
7 Comments


  1. Sascha Wenninger
    • Your Windows password now works as an SAP logon. Do your password rules take that into account (i.e. are your Windows passwords strong enough)?

    This is one which has personally always scared me quite a bit. A number of years ago I was involved in a pen test in a large, global company. Basically a few guys turned up with some PCs, and were directed to a meeting room. Less than 24 hours later, they had full domain admin rights in Active Directory. If your SAP systems delegate authentication to AD, or worse delegate authorisations, it’s pretty much game over at that point. If you’re putting all eggs in one basket it had better be a good basket…

    Which reminds me, I’d like to add PasswordSafe to the list of password managers. I have been using it for years because it’s one of the few which are entirely open source. If I entrust all my passwords to a piece of software, I’d want to make sure it’s possible (for others) to see what the tool does under the covers.

  2. Susan Keohan

    Hi Frank,

    Thanks for the blog – I have been more interested in not linking accounts than ever before, mostly because of LI being hacked. I get irritated when I try to read an article, and FB wants to post it to my timeline, and I certainly don’t want to subject FB people to the stuff I do on Twitter or SCN.

    As for a password manager, it would certainly be helpful – but how secure are they?

    At least the yellow post-its can be locked in a drawer 😉

  3. Eric Peterson

    Great words on a huge and largely disregarded threat.  As a non-security person, this makes me want to read up on OAuth (I think that’s the technology) to know the details of how I sign-on with Twitter, and which party gets access to what data.

  4. Tom Van Doorslaer

    Not to forget the data leak of Facebook.

    Looks like security and privacy are becoming nothing more than a wonderful fantasy. (*cough* Prism)

    I used LastPass for a while, but it didn’t quite do the trick for me. Especially on service.sap.com, where you have many different domains to log into, LastPass kinda fails. When you then finally manage to store your OSS password on all domains in LastPass and you change your password, the fun starts all over.

    (Mind you, letting Google Chrome remember my passwords doesn’t cut it either.)

    So instead of being paranoid about my passwords, I just stick to a couple of pretty strong passwords (16 tokens, caps, special tokens, numbers, and nonsense) and I became more paranoid of whatever I put online.

    + I only link a few applications together with social sign-in.

    I keep most of my vital info on an external drive, which is encrypted.

  5. Chip Rodgers

    Excellent post, Frank! Thanks for the reminders and keeping us grounded in the real world of hacking, identity theft, and good PW practices.
