
In a recent blog post, Larry Walsh discusses and shows why passwords impose such a heavy load on support structures and can potentially be worse than viruses if managed poorly.

Interesting reading for security-conscious people, especially policy makers and system/network administrators.

As a preview of the official news, we are currently scheduled for two shows in the U.S. this year: the XChange '09 (August 17th-20th) in Washington D.C. and the Financial Technology Insight (September 30th-October 2nd) in Boston, MA.

Please drop me a line if you will attend and would like a special presentation of a particular application for our products. Of course, that also means our team will be in the U.S. at the time of the events, so that would also be a good time to schedule an in-company meeting.

I will probably have an "Events" calendar added to the site if things keep that busy in the future (I hope so!).

This last week a tragic event got into the main headlines around the world showing once more how fragile and insecure the old user and password authentication method can be.

In this case, however, a little help from some "alternative" authentication methods did help a lot, but using strong authentication would have prevented it altogether.

All the tech details about the event can be found in this excellent article.

Bruce Schneier wrote a post on his blog about this interesting scientific paper concerning passwords in the online world.

The simple conclusion: with all the 'new' attacks against passwords, those complex and difficult-to-remember sequences of lower case, upper case, numbers and special characters are having an increasingly lower impact on overall security.

It's time for stronger authentication methods.

ABSTRACT: We find that traditional password advice given to users is somewhat dated. Strong passwords do nothing to protect online users from password stealing attacks such as phishing and keylogging, and yet they place considerable burden on users. Passwords that are too weak of course invite brute-force attacks. However, we find that relatively weak passwords, about 20 bits or so, are sufficient to make brute-force attacks on a single account unrealistic so long as a "three strikes" type rule is in place. Above that minimum it appears that increasing password strength does little to address any real threat. If a larger credential space is needed it appears better to increase the strength of the user ID's rather than the passwords. For large institutions this is just as effective in deterring bulk guessing attacks and is a great deal better for users. For small institutions there appears little reason to require strong passwords for online accounts.

Greetings, Readers!

It is our pleasure to announce the creation of our blog!

Unlike the Press Releases and News, this blog will contain opinions, facts of interest and external links to articles and posts, made available by our company's key people in a direct and informal way.

Please feel free to comment and discuss.

Marco Poli

Informal blog with opinions, ideas, interesting facts and external links to articles and posts of interest.
