Apple blows chunks

like we often say about DoD IT cYbErSeCurITY: "It's so secure, NOBODY can get in!" :D Currently we sit here, unable to review debrief HUD tapes because the peripherals (DTC USB readers) are blacklisted by the nonners on the non-flying side of base. Winning. Heck, one of my subordinates spent 25 minutes trying to get them to open up the port to the printer. A printer... So we hear ya.
In their (slight) defense printers can be an attack surface. . .like a lot of consumer junk, too. We used to joke the the "S" in "IOT" stood for "security".
 
I guess that depends. I consider my house (relatively) secure.

Security is all about protecting against risk. If your house is breached (which is probably easier than you realize) and the notebook stolen, you now don’t have your own passwords, and someone has access to all of your accounts. If your house floods, or burns, or the notebook gets misplaced, you lose access to your accounts. If you use your passwords outside of your house, the risk increases. There is nothing secure about storing unencrypted passwords in a notebook (or, certainly, in plaintext on your computer.) I suppose you could argue that all of your passwords are materially complex and unique, you encode them in a way only you know, and you store them in a flood and fireproof safe which can't easily be removed from your house, but I suspect that none of those things are true for most people.

Password managers don’t completely eliminate risk, but properly used, they significantly reduce it while providing significant convenience. In addition to protecting passwords with encryption and MFA (including, optionally, a physical token), they can generate highly complex and strong passwords which most people would not generate on their own. There are other benefits to a password manager, such as breach detection, automated password cycling, passkey support, encrypted credit card and note storage, and syncing across devices, which a paper notebook does not provide.
 
Last edited:
Not to nit pick, but information security is about managing risk, not protecting against it.

In an office, which is often a shared or open environment, writing down passwords is discouraged for a number of reasons. Part of that is security, part of that is compliance which is part of security, and part of that is just accountability. But at home, writing down passwords isn't necessarily a bad plan.

While there are some theoretical advantages in using some password managers, there are also added risks of using any such system. While the risks of using personal cloud based storage or downloaded apps for passwords may not be high enough to be a concern for most people, I'm not one to recommend them unless the convenience and availability override any other risks.

Now that's just for personal use. If you have a business where you maintain a number of on-prem servers, then an on-prem PAM (privileged access management), still not cloud based, system might make sense. That's when all those fancy features make sense, for the admin accounts - not the user accounts - of your IT systems. But if you're operating at that scale I hope you're not getting your IT information from a pilot's forum.

I know, I know, what I'm saying isn't trendy, and it doesn't support all the noise about what a great idea it is to use a password management system. Or personal VPN. Or whatever other magic hair growing formula is out there. (Except FIPS 140 USB drives. Those actually are pretty cool.)
 
Security is all about protecting against risk. If your house is breached (which is probably easier than you realize) and the notebook stolen, you now don’t have your own passwords, and someone has access to all of your accounts. If your house floods, or burns, or the notebook gets misplaced, you lose access to your accounts. If you use your passwords outside of your house, the risk increases. There is nothing secure about storing unencrypted passwords in a notebook (or, certainly, in plaintext on your computer.) I suppose you could argue that all of your passwords are materially complex and unique, you encode them in a way only you know, and you store them in a flood and fireproof safe which can't easily be removed from your house, but I suspect that none of those things are true for most people.

Password managers don’t completely eliminate risk, but properly used, they significantly reduce it while providing significant convenience. In addition to protecting passwords with encryption and MFA (including, optionally, a physical token), they can generate highly complex and strong passwords which most people would not generate on their own. There are other benefits to a password manager, such as breach detection, automated password cycling, passkey support, encrypted credit card and note storage, and syncing across devices, which a paper notebook does not provide.

Go on! Go on! You're on a roll!
 
managing risk, which some don't understand includes consideration of the cost of protection vs the cost of losing the data (corrupted or copied or ...)

Kind of like aircraft insurance, if the cost of hull insurance exceeds the cost of the hull, then it would be kind of, ahem, dumb to have hull insurance.
 
MFA with SMS or email is indeed terrible, and barely more secure than not having at all, but how is MFA with a TOTP requiring anyone to give out more personal data? It’s as anonymous as it is possible to be.

I personally use the best MFA that the service provides. If a service allows for TOTPs I use that and disable SMS/email fallback if possible. Also I always store recovery codes when possible and use that for password reset instead of email.

Financial institutions are the worst offenders of only using crappy SMS based MFA. One of the most sensitive accounts we regularly have and the entire industry is a decade or more behind in terms of security practices.
 
It forces the user to give out a mobile number that they should have zero interest in sharing. This in and of itself is a major security breach.
I literally said using a TOTP, not SMS, in the paragraph you quoted. How does using a TOTP a la Google Authenticator (pick your favorite app) require giving out a mobile number? It doesn’t.
 
Forcing complex passwords or sending a code to a phone does nothing to mitigate the hacking risk
Password rules as implemented generally are not sufficient to avoid good dictionary attacks, but having long, random passwords as provided by password managers absolutely does reduce risk. Forcing humans to come up with passwords on their own with no system encourages 2 things:

1) short, native language passwords that are easy to remember. This makes them incredibly susceptible to dictionary attack or basic social engineering attacks (not hard to figure out your spouse’s birthday).

2) password reuse. This is the even more problematic one as now your security is only as good as that of the weakest website or service you used that password with. Whenever any service gets its passwords leaked because they have crap security and authentication implementation (the service shouldn’t be able to even figure out your password in clear text, not to mention have it leaked) those leaked passwords are instantly tried on dozens of high value services. If you reuse your password now you have multiple accounts compromised from a single data breach.

The best password based security is to use long, complex, and random passwords that are used for one thing and one thing only. Passwords generally aren’t a good solution but if we are using them there are definitely better and worse practices.
 
The best password based security is to use long, complex, and random passwords that are used for one thing and one thing only. Passwords generally aren’t a good solution but if we are using them there are definitely better and worse practices.

I disagree.
 
It's not like it's impossible to make copy of portions of the notebook...
 
MFA in general is terrible, at least the way it is generally implemented.

In practice, it requires each of us to provide an ever-expanding set of personal data to each and every company we do business with. This does not reduce our individual risk, it increases it.

A competent hacker doesn't go after one person. They go after databases that have info on large numbers of people. The more personal info those databases have, the more valuable that target is to a hacker.

Forcing complex passwords or sending a code to a phone does nothing to mitigate the hacking risk, and just adds more data that can be hacked to enable ID theft from other platforms using the same personal data to implement MFA.
For most consumer implementations, I agree completely. Because it's being implemented for lowest possible cost for the provider, and because it's almost always done solely to meet compliance requirements.

A decent way to do it that doesn't require phone numbers or personal data is a combination of a smart card, or hardware or software token, and a short PIN. That combination is pretty common for large businesses, but it's generally considered too expensive for anyone to want to use it for consumer applications. So nobody will until it's mandated by someone.

Privacy is a good point. We have very few protections around that, and every proposal I've seen doesn't address the root problem. The problem is that no one seems to understand that personal data is owned by the individual, and collecting and selling that data without an agreement to compensate the individual for that use is really theft.

Or in other words, if someone stalks a single person, in many states it's a crime. But if a company stalks 100 million people, and then sells access to that data, it's a business model. And there are at least a dozen large companies doing that very thing. Why we permit it is beyond my understanding, except for greed.
 
Account should be ready in 23 more hours…
 
I think you maybe stood in the "abuse" line instead of the "argument" line.
 
I use a three part password: a number component derived from the N number of the plane I soloed in (but not that plane text number (yes I misspelled plain on purpose, this being POA and all), a six letter alpha portion, upper and lower case mixed. These two parts remain constant across all passwords, and a three or four alpha portion that is unique to the target website. Then these three components are presented in different orders.

Yes it is crackable with enough computer power. But it is easy enough for me to remember, and if that fails: With a few tries I can reconstruct it.

-Skip
 
It's not a good idea to tell people how you construct your passwords.
Depends on the method. For example, I wouldn't mind telling people that I either use a set of dice or a background radiation measurement to generate a bunch of entropy, encode the result using base64 and then truncate to fit.
 
7eb58a0e7caebe2e8afb8b07cc26f8f6.jpg



Sent from my iPhone using Tapatalk
 
Back
Top