Kitz ADSL Broadband Information

Author Topic: browsers offering to save login details - how to properly stop this  (Read 19931 times)

Chrysalis

Re: browsers offering to save login details - how to properly stop this
« Reply #30 on: March 03, 2019, 01:22:06 PM »

chenks, the reason password managers exist, and it's deemed bad to enforce manually typed passwords as well as frequent resetting, is that they are all policies proven to encourage weak passwords and make it more likely they are written down. you're dealing with humans not robots; like ronski i have a triple digit number of passwords as well.

since you don't trust 3rd parties, why not develop your own app for the login interface instead of a browser coded by a 3rd party? then it's your app, your rules.
« Last Edit: March 03, 2019, 01:26:41 PM by Chrysalis »

chenks

Re: browsers offering to save login details - how to properly stop this
« Reply #31 on: March 03, 2019, 03:34:25 PM »

only if the password policy being enforced allows weak passwords, which it doesn't.
writing down the password in this instance would be pointless as it wouldn't be on the desk with them.

we do have our own "app" for the login interface, it's called the web browser with a standard login page where we require the user to manually enter their username and password. we don't want anything to be auto filling in anything, be it the browser or a password manager.

Ronski

Re: browsers offering to save login details - how to properly stop this
« Reply #32 on: March 03, 2019, 04:42:47 PM »

I've come to appreciate chenks' position on this, I wonder if the employees are given advice on creating memorable passwords?

As I said above what it really requires is biometric authentication, perhaps coupled with a swiped security card. The operative's picture could also be taken and stored against the logins. This technology exists now, the government are quite happy to use it with my passport.
Formerly restrained by ECI and ali,  now surfing along at 390/36  ;D

sevenlayermuddle

Re: browsers offering to save login details - how to properly stop this
« Reply #33 on: March 03, 2019, 05:05:03 PM »

NCSC offer specific guidance on some of the things being discussed.

On protection against password guessing...

https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

On password expiry policies (linked from above)...

https://www.ncsc.gov.uk/blog-post/your-password-expiry-policy-may-have-reached-its-expiry-date

chenks

Re: browsers offering to save login details - how to properly stop this
« Reply #34 on: March 03, 2019, 05:08:16 PM »

Quote
I've come to appreciate chenks' position on this


eeek!, isn't that the first harbinger of the apocalypse?
« Last Edit: March 03, 2019, 06:19:17 PM by chenks »

d2d4j

Re: browsers offering to save login details - how to properly stop this
« Reply #35 on: March 03, 2019, 05:54:47 PM »

Hi

I think 7lm sums it up

Password expiry is a blunt instrument that casts a long shadow over organisational security. We should call time on this outdated and ineffective practice.

As taken from 7lm's last link

I only read quickly but there are parts missing re passwords, which are not widely known, such as password length should be an uneven number - reason being crackers use 4 character hacks (simplistic term)

I would be interested to know though, if this is the client who is using server 2008, outdated php and iis and sql 2005

Please feel free to ignore

Many thanks

John

Ronski

Re: browsers offering to save login details - how to properly stop this
« Reply #36 on: March 03, 2019, 06:35:43 PM »


Quote
eeek!, isn't that the first harbinger of the apocalypse?

Not quite, whilst I appreciate the need for security and not storing passwords in browsers, or using password managers I do think changing passwords as regularly as every 30 days is rather OTT and must cause some people quite a bit of stress.

chenks

Re: browsers offering to save login details - how to properly stop this
« Reply #37 on: March 03, 2019, 06:38:40 PM »

Quote
Not quite, whilst I appreciate the need for security and not storing passwords in browsers, or using password managers I do think changing passwords as regularly as every 30 days is rather OTT and must cause some people quite a bit of stress.

to be fair, with the amount of staff turnover (due to the nature of the work and the type of calls they tend to receive), some never need to change it  ;D

sevenlayermuddle

Re: browsers offering to save login details - how to properly stop this
« Reply #38 on: March 03, 2019, 08:16:11 PM »

I still don’t ‘get’ the logic that bars employees from using password managers or writing down passwords on slips of paper.   In that scenario, I’d probably carry a pad of paper, leaving it in my car in the car park.   Each time I need to change password, I’d make a note after I’d left the office, whilst fresh in mind.   And each morning, I’d check it, so I could remember it long enough to get to my desk.  And then, rules being rules, rather than carry that slip of paper safely in my wallet, I’d leave it in my car, with password visible to anybody who gained sight.

Interestingly, one of the GCHQ/NCSC links I provided earlier, actually suggests that users should be encouraged to use password managers, or to simply write them down.

https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

Quote
Store your passwords rather than trying to remember them all. This enables you to use longer, stronger, unique passwords and change them whenever you want, without making life too hard for yourself. There are two ways you can do this:

It also makes the point, as I interpret it, that while passwords might be relied upon by users to protect their own data, they should not be relied upon by systems providers as a means of protecting organisation data...

Quote
If attackers are able to access your systems remotely by guessing users’ passwords, then those systems are not effectively protected; don’t blame the users in this situation.


Chrysalis

Re: browsers offering to save login details - how to properly stop this
« Reply #39 on: March 03, 2019, 08:21:57 PM »

i got no issue with the need for tight security, on that i can relate, i suppose the issue is the rigidity and old practices being used, i'm curious what solution you end up carrying out tho

chenks

Re: browsers offering to save login details - how to properly stop this
« Reply #40 on: March 04, 2019, 07:59:52 AM »

Quote
I still don’t ‘get’ the logic that bars employees from using password managers or writing down passwords on slips of paper. In that scenario, I’d probably carry a pad of paper, leaving it in my car in the car park. Each time I need to change password, I’d make a note after I’d left the office, whilst fresh in mind. And each morning, I’d check it, so I could remember it long enough to get to my desk. And then, rules being rules, rather than carry that slip of paper safely in my wallet, I’d leave it in my car, with password visible to anybody who gained sight.

Interestingly, one of the GCHQ/NCSC links I provided earlier, actually suggests that users should be encouraged to use password managers, or to simply write them down.

https://www.ncsc.gov.uk/guidance/password-guidance-summary-how-protect-against-password-guessing-attacks

It also makes the point, as I interpret it, that while passwords might be relied upon by users to protect their own data, they should not be relied upon by systems providers as a means of protecting organisation data...

i never said anyone was barred from using a piece of paper, only that paper/notepads are not permitted on the workfloor.
password managers (although i am against them in general) would then require the user to have yet another username/password (to gain access to the password manager), and as hot-desking is quite common what's to stop them from forgetting the password for that? and if they need to remember it, what stops them from making it an easily guessed password? seeing as they couldn't, i assume, store that password in the password manager.

leaving the piece of paper in your car is fine as the system in question has no external/public access, it's purely internal, so unless it was another member of staff that saw the piece of paper with all your passwords on it, it wouldn't be an issue.

if someone other than the owner was to use the password on that piece of paper to gain access to the system then both would be dismissed. 1 for breach of computer misuse act and the other for allowing username/password data to be breached.

anyway, we've drifted quite far off the original topic, which was a question about how to do something. it wasn't a question about whether something should be done.

niemand

Re: browsers offering to save login details - how to properly stop this
« Reply #41 on: March 05, 2019, 11:17:08 PM »

Quote
the reason i asked about your trust in the password manager, was simply a case of how do you know they are better at it than you? it's a faceless business you most likely know nothing about? it only takes one of these password manager companies being compromised and they have all your user account details (and don't say it'll never happen).

A password manager company has been compromised. The attackers got nothing of value despite having access to the database.

chenks

Re: browsers offering to save login details - how to properly stop this
« Reply #42 on: March 06, 2019, 10:53:24 AM »

which company was that?
out of interest, those that do use password managers, which do you use? LastPass appears to get top marks from the usual websites, although you usually have to take those "articles" with a pinch of salt.

Chrysalis

Re: browsers offering to save login details - how to properly stop this
« Reply #43 on: March 06, 2019, 08:16:09 PM »

I use KeePass, I plan to switch to KeePass2 for the reason that when it generates passwords it avoids lookalike characters. It's an offline password manager.

Ronski

Re: browsers offering to save login details - how to properly stop this
« Reply #44 on: March 06, 2019, 10:09:30 PM »

Quote
which company was that?
out of interest, those that do use password managers, which do you use? LastPass appears to get top marks from the usual websites, although you usually have to take those "articles" with a pinch of salt.

I use both Roboform and LastPass, which was hacked back in 2015 as mentioned in one of the articles I previously linked to.

https://www.lastpass.com/security/what-if-lastpass-gets-hacked