{"id":634,"date":"2013-05-16T20:32:11","date_gmt":"2013-05-16T19:32:11","guid":{"rendered":"http:\/\/www.halkynconsulting.co.uk\/a\/?p=634"},"modified":"2013-05-16T21:40:49","modified_gmt":"2013-05-16T20:40:49","slug":"passwords-are-not-bad-just-dont-trust-vendors","status":"publish","type":"post","link":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/","title":{"rendered":"Passwords are not bad, just dont trust vendors"},"content":{"rendered":"<figure id=\"attachment_640\" aria-describedby=\"caption-attachment-640\" style=\"width: 300px\" class=\"wp-caption alignright\"><img loading=\"lazy\" decoding=\"async\" data-attachment-id=\"640\" data-permalink=\"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/04_04_4_a7\/\" data-orig-file=\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?fit=1200%2C800&amp;ssl=1\" data-orig-size=\"1200,800\" data-comments-opened=\"1\" data-image-meta=\"{&quot;aperture&quot;:&quot;7.32&quot;,&quot;credit&quot;:&quot;&quot;,&quot;camera&quot;:&quot;FinePixS1Pro&quot;,&quot;caption&quot;:&quot;&quot;,&quot;created_timestamp&quot;:&quot;995372793&quot;,&quot;copyright&quot;:&quot;&quot;,&quot;focal_length&quot;:&quot;183&quot;,&quot;iso&quot;:&quot;400&quot;,&quot;shutter_speed&quot;:&quot;0&quot;,&quot;title&quot;:&quot;&quot;}\" data-image-title=\"Entering Passwords\" data-image-description=\"&lt;p&gt;Passwords are far from ready to die yet.&lt;\/p&gt;\n\" data-image-caption=\"&lt;p&gt;Passwords are far from ready to die yet.&lt;\/p&gt;\n\" data-medium-file=\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?fit=300%2C200&amp;ssl=1\" data-large-file=\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?fit=1024%2C682&amp;ssl=1\" class=\"size-medium wp-image-640\" alt=\"Passwords are far from ready to 
die yet.\" src=\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7-300x200.jpg?resize=300%2C200\" width=\"300\" height=\"200\" srcset=\"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?resize=300%2C200&amp;ssl=1 300w, https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?resize=1024%2C682&amp;ssl=1 1024w, https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?resize=120%2C80&amp;ssl=1 120w, https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7.jpg?w=1200&amp;ssl=1 1200w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" data-recalc-dims=\"1\" \/><figcaption id=\"caption-attachment-640\" class=\"wp-caption-text\">Passwords are far from ready to die yet.<\/figcaption><\/figure>\n<p>Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. 
As with all these claims, it is worth looking at them in greater detail before we give up on one of the most cost-effective methods for getting a certain level of assurance around someone&#8217;s identity.<\/p>\n<p><a title=\"PayPal security boss: OBLITERATE passwords from THE PLANET\" href=\"http:\/\/www.theregister.co.uk\/2013\/05\/10\/paypal_password_obliterate\/\" target=\"_blank\">The Register reported<\/a> PayPal&#8217;s Chief Information Security Officer (CISO) Michael Barrett speaking as a representative of the Fast Identity Online (FIDO) Alliance, saying:<\/p>\n<blockquote><p>Our [FIDO&#8217;s] intention is to really obliterate, within a certain number of years, both passwords and PINs and see the whole internet \u2014 including internally in enterprises \u2014 obliterate user IDs and passwords and PINs from the face of the planet.<\/p><\/blockquote>\n<p>This is interesting and may appear to be a worthy goal, but we strongly disagree.<\/p>\n<h1>Quick primer on passwords and how you should use them<\/h1>\n<h2>What are passwords?<\/h2>\n<p>First off, as a bit of quick background, passwords are one type of &#8220;Single Factor Authentication&#8221; and, often combined with a User ID (name, number, email address, whatever), are used to authenticate a user to a service. Other types of single factor would be fingerprints, retina scans, smart cards and the like. 
When you combine these factors you get &#8220;Multi-factor Authentication&#8221; and this is often what most people talk about for replacing passwords.<\/p>\n<p>Single factor authentication gives a basic level of assurance that the person is who they say they are. In situations where this is insufficient you should add additional layers, but bear in mind that this increases cost and complexity, and a poor installation is often worse than no authentication at all.<\/p>\n<p>Generally, the more importance you place on knowing &#8220;who&#8221; the person you are interacting with is, the more factors you should use, but you must use them properly.<\/p>\n<p>Keep this in mind: <strong>If you implement your authentication badly, it doesn&#8217;t matter how many factors you use<\/strong>.<\/p>\n<h2>Are passwords bad?<\/h2>\n<p>The simple answer is &#8220;No.&#8221; Passwords are not inherently bad and the use of passwords (or more properly an ID &amp; Password) for authentication is perfectly reasonable for 99.999% of the situations where they are deployed. In our consulting work, we encounter more situations where people have used more factors than they need than situations where they haven&#8217;t used enough.<\/p>\n<h3>Are some passwords bad?<\/h3>\n<p>Possibly. 
Various security &amp; IT related websites will regularly announce how &#8220;password&#8221; or &#8220;123456&#8221; are the most common passwords (such as in <a title=\"Lame Passwords are still rife\" href=\"http:\/\/www.theregister.co.uk\/2012\/12\/03\/lame_passwords_still_rife\/\" target=\"_blank\">this article on the Register<\/a>), often implying this is why passwords are inherently broken and how users can&#8217;t be trusted to select stronger passwords.<\/p>\n<p>It is certainly true that using &#8220;common&#8221; or easily guessed passwords is a bad idea, and it can significantly increase the ease with which a malicious party (hacker, spy, jealous co-worker, whatever) can compromise your password, but this is normally going to be a weakness in how the authentication is implemented, rather than in the actual password itself.<\/p>\n<p>A &#8220;bad&#8221; password is really one which can be broken by an attacker and, while this is a simple statement, the practicality is a bit more involved. If you have a login screen which allows three attempts before lockout, it is unlikely that the malicious user is going to get to &#8220;Monkey&#8221; (number 6 on the list) before the account has locked &#8211; and if &#8220;monkey&#8221; is different from &#8220;Monkey&#8221; in the system then you can be reasonably sure it won&#8217;t fail when attacked.<\/p>\n<p>Another issue with bad passwords is that we often look at them the wrong way round. When you see a password written down as &#8220;zaq12wsx&#8221;, it can be easy to realise this is obvious from the left-hand side of a UK keyboard, but unless the attacker has this knowledge they need to cycle through billions of possible other combinations.<\/p>\n<h2>What makes a good password?<\/h2>\n<p>With passwords two things are important &#8211; length and complexity. More of either is good and more of both is better. 
A long password will be difficult enough to compromise that most attackers will give up &#8211; as an example, a 15 character password made from single case letters will take about 53,000 years to crack (<a title=\"Password Recovery Speeds\" href=\"http:\/\/www.lockdown.co.uk\/?pg=combi\" target=\"_blank\">source<\/a>). If you make it complex (mix of upper and lower case, numbers and other keyboard characters) you can make it even harder.<\/p>\n<p>Unfortunately, sometimes systems are badly designed and enforce shorter password sequences &#8211; this is where complexity becomes much more important and the use of random generators becomes worthwhile. Despite what you may think, humans are terrible at thinking up random passwords and even worse when it comes to recognising them.<\/p>\n<p>Interestingly, once you move out of the most glaringly obvious passwords (e.g. &#8220;1234&#8221;) it\u00a0doesn&#8217;t\u00a0really matter if you use a random generator or not, as the attacker is still going to have to brute force the keyspace to work out what your password is. 
This means that to an attacker &#8220;easypwd1&#8221; is just as hard (or easy) to compromise as &#8220;t8yuas1e&#8221; &#8211; even though the first one looks like it should be trivial to crack.<\/p>\n<p>Keep this in mind when you visit sites that offer to rate your password strength or when security professionals try to lecture you on how passwords are broken.<\/p>\n<p>The important thing for a password is keyspace, which is, as we said, driven by length and complexity; randomness is a distant second (or third) unless your attacker has access to whatever process you use to invent your password.<\/p>\n<h2>Can you give us an example of good passwords?<\/h2>\n<p>Possibly, but remember that once they are printed on the internet, they are likely to end up in a dictionary list somewhere, so rather than search for a password you want to use, take the advice here and use it to construct your own.<\/p>\n<figure style=\"width: 355px\" class=\"wp-caption alignright\"><a href=\"http:\/\/xkcd.com\/936\/\"><img loading=\"lazy\" decoding=\"async\" class=\" \" title=\"Password Strength - xkcd.com\" alt=\"Password Strength - xkcd.com\" src=\"https:\/\/i0.wp.com\/imgs.xkcd.com\/comics\/password_strength.png?resize=355%2C289\" width=\"355\" height=\"289\" data-recalc-dims=\"1\" \/><\/a><figcaption class=\"wp-caption-text\">Password Strength &#8211; xkcd.com<\/figcaption><\/figure>\n<p>Good passwords are long and complex, but length is the most important, so the oft-posted advice from <a title=\"Password Strength\" href=\"http:\/\/xkcd.com\/936\/\" target=\"_blank\">XKCD.com<\/a> works here.<\/p>\n<p>Don&#8217;t fixate on trying to come up with impossible-to-remember strings of what you think are random letters and numbers &#8211; cracking tools will easily bypass most things you can invent.<\/p>\n<p>Instead, use sentences with spaces and relevant capital letters. 
If you must use symbols (company password policy rules etc.) then you can add them or replace letters with them, but remember to keep it long. As passwords go, &#8220;This is my massively long password with little complexity&#8221; is harder to crack than &#8220;ExdYx4G53PmXSH&#8221; and you are only likely to remember one of them. Obviously, if it is a service you have to authenticate to frequently, you might not want such a long password, or you may need to improve your typing speed.<\/p>\n<h3>Should you write passwords down?<\/h3>\n<p>This may come as a shock, but there is no automatic reason why you shouldn&#8217;t write your password down; in a work environment, however, you may have rules about what you can and can&#8217;t do.<\/p>\n<p>It all boils down to what your threat assessment says &#8211; unfortunately, when it comes to passwords, too many people fall into the trap of blindly following default rules no matter what the situation is.<\/p>\n<p>For people who are responsible for developing password policy, ask yourself if your threat actors really do have the ability to read passwords written down on post-it notes next to your employees&#8217; monitors. If your main threat is internet-based script kiddies, then they are not going to find someone to come and work as a janitor in your offices so they can desk surf for passwords to your corporate Facebook account. Seriously.<\/p>\n<p>Every security decision you make must be based on a realistic threat and risk assessment, otherwise it is pointless.<\/p>\n<h1>So, what is the problem with Passwords?<\/h1>\n<p>Passwords are far from perfect. If nothing else they are but a single factor of authentication, and that implies there is only a certain amount of trust you can ever give them. 
Passwords also have a long history, so people tend to take them for granted and feel that because so much else has changed, it must mean passwords are &#8220;old fashioned&#8221; now.<\/p>\n<p>This is combined with lots of high-profile cracks of various databases and regular news items about how a whole directory of passwords has been dumped on <a title=\"Pastebin\" href=\"http:\/\/pastebin.com\/\" target=\"_blank\">Pastebin<\/a> or similar sites.<\/p>\n<h2>Is it all bad?<\/h2>\n<p>No, far from it. Few, if any, corporate security breaches are the result of hackers directly compromising a user password (more on that in a bit). Unless you are a famous celebrity on Twitter, the chances are no one is going to bother even trying to guess your password, let alone actually manage it.<\/p>\n<h2>So how do the hacks happen?<\/h2>\n<p>The overwhelming majority of hacks are the result of other techniques (such as <a title=\"SQL injection - OWASP\" href=\"https:\/\/www.owasp.org\/index.php\/SQL_Injection\" target=\"_blank\">SQL injection<\/a>) which then allow the attackers to get a dump of the password file for offline attack. This is frequently what makes the news and has nothing at all to do with passwords being unfit for purpose.<\/p>\n<p>There are still some instances where attackers can subvert a password implementation but, again, nearly every instance is actually the result of something being fundamentally wrong in how the passwords are used.<\/p>\n<h2>How do you implement passwords badly?<\/h2>\n<p>For the user, passwords should be easy. 
For the system owner \/ manager, passwords should also be easy to implement (they come built into pretty much every operating system in the world), but this is frequently where things go wrong.<\/p>\n<p>If you have a system which requires user authentication, you need to make sure you implement it properly.<\/p>\n<p>This means things like not allowing unlimited attempts, not sending passwords in plain text over the internet, not storing passwords in clear text and not allowing trivial bypasses of your authentication steps. All of these are easily avoidable, yet account for almost all the reasons why passwords (and user identities) fall into the hands of hackers.<\/p>\n<p>None of this shows passwords themselves are a bad choice of single factor authentication; poor implementation will undermine any technology choice. If anything, poor implementation of other authentication methods (or multi-factor authentication) is going to be worse because it undermines a greater assumed trust.<\/p>\n<h1>So, why are passwords in the news all the time?<\/h1>\n<p>Normally, this happens when a product vendor decides to announce their new, all-singing, all-dancing smartcard, fingerprint reader or retinal scan device.<\/p>\n<p>The recent Register article is a good example: FIDO is looking to produce an authentication device that they would like you to spend money purchasing and implementing, so it is in their best interests to remind people about the &#8220;weaknesses&#8221; of passwords.<\/p>\n<p>Unfortunately no device overcomes the fundamental problems with poor implementations; they just become expensive ways to create a device management nightmare.<\/p>\n<p>Smartcard and fingerprint readers appear to be good, but at some stage your data has to be encrypted and sent to the server for authentication &#8211; if this is done badly, it opens a clear attack channel and gives the hacker a massively enhanced level of authentication on your network.<\/p>\n<p>Devices (smartcards, 
scanners etc.) have to be managed so you can trust what is coming in from the other end. If a hacker has your device they can spend months working out how it encodes authentication data and then use this to attack you. Token devices that get lost have to be withdrawn and replaced. You even have to consider how the user authenticates to their device in the first place.<\/p>\n<p>All of this creates a huge headache and is off-putting for most (non-governmental) organisations, so it is understandable that there is a commercial need to play down the utility of passwords as a single authentication factor, and if they can make customers scared of anyone who doesn&#8217;t use multi-factor authentication, all the better.<\/p>\n<p>But, do you really want a product vendor to do your risk assessment for you? Should you listen to the vendor when they tell you what is, or isn&#8217;t, good for your network? I would suggest not, but you might have more money than you know what to do with.<\/p>\n<p><strong>The bottom line is security must always be driven by a threat-based risk assessment and you should never, ever, trust a product vendor to do this on your behalf.<\/strong><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. 
As with all these claims, it is worth looking at them in greater detail before we give up on of the [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"footnotes":"","jetpack_publicize_message":"","jetpack_is_tweetstorm":false,"jetpack_publicize_feature_enabled":true},"categories":[5,3],"tags":[23,24,45,11,6,53,20,140,19],"class_list":["post-634","post","type-post","status-publish","format-standard","hentry","category-security","category-securitynews","tag-business-protection","tag-data-protection","tag-encryption","tag-hacking","tag-infosec","tag-passwords","tag-risk-management","tag-security","tag-srm","entry"],"jetpack_publicize_connections":[],"yoast_head_json":{"title":"Passwords are not bad, just dont trust vendors for your security.","description":"Paypal's CISO claims passwords should be made obsolete, but used properly they are an excellent cost effective authentication.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/","og_locale":"en_GB","og_type":"article","og_title":"Passwords are not bad, just dont trust vendors for your security.","og_description":"Passwords are in the news again, with yet another headline crying out for the death of the password and claiming that everyone should move to two factor authentication (2FA) for all their online activities. 
As with all these claims, it is worth looking at them in greater detail before we give up on of the single most cost effective methods for getting a certain level of assurance around someone's identity.","og_url":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/","og_site_name":"Halkyn Security Blog","article_published_time":"2013-05-16T19:32:11+00:00","article_modified_time":"2013-05-16T20:40:49+00:00","og_image":[{"url":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2013\/05\/04_04_4_a7-300x200.jpg"}],"author":"Taz Wake - Halkyn Security","twitter_card":"summary_large_image","twitter_creator":"@https:\/\/twitter.com\/tazwake","twitter_site":"@HalkynSecurity","twitter_misc":{"Written by":"Taz Wake - Halkyn Security","Estimated reading time":"10 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/#article","isPartOf":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/"},"author":{"name":"Taz Wake - Halkyn Security","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/6eb0b544119827df120fb596772d25bc"},"headline":"Passwords are not bad, just dont trust vendors","datePublished":"2013-05-16T19:32:11+00:00","dateModified":"2013-05-16T20:40:49+00:00","mainEntityOfPage":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/"},"wordCount":2091,"commentCount":2,"publisher":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization"},"keywords":["Business Protection","Data Protection","Encryption","Hacking","Information Security","Passwords","Risk Management","Security","Security Risk Management"],"articleSection":["Security","Security 
News"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/#respond"]}]},{"@type":"WebPage","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/","url":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/","name":"Passwords are not bad, just dont trust vendors for your security.","isPartOf":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#website"},"datePublished":"2013-05-16T19:32:11+00:00","dateModified":"2013-05-16T20:40:49+00:00","description":"Paypal's CISO claims passwords should be made obsolete, but used properly they are an excellent cost effective authentication.","breadcrumb":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/"]}]},{"@type":"BreadcrumbList","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/2013\/05\/passwords-are-not-bad-just-dont-trust-vendors\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Halkyn Security","item":"http:\/\/www.halkynconsulting.co.uk\/a\/"},{"@type":"ListItem","position":2,"name":"Security","item":"http:\/\/www.halkynconsulting.co.uk\/a\/category\/security\/"},{"@type":"ListItem","position":3,"name":"Passwords are not bad, just dont trust vendors"}]},{"@type":"WebSite","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#website","url":"http:\/\/www.halkynconsulting.co.uk\/a\/","name":"Halkyn Security Blog","description":"Specialist Security &amp; Risk Management 
Consultants","publisher":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"http:\/\/www.halkynconsulting.co.uk\/a\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#organization","name":"Halkyn Consulting","url":"http:\/\/www.halkynconsulting.co.uk\/a\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/","url":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1","contentUrl":"https:\/\/i0.wp.com\/www.halkynconsulting.co.uk\/a\/wp-content\/uploads\/2011\/07\/Untitled-1.png?fit=990%2C170&ssl=1","width":"990","height":"170","caption":"Halkyn Consulting"},"image":{"@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.linkedin.com\/company\/2329571","https:\/\/twitter.com\/HalkynSecurity"]},{"@type":"Person","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/6eb0b544119827df120fb596772d25bc","name":"Taz Wake - Halkyn Security","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"http:\/\/www.halkynconsulting.co.uk\/a\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/6689803eeae3e16b54fab3a7a1dfd1a5ee70f3ca1a83e77278a1b1adfedc4260?s=96&d=retro&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/6689803eeae3e16b54fab3a7a1dfd1a5ee70f3ca1a83e77278a1b1adfedc4260?s=96&d=retro&r=g","caption":"Taz Wake - Halkyn Security"},"description":"Certified Information Systems Security Professional with over 19 years experience providing in-depth security risk management advice to government and private sector organisations. Experienced in assessing risks, and producing mitigation plans, worldwide in both peaceful areas and war zones. 
Additionally, direct experience carrying out investigations into security lapses, producing evidential standard reports and conducting detailed interviews to ascertain the details of the incident. Has a detailed understanding of the Security Policy Framework (SPF) and JSP440, as well as in depth expertise in producing cost-effective solutions in accordance with legislative and regulatory guidelines. Experienced in accrediting establishments and networks as well as project managing the development of secure, compliant, workable business processes.","sameAs":["http:\/\/www.halkynconsulting.co.uk","https:\/\/twitter.com\/https:\/\/twitter.com\/tazwake"],"url":"http:\/\/www.halkynconsulting.co.uk\/a\/author\/tazwake\/"}]}},"jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"jetpack_shortlink":"https:\/\/wp.me\/p9yHvD-ae","jetpack_likes_enabled":true,"_links":{"self":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/634","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/comments?post=634"}],"version-history":[{"count":30,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/634\/revisions"}],"predecessor-version":[{"id":665,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/posts\/634\/revisions\/665"}],"wp:attachment":[{"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/media?parent=634"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/categories?post=634"},{"taxonomy":"post_tag","embeddable":true,"href":"http:\/\/www.halkynconsulting.co.uk\/a\/wp-json\/wp\/v2\/ta
gs?post=634"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}