Posts Tagged ‘useable-sec’

Usable Sec: No rights to your data

If a company has collected an American user’s personal data without their consent, how can the user respond?
They can’t — they have no rights to their data.

Usable Sec: Smudge Attacks (Mobile device hacking attack vector)

The attack is most effective after the phone has been held against the face during a phone call.

Source: https://www.usenix.org/legacy/event/woot10/tech/full_papers/Aviv.pdf

Touch screens are an increasingly common feature on personal computing devices, especially smartphones, where size and user interface advantages accrue from consolidating multiple hardware components (keyboard, number pad, etc.) into a single software definable user interface. Oily residues, or smudges, on the touch screen surface, are one side effect of touches from which frequently used patterns such as a graphical password might be inferred.


Usable Sec: Making secure passwords that are useable

To make usable passwords we need to look at them differently. First of all, use words you can remember: something simple that you can type fast.

Like these:

Image1

Using more than one simple word as your password increases your security substantially (from 3 minutes to 2 months). But by simply using 3 words instead of two, you suddenly get an extremely secure password.

Cracking such a three-word password takes:

  • 1,163,859 years using a brute-force method
  • 2,537 years using a common word attack
  • 39,637,240 years using a dictionary attack

It is 10 times more secure to use “this is fun” as your password than “J4fS<2”.

If you want to be insanely secure, simply choose uncommon words as your password – like:

Image2

A usable and secure password is then not a complex one. It is one that you can remember – a simple password using 3+ words.

Usable Sec: Comparison of PW Cracking Time

Image

Source: https://www.baekdal.com/insights/password-security-usability

Usable Sec: Principle of Least Privilege

From Wikipedia:

In information security, computer science, and other fields, the principle of least privilege (also known as the principle of minimal privilege or the principle of least authority) requires that in a particular abstraction layer of a computing environment, every module (such as a process, a user or a program depending on the subject) must be able to access only the information and resources that are necessary for its legitimate purpose.

searchsecurity.techtarget.com:

The principle of least privilege (POLP) is the practice of limiting access to the minimal level that will allow normal functioning. Applied to employees, the principle of least privilege translates to giving people the lowest level of user rights that they can have and still do their jobs.