event that the Touch ID fingerprint scanner will be used to access a user's device quicker, as well as preventing unauthorized users from accessing a device's data.

App purchases can also be authorised with the scanner. The fingerprint data will be stored on the device and will not be backed up to iCloud, Apple confirmed. Once a feature aimed mainly at business customers, fingerprint technology has increasingly appeared in consumer devices, notably laptops. With a swipe of a finger, a device can unlock or decrypt documents without the user needing to remember passwords. But fingerprint reading technology has been dogged with problems -- namely, that it is not so hard to crack -- and that is something Apple is trying to address. Motorola first launched its Atrix smartphone with fingerprint reading technology, but it was reportedly dropped as consumers complained of errors. In Japan, many phones designed in part as digital wallets for electronic payments also feature biometric security.

This trend is set to continue later this year, following reports of a push in the South Asian market. In doing this, Apple is not only going after consumers, but businesses -- with iPhones and iPads making their way into more companies. The path Apple took to reach this point officially started long before the company acquired fingerprint and biometrics firm AuthenTec for $356 million in June 2012, with patent applications going back as early as 2009. Later, in October 2012, Apple inked a deal with Australian fingerprint security company Microlatch, sparking further rumors that a future iPhone would include fingerprint recognition technology, along with other security features embedded in its iOS software. Biometric and fingerprint technology has long been criticized by security experts. Biometrics are not an exact science and can be fooled. In some cases, confectionery and Play-Doh can be used as simple and cost-effective ways to skirt fingerprint security. The iPhone 5S' fingerprint reader authenticates a user's identity, preventing unauthorized users -- such as thieves -- from accessing the device's data. (Credit: Apple) Apple's bid to future-proof the iPhone meshes well with existing security shifts and trends such as epidemic levels of phishing, device thefts, and malware.

Its new fingerprint sensor likely means basic password security will take a backseat in favor of an increased focus on personal online identity.

And it could negate the need for two-factor authentication and password-reset questions. The move may help companies like PayPal, whose apps and payment services rely on ensuring the utmost levels of security. PayPal Chief Information Security Officer Michael Barrett alluded to the iPhone 5S' upcoming biometric technology at the Interpol conference in May.

He said, according to Macworld, that users pick "poor passwords" and "reuse them everywhere." He added: "That has the effect of reducing the security of their most secure account to the security of the least secure place they visit on the Internet." PayPal this year helped launch the Fast Identity Online (FIDO) Alliance, which aims to do away with passwords and codes, focusing instead on common and open standards. BlackBerry, Google, and Lenovo, a major player in the Chinese market, are also members of the group. While devices may be replaceable, data loss can be catastrophic for the owner if it lands in the wrong hands. Despite backups and cloud-based storage, this "security" to "identity" shift suggests the iPhone maker recognizes that data is tied to an identity, not an easy-to-crack access code. It comes just months after calls from New York Attorney General Eric Schneiderman for the smartphone industry to make devices and data more secure. Apple execs met with Schneiderman and San Francisco District Attorney George Gascón, but the company was already doubling down on software security. Pre-release versions of iOS 7 already included an "activation lock" feature, which requires users to enter a valid Apple ID to authenticate the device.

This de facto "kill switch" is designed to bolster the device's security at a software level. The possibilities for this technology could change the entire personal security landscape altogether. While a password can be as secure as a four-digit code or lengthy alphanumerics, a fingerprint could become the gateway to Web-based authentication -- something not too uncommon in this day and age where we make payments electronically or wirelessly from our smartphones. The app ecosystem will now be able to tap into a reliable and secure mechanism that can authenticate the person, not the device or the data, as the digital signature behind transactions and decisions.

The possibilities extend as far as in-app purchases, banking, and connecting to virtual workplaces, while at the same time reducing accidental app and game purchases and adding an extra layer against malware. While Barrett remained optimistic that this year more devices will contain identity management and security technology, he was less so about the death of the password. "Passwords won't disappear overnight," he said. However, Apple has fired the starting pistol on what it sees as the future of security and online identity, with a layered and multifaceted idea of how we connect with our devices and how our devices represent the user on an identity level.
Now that it has been revealed that the NSA has the keys to your data centre, analysts are working out new methods to shut them out. One of the plans is to develop corporate datacentres that encrypt data beyond the ability of the NSA to crack it. The idea is to use a new encryption technique that allows data to be stored, transported and even used by applications without giving away any secrets. The concept was presented by security researchers from Denmark and the UK to the European Symposium on Research in Computer Security. It builds on a long-discussed cryptographic concept called Multi-Party Computation (MPC). MPC allows two parties who have to collaborate on an analysis or computation to do so without revealing their own data to the other party. The idea has been kicking around since 1982, but ways to accomplish it with more than two parties, or with standardised protocols and procedures, were considered impractical. The Danish/British team have revamped an MPC protocol nicknamed SPDZ, which uses secret, securely generated keys to distribute a second set of keys that can be used for MPC encryptions. This allows a party on one end of a transaction to prove that it knows a piece of information, such as a password, by offering a different piece of information that could be known only to the other party. The technique could allow secure password-enabled login without requiring users to type in a password or send it across the internet. SPDZ was rejected as too slow and cumbersome to be practical, but the revamped version seems to work a lot better. Nigel Smart, professor of cryptology at the University of Bristol, streamlined SPDZ by reducing the number of times global MAC keys had to be calculated in order to create pairs of public and private keys for other uses. By cutting down on repetitive tasks, the whole process becomes much faster. It also keeps global MAC keys secret and makes the faster process more secure.
According to Slashdot, the University of Bristol is already working out ways to commercialise the technique.
The young hacker, whose real name is Jake Davis, opens up about his time in the cyberattack collective. September 9, 2013 11:04 AM PDT The LulzSec logo.

The top hat and monocle image was chosen at random, according to former member Jake Davis. (Cr...
The known unknowns of the NSA's crypto cracking.
Microsoft has been touting picture passwords as the next top trend in security, but researchers have discovered that these are not as difficult to crack as the company thinks. Microsoft offered a Picture Gesture Authentication (PGA) system on Windows 8 and many thought it was a wizard idea. But a paper presented at the USENIX Security Conference has shown that some setups are easier to crack than others. The paper, written by Arizona State University, Delaware State University and GFS Technology researchers under the catchy title "On the Security of Picture Gesture Authentication", said that unique picture password gestures may not be so unique. Using a picture of a person and then three taps as your gestures - with one of them on the eyes - is the equivalent of making your text password "password". The researchers also developed an attack framework and attack models that can defeat PGA: by modelling a user's password selection process, they were able to crack a considerable portion of the collected picture passwords under different settings. One of the problems is that most people choose to upload one of their own photos to set up their picture gesture password, instead of using one that Microsoft provides. Obviously there is a relationship between background pictures and a user's identity, personality or interests, with 60.3 percent of users selecting areas on an image where "special objects" are located. Eyes are the most frequently chosen point of interest, followed by nose, hand or finger, jaw and face. While some users chose a landscape photo because it "usually doesn't have any information about who you are," others selected computer game posters or cartoons, and the researchers said that doesn't necessarily protect your privacy.
Over the past year, the Ministry of Justice has had 164 Blackberry devices lost or stolen. Harrow West Labour MP Gareth Thomas asked the Secretary of State for Justice how many computers, mobiles, Blackberrys, and other pieces of IT equipment were lost and stolen from the department in the 2010-11, 2011-12, and 2012-13 periods - and whether he would make a statement. Helen Grant, Conservative MP for Maidstone and The Weald, replied that all laptops and Blackberrys are encrypted and protected with a complex password, and any that are registered as lost or stolen are blocked remotely, "making it impossible for them to be used". 13 PCs or laptops were lost or stolen between 2012 and now, while 57 mobile phones also went missing. 164 pieces of IT equipment - such as RSA/RAS secure ID tokens, Becrypt encryption tokens and removable media - were lost between 2012 and now. Grant defended the losses by saying the Ministry adopts the government security policy framework requirements to protect its assets securely. "Clear processes are in place for notification of any loss, including reporting it to the police," Grant said. "The compliance of staff with policy and guidance is a line management responsibility, and in the event of any breach, disciplinary action may be taken". A specific sanction, Grant said, applies to the removal of unencrypted laptops or other official IT equipment.
The government plans to go ahead with a controversial database of patient records, backed by a £1bn investment in IT over three years, despite catastrophic failures with similar NHS IT projects in the past. In theory, a single patient record database will ease pressure on A&E departments by cutting paperwork and making hospitals safer, with patient information easily accessible to medical staff. The system will also enable patients to manage repeat prescriptions, book GP appointments and access their own GP record online. Health secretary Jeremy Hunt claims patients are dying because they are being prescribed the wrong drugs, but that new technology can reduce these errors by half, according to the Guardian. "The appalling condition of much of the current IT infrastructure is not just a huge burden on NHS finances. It threatens patient safety, frustrates staff and is an unnecessary pressure on A&E departments," Hunt wrote in a blog post. Hospitals will bid for cash from a £500m technology fund to implement the scheme, but will be expected to match the government's contribution. Hunt believes technology is the key to improving health services and that past IT failures in the NHS must not prevent patients from seeing the benefits of technology that is transforming other services. Labour's failed attempt to install a universal IT system in the NHS had the right idea but the wrong execution, Hunt told ITV news. Labour's £13bn NHS computer scheme was "a gargantuan, one-size-fits-all solution that proved as unworkable as it was costly", Hunt wrote in his blog post. "Today's announcement builds on our radically different vision - innovation driven by local healthcare providers working in the interest of patients. Individual providers will bid for our support in driving these local solutions," he wrote.

Privacy concerns

Privacy campaigners have warned that the scheme will have a negative effect on the relationship between doctors and patients. They argue that women suffering from domestic abuse, for example, will not tell their GPs out of fear that their partners will coerce them to reveal the password to their patient records; or that low-income mothers will refuse to talk to GPs about post-natal depression because of fears that social services will find out. In response to these concerns, the Department of Health (DoH) said it is important that health professionals maintain accurate records, so patients get the right treatment. "The NHS Constitution makes clear that patients have the right to request that confidential information - in whatever form it is kept - is not used beyond their own care," said the DoH. "Any electronic patient records system adopted by hospitals must be secure and comply with NHS England's requirement for modern, safe standards of record-keeping." Tim Kelsey, national director for patients and information at NHS England, said a single patient record database means patients will not have to repeat themselves each time they speak to a different health care professional, according to ITV news. "This extra funding will help us better meet the overwhelming demand from the Safer Hospitals, Safer Wards fund announced in May this year. It's great news for the NHS and great news for patients," said Kelsey. Chief executive of the NHS Confederation Mike Farrar said the cash injection to upgrade NHS IT systems should free up staff so they can concentrate more on caring for patients, if it is invested in the right tools and technology.
Data theft from UK companies by employees is at a record high, according to law firm EMW. The number of High Court cases relating to the theft of confidential company information more than doubled from 2010 to 2012, the firm told the Telegraph. In the past year, most cases involved small companies and employees who were leaving the company. Research from EMW shows that data theft is costing small UK companies millions of pounds, with the average legal costs alone at around £30,000. Typically, disgruntled employees are making copies of company databases and other business-critical information to take to new employers, to set up their own businesses, or to sell to marketing firms. Data theft has become extremely easy as employees are able to copy vast quantities of data within seconds to cloud-based storage services, which can be accessed later from outside the company. Remote access to company systems is also enabling disgruntled employees to access sensitive information and copy it to their home computers. Smaller companies tend to be more vulnerable to such data theft due to the lack of technical controls and security policies more commonly in use by larger companies. The most commonly affected small companies are financial services firms, estate agents and recruitment firms. In April, a survey by OnePoll for security company LogRhythm revealed that 75% of UK employees polled said they had no systems to prevent employees gaining unauthorised access to company data. Some 80% said they did not believe any of their employees would view or steal confidential information, yet a poll of employees showed 23% had accessed or taken confidential data from their workplace. One in ten employees admitted they access confidential data regularly. The employers’ survey showed a third do not believe there is a need for systems to protect data from employees, and nearly two-thirds do not regularly change passwords to stop ex-employees accessing sites or documents. 
The Syrian hacktivist attack on the New York Times website highlights an urgent need for registry locking, says communications and analysis firm Neustar. The site was unavailable after the Syrian Electronic Army (SEA), which supports Syrian president Bashar al-Assad, was able to access the domain name system (DNS) settings for the site. The SEA breached the NYT's domain name registrar Melbourne IT and changed the DNS record to point to systems in Syria and Russia. Melbourne IT blamed the NYT outage on one of its resellers, whose account was compromised. Setting up a registry lock provides a relatively easy and inexpensive way to mitigate the risk of unauthorised DNS changes, said Rodney Joffe, senior technologist at Neustar. The danger of an attacker being able to access DNS settings is that visitors can be redirected to malicious sites, he told Computer Weekly. This can have a huge financial impact, ranging from hundreds of thousands to millions of dollars through lost business, but it can also cause brand damage by association with exposure to malware, said Joffe. Applying a registry lock provides protection by requiring any change to a domain's name servers to be verified and authenticated by the website owners. A registry lock therefore protects against DNS tampering even if an attacker is in possession of a username and password, or if a domain name registrar is compromised, as happened in the NYT attack.

Twitter's best practice commended

Twitter was also targeted by the SEA, but the impact was minimal because the attackers were unable to change DNS settings: the microblogging site has a registry lock in place. According to Joffe, all website owners should follow Twitter's example, in line with industry best practices published by the internet's main governance body Icann. Security firm Rapid7 notes that in the immediate aftermath of the SEA attack on the NYT site, several unlocked domains at Melbourne IT rushed to put registry locks in place, including Starbucks. Failure to put registry locks in place puts any company, its customers and its brand at risk, and yet this threat can be blocked for under $100, said Joffe. "Considering the high risk of attack and the low cost of protection, it is mind boggling that relatively few large companies have registry locks in place," he said. According to Rapid7, around 90 company websites hosted by Melbourne IT did not have registry locks in place at the time of the SEA attack, including adobe.com, ibm.com, mcafee.com, and royalmail.com. Neustar has seen an increasing number of attempts by attackers to access domain name settings since May, but the targets had not included high-profile domain names until the past two to three weeks.

Changing landscape of threats

It is just another evolution in the threat landscape that companies will have to bear in mind when updating their information security strategies, said Joffe. Companies will have to adjust their defence strategies, he said, just as they have done in the past three years as they have moved from defence only to include elements of mitigation. "They have realised that no matter how hard they worked and how much effort they put into their infrastructure, they had to prepare for attacks," said Joffe. The threat landscape has demanded a shift from building higher, thicker walls to planning what can be done when an attacker breaches those defences, he said. Attackers are also beginning to go after the weakest links in the supply chain, which means that information security strategies need to extend beyond an organisation to its business partners. Kenneth Geers, senior global threat analyst at FireEye, said the method of attack on the NYT may indicate that the SEA has begun going after media organisations' supply chains. "Rather than attacking a large firm directly, the SEA is opting to identify weaker links between the firm and other partnering organisations that they use for business operations. This is because the victim firm may not have as much control over the operational security employed by the partners, so the partners are an easier target to focus on," he said. Geers said it is likely that this type of attack will continue as long as supply chain security remains weak.
Fraud committed using personal details obtained by scammers through voicemail, voice over IP, landline and mobile calls is costing UK citizens at least £7m a year. Victims are duped into revealing personal and financial information or making payments to fraudsters through phishing attacks that use voice communications, known as 'vishing'. Around a quarter of UK adults were victims of vishing in the past financial year, with 43% of victims over the age of 50, according to a report by Financial Fraud Action UK (FFA UK). Four in ten people admitted they found it challenging to tell the difference between a genuine and a fraudulent call, according to an FFA UK survey of 2,000 UK adults. Almost a third of the UK population received at least 10 cold calls a, with 41% suspecting that a call was fraudulent or suspicious. Vishing typically involves a fraudster calling a victim and posing as someone from a bank fraud team, the police, or another legitimate organisation such as an internet service provider. They attempt to obtain financial information, which often includes credit/debit card details, bank account details and personal information such as full name, date of birth or address. This information is then used by the fraudster to gain access to the victim's finances. Fraudsters can also deceive victims into transferring money to them. Fraudsters can use personal information gleaned from vishing in a number of ways, including to access a victim's bank account, make fraudulent purchases and commit identity theft. FFA UK said everyone should be wary of any unsolicited phone calls and should never disclose bank personal identification numbers or online banking passwords to anyone. It said any suspicious calls should be terminated, and warned that criminals typically have some basic information about their intended victims that they use to trick them into disclosing more.
Snooping on a person or company is not new; it is just that the internet age has brought an added dimension: the cyber thief. The old techniques of safeguarding one's possessions - and that includes information and intellectual property (IP) - are still valid. Examples include properly vetting new staff by taking up references, checking out the CV and so on; ensuring staff are happy and cared for, as disgruntled employees pose one of the bigger threats in this computer and internet age; escorting visitors; operating a clear-desk policy for unattended desks; and ensuring the physical security of sites, buildings, offices and storage facilities (including filing cabinets) is fit for purpose, properly maintained and used appropriately. But these seemingly "motherhood and apple pie" techniques have their parallel in the cyber world. The clear-desk policy translates to powering off a PC outside of office hours (where practical) and having a password-protected screen lock that kicks in after a reasonably short period of inactivity (say, five minutes). Physical security translates to electronic security, and that is where many companies are not doing a sufficiently good job, mainly out of ignorance.

The computer, like the car, needs to be maintained and used properly to get the best out of it. So, in the world of electronic security, what are we looking at? Starting at the internet and working our way in, we have the firewall. Is one installed? Is it running the latest version of its software? And is it configured appropriately and maintained? For example, was the rule set installed for a test removed, and are the rule sets as minimalist as possible and consistent with being able to operate the company? Associated with the firewall we may have a demilitarised zone (DMZ) where email gateways and web servers would be installed.

Are any servers on the DMZ security patched to the latest level? Have unused services been removed? If you do not use FTP, then none of the DMZ servers should have that application.

This is a case of removing the unused application or service, not merely disabling it. While on the subject of the firewall and DMZ, it is fair to say that any service offered to the internet should be provided by servers running on the DMZ and not by servers running within the main company network. Moving on into the company's network, all servers and network infrastructure devices such as Ethernet switches should be running a supported version of software and be security patched up to date. Servers should also be running antivirus or similar anti-malware software, which should likewise be kept fully up to date. These statements apply equally to the servers and devices in the DMZ and, of course, to PCs connected to the network - remember that Windows XP, like Server 2003, is close to its end of life. Modern operating systems have firewall capabilities, and these should be used not to replace the internet firewall but to supplement it and add a defence-in-depth dimension. All users should have a unique logon to the network, and people with system administration duties should have two unique logons - a "normal" user account for day-to-day tasks, and a higher-privilege account for the actual system administration work. Password complexity and lifetime should be enforced by the system, for example: eight printable characters, a 90-day lifetime, and no reuse of recent passwords. The whole issue of bring your own device, use of personal USB memory sticks and so on, is a separate subject. Peter Wenham is a committee member of the BCS Security Forum strategic panel and director of information assurance consultancy Trusted Management.

This was first published in August 2013.