What is the best password strategy to pursue?

When it comes to passwords, there are a variety of opinions.

And that is the problem. Most people choose passwords based on requirements forced on them by the system.

Still, analysis of data from password breaches shows that most passwords are very weak.

When users are asked why they choose weak passwords, the common answer is that they can’t remember complex passwords, and that presents too much of a challenge for them.

Yet even choosing a supposedly strong password based on requirements isn’t necessarily the best solution.

I could go into the mathematics of why system-required “strong” passwords are weaker than actually choosing a common phrase that you can easily remember.

And that brings us to the solution for having a strong password, which is not only easy to remember but is mathematically even more complex.

Take a phrase that you can easily remember: the sun is shining in my street at house number 17.

Running a brute-force attack on a passphrase like that is very hard. Yet it is very easy for you to remember, because it’s going to be difficult to forget where you actually live.

This is obviously only an example. However, it shows that complex passwords don’t have to be complex in such a way that they are very difficult for a user to remember. Plus, typing such information is very easy.
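To put numbers on the comparison above, here is a small calculation I have added (it is not part of the original post). It estimates the brute-force search space, in bits, of a policy-driven password made of random printable characters against a multi-word passphrase, using the post’s own phrase as the sample input. The passphrase figure assumes each word is picked uniformly from a word list of 7776 entries (the size of a typical Diceware list, an assumption of this example); a meaningful sentence that a person composes carries less entropy than that, so treat the passphrase number as an upper bound. The guess rate used for the time estimate is likewise a constructed figure.

```python
import math

# Constructed example: entropy estimates for a policy-style password versus a
# word-based passphrase. The alphabet and word-list sizes are assumptions.
PRINTABLE_ASCII = 94        # upper + lower + digits + punctuation
DICEWARE_WORDS = 7776       # size of a typical Diceware word list (6**5)
SECONDS_PER_YEAR = 365 * 24 * 3600


def password_bits(length: int, alphabet: int = PRINTABLE_ASCII) -> float:
    """Bits of entropy for `length` symbols drawn uniformly from `alphabet` symbols."""
    return length * math.log2(alphabet)


def passphrase_bits(words: int, wordlist: int = DICEWARE_WORDS) -> float:
    """Bits of entropy for `words` words drawn uniformly and independently from a list.

    For a human-composed sentence this is an upper bound: word choice is not
    uniform, so the real entropy is lower.
    """
    return words * math.log2(wordlist)


def count_words(phrase: str) -> int:
    """Number of whitespace-separated tokens in a passphrase."""
    return len(phrase.split())


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate in a search space of 2**bits."""
    return (2 ** bits) / guesses_per_second / SECONDS_PER_YEAR


def compare(phrase: str, policy_length: int, guesses_per_second: float) -> dict:
    """Return the entropy and exhaustive-search time for both strategies."""
    pw = password_bits(policy_length)
    pp = passphrase_bits(count_words(phrase))
    return {
        "password_bits": round(pw, 2),
        "passphrase_bits": round(pp, 2),
        "password_years": years_to_exhaust(pw, guesses_per_second),
        "passphrase_years": years_to_exhaust(pp, guesses_per_second),
    }


if __name__ == "__main__":
    # The phrase from the post, against an 8-character policy password and a
    # constructed guess rate of 10 billion guesses per second.
    PHRASE = "the sun is shining in my street at house number 17"
    for key, value in compare(PHRASE, 8, 1e10).items():
        print(f"{key:17s} {value:.4g}")
```

Run it directly to see both figures side by side; the 8-character password falls to an exhaustive search in well under a year at that rate, while the 11-word phrase does not, even though it is far easier to type and recall.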

Let me know what you think about this password strategy, which has been around for quite a while.

Cyber Insurance: What is a DDoS attack and how to mitigate it?

I don’t know how often I have had to answer the question of what a DDoS attack is. Yet one of the most prominent occasions was when I was confronted by an insurance company offering cyber insurance products.

Together with a friend I run a cyber insurance brokerage. Obviously, the clients have to be signed on by the insurance company. The products most of the companies have are crap.

And if they are not, their underwriting policies are… well, worth getting used to.

A client of mine operates a rather large e-business, specifically an e-commerce shop.

Like pretty much all e-commerce sites, this one was also concerned about the safety of its site, and wanted insurance in case it got taken down.

We did my famous analysis of their operation and ruled out most of the obvious risks.

This would put me in an easier position when pitching it to the insurance company.

Nonetheless, the first thing the genius underwriter tells me, with a frown on his face, is that the risk is not coverable because it’s an e-commerce operation relying too heavily on the income from the website.

His main argument, however, was that the risk of a DDoS attack was too big, before resting his case and trying to send me off.

I asked him if he was even aware of what a DDoS attack was, upon which a large discussion erupted, mainly focussed on me having crushed his ego.

However, it was fruitful from the angle that I was able to find a “noob” explanation of the issue, which I outlined by explaining to him that it was like a million people trying to exit an aircraft after it had landed, with all of them having to fit through the door (very short version).

Against all odds, he understood what I was trying to convey to him; yet now came the bigger problem… explaining the solution for fighting off a DDoS attack.

You see, probably one of the easiest things to do is to put a content distribution network in front of your operation. A CDN will take malicious traffic and deal with it differently than with legit traffic coming to a site.

So: bye bye DDoS attacks.
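To make “deal with it differently” concrete, here is a toy illustration I have added (not the post’s code, and not how any particular CDN is implemented): a per-source sliding-window rate limiter run over a constructed request log in which two ordinary visitors browse the shop while one source hammers the checkout page. The edge keeps serving the two visitors and drops the flood once it exceeds the limit. The limit, window and sample addresses are assumptions of this example; real CDNs combine this kind of per-source limiting with much larger capacity and other signals.

```python
from collections import defaultdict, deque

# Constructed example: per-source sliding-window rate limiting as an edge
# network might apply it. Limit and window are assumed values.
LIMIT = 20        # requests allowed per source per window
WINDOW = 1.0      # window length in seconds


class SlidingWindowLimiter:
    """Allows at most `limit` requests per source within any `window` seconds."""

    def __init__(self, limit: int = LIMIT, window: float = WINDOW):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)   # source -> timestamps of recent hits

    def allow(self, source: str, now: float) -> bool:
        q = self.hits[source]
        # Forget hits that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False                 # over budget: drop at the edge
        q.append(now)
        return True                      # within budget: forward to origin


def build_sample_log() -> list:
    """Constructed traffic: two ordinary visitors plus one flooding source.

    Addresses are from the RFC 5737 documentation ranges. Each entry is
    (timestamp_seconds, source_ip, path).
    """
    events = []
    for i in range(5):
        events.append((i * 0.20, "198.51.100.7", "/product/17"))
        events.append((i * 0.25 + 0.05, "203.0.113.20", "/cart"))
    for i in range(200):                 # 200 requests inside 0.8 seconds
        events.append((i * 0.004, "192.0.2.99", "/checkout"))
    events.sort(key=lambda e: e[0])
    return events


def filter_log(events: list, limiter: SlidingWindowLimiter = None) -> tuple:
    """Apply the limiter to a time-ordered log; return per-source served/dropped counts."""
    limiter = limiter or SlidingWindowLimiter()
    served, dropped = defaultdict(int), defaultdict(int)
    for ts, ip, path in events:
        if limiter.allow(ip, ts):
            served[ip] += 1
        else:
            dropped[ip] += 1
    return dict(served), dict(dropped)


if __name__ == "__main__":
    served, dropped = filter_log(build_sample_log())
    for ip in sorted(set(served) | set(dropped)):
        print(f"{ip:15s} served={served.get(ip, 0):4d} dropped={dropped.get(ip, 0):4d}")
```

The point of the example is the asymmetry: the legitimate visitors never hit the limit and are unaffected, while the flooding source gets its first twenty requests through and the remaining 180 are discarded before they reach the shop’s origin servers.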

I told him that we could make this a prerequisite for the client to receive insurance coverage… yet the discussion had already crashed and burned.