Friday, 4 February 2022

Passwords considered harmful

A client of mine has an extensive Cyber Security department.

Every 90 days they insist that I change my memorable password to another memorable password and then I spend the rest of the morning typing that new memorable password into various machines. They also use 2-stage authentication but as I'm asked to re-authenticate myself every few days I'm quite used to a random popup appearing and having to re-enter my credentials. I confess I don't check too carefully where this popup comes from; often it's difficult to tell anyway.

I like to think I run a fairly tight ship from a Cyber Security perspective too.

  • I use a hardened and regularly patched OpenWRT firewall (runs on an old wifi access point)
  • I encrypt the drives of machines that leave my office
  • I use ECDSA-256 to login to remote machines

The only time I enter a password is when I'm starting my laptop. The encrypted drive has private ECDSA keys which it uses to authenticate with the rest of the network and most of the Internet. In Cyber Security terms my password is the "root of trust" and thus only used sparingly.

If a popup appeared on my own desktop asking for my ECDSA private key I'm not sure where I'd start (copy and paste?), but I'd certainly know something funny is going on: that key never leaves the machine it's assigned to, and yes, different machines get different keys.
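The set-up described above, as an added example that is not the post's own code: a check that an sshd_config really refuses password logins (the weak and the hardened form side by side), plus the per-machine ECDSA-256 key generation. File paths and the two sample configs are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the post. Audits an sshd_config for settings
# that still accept passwords and shows the per-machine ECDSA-256 key the
# post describes. File paths and the sample configs are constructed here.

# Return 0 when sshd will only accept public-key logins, 1 otherwise.
# sshd uses the first occurrence of a keyword; commented lines ("#Keyword")
# do not match because "#" is part of the first field. Match blocks are not
# evaluated, so a "Match" section could still re-enable passwords.
sshd_keys_only() {
    cfg="$1"
    pw=$(awk 'tolower($1)=="passwordauthentication"{print tolower($2); exit}' "$cfg")
    kbd=$(awk 'tolower($1)=="kbdinteractiveauthentication"||tolower($1)=="challengeresponseauthentication"{print tolower($2); exit}' "$cfg")
    pub=$(awk 'tolower($1)=="pubkeyauthentication"{print tolower($2); exit}' "$cfg")
    # Unset keywords take sshd's defaults: passwords and keyboard-interactive
    # are both enabled unless explicitly turned off.
    if [ "${pw:-yes}" = "no" ] && [ "${kbd:-yes}" = "no" ] && [ "${pub:-yes}" = "yes" ]; then
        return 0
    fi
    return 1
}

# One ECDSA-256 key per machine, named after the host so it is obvious which
# key belongs where; the private key stays on the (encrypted) drive it was
# created on. Only runs when the script is invoked with --generate.
gen_machine_key() {
    host=$(uname -n)
    ssh-keygen -t ecdsa -b 256 -f "$HOME/.ssh/id_ecdsa_$host" -C "$(id -un)@$host"
}

# Constructed sample configs: a stock-looking file where the only "no" is
# commented out, and a hardened one with passwords actually switched off.
weak=$(mktemp); hardened=$(mktemp)
trap 'rm -f "$weak" "$hardened"' EXIT
cat > "$weak" <<'EOF'
Port 22
#PasswordAuthentication no
PubkeyAuthentication yes
EOF
cat > "$hardened" <<'EOF'
Port 22
PubkeyAuthentication yes
PasswordAuthentication no
KbdInteractiveAuthentication no
EOF

for f in "$weak" "$hardened"; do
    if sshd_keys_only "$f"; then echo "$f: key-only login"; else echo "$f: passwords still accepted"; fi
done
if [ "${1:-}" = "--generate" ]; then gen_machine_key; fi
```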

So my point? Please consider reducing your use of passwords: the more you use them the less secure they get.

https://www.ncsc.gov.uk/collection/passwords/updating-your-approach
