
A longer password is more secure. It's just common sense, right? Increasing the length of a password means there are more combinations available. That in turn means a brute force attack, in which someone uses an automated system to try every combination in an effort to crack the code, will take longer. Security experts generally agree that a password of eight characters is too easy to crack with the help of readily available hardware like the GPU in a gaming PC. Using an Nvidia RTX 4090, for example, Hive Systems calculated that it would take less than an hour to blast through every possible 8-character combination of letters (capital and lowercase), numbers, and symbols. That's twice as fast as a mainstream graphics card from two years ago, in yet another example of Moore's Law in action.

So, if eight characters is too short, how long is long enough? Is there a magic number? Security experts don't agree on the exact number, I discovered in a review of published recommendations from a wide range of sources. But they have reached a broad consensus: at least 12 characters, but more is better. And maybe a passphrase consisting of four or more random words is best of all. Every expert we surveyed agreed that increasing the length of a password is much more important than adding complexity requirements, such as mandating the use of numbers, letters, and symbols. But even more important is ensuring that the password is truly random. Add all that together and you get a measurement called entropy, expressed in bits, which quantifies how hard a password is to guess: each additional bit doubles the number of guesses an exhaustive search needs. An attacker who can make educated guesses is likely to make short work of breaking a low-entropy password based on your dog's name and the year you were born; a truly random password assigned by a password manager is much more of a challenge.

But how long? In an article at the Infosec Institute website, Daniel Brecht examines "Password security: Complexity vs. length," and makes a case for 12 characters being a good starting point:

That's not just a random recommendation, either. Bitwarden's advice is derived from a National Institute of Standards and Technology (NIST) publication, NIST SP 800-63B, Digital Identity Guidelines, which notes, "Users should be encouraged to make their passwords as lengthy as they want, within reason. Since the size of a hashed password is independent of its length, there is no reason not to permit the use of lengthy passwords (or pass phrases) if the user wishes."

Meanwhile, rival 1Password has a similar take in their blog post, which confidently asserts, "This is how long your passwords should be": "1Password's default generated password length is 19 or 20 characters, depending on the version. But that's actually overkill! When a password is properly generated, 11–15 characters will provide more than enough protection for the everyday user."

The folks at NordPass tackle the question with math, concluding that "ideally you'll want [a secure password] to be a minimum of 12 characters. … If you really want to future-proof yourself, 16 characters is truly the best and most realistic length you'll likely be able to rely on, but more is even better."

In fact, that broad consensus has made it to Windows, where a Microsoft Support article, "Create and use strong passwords," includes these basic password recommendations:

The privacy-focused folks at Proton (makers of Proton Mail) argue that a password composed of 15 characters generated randomly by a password manager should be "out of reach of modern computing capabilities." Or maybe you shouldn't use a password at all, they conclude: "If you want to create a strong password (http://proton.me/blog/how-to-create-a-strong-password) using a series of words (a 'passphrase'), most info security firms recommend using at least four words that aren't very common. As more people switch to passphrases, however, hackers will get better at cracking them."

Maybe you shouldn't worry about how many letters are in your password. Maybe the real question is how many words are in your passphrase. Just don't use "correct horse battery staple." That one's been taken. Follow this and more on OUR FORUM.
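The entropy arithmetic behind the recommendations above, as an added example that is not part of the original article or of any of the vendors it quotes. It computes bits of entropy for a uniformly random password of a given length and alphabet and for a diceware-style passphrase, converts that to an exhaustive-search time at an assumed guess rate (the rate is a placeholder, not Hive Systems' benchmark), and generates both kinds of secret from the operating system's CSPRNG. The 12-entry word list is a constructed stand-in; a real diceware list has 7776 words, which is the figure used in the entropy table.

```python
import math
import secrets
import string

# Added example, not from the original article or any password-manager vendor.
FULL_CHARSET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols
DICEWARE_SIZE = 7776  # size of a standard diceware word list

# Constructed stand-in for a diceware-style word list (far too small for real use).
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "granite", "kettle",
                "orbit", "plover", "saffron", "tundra", "velvet", "walrus"]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of a string of `length` symbols drawn uniformly from an alphabet.
    For a passphrase the 'alphabet' is the word list and `length` is the word count."""
    return length * math.log2(alphabet_size)


def crack_time_seconds(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to exhaust a keyspace of 2**bits at the given guess rate.
    On average an attacker finishes in half this time."""
    return 2.0 ** bits / guesses_per_second


def generate_password(length: int, alphabet: str = FULL_CHARSET) -> str:
    """Random password from a CSPRNG. Never use the `random` module for secrets."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def generate_passphrase(words: int, wordlist=SAMPLE_WORDS, sep: str = " ") -> str:
    """Random passphrase: `words` words drawn uniformly, with replacement, from the list.
    Entropy is words * log2(len(wordlist)), so the list size matters as much as the count."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def compare(guesses_per_second: float = 1e10):
    """Tabulate entropy and exhaustive-search time for the schemes the article discusses.
    The default guess rate is an assumed placeholder, not a measured GPU figure."""
    schemes = {
        "8 chars, letters+digits+symbols": entropy_bits(len(FULL_CHARSET), 8),
        "12 chars, lowercase only": entropy_bits(26, 12),
        "12 chars, letters+digits+symbols": entropy_bits(len(FULL_CHARSET), 12),
        "16 chars, letters+digits+symbols": entropy_bits(len(FULL_CHARSET), 16),
        "4 diceware words": entropy_bits(DICEWARE_SIZE, 4),
        "6 diceware words": entropy_bits(DICEWARE_SIZE, 6),
    }
    return {name: (round(bits, 1), crack_time_seconds(bits, guesses_per_second))
            for name, bits in schemes.items()}


if __name__ == "__main__":
    for name, (bits, secs) in compare().items():
        print(f"{name:34s} {bits:6.1f} bits  {secs / (86400 * 365.25):.3g} years")
    print("password  :", generate_password(16))
    print("passphrase:", generate_passphrase(4),
          f"(only {entropy_bits(len(SAMPLE_WORDS), 4):.1f} bits from the 12-word stand-in list)")
```

Two things the table makes visible that the prose only asserts: twelve random lowercase letters already beat eight characters drawn from the full printable set, which is why length matters more than complexity rules, and four words from a 7776-word list land in the same neighbourhood as an 8-character full-charset password, so "four or more" is the floor rather than a comfortable target.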

When you buy a TV streaming box, there are certain things you wouldn't expect it to do. It shouldn't secretly be laced with malware or start communicating with servers in China when it's powered up. It definitely should not be acting as a node in an organized crime scheme making millions of dollars through fraud. However, that's been the reality for thousands of unknowing people who own cheap Android TV devices. In January, security researcher Daniel Milisic discovered that a cheap Android TV streaming box called the T95 was infected with malware right out of the box, with multiple other researchers confirming the findings. But it was just the tip of the iceberg.

This week, cybersecurity firm Human Security is revealing new details about the scope of the infected devices and the hidden, interconnected web of fraud schemes linked to the streaming boxes. Human Security researchers found seven Android TV boxes and one tablet with the backdoors installed, and they've seen signs of 200 different models of Android devices that may be impacted, according to a report shared exclusively with WIRED. The devices are in homes, businesses, and schools across the US. Meanwhile, Human Security says it has also taken down advertising fraud linked to the scheme, which likely helped pay for the operation. "They're like a Swiss Army knife of doing bad things on the Internet," says Gavin Reid, the CISO at Human Security who leads the company's Satori Threat Intelligence and Research team. "This is a truly distributed way of doing fraud." Reid says the company has shared details of facilities where the devices may have been manufactured with law enforcement agencies.

Human Security's research is divided into two areas. The first, Badbox, involves the compromised Android devices and the ways they are used in fraud and cybercrime. The second, dubbed Peachpit, is a related ad fraud operation involving at least 39 Android and iOS apps. Google says it has removed the apps following Human Security's research, while Apple says it has found issues in several of the apps reported to it.

First, Badbox. Cheap Android streaming boxes, usually costing less than $50, are sold online and in brick-and-mortar shops. These set-top boxes are often unbranded or sold under different names, partly obscuring their source. In the second half of 2022, Human Security says in its report, its researchers spotted an Android app that appeared to be linked to inauthentic traffic and connected to the domain flyermobi.com. When Milisic posted his initial findings about the T95 Android box in January, his research also pointed to the flyermobi domain. The team at Human purchased the box and multiple others, and started diving in. In total the researchers confirmed eight devices with backdoors installed: seven TV boxes (the T95, T95Z, T95MAX, X88, Q9, X12PLUS, and MXQ Pro 5G) and a tablet, the J5-W. (Some of these have also been identified by other security researchers looking into the issue in recent months.) The company's report, which has data scientist Marion Habiby as its lead author, says Human Security spotted at least 74,000 Android devices showing signs of a Badbox infection around the world, including some in schools across the US. More details available on OUR FORUM.
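The one indicator the report gives a defender to act on is the flyermobi.com domain, so here is a small DNS-log check for it, added as an example; it is not Human Security's or Milisic's tooling. It reads dnsmasq-style query lines (the sample below is constructed, with made-up client addresses and hostnames), matches each queried name against the indicator on a DNS label boundary, and reports which LAN clients resolved it. The label-boundary test matters: a plain substring match would flag a look-alike such as notflyermobi.com and miss nothing, but it would also fire on any unrelated name that happens to embed the indicator.

```python
import re
from collections import defaultdict
from typing import Dict, Optional, Set

# Added example; not part of the Human Security report or Milisic's research.
BADBOX_DOMAINS = {"flyermobi.com"}  # indicator named in the article; extend from your own intel

# dnsmasq-style query log, constructed for this example (IPs and hostnames are made up).
SAMPLE_LOG = """\
Oct  4 09:12:01 gw dnsmasq[811]: query[A] time.android.com from 192.168.1.20
Oct  4 09:12:03 gw dnsmasq[811]: query[A] api.flyermobi.com from 192.168.1.50
Oct  4 09:12:03 gw dnsmasq[811]: query[AAAA] api.flyermobi.com from 192.168.1.50
Oct  4 09:12:09 gw dnsmasq[811]: query[A] flyermobi.com from 192.168.1.50
Oct  4 09:12:11 gw dnsmasq[811]: query[A] www.notflyermobi.com from 192.168.1.51
Oct  4 09:12:14 gw dnsmasq[811]: query[A] flyermobi.com.example.net from 192.168.1.52
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+) from (?P<client>\S+)")


def matches_ioc(qname: str, iocs=BADBOX_DOMAINS) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.
    Matching on a label boundary rejects look-alikes (notflyermobi.com) and names
    that merely embed the indicator (flyermobi.com.example.net)."""
    name = qname.lower().rstrip(".")
    for ioc in iocs:
        if name == ioc or name.endswith("." + ioc):
            return ioc
    return None


def find_badbox_clients(log_text: str, iocs=BADBOX_DOMAINS) -> Dict[str, Set[str]]:
    """Map each client address to the set of indicator-matching names it queried."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and matches_ioc(m["qname"], iocs):
            hits[m["client"]].add(m["qname"].lower().rstrip("."))
    return dict(hits)


if __name__ == "__main__":
    for client, names in find_badbox_clients(SAMPLE_LOG).items():
        print(f"{client}: {', '.join(sorted(names))}")
```

Run against the sample, only 192.168.1.50 is reported; the clients at .51 and .52 are left alone. Point it at a resolver log on the network segment the boxes sit on, and a hit is a reason to pull the device rather than to trust a factory reset, since the report describes the backdoor as present out of the box.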

In his office at the VA hospital in Seattle, Dr. Nadeem Zafar needed to settle a debate. Zafar is a pathologist, the kind of doctor who carries out clinical lab tests on bodily fluids and tissues to diagnose conditions like cancer. It's a specialty that often operates behind the scenes, but it's a crucial backbone of medical care. Late last year, Zafar's colleague consulted with him about a prostate cancer case. It was clear that the patient had cancer, but the two doctors disagreed about how severe it was. Zafar believed the cancer was more aggressive than his colleague did. Zafar turned to his microscope, a canonically beloved tool in pathology that doctors rely on to help make their diagnoses. But the device is no ordinary microscope. It's an artificial intelligence-powered microscope built by Google and the U.S. Department of Defense. The pair ran the case through the special microscope, and Zafar was right. In seconds, the AI flagged the exact part of the tumor that Zafar believed was more aggressive. After the machine backed him up, Zafar said his colleague was convinced. "He had a smile on his face, and he agreed with that," Zafar told CNBC in an interview. "This is the beauty of this technology, it's kind of an arbitrator of sorts."

The AI-powered tool is called an Augmented Reality Microscope, or ARM, and Google and the Department of Defense have been quietly working on it for years. The technology is still in its early days and is not actively being used to help diagnose patients yet, but initial research is promising, and officials say it could prove to be a useful tool for pathologists without easy access to a second opinion. There are currently 13 ARMs in existence, and one is located at a Mitre facility just outside of Washington, D.C. Mitre is a nonprofit that works with government agencies to tackle big problems involving technology. Researchers there are working with the ARM to identify the vulnerabilities that could cause issues for pathologists in a clinical setting.

At first glance, the ARM looks a lot like a microscope that could be found in a high school biology classroom. The device is beige with a large eyepiece and a tray for examining traditional glass slides, but it's also connected to a boxy computer tower that houses the AI models. When a glass slide is prepared and fixed under the microscope, the AI is able to outline where the cancer is located. The outline appears as a bright green line that pathologists can see through their eyepiece and on a separate monitor. The AI also indicates how bad the cancer is, and generates a black-and-white heat map on the monitor that shows the boundary of the cancer in a pixelated form. Patrick Minot, a senior autonomous systems engineer at Mitre, said that since the AI is overlaid directly onto the microscope's field of view, it doesn't interrupt the pathologists' established workflow. The easy utility is an intentional design choice.

In recent years, pathologists have been contending with workforce shortages, just like many other corners of health care. But pathologists' caseloads have also been mounting as the general population grows older. It's a dangerous combination for the specialty. If pathologists are stretched too thin and miss something, it can have serious consequences for patients. Several organizations have been trying to digitize pathologists' workflows as a way to increase efficiency, but digital pathology comes with its own host of challenges. Digitizing a single slide can require over a gigabyte of storage, so the infrastructure and costs associated with large-scale data collection can balloon quickly. For many smaller health systems, digitization is not yet worth the hassle. Full details are posted on OUR FORUM.