Collaborate Disseminate
We get questions on this site all the time from people asking if X password or authentication rules on Y site are secure. Usually if someone is asking the answer is “no”. I just ran into this myself from a large tech compan… Continue reading In what ways can we encourage companies to have better password/security practices?
The global digital giant’s services like facebook/gmail/twitter/etc are not following standard password policies (like the standard password policies used by most of the Enterprises/Corporate).
For example there are no pass… Continue reading Is my personal data at risk with global digital giant’s services?
I reside in Michigan, U.S.A and just recently took over the IT of a small medical practice. There is no real security in place and I am still undoing the horrific damage and lockouts put in place by the previous company. I ha… Continue reading Bad medical security
My employer’s login flow asks for a username, then a 2fa, then a password. They do it this way because they fear someone could try to brute force passwords and create a denial of service attack by locking out all our accounts… Continue reading What are reasons to ask for 2FA before password?
(The name is vague on purpose because I’m not entirely sure how bad of an issue this is or if it is well known yet and I don’t want to accidentally leak some kind of major breach type thing)
Scenario: You change your passwor… Continue reading Email login bug, is it a security concern for email users?
A good chunk of ip cameras come with an easy default password which is the same for all models. It usually is something like admin, 1234, root …
The basic customer doesn’t know that millions of ip are being scanned every s… Continue reading Why do most ip camera manufacturers set an easy default password?
Every year an automated password reset occurs on a VPN account that I use to connect to the institution’s servers. The VPN accounts/passwords are managed by the institution’s IT department, so I have to send an email every ye… Continue reading IT will only give password over phone – but is that really more secure than email?
The general opinion on password policies seems to be that complexity rules are counterproductive to security due to the human nature [1].
Does this also apply to password policies prohibiting the re-use of passwords that a u… Continue reading Does preventing password recycling increase or damage overall security?
CESG state that users should not be forced to undergo regular password changes as it often harms, rather than improves security. Does this logic apply to administrators as well, such as domain admins?
https://www.ncsc.gov.uk… Continue reading Should Administrators regularly change their passwords
NIST guidelines discourage password policies that require multiple character sets.
Verifiers SHOULD NOT impose other composition rules (e.g., requiring mixtures of different character types or prohibiting consecutively repeated charact… Continue reading What are some well known websites that do not require multiple character sets in passwords?