DEV Community

loading...

Discussion on: How hackers steal your keys and secrets

Collapse
omerxx profile image
Omer Hamerman Author

I actually agree with 100% of your points and it makes me think whether I should sharpen my message;
I'm discussing mostly software teams and companies (obviously not only but that's the target audience). With that in mind, I address both personal user passwords and authentication keys.
To answer your points directly:

  • Password complexity - completely right, when I talk about complexity it's important to stress the importance of length rather than complexity. I would argue however, that everyone are far better off with a personal password manager like 1Password instead of managing their own passwords. That's another key point when talking about rotation.

  • MFA - again, correct, this is brought in the context of web login profiles for the 3rd party services team use daily. This is most certainly not a replacement for a password but an extra layer of security. And again - the context is a password leaking out. MFA in that context makes it usually useless.

Summing up, yes, of course, everything should be done with reason. In my experience, 99% of the teams need the push towards better security strategy rather than limiting the layers of protection they put on their processes. That being said, it's a great and important discussion which I must agree with. TBH just thinking about it raises some cases I've dealt with before, mainly in large organizations where the authentication processes and policies were so extremely hard that it actually did hurt productivity and progress.

Thank you for taking the time to read and respond!

Collapse
codemouse92 profile image
Jason C. McDonald

Thanks for your response! I agree with you as well.

I'd add one thing to the topic of password managers: while you should definitely use one, it's best to still use phrase-based passwords that can be entered reasonably by a human. There are still times that situation occurs in the real world, as much as we like to pretend our password manager will always work perfectly. This is particularly true of central accounts like GitHub and email.

Besides that, you really should keep a copy of your most important passwords and keys on paper in a fire safe, in case of electronic catastrophe, or your own untimely demise.

In other words, the one time you need to enter your password by hand is the one time you're going to regret an esoteric password. false-overspend-foe-float-stack is going to be a better password for human use than 3FaqtgSr2T9pgVJRwGxauzDmn, as just as secure. (Bonus, you have a realistic chance to spot when the former is wrong or outdated.)

If websites are still demanding their numbers and special characters, you can incorporate a consistent pattern unique to you. Numbers and symbols don't actually reduce the probability of cracking as once thought, so merely adding them to the phrase you would have used is perfectly fine; it's the phrase that's the secret, ultimately.

Thread Thread
omerxx profile image
Omer Hamerman Author

Again - 100% :)
I remember a really good post explaining what you just mentioned scientifically, in terms of computation complexity and comparing short complex passwords to long sensible strings.
I'd try to find it and maybe add it here.

Thanks again!

Thread Thread
omerxx profile image
Omer Hamerman Author

I'd be happy to quote some of your responses and incorporate in the post. I think they're extremely valuable to the readers!
With credit of course. Would that be okay with you?

Thread Thread
codemouse92 profile image
Jason C. McDonald

Go for it! Thanks.