The Law Offices of Mary N. Chaney, P.L.L.C.
The Cyber Security Law Firm of Texas

Mary's Blog

The Breach Whisperer

About Mary

Mary N. Chaney, Esq., CISSP® is a former Special Agent for the FBI where she investigated cybercrime, a seasoned corporate executive that built and operated information security teams and now a cybersecurity attorney.

As a self-described “Breach Whisperer”, our firm can train your company to properly prepare for your eventual breach!

The overall goal of our firm is to use our wealth of knowledge and expertise to support, translate for and advise Boards of Directors, CIOs, CISOs and General Counsel on how to legally protect their company from cyber-related risk.

Blog Entries


Microsoft's CISO Wants To Eliminate Passwords

See Article Here

In the attached article, Microsoft’s CISO Bret Arsenault discusses why he is moving Microsoft users away from passwords. He notes that hackers still get effective use out of “password spraying,” which he describes as “an old-school method, where an attacker tries to access a huge number of accounts at once using some of the most commonly used passwords.” He suggests the only way to effectively defend against this type of attack is to get rid of passwords. He may have a point; passwords are grossly ineffective, especially when used as the only form of authentication. But it got me wondering: eliminating passwords is certainly a great thing to do from an asset or network authentication perspective to protect the company, but if we are truly to live in a password-less society, there is still a lot to be done from an application perspective before we can completely move away from them.

I have used biometrics to access my personal laptops for years, but I still have to authenticate with a user name and password on practically every site I visit; the exception, of course, is my phone, where many mobile applications, from some of the same sites, incorporate fingerprint or facial recognition features. The average end user will still have plenty of passwords to remember. In addition, I think there will always be a need for a backup authentication method, which I think would still be a user name and password. I can’t tell you how many times my hardware has failed and I needed that user name and password to access my device.

Bottom line: I am certain that passwords are ineffective, and end users at times can be lazy, creating easily guessable passwords that put the entire network at risk. However, we still have a long way to go before eliminating our conditioning and dependence on them.