Company says no to passwords managers and U2F? Geez.
Brett Johnson
Keynote Speaker. Consultant. Podcast Host of The Brett Johnson Show. Cybercrime, Identity Theft, Cybersecurity Expert. Original Internet Godfather. Former US Most Wanted turned Good Guy. Chief Criminal Officer at-large.
Got this in my inbox from a friend of mine. Im kind of interested in everyone's take on it. Story follows:
“A friend’s” rant of the week...and question...am I missing something?
Internet Security Training: Don’t install unauthorized Apps. Don’t share passwords. <Insert additional IS onboarding/training messages>.
“A friend”: what authorized password managers can we use?
IS Training: None. Don’t use them. Don’t store your passwords anywhere.
“A friend”: To keep passwords. How do I manage 30 logins/passwords?
IS Training: Don’t know why you’d have 30 logins.
"A Friend": <insert crickets/no response>
[call ended]
Question for Brett:
My personal password manager probably has 500+. Is IS clueless or begging for easy, duplicated passwords? Are we clueless by putting marking databases of our passwords albeit encrypted databases.
My personal thought is a Password Manager is far safer than anything currently being used--unless the company uses something like U2F*. I agree with the company saying no sharing of passwords and no unauthorized apps, but it seems foolhardy to not have U2F* or a a password manager they use.
To put it more bluntly, it sounds like it might be the first day on the job for the Internet Security Training Person. And it sounds like the company is going to be eaten alive if that level of naivete continues.
Thoughts?
* FIDO U2F tokens enable users to quickly and securely access any website or online service that supports the FIDO U2F protocol using a single device. To authenticate, a user simply inserts a universal serial bus (USB) token into any port. Then, the user presses the U2F token button and enters his or her password or PIN.
Fraud/Reviews/Training/Investigation/Advisory/Media
4 年One strong password consisting of 3 random words and a random symbol or numbers used on every account is all anyone needs and will take millions of years for a hacker to crack. - Until it gets leaked or someone gives a third party IT manager £10 for it. If the website has a green padlock on it then it is 100% safe. - until cyber criminals work out how to draw padlocks and colour them green. Free anti virus software is given out as a gesture of goodwill by kind people because of their love for humanity. - no comment The Maginot Line means that the Germans will never ever be able to invade France like they did in World War 1. - Until the Germans come through Belgium. The UK is as likely to elect a comedy show panellist as Prime Minister as the US is to elect a reality show host. - That one must be true? The confidence of fools versus the considered consideration of those who know but are willing to find out more is a blight.? ?Jeez - Get a password manager and wake up people.? ??
Passionate researcher & lifelong student | Wordsmith Ninja | Servant leader with a passion for helping protect people, advance process and technologies | Dedicated Mentor & Gadget Tinkerer | CMMC RP
4 年This shocks me that 2FA solutions like a physical security token or a password manager would be prohibited. The end result , employees eventually get password sprayed , when they reuse 123456 . As we all know , people are horrible with creating relatively strong passwords and even remembering them when we do , across the hundred-ish sites we register for access. Hope this organization comes to their senses sooner than later , on there policy In this regards Brett Johnson
Director of Security Strategy & Culture proud to work at #kpmgliverpool
4 年I’ve heard some seriously technical people (I’m not technical at all) argue the case repeatedly against password managers. But these individuals are often so controls-focussed they create a culture where - like you say - no-one follows the security policies and create insecure workarounds all over the place. Until such a time that passwords become obsolete, a manager is the best thing we have
Systems Architect
4 年I think asking if you may use a password manager is a good case for "better to ask forgiveness than permission". This is of course assuming you choose intelligently and use an open source one and not some cloud service... And yes I too am guilty of sometimes using cloud based password managers. I still think it is unwise. "Do as I say not as I do" ??
HVACker | OT Cybersecurity
4 年You and I must have the same friend. ??