Thursday, August 7, 2014


I enjoy Coyote Blog.  Today, you should read his blog. Srlsy! Don't make me steal all his posts!


Buck said...

Good advice there but I wonder exactly how many people will follow it, including myself. Changing passwords, as noted at the link, is a seriously problematic and time consuming activity.

Ex Bootneck said...

Leave the posts where they are, I have just perused 'Coyote.'

I agree with Buck in that Coyote offers great advice, unfortunately it is far too often ignored. Just recently I attended a security seminar where percentages and statistics were fired off like firecrackers at Chinese New Year; eventually one just gets fed up watching and listening to it all. It was only when a guest speaker stood up and chatted about his self-written software product that was capable of data capture, and the blocking of the same, that I came back from the land of nod.

Imagine if you will a volunteer in the small audience who agreed to enter his personal password into his laptop, which as it turned out was a 26-digit mix of upper and lower case, special characters, and numbers (who in the hell does that? A Star Trek geek, as it happens!) After logging in, the speaker stepped forward and viewed his own laptop, upon which he 'told' the volunteer "You use a 26-digit password consisting of a blah blah mixture." This was followed by a nervous nod. "May I mention the website you entered?" Another nervous nod followed. "Starfleet International!" Now a very nervous volunteer looked extremely nervous until the speaker said "Thank you for that, you may want to change your password later." I looked at my mate whom I have known for 20 years and said "No wonder you kept that a bloody secret," which cost him a pint and a pub lunch afterwards.

Needless to say the guest speaker stole the day, and eventually earned the financial backing he required to further exploit his software program.

Some stats (wake up there!)
*Consumers are experiencing password fatigue. The average user has 26 password-protected accounts but typically uses only five different passwords.
*Consumers are resistant to regularly updating their passwords. A Symantec survey indicated that 38 percent of people would rather clean a toilet than come up with a new password. (Depends whose toilet we're talking about; the new buxom barmaid at the Fiddler's Arms pub would get a positive review ;-))
*The number one cause of breaches and compromised records in large organisations is stolen credentials. Symantec research asserts that 80 percent of data breaches could have been eliminated with the use of two-factor authentication.
*In 2013, the two most common passwords were: 1) 123456 and 2) password.
*The vast majority of serving/ex-serving personnel use their official service number as a password.
*Cat owners tend to use their cat's name as a password, more so than dog owners.

There are more but I hear snoring at the back of the room... Yours Aye.

HMS Defiant said...

I don't do it as often as I should but I have another lapse that I live with. 95% of the places that want you to use a password to log in with are a joke. Banks, sites with credit card data, stock accounts, etc...they need to be protected but there is really no good reason to require a password to log onto public websites where all you do is self identify. I routinely forget the unimportant ones and all of them email me my new password when I tell them I've lost my old password.

HMS Defiant said...

Buck will like this one. When EDS brought us the NMCI it came with a strict password requirement. I'd ask why and they'd assure me that it was for security, and I'd ask, what security? You just outsourced 100% of our sysadmins to India, any of whom can log on using our stored information without our assistance. We exchanged mutual sneers.

I remember going to one of those little security conferences where a Ph.D. was talking about actually approaching the NSA and asking them if he could let his little "Intelligent Agents" run around behind their firewalls in order to see how much information he could get out, and thus show them how vulnerable they were to hacking. Ah, if he had only known that all it took to hack the NSA was for somebody like Snowden to volunteer to clean their toilets in exchange for their passwords..... :)

They didn't get it.

Buck said...

Buck will like this one.

True story: I did a lil TDY to Herndon, VA sometime in the late '80s to help our (EDS) nascent Military Services Division with a proposal they were writing in response to an RFP released by one of the services. The job wasn't a long one... about a week or two... and at the end one of the senior managers at MSD asked if I'd be interested in transferring to Herndon and joining MSD (remember: they were ramping up at the time). My reply was "Not only no, but HELL NO."

That was prolly the best damned decision I ever made during my civilian career. Otherwise I might have been part of that NMCI debacle.

HMS Defiant said...

I saw that as writing in letters of fire ten miles high. DON'T GO THERE. Kind of glad I was drafted after we won the Greek Olympic security contract. Sure, I had to work again at SPAWAR, but all things considered, while I may have drawn up the surveillance BOM for the company before I was transferred, it wasn't me that continually wrote down the planned BOM until it was truly worthless. Since I told them I wouldn't do it, I'm grateful