Kitz ADSL Broadband Information
Pages: 1 [2] 3 4

Author Topic: browsers offering to save login details - how to properly stop this  (Read 19935 times)

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #15 on: March 01, 2019, 11:18:51 AM »

luckily i have a captive audience and the users have no choice but to use the system.
30 day password resets is a management request that is to be enforced.
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: browsers offering to save login details - how to properly stop this
« Reply #16 on: March 01, 2019, 01:23:01 PM »

I appreciate what upper management can be like  :wall:, but that stance could be rather short sighted, resulting in passwords being written down.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #17 on: March 01, 2019, 01:26:22 PM »

Quote
I appreciate what upper management can be like  :wall:, but that stance could be rather short sighted, resulting in passwords being written down.

passwords being written down won't happen (or shouldn't happen), as the users aren't allowed paper/notebooks etc.
mobile phones also not permitted.
Logged

Chrysalis

  • Content Team
  • Addicted Kitizen
  • *
  • Posts: 7382
  • VM Gig1 - AAISP L2TP
Re: browsers offering to save login details - how to properly stop this
« Reply #18 on: March 01, 2019, 06:36:27 PM »

does your company allow management to be challenged?
Logged

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #19 on: March 01, 2019, 07:37:28 PM »

Quote
does your company allow management to be challenged?

management as in managing director/owner.
their business, their rules.
plus we deal with customers personal details, so data access restriction is already tight.

i could easily offer my opinion on any proposal and it would be taken on board, but i agree with the implementation so nothing to challenge.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: browsers offering to save login details - how to properly stop this
« Reply #20 on: March 01, 2019, 08:41:07 PM »

Whilst accepting that Chenks has to do as his employer tells him, and in any case he agrees with it, my main concern would be...

If you impose arduous password policies, and stop people from writing them down, then people will have no option but to choose easily remembered passwords.   Such passwords can still be long and complex, with special characters etc.   They might be based on names of relatives or pets, or variations on their birthdays, phone numbers etc.  Requiring a new password every month is easily overcome by just appending “0119”, “0219”, “0319” etc.  That’s all stuff that is quite easy for a serious hacker to work out through social media.  Probably a lot easier than “mynameischris”, at least if you use a ‘4’ for the ‘a’, a ‘1’ for the ‘i’, and your name’s not Chris.

As a customer, I’d not be happy to think my data was in the hands of a company that imposed these policies on staff.   But then, that is related to why I still refuse to use any form of online banking.  Banks in particular seem to be obsessed with tunnel vision of “ticking all the boxes” for security, whilst being somewhat oblivious to the obvious flaws in many such strategies.
« Last Edit: March 01, 2019, 08:45:09 PM by sevenlayermuddle »
Logged

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #21 on: March 01, 2019, 09:21:09 PM »

Quote
If you impose arduous password policies, and stop people from writing them down, then people will have no option but to choose easily remembered passwords.   Such passwords can still be long and complex, with special characters etc.   They might be based on names of relatives or pets, or variations on their birthdays, phone numbers etc.  Requiring a new password every month is easily overcome by just appending “0119”, “0219”, “0319” etc.  That’s all stuff that is quite easy for a serious hacker to work out through social media.  Probably a lot easier than “mynameischris”, at least if you use a ‘4’ for the ‘a’, a ‘1’ for the ‘i’, and your name’s not Chris.

password policies can easily be applied to stop those types of passwords being used. office365 currently employs such a policy where a password isn't allowed that is deemed "weak" based on various factors (ie it won't let you just change a 1 to a 2 at the end of a password).

Quote
As a customer, I’d not be happy to think my data was in the hands of a company that imposed these policies on staff.   But then, that is related to why I still refuse to use any form of online banking.  Banks in particular seem to be obsessed with tunnel vision of “ticking all the boxes” for security, whilst being somewhat oblivious to the obvious flaws in many such strategies.

as a customer you'd want to ensure systems were properly secure, and that means good passwords.
would you be happy to know your data was behind a system where the operator could enter a password once and never have to type it in again?
that's not "secure" in my eyes. it's essentially the equivalent of putting your bank card into a cash machine, entering your code and it saying "do you want me to remember this?" and you saying yes, so every time you return to that cash machine it doesn't ask you for your PIN.
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: browsers offering to save login details - how to properly stop this
« Reply #22 on: March 01, 2019, 09:27:37 PM »

Quote
i haven't forgotten a password yet, and my expectation of anyone using a system of mine to use a password they won't forget either (that matches the complexity that the system enforces ... ie it won't let them use "mynameischris").
if that results in them being frustrated then good, it's making them think about security, which can only be a good thing.

I've just checked my password manager, I have 356 passwords stored, it would take someone truly exceptional to remember 356 (that's excluding ones on my works system) unique complex passwords of 12 characters or more.

Quote
passwords being written down won't happen (or shouldn't happen), as the users aren't allowed paper/notebooks etc.
mobile phones also not permitted.

A paperless office, yours must be the only one  ;) People are resourceful, they'll find ways or use something simple, like a password reset option, I wonder how many passwords will be reset once you stop the browser from saving them???
« Last Edit: March 01, 2019, 09:31:11 PM by Ronski »
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #23 on: March 01, 2019, 09:30:04 PM »

Quote
I've just checked my password manager, I have 356 passwords stored, it would take someone truly exceptional to remember 356 (that's excluding ones on my works system) unique complex passwords of 12 characters or more.

Quote
A paperless office, yours must be the only one  ;) People are resourceful, they'll find ways or use something simple, like a password reset option, I wonder how many passwords will be reset once you stop the browser from saving them???

password resets are monitored, so we can easily see who is resetting and how often.
however, if they want to reset every day then batter in i say, a password being changed every day is pretty secure and with the policy not allowing the same password to be used or changing it from password1 to password2 they'll soon run out of options :)
Logged
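The reply above relies on monitoring who resets their password and how often. As an added example, not the poster's own tooling, here is the detection logic for that: it parses reset events out of an audit log, keeps a per-user timeline, and flags anyone whose reset count inside a sliding window exceeds a threshold (a user resetting daily to cycle through a forced change is the case it catches). The log format, the seven-day window and the threshold of two resets are assumptions, and the log lines are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit log (format assumed: ISO timestamp, then key=value fields).
SAMPLE_LOG = """\
2019-03-01T08:02:11Z event=password_reset user=alice
2019-03-01T08:10:45Z event=login user=alice
2019-03-02T08:05:30Z event=password_reset user=alice
2019-03-03T08:01:02Z event=password_reset user=alice
2019-03-04T07:59:59Z event=password_reset user=alice
2019-03-01T12:30:00Z event=password_reset user=bob
2019-03-20T09:00:00Z event=password_reset user=bob
"""


def parse_line(line: str):
    """Split one log line into (timestamp, {field: value})."""
    ts, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), kv


def resets_by_user(log_text: str) -> dict[str, list[datetime]]:
    """Per-user sorted list of password_reset timestamps; other events are ignored."""
    per_user = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, kv = parse_line(line)
        if kv.get("event") == "password_reset" and "user" in kv:
            per_user[kv["user"]].append(ts)
    return {user: sorted(times) for user, times in per_user.items()}


def flag_frequent_resets(log_text: str, max_resets: int = 2,
                         window: timedelta = timedelta(days=7)) -> dict[str, int]:
    """Return {user: peak resets seen inside any `window`} for users exceeding max_resets.

    Uses a two-pointer sliding window over each user's sorted timestamps, so a burst of
    resets on consecutive days is counted even if the log lines arrive out of order.
    """
    flagged = {}
    for user, times in resets_by_user(log_text).items():
        peak = 0
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > window:   # slide the left edge forward
                start += 1
            peak = max(peak, end - start + 1)
        if peak > max_resets:
            flagged[user] = peak
    return flagged


if __name__ == "__main__":
    for user, count in flag_frequent_resets(SAMPLE_LOG).items():
        print(f"{user}: {count} resets within 7 days, review")
```

On the constructed log, alice is reported with four resets in four days, while bob's two resets nineteen days apart stay below the threshold. In production the same function runs over the identity provider's audit export; the threshold should be set from the observed baseline so that ordinary forgotten-password resets do not drown the report.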

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #24 on: March 01, 2019, 09:31:59 PM »

Quote
PS. I changed that password at work today, the one that changes every 30 days, I don't have a clue what it is, I don't need to, I have a long secure password, different to my home one that I use to unlock my password manager.

you either have a very bad memory or you let some app choose a password for you.
out of interest, you seem to trust third party companies to manage your user accounts for you? what allows you to put your faith in some company that is in the business of making money?
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: browsers offering to save login details - how to properly stop this
« Reply #25 on: March 01, 2019, 09:37:15 PM »

How do they reset that password, via email? And is that email account accessible without a password from the desktop?

I don't know if you read PC Pro, but there is a very good well respected security journalist who writes in there, and has done for years, his view is that a good password manager is more secure than the other options, and that combined with 2FA is even better.

Why do I put my trust in them, the same reason banks have my money, they are better looking after it than me looking after cash under the mattress so to speak, before I had a password manager most my passwords were the same or based on a few variations, and no my memory is not great.

PS. I changed that password at work today, the one that changes every 30 days, I don't have a clue what it is, I don't need to, I have a long secure password, different to my personal one that I use to unlock my password manager. Does that mean it's insecure? The irony is that the password I have to change every 30 days is just so I can release emails that a online system has decided is spam.
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #26 on: March 01, 2019, 09:48:37 PM »

email is not accessible without a password - office365 which also has a 30 day password reset policy.
via windows desktop which is not accessible without a password, again which has a password reset policy.

i assume you remember your pc/laptop login as you can't set that to save and log you in automatically, although in a home environment you can set it to have no password!

the reason i asked about your trust in the password manager, was simply a case of how do you know they are better at it than you? it's a faceless business you most likely know nothing about? it only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).
it's the same as all the people that assume that just because they are using a third party VPN that they are safe, they know nothing about the VPN companies and what they are doing with their data.

it's an interesting debate to have though.

2FA isn't really a viable option as it requires the end-user to have a mobile to get the code, which they aren't permitted to have on their person whilst in the office, and even if they did it would be tying a business account to a personal mobile.
Logged

sevenlayermuddle

  • Helpful
  • Addicted Kitizen
  • *
  • Posts: 5369
Re: browsers offering to save login details - how to properly stop this
« Reply #27 on: March 01, 2019, 10:39:42 PM »

Quote
would you be happy to know your data was behind a system where the operator could enter a password once and never have to type it in again?
that's not "secure" in my eyes. it's essentially the equivalent of putting your bank card into a cash machine, entering your code and it saying "do you want me to remember this?" and you saying yes, so every time you return to that cash machine it doesn't ask you for your PIN.

The card PIN comparison is interesting.   I have used the same few card PINs (varied for each account) for at least 20 years.  Unless I have reason to think somebody has discovered my PIN, I would not want to change it.   Most card issuers seem to agree, as they allow the customer to change the issued PIN to something they prefer.   

Back on topic, your quest to prevent browsers storing passwords...   Your organisation clearly has absolute control over the environment, no paper notepads, no mobiles, etc.   So why not just impose an IT policy, such that all workstations are automatically reset daily, with browser caches cleared.     An even better option might be (though I am no expert here) to have diskless workstations, booted daily from a centrally administered image, thus intrinsically thwarting any attempt to store persistent local data?
« Last Edit: March 01, 2019, 10:50:58 PM by sevenlayermuddle »
Logged

Ronski

  • Helpful
  • Kitizen
  • *
  • Posts: 4300
Re: browsers offering to save login details - how to properly stop this
« Reply #28 on: March 02, 2019, 01:06:54 PM »

Quote
email is not accessible without a password - office365 which also has a 30 day password reset policy.
via windows desktop which is not accessible without a password, again which has a password reset policy.

So there you have at least three passwords, which are changed regularly, I suspect a lot of people will struggle and resort to cheating one way or another. Do the three passwords have to be different, are there checks between the systems to enforce this? I could probably come up with a system to remember them if I had to, but may still rely on a cryptic clue somewhere.

Quote
i assume you remember your pc/laptop login as you can't set that to save and log you in automatically, although in a home environment you can set it to have no password!

All PCs have passwords, except two media centre PCs used for watching TV and nothing else, although they do actually have passwords but are set to auto sign in to the media PC standard user account. Yes I do remember my password for Windows, also my immediate family's passwords for their user accounts as I administer the home network, my server's password, my home password manager, my works password manager, the works admin account password, various pins for alarms, cash machines, pin for my phone, pin protected apps on my phone, several online banking sites (not in password manager), there is a very long list when I think about it. I have entered various passwords this morning setting up a more secure router at work and wi-fi networks, but I can't remember exactly what they are.

Quote
the reason i asked about your trust in the password manager, was simply a case of how do you know they are better at it than you? it's a faceless business you most likely know nothing about? it only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).

They are better than me because previously I used to use a selection of relatively weak passwords, but over the years it became apparent that if one site was hacked that password and details could be used elsewhere, so I started using a password manager. Also articles I've read from security experts have reinforced my view that this is more secure and a better user experience than trying to remember them all, there will always be attack vectors but like everything in life it comes down to compromises.

Someone I know has a system where they write a cryptic clue in a password protected document, that cryptic clue references a particular printed book so they can look up their passwords. This approach is all well and good until they need a password and don't have access to both items.

The bit in red bold in the quote above tells me you don't understand how password managers work, so you'll find the second link below enlightening. Mind you they could still be compromised, I suppose it would take the end users software to be compromised and then send the password database to the hackers.

https://happygeek.com/?page_id=33
https://www.alphr.com/features/380377/password-managers-are-they-safe-which-is-the-best  Quite an old article from 2013, but an interesting read
https://www.forbes.com/sites/daveywinder/2019/02/05/google-reveals-a-big-problem-with-passwords-on-safer-internet-day/#331feb2e5e0b   
https://itsecuritything.com/world-password-day-wont-solve-the-numbnuts-user-problem/

I recently spoke to someone that used the same password for everything, I frightened the life out of them  by showing them their email address was on https://haveibeenpwned.com/ and that meant quite possibly their password was on a dictionary list somewhere. Hopefully they are now changing them and using a password manager.

Quote
it's the same as all the people that assume that just because they are using a third party VPN that they are safe, they know nothing about the VPN companies and what they are doing with their data.

Yes appreciate that, but I'm not even sure that they assume, they just don't know any better, most will be oblivious to websites being hacked etc. I have a VPN back to my home, so if on a connection I don't trust I just turn my device's VPN on and I know my connection is secure, well in as much as I trust my hardware and my home ISP, there's those compromises again.

Quote
it's an interesting debate to have though.

It is indeed, it does make you think.

Quote
2FA isn't really a viable option as it requires the end-user to have a mobile to get the code, which they aren't permitted to have on their person whilst in the office, and even if they did it would be tying a business account to a personal mobile.

Appreciate the difficulties security causes for both sides (employees and employers), but employees will cheat the system to make life easier, ultimately what it needs is reliable biometric authentication. I say reliable because my fingerprint doesn't always unlock my phone - if I've been doing physical work then the fingerprint is harder to recognise.

Do the employees have no pens, hand bags, wallets etc?
Logged
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

chenks

  • Kitizen
  • ****
  • Posts: 1106
Re: browsers offering to save login details - how to properly stop this
« Reply #29 on: March 02, 2019, 04:57:00 PM »

Quote
Do the employees have no pens, hand bags, wallets etc?

not at their desks, no.
all personal items are in lockers away from the "work floor".

no paper/pen is required as they shouldn't be writing anything down (we deal with personal details including names, addresses, phone numbers, email addresses, which can include refuge/Women's Aid locations), so data security is a top priority. the people are permitted to have a small personal "white board" with a supplied marker pen, which gets wiped down/cleared after the reason for using it has passed (and certainly wiped at the end of each day).
Logged