Passwords and Internet security

Discussion in 'Living Room' started by Handyandy, 13th Jul, 2019.

  1. TSK

    TSK Well-Known Member

    Joined:
    14th Apr, 2018
    Posts:
    625
    Location:
    VIC
    Pass the hash is not likely to be a threat for most internet users; session stealing is, and this doesn't care about your MFA. NIST has moved away from the practice of scheduled password changes because it doesn't actually make them better. Just use a password manager and secure it correctly, and practise safe internet usage, e.g. keep software patched, use MFA, ensure you're using a site you trust, etc. etc.

    Pet peeve: you don't decrypt password hashes. A hash is a one-way process; you can guess the password and match it to the hash, but you can't take the hash and reverse it using a key.
     
  2. Simon Hampel

    Simon Hampel Founder Staff Member

    Joined:
    3rd Jun, 2015
    Posts:
    12,393
    Location:
    Sydney
    Reference:

    NIST Special Publication 800-63B

    5.1.1.2 Memorized Secret Verifiers

    Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated characters) for memorized secrets. Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.
    FAQ: NIST SP 800-63 Digital Identity Guidelines-FAQ

    Q-B5: Is password expiration no longer recommended?

    A-B5: SP 800-63B Section 5.1.1.2 paragraph 9 states:

    “Verifiers SHOULD NOT require memorized secrets to be changed arbitrarily (e.g., periodically). However, verifiers SHALL force a change if there is evidence of compromise of the authenticator.”

    Users tend to choose weaker memorized secrets when they know that they will have to change them in the near future. When those changes do occur, they often select a secret that is similar to their old memorized secret by applying a set of common transformations such as increasing a number in the password. This practice provides a false sense of security if any of the previous secrets has been compromised since attackers can apply these same common transformations. But if there is evidence that the memorized secret has been compromised, such as by a breach of the verifier’s hashed password database or observed fraudulent activity, subscribers should be required to change their memorized secrets. However, this event-based change should occur rarely, so that they are less motivated to choose a weak secret with the knowledge that it will only be used for a limited period of time.
     
  3. TSK

    TSK Well-Known Member

    Joined:
    14th Apr, 2018
    Posts:
    625
    Location:
    VIC
    Yeah. Detection of compromise is something a SOC should be able to identify. It will take a while for orgs to move to this; FWIW, AGISM has different suggestions.
     
  4. TSK

    TSK Well-Known Member

    Joined:
    14th Apr, 2018
    Posts:
    625
    Location:
    VIC
    Reverse proxy of trusted site + social engineering = MFA compromised, e.g. Evilginx. Defence in depth rather than some magical technology cure, e.g. education, patched systems, network segmentation and segregation, config hardening, endpoint protection software, etc. etc.

    FYI, download Nessus and test your own infra and configs. The free version does 16 IPs, which should be fine for home and some SMB/E.
     
  5. bunkai

    bunkai Well-Known Member

    Joined:
    26th Jun, 2015
    Posts:
    858
    Location:
    Sydney
    I think the point was that it was unwise to assume the passwords can't be derived from their hash, if indeed they are actually hashed.
     
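As an added example (not part of any post in this thread), the following Python puts the point made by TSK and bunkai about hashes, and the NIST FAQ's point about "common transformations", into working code: an unsalted hash is not decrypted but guessed at, one precomputed table cracks every user who picked the same word, a rotated password derived from a leaked one falls to a handful of transformation rules, and a per-user salt with a slow KDF forces the attacker to redo the work per user. Every password, hash and the wordlist below are constructed for the demo; nothing here is taken from a real breach.

```python
"""Hashes are one way: you do not decrypt them, you guess and compare.

Added example, not code from the thread. (1) dictionary attack against an
unsalted SHA-256 hash, (2) NIST's warning that "common transformations" of a
leaked old password make the replacement guessable, (3) a per-user salt plus a
slow KDF makes the same guessing far more expensive and defeats shared tables.
All passwords and hashes below are constructed for the demo.
"""
import hashlib
import hmac
import os
from typing import Dict, Iterable, Iterator, Optional, Tuple

# Constructed "wordlist" of popular passwords (stand-in for a real list).
WORDLIST = ["123456", "password", "qwerty", "letmein", "Summer2019", "welcome1"]

PBKDF2_ITERS = 100_000  # work factor for the salted, slow variant


def transformations(old: str) -> Iterator[str]:
    """Yield the 'common transformations' NIST describes: the old secret itself,
    a trailing number bumped by one, a few common suffixes, case of the first
    letter flipped."""
    yield old
    head = old.rstrip("0123456789")
    tail = old[len(head):]
    if tail:
        yield head + str(int(tail) + 1).zfill(len(tail))  # Summer2019 -> Summer2020
    else:
        yield old + "1"
    for suffix in ("!", "1!", "2020"):
        yield old + suffix
    yield old.lower() if old[:1].isupper() else old.capitalize()


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: what a weak verifier might store."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_unsalted(target_hex: str, candidates: Iterable[str]) -> Optional[str]:
    """Guess-and-compare: hash each candidate and match it against the target.
    There is no key to 'decrypt' with; the hash only tells you when you guessed right."""
    for cand in candidates:
        if hmac.compare_digest(sha256_hex(cand), target_hex):
            return cand
    return None


def precomputed_table(words: Iterable[str]) -> Dict[str, str]:
    """One hash -> word table cracks every unsalted user who chose that word."""
    return {sha256_hex(w): w for w in words}


def pbkdf2_record(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Store (salt, slow digest); a fresh random 16-byte salt per user by default."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERS)
    return salt, digest


def crack_salted(salt: bytes, digest: bytes, candidates: Iterable[str]) -> Optional[str]:
    """Same guessing loop, but each guess costs PBKDF2_ITERS iterations and has to
    be repeated for every distinct salt, so a shared precomputed table is useless."""
    for cand in candidates:
        guess = hashlib.pbkdf2_hmac("sha256", cand.encode("utf-8"), salt, PBKDF2_ITERS)
        if hmac.compare_digest(guess, digest):
            return cand
    return None


if __name__ == "__main__":
    # (1) Unsalted: one table recovers two users who picked the same password.
    table = precomputed_table(WORDLIST)
    leaked = {"alice": sha256_hex("Summer2019"), "bob": sha256_hex("Summer2019")}
    print({user: table.get(h) for user, h in leaked.items()})

    # (2) Alice "rotated" her password the way NIST says users do.
    print(crack_unsalted(sha256_hex("Summer2020"), transformations("Summer2019")))

    # (3) Salted + slow: same password, two users, two unrelated digests.
    s1, d1 = pbkdf2_record("Summer2019")
    s2, d2 = pbkdf2_record("Summer2019")
    print(d1 != d2, crack_salted(s1, d1, WORDLIST))
```

The guessing loop is identical in both variants; the defender's only levers are the cost per guess (the KDF work factor) and the salt that stops one guess from being reused across users, which is exactly why "they were hashed" says little until you know how.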
  6. QldKoolies

    QldKoolies Well-Known Member

    Joined:
    28th Sep, 2018
    Posts:
    255
    Location:
    Brisbane
    All good points. This space changes quickly. I think staying on top of the guidelines for infosec policy makers is a good idea (guidelines are often for the betterment of a broader uptake of secure practices). Nevertheless, specific advice for your average Joe, based on the premise that they are an average Joe and not a high value target, is to avoid them being caught in mass ransom or credential trawling leading to identity theft. Three vulnerabilities I would put forward conceptually for the individual punter are: 1. Supply, 2. System, 3. Access. Use licensed reputable software, patch your systems, use MFA that relies on a secure device (not email) and use 12 character passwords that are changed monthly for single authentications into any area that holds your personal or financial information. Anything unimportant, forget it, don't complicate it; it's compromised and it shouldn't be able to hurt you because you applied the previous rule. We can accept that if a site that requires a login holds no important information, they won't spend resources on security.
    I get the NIST and ISM controls but those are for enforcing policy in enterprise systems. For the punter who reuses passwords across many sites and won't know his credentials were stolen, he can choose to protect himself by following simple password management processes. I doubt we're all checking https://haveibeenpwned.com/ each month. When you're supported by a SOC you can wait until you need to take action... but for everyone else...
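QldKoolies mentions checking haveibeenpwned.com, and the NIST FAQ quoted above says a forced change is warranted when there is evidence of compromise, such as a breach. As an added example (not from any post in this thread), here is how the Have I Been Pwned "Pwned Passwords" range API is queried without ever sending the password: only the first five hex characters of its SHA-1 leave the machine, and the match against the returned `SUFFIX:COUNT` lines is done locally. The endpoint shape follows the public HIBP API documentation; the `fetch_range` hook is a hypothetical stand-in for the HTTPS GET, and the response body embedded below is constructed (its counts are not real HIBP figures) so the code runs offline.

```python
"""Checking a password against a breach corpus without sending it anywhere:
the Have I Been Pwned "Pwned Passwords" k-anonymity range lookup.

Added example, not code from the thread. Per the HIBP API documentation the
client sends only the first five hex characters of the SHA-1 of the password
to https://api.pwnedpasswords.com/range/<prefix> and receives one
'<35-hex-char suffix>:<count>' line per hash in that range. `fetch_range` is a
hypothetical hook for the HTTPS GET; the body below is CONSTRUCTED.
"""
import hashlib
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/{prefix}"  # documented endpoint


def sha1_prefix_suffix(password: str) -> Tuple[str, str]:
    """Split the uppercase SHA-1 hex digest into the 5-char prefix that is sent
    and the 35-char suffix that never leaves the client."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> Dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines; tolerate CRLF and blank lines, skip malformed ones."""
    counts: Dict[str, int] = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, sep, count = line.partition(":")
        if sep != ":" or len(suffix) != 35 or not count.isdigit():
            continue  # do not trust a line that does not match the documented shape
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appears in the corpus (0 = not seen).
    Only the prefix is sent; the suffix comparison happens here."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


# SHA-1("password") = 5BAA61E4C9B93F3F0682250B6CF8331B7EE68FD8: prefix 5BAA6,
# suffix the remaining 35 characters. The count attached to it is constructed.
_PWNED_SUFFIX = "1E4C9B93F3F0682250B6CF8331B7EE68FD8"
_CONSTRUCTED_RESPONSE = "\r\n".join([
    "0" * 34 + "1:2",             # constructed filler entry
    _PWNED_SUFFIX + ":3861493",   # constructed count for "password"
    "F" * 34 + "E:17",            # constructed filler entry
    "",
])


def constructed_fetch_range(prefix: str) -> str:
    """Hypothetical stand-in for the HTTPS GET to RANGE_URL. Returns the same
    constructed body for any prefix, enough to exercise parsing and matching."""
    assert len(prefix) == 5 and all(c in "0123456789ABCDEF" for c in prefix)
    return _CONSTRUCTED_RESPONSE


if __name__ == "__main__":
    for pw in ("password", "a long passphrase nobody has leaked"):
        print(pw, "->", pwned_count(pw, constructed_fetch_range))
```

Wiring `fetch_range` to a real HTTPS GET against `RANGE_URL` is the only change needed for a live check; a non-zero count is the "evidence of compromise" NIST says should trigger a change, and a zero tells you nothing about the password's strength, only that it is absent from the corpus.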