Office of the NYS Comptroller Thomas P. DiNapoli’s Post

I'm writing a password generator, in that many of my passwords haven't been changed in ages. So let's talk a moment about security. You may as well assume that an attacker knows my system, or has guessed it. Maybe there are ten possible systems, or 100, and the attacker tries them all. My system therefore is only secure if disclosing its details would not compromise it. Okay, here it is. I have a list of 1000 words. Got it by downloading the Scrabble word list and cherrypicking ones that I liked. Assume that my word list is public. Passwords are seven words long. Each word starts with a capital letter, and "35%" is appended to the end to satisfy 'strong password' requirements. Now I have lg(1000)*7=70 bits of entropy. That is, 1000^7 possible passwords with no preference within that set. That's why it would be okay for an attacker to know my word list, and the system for password construction. For every word, I have to choose at random from the list. Really at random, and that's harder than it sounds. I do it with dice. Yeah, the old polyhedral d20 to the rescue. Three tosses of a d10 and I have a 1000x choice that you cannot crack. This does not scale. But whatever - I don't need millions of passwords. All the attacks that get me to type a password into a compromised site are still valid. But none of the attacks based on cracking a downloaded database are. Oops, that assumes the site at the other end does things right. Essentially, they need to store the hash value of my password and not the password itself. Any site storing raw passwords needs to be taken out back. How did I arrive at 'seven words long'? Well, that's questionable. With a 1000-word dictionary, that's 70 bits of entropy. If an attacker can analyze a certain number of trials per second, and is willing to wait perhaps 1 year for a result, then how many bits of entropy do I need? Every time I add a word to the pasword length, I multiply the cracking time by 1000. Hey, why am I using words at all? Simple number sequences would produce entropy just fine, and are easy to type. That's a possibility. Replace every word from my list with 3 decimal digits and you have the equivalent security. I think that's harder to work with. Easier to mistype, for instance. The scheme's not original, in that I couldn't patent it. I heard this approach somewhere, somewhen. And it's fairly obvious once you start thinking about how to defend against crackers. But here it is.

The significance of good #cyberhygiene cannot be overstated, particularly in mitigating or stopping a #cyberattack from causing significant #businessrisks. We offer our expertise in developing an Information Security Program for your organisation, aimed at fostering organisational resilience and information security maturity. This program can serve to reduce the occurrence of #breaches and downtime. By partnering with us to implement this program, your organisation can benefit from a tailored approach to addressing the complexities of safeguarding information assets. Our team of experts can provide you with the necessary guidance and support to ensure that your organisation's information security framework aligns with industry best practices. https://lnkd.in/grYQjHyx

Sharing this blog I saw earlier from Katlyn G. for those interested in learning about Discretionary Access Control. "Guide to Discretionary Access Control (DAC) with Examples" | Built In https://lnkd.in/ex7pk9Vw #dac #security #systemsecurity #learning #tech #securitypolicy #techcommunity

2 out of 3 passwords could be cracked before you finish reading this sentence. Even a seemingly complex P@$$w0rd is not enough to keep you safe. Here is what to do instead: 👇👇👇 You might not believe this. But a complex password like “P@$$w0rd” can be cracked instantly — in 0.0000001 seconds. A simple four-word passphrase like “boundary coal communication defeat” on the other hand, would take up to 63.41 million trillion trillion trillion centuries. Before I explain why the second one is more secure, let’s discuss the math of password cracking. “P@$$w0rd” is 8 characters long. Let’s say each character could have 102 possible values (UPPERCASE, lowercase, 0123456789 + special characters). That's 11,716,593,810,022,656 possible combinations to try! Impossible? Well, actually no. Today, a high-end PC can check 1,400,000,000,000 unique password combinations per second. Meaning an attacker would take 2 hours and 19 minutes to break this password. Computers have come a long way! But why wait this long if there's a faster method? One that takes less than a second! We can download a compromised password database to check if P@$$w0rd is on it. With 1.4 trillion guesses per second, it only takes 50 milliseconds to test all 82 billion entries of the RockYou database. And what do you know... Over 34,168 accounts used P@$$w0rd to protect their account. “boundary coal communication defeat” on the other hand is 100% unique. Cracking this four-word passphrase with brute force would require 63.41 million trillion trillion trillion centuries, even with the fastest computers. Want to create a super-secure 4-word password? All you need are 4-5 dice and a wordlist. Match the word to the numbers you rolled. Combine words without spaces, LikeThis. Use-dashes-between-each-word. Or empty spaces work too! :) I recommend using physical dice with one of the EFF’s wordlists at https://lnkd.in/ec8hcGvK You can also use the Diceware Password Generator on this website: https://lnkd.in/eNEDSmty In my next post, I'll explain how to use your new 4-word passphrase with a password manager. Follow me if you want to read it, or if you are generally interested in relatable #cybersecurity content in your newsfeed. Is your password secure? Let me know in the comments. 👇👇👇 Additional references: https://lnkd.in/eYqMBnzE https://lnkd.in/eJxhvikR https://lnkd.in/gQzEgVfJ

Some versions of a popular open-source operating system got exploited and was *accidently discovered* noticing some odd behaviors, among which, is a millisecond delays in logins! The scale, buildup, and complexity of this exploit is just mind blowing and there are lots of lessons learned that auditors need to be aware of: - Don’t overlook minor discrepancies, the devil is in the details. - Incorporate Insider threat in risk analysis. - Maintain strong mindset and professional skepticism, if you believe something is wrong chase after it. - Be quick to act, especially in reporting vulnerabilities, the sooner the better. More about the exploit here: https://lnkd.in/dSUNMAdH Now think about this, if your desktop wallpaper does not immediately change to the one set by admins once connected to a secured private network; Should you be bothered? How are you going to handle this in your next IT audit?

Hello LinkedIn Friends and Associates! I'm venting but I am stuck in Password H311. My company has us change about every two months but we must select a very lengthy password, can not use a password vault and somehow the system determines if your password is close to a word or not. The frustration is not remembering the password. It is guessing what the system considers a word or sentence with all the random letters and symbols in it. F@LL1NGB@CKW@RD5 is too close to a word or phrase. I would choose random but I cant even cut and paste the password within the system to save it in a file somewhere. I know I'll eventually put it on a post it note somewhere to remember it. It must be at least 12 characters, no words or phrases, random assortment of letters and at least three numbers and three symbols. I completely understand zero trust. But having policies to not write the password down, not save it anywhere and use no mnemonics to remember it is starting to make the zero trust ensure users don't follow the rules because of ability not because of lack of wanting to comply. How do IT organizations faced with security develop this in a way that is easy for users to comply?

Garbage in, garbage out. Here we explore why data quality is fundamental to access recertification success. #cybersecurity #dataquality #informationsecurity

Not Ready To Call Us Just Yet? No problem! We still want to send you a copy of our recently published report, '21 Questions To Ask Before Hiring An IT Team.' Are you sure your financial service business isn't vulnerable to costly issues like lost data, viruses, hacker attacks, and other critical problems? Do you know your IT professional's policies, procedures, and service standards? This report provides crucial questions to ask your current IT provider. Simply fill out the form at https://lnkd.in/eGZdFYN9, and we'll send you a copy today! #ITReport #DataSecurity

A sweeping report analyzing #government software #security reveals that almost 60% contain vulnerabilities unpatched for over a year. Here are my top 3 takeaways: 1. More than half of critical vulnerabilities are due to dependence on 3rd party code 2. Unsurprisingly, large legacy apps contain most unpatched flaws 3. The US gov has introduced a new self-attestation agreement to push #accountability onto software providers #CISA #Veracode #breach #prevention #standards #cdnpoli

Garbage in, garbage out. Here we explore why data quality is fundamental to access recertification success. #cybersecurity #dataquality #informationsecurity