How can i setup to always run a software as the password protected administrator?
We have a new Civil3D software extension/module whatever. But it only runs if you are the administrator, but of course we don't have that right. Is there anyway to give an user the right to run a software always as an password protected administrator?
submitted by vyrlok
YSK: Password Best Practices
I graduated from and work in cybersecurity. A good portion of my job is training the employees to the companies we are contracted to. Things like spotting malicious e-mails, social engineering, etc.
One area that everyone seems to think they are great in, but usually aren't, is passwords. One example I do in my training is put up a series of password pairs and ask the audience which password is "stronger" (depending on the clientele, I'll go into what hashing is and do demonstrations of cracking). The results always surprise me.
One of our SOC auditors wasn't even aware that NIST had updated their guidelines
a few years ago. I think this speaks to how comfortable we all think we are with passwords, when we really shouldn't be.
Now a days, your password is the key to your life. There are more malicious actors now than ever, using more sophisticated tools than ever. You should know how you can help protect yourself, starting with password hygiene. Password Patterns (Avoid These):
Things to Keep in Mind When Creating a Password:
- 77% of passwords containing a single digit append it to the end of their password. 10% of the time, an appended digit will be a "1" (includes data where more than one digit was appended). If the password has capitals, 15% of the time it will be a "1" \2]). Adding a 1 to the end of your password has become effectively meaningless for your security.
- To clarify the above regarding the 10% figure: The data set has passwords with varying number of digits ("pass123", "pass2134325", "pass1", etc.). Of all passwords which have any number digits appended, 10% of those only append a single "1".
- 35% of passwords requiring a capital letter will capitalize the first letter \2]).
- 89% of 7-character long alpha strings can be targeted by either capitalizing the first character or capitalizing the whole string\2]).
- 61% of passwords are the exact length of the minimum length set in the password policy\3])*.
- ~10% of users will model their password after their username\3]). ([[email protected]](mailto:[email protected]):Jsmith1)
Passwords in General:
- Length is more important than complexity\1]) . This does not mean complexity is not important, just that length is more important. Shoot for length first, then complexity.
- Avoid common substitutions, as they are baked into password cracking rule-sets. Common substitutions include: a = @, i = !, s = $, etc. Same with adding a 1 to the end of your password and capitalizing the first character. These are common patterns, and are well-known to crackers.
- Instead of thinking "password" think "passphrase". A single dictionary word is extremely bad. Four to five random dictionary words, perhaps separated by spaces or special characters, is robust. The benefit of a passphrase is that it is easier for you to generate entropy while still remembering your key. Generating entropy through randomized characters is hard, and results in a hard to remember password, meaning you will likely end up with less entropy.
- Avoid "password walking". This is using a password with adjacent keyboard characters (e.g. "qwerty", "1q2w3e4r", "1qaz2wsx", etc.)
- Avoid any password present on a password blacklist\4]). Ideally, this should be a baked-in process.
For developers and/or administrators:
- You should be using a different password for every website. At the very least, your e-mail password should be extremely strong and unique. If someone gets into your e-mail, they can simply reset every other password connected to that e-mail, regardless of how strong they are. Password re-use attacks are common\5]). I cannot overstate the importance of this one tip.
- SMS-based two-factor authentication (2FA) is better than nothing, but sim-swapping has made it inferior to other forms of 2FA and MFA.
- I, and my colleagues, and many others strongly recommend a (non-browser-based, audited) password manager. There still seems to be debate about password managers. I will only comment that most security professionals and government agencies encourage the use of them\6, 7, 8, 9, 10]). They are not a panacea. Use them in combination with other positive security habits, like frequent backups and 2FA/MFA.
Tools and Resources:
- Ditch password resets. There is ample evidence now that users change their passwords in predictable patterns (password1 -> password2 -> password3 -> pa$$word1 -> etc.). Additionally, if users know that they will have to change their passwords, they are more likely to create a weaker -- but more memorable -- password. Passwords should only be force-changed at signs of compromise. Overall, effectiveness of password expiration in meeting its intended goal is weak\11]).
- Drop the complexity song and dance. These restrictions will often force users into following one of the above exposed patterns of password creation, and there is little evidence that they increase password robustness (as they are currently implemented).** The "inventor" of password complexity rules has even apologized and admitted there wasn't much empirical data on password security at the time he implemented the rules\12]).
- Allow paste in password fields. This is less of a problem now, but there are still applications and websites which don't allow pasted passwords. Password managers are more ubiquitous each day. Don't discourage it.
- Check user passwords against an up-to-date blacklist of common/compromised passwords. There are several tools and implementations to accomplish this.
* Knowing the minimum length required by policy, and knowing that 61% of passwords are that length will significantly increase the speed of password cracking.
** There is ongoing research into the benefits of having multiple rules in a "pool", of which a few are randomly selected to be applied on a user-to-user basis. (e.g. Alice must include a number and be a minimum length of 10 characters. Bob must include a special character and a minimum length of 9 characters). Sources:
 https://i.imgur.com/zFyBtyA.gif (note: "Time to crack" can be misleading, as it is dependent on things like hardware, methodology, etc. This illustrates the mathematics of length > complexity only)
Edit 1: Clarified the comment regarding appended digits to passwords. 10% of the time when digits are appended to a password, it is a 1. This includes data where more than 1 digit has been appended.
Edit 2: Post is back up! Thanks mod team. Feel free to ignore all of the "where'd it go" comments, haha.
Edit 3: Added an additional bullet point further explaining the 10% statistic, as I've gotten some questions about it. Sorry about the confusion. Edit 4: Many people are sharing their personal methods of password creation in detail. Please be careful when sharing that type of information. You might be surprised how significant that information can be when combined with other data from public sources.
submitted by ieuaoqa