“Your password hygiene remains atrocious, says NordPass” https://www.theregister.com/2023/11/20/your_password_hygiene_is_still/ The problem is not that those silly passwords are still in broad use, but that the silly passwords are still in use for crucial business and organisation accounts. That’s not just because the truly valid alternatives are little known to the public…

A LinkedIn connection wrote to me wondering why they cannot find the services that allow them to register ‘biometrics + PIN’ in an ostensibly security-enhancing 2-layer formation. My answer was that biometrics is probabilistic, which means biometrics does not escape frequent False Rejection so long as False Acceptance Rate is…

“New Flaws in Fingerprint Sensors Let Attackers Bypass Windows Hello Login” https://www.theregister.com/2023/11/21/thirdparty_data_breach_at_canadian/ It reads “Enabling MFA across all accounts that are used for online transactions is also advised, as is the manual monitoring of personal accounts for any potential malicious activity.” There is no mention of how the MFA is…

“Canadian government data breach could date back to 1999” https://www.theregister.com/2023/11/21/thirdparty_data_breach_at_canadian/ It reads “Enabling MFA across all accounts that are used for online transactions is also advised, as is the manual monitoring of personal accounts for any potential malicious activity.” There is no mention of how the MFA is configured yet…

“Sumo Logic says customer data untouched during breach” https://www.theregister.com/2023/11/21/sumo_logic_security_breach/ The reports reads “Compromised AWS account led to fears that user info could have been exposed to cybercriminals” and the victims is said to have mentioned “It wasn’t able to confirm at the time whether customer data was compromised but did…

“A Spy Agency Leaked People’s Data Online — Then the Data Was Stolen” https://www.wired.com/story/ntmc-bangladesh-database-leak/ We could discuss the optimal remedy when the victims want a remedy. …

“Google Workspace weaknesses allow plaintext password theft” https://www.theregister.com/2023/11/15/google_workspace_weaknesses_allow_plaintext/ Judging from this report and others, they allow plaintext password theft on one hand and they are alleging that passwords are too vulnerable to theft in order to promote their passwordless solution on the other hand. And, even more cynical is that…

“NCSC: UK must work harder to secure critical infrastructure” https://www.theregister.com/2023/11/14/ncsc_cyber_readiness/ The report reads “NCSC says cyber-readiness of UK’s critical infrastructure isn’t up to scratch. And the world’s getting more and more dangerous”. I would further add “And we are witnessing the dangerous world getting made yet more dangerous from within”. Who are doing such a folly? — Those security professionals and big tech firms who are ignorant of or indifferent to the opposite security effects of MFA configured in a multi-layer formation and in a multi-entrance formation.

I was attracted to a negative comment about password managers on a LinkedIn post. I believe it is a pertinent judgement — Conventional password managers hinge on an encrypted ‘password vault’ which could be broken as soon as the decryption key for the encrypted vault gets leaked. The outcome would be catastrophic — a single point of failure is broken as if all the eggs put in a single basket are lost at once.