• Lessons from the recent RSA security conference


    • This topic has 16 replies, 7 voices, and was last updated 10 years ago.
    #499812


    ON SECURITY

    Lessons from the recent RSA security conference

    By Michael Lasky

    The ongoing fight against malware infections is waged on many fronts, as was made clear at this year’s RSA conference, held last month in San Francisco, California. But the best practices for protecting ourselves from online threats remain much the same: maintain strong passwords and be careful what you click.


    The full text of this column is posted at WindowsSecrets.com/on-security/lessons-from-the-recent-rsa-security-conference/ (paid content, opens in a new window/tab).

    Columnists typically cannot reply to comments here, but do incorporate the best tips into future columns.

    • #1503355

      Ideally, you should change critical passwords every three months.

      But no one can ever explain why.

      Is it to thwart the hacker who’s been trying to crack my password for 2 months 29 days?

    • #1503418

      I think it’s for the case where a hacker has obtained your password from someplace like a website security breach, unbeknownst to you.

      Jerry

      • #1503430

        I think it’s for the case where a hacker has obtained your password from someplace like a website security breach, unbeknownst to you.

        … and has chosen not to use it for up to three months?

      • #1504039

        :flee: Let me barge in here with both arms flailing!
        The whole change your password every xxxx for a corporate policy seems to me to be a bit counter productive, add a 15 digit minimum and you get scribbles under the keyboard. In my case I had a perfectly service able system to make an 13 character password to log onto an internal company computer. After a breach in the system via a VPN account (to which the change password scheme made better address) we had to make a 15 character password with at least 1 cap, 1 lowercase, 1 digit and 1 special. For last several months logging in I used 1111111111!Qqqq then when forced to change I used a different digit . Followed the company policy. Easy enough to remember but hardly as secure as my own system.

        🍻

        Just because you don't know where you are going doesn't mean any road will get you there.
        • #1504055

          The whole “change your password every xxxx” corporate policy seems to me to be a bit counter-productive; add a 15-digit minimum and you get scribbles under the keyboard.

          Agreed; extremely counter-productive.

          The only possible justification I’ve ever been able to recognize is that in some situations where a group of staff perform similar functions it can discourage password sharing.

          Otherwise, when someone forgets their password it’s too tempting to borrow their colleague’s rather than bother to get it reset which can be inconvenient.

          With forced password changes every one or three months, knowing your friend’s password for emergencies becomes more difficult.

          For regular users and personal use, I think it achieves absolutely nothing (but auditors like it as an item to flag).
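    The two posts above make a concrete point: 1111111111!Qqqq satisfies a “15 characters, one upper, one lower, one digit, one special” rule, and swapping the digit satisfies a forced rotation, yet neither change adds real strength. The following is an added example, not code from the column or from any poster: it implements the quoted policy check, contrasts the entropy a complexity rule implicitly credits with a crude run-based heuristic (my own assumption, not a standard estimator), and shows a password-history check that would reject the “different digit” rotation. All passwords in it are constructed samples.

```python
"""Added example: complexity policy vs. actual strength, and a history check.
Not from the column or any poster; sample passwords are constructed."""
import math
import string

POLICY_MIN_LEN = 15                  # the "15 character" rule quoted in the thread
SPECIALS = set(string.punctuation)   # assumption: printable ASCII punctuation counts as "special"
POOL_SIZES = {"lower": 26, "upper": 26, "digit": 10, "special": len(SPECIALS)}


def char_class(c: str) -> str:
    """Map one character to the class the policy cares about."""
    if c.islower():
        return "lower"
    if c.isupper():
        return "upper"
    if c.isdigit():
        return "digit"
    if c in SPECIALS:
        return "special"
    return "other"


def passes_policy(pw: str) -> bool:
    """The stated rule: 15+ chars with at least one upper, lower, digit and special."""
    classes = {char_class(c) for c in pw}
    return len(pw) >= POLICY_MIN_LEN and {"upper", "lower", "digit", "special"} <= classes


def runs(pw: str) -> list[tuple[str, int]]:
    """Run-length encode: 'aab!' -> [('a', 2), ('b', 1), ('!', 1)]."""
    out: list[tuple[str, int]] = []
    for c in pw:
        if out and out[-1][0] == c:
            out[-1] = (c, out[-1][1] + 1)
        else:
            out.append((c, 1))
    return out


def pool_size(pw: str) -> int:
    """Size of the alphabet an attacker must cover given the classes present."""
    return sum(POOL_SIZES.get(k, 0) for k in {char_class(c) for c in pw})


def naive_entropy_bits(pw: str) -> float:
    """What a complexity rule implicitly credits: every position independent
    and uniform over the pooled character classes."""
    pool = pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def run_model_entropy_bits(pw: str) -> float:
    """Crude heuristic (an assumption of this example): an attacker guessing
    'character repeated n times' pays log2(pool) to pick the character and
    log2(len) to pick the run length, once per run rather than once per
    position. A ten-character run therefore buys almost nothing."""
    pool = pool_size(pw)
    if not pw or not pool:
        return 0.0
    return len(runs(pw)) * (math.log2(pool) + math.log2(len(pw)))


def strength_bits(pw: str) -> float:
    """Take the cheaper of the two attacker models as the estimate."""
    return min(naive_entropy_bits(pw), run_model_entropy_bits(pw))


def same_shape(old: str, new: str) -> bool:
    """History check a policy engine could add: reject a 'new' password whose
    run structure (class sequence and run lengths) matches the old one, which
    is exactly what 'I used a different digit' produces."""
    def shape(pw: str) -> list[tuple[str, int]]:
        return [(char_class(c), n) for c, n in runs(pw)]
    return shape(old) == shape(new)


if __name__ == "__main__":
    weak, rotated = "1111111111!Qqqq", "2222222222!Qqqq"   # constructed samples
    random_looking = "gT7#kq2Lm9!vX4p"                      # constructed sample
    for pw in (weak, rotated, random_looking):
        print(f"{pw:18} policy={passes_policy(pw)!s:5} runs={len(runs(pw)):2} "
              f"naive={naive_entropy_bits(pw):5.1f}b est={strength_bits(pw):5.1f}b")
    print("rotation rejected by history check:", same_shape(weak, rotated))
```

    Both the original and the “rotated” password pass the policy and score about 98 bits under the naive model, but only about 42 bits once runs are modelled, while a 15-character random-looking password keeps its full credit; the shape comparison flags the digit swap as the same password.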

    • #1503443

      They could be using it at any time without your knowledge. I don’t use this rule myself. I’m just speculating on why it’s recommended by some.

      Jerry

    • #1503447

      … as they could be on day one of your new password.

      • #1503494

        Not if they got the password from a security breach. Nothing is perfect.

        Jerry

    • #1503525

      Something rules out a security breach after you change a password? :confused:

      • #1503529

        I’m referring to the several computer breaches at places like Target where user IDs and passwords have been stolen. It’s not a perfect defense, but if your password is changed (even though you may not be aware of the breach) before it’s sold, it may block access to your account(s).

        Jerry

    • #1503531

      I think the most important rule right now, about online passwords, is never to use the same password for a different website. Ever. That makes breaches rather irrelevant, in terms of accessing other accounts from the same user.

      • #1503534

        I think the most important rule right now, about online passwords, is never to use the same password for a different website. Ever. That makes breaches rather irrelevant, in terms of accessing other accounts from the same user.

        I fully agree with this. This discussion about changing passwords on a regular basis is rather pointless. I was just trying to point out a rationale for it. It doesn’t cover many cases and is just a tiny extra layer of protection that I personally don’t use. I’m done commenting on it.

        Jerry

    • #1503532

      In the Target data breach, the hackers penetrated Target’s servers and the breach was repaired. The user IDs and passwords remain for sale today. There are several other cases.

      Jerry

    • #1503535

      Brian Krebs’ blog section on data breaches is worth reading.

      • #1503539

        Does anyone remember that early last year RSA “GAVE” their latest 4096 code to the NSA???

        If you think that your encrypted messages are unbreakable–think again!!!!

    • #1504316

      it can discourage password sharing.

      OK, I can see that. Biometrics on the way ~~~~~~~~~~~~~

      🍻

      Just because you don't know where you are going doesn't mean any road will get you there.