Passwords. The bane of the internet.
Security is actually one of my favorite topics, because it doesn't seem to matter who I talk to, no one actually knows what they are talking about. Passwords are the cream of the crop in terms of hilarity for security.
Security is first and foremost just a staggeringly broad topic. What approach is right really depends on a rather insane number of factors. And yet, no matter where you go, you'll find an IT person who will stick to some arbitrary security protocol without any understanding of when such policies actually make sense. They are simply happy to be able to pronounce loudly that they are championing and industry accepted security policy.
To date, my favorite "chat" I had about security was a massive company telling me that it was absolutely unacceptable that we stored their SQL password in plain text in a config file. Some background, the software predates my time at the company by a long margin and usage of the SQL password can be found damn near everywhere in the code. Also, the application is server side only. So, while I can agree that it wouldn't hurt to encrypt the password, it was also an in-feasibly huge task.
But the real question to me was, why does this person care? Because his security policy demanded it.
Oops! You're an idiot. This was a large organization with a very rigid security policy. The file with the plain text password would only ever live on a server machine. And the only people with access to the server would be the same group of people who already had access to all of their passwords (probably also stored in plain text in files on their personal computers). So, my rebuttal was simple; if someone malicious has sufficient access to your servers to get at that file you're already screwed and the password we store (which need not even be a SQL admin by the way) should be the least of your concerns.
The moral of the story is, you already have a boat load of policies and network security protection around the server which is (or should be) many times stronger than any encryption we would be likely to put on the file anyway. Asking for an encrypted password in this sort of environment is like asking the bank to place your money in a cardboard box behind the big bank vault door. If someone had circumvented the other security implements and was hell bent on that file/password, this isn't really all that practical as an additional level of protection.
Internet password are just as silly. The winner is here is fixed length or max length passwords. The idea here is generally to stop users from using passwords which are too short. But it also stops people from having more complex passwords. Also, restrictions actually make the job of brute force hackers even easier. Anything which isn't valid as a password doesn't need to be attempted. So, on most sites you can ignore any potential password less than 8 characters long, any variant without a number and any variant entirely in one case. Granted, the lions share of potential passwords are still possible. But restrictions end up helping hackers more than users. They force users to come up with passwords that are harder for their creators to remember unless they store them somewhere else (likely less secure), or choose something predictable and familiar, which can be just as easy to crack as a shorter password.
And that is the crux of passwords. The safest place to store a password is in your head, and only in your head. But, if the rules force you to make something more complex you'll either store it somewhere less secure or resort to passwords which are predictable. So a numeric component might be the year you married or your first child was born, the capital letter will almost always be either first or last, and the characters will often be words, and ones with specific meaning such as a name, or hobby. The reality is that the above probably accounts for 90%+ of all passwords, and that just results in complexity rules that don't actually make the average password any more complex.
I'm always blown away by how few sites even support 2-factor authentication, password expiration and/or max attempts on a password which locks out the account until it is reset.
In fact, max tries on a password with a hard lock on the account is probably the most effective security tool on the planet for hackers.
Whether it is 3 or 5 or 10 attempts or even some higher number, it is likely more attempts than the average brute force attack will need to crack even a relatively insecure password. Many sites with lockouts only lockout within the cookie or reset after a time and don't even notify the user of the repeated failed attempts. It is just insane how stupid we are about security.
You don't need a huge and complex password that no one can remember. If, after 3 attempts the account is locked and a reset notification is sent via email which includes the nature of the attack, the IP and region of the attack and any other information in plain English, it should halt the majority of external attacks. Combine that with password expiration and you'll also eliminate most "domestic" attacks. External attacks being those made by entities unknown to you, and domestic being friends, family, coworkers, enemies or anyone who may know you and be interested in accessing your information.
Anyway, what brought this up was a bunch of people on Twitter being upset that some web forms stop users from pasting passwords because it discourages people from pasting in secure passwords generated by password generation software. What I found funny about this was that it seems like the opposite of cardboard box in a bank vault analogy. This is more like storing the key for the bank vault outside of it in a cardboard box. In this scenario you're passwords are stored in a file or program which is only as secure as your PC which in the case of most users isn't locked down like a well protected server. Most of the files with passwords stored in them are unencrypted, in an easily accessible place on the users PC. At most they are protected by a PIN or a less secure password (otherwise you'd need a separate file just to store the uber strong password for your password file).
Sure, these passwords are generally the sort that require a true brute force attack. But, at that point your password is likely just as secure or more secure than the sites themselves. In other words, the security you've created is largely an illusion, because that data and access is only as secure as the site hosting it. And hackers are much more likely to target the site than your specific account.
Not that I disagree. I also see no reason not to allow pasting of passwords. The funniest part there is that sites which do this rarely advertise it. And part of the reason to not allow pasting is actually to stop people from putting their passwords on the clipboard. Because guess what? Malicious software may have access to your clipboard. But if you don't tell people clearly that you can't paste your password, they'll still copy it into the clipboard BEFORE THEY FIND THIS OUT!!!! Thus completely defeating the entire purpose.
But here is the reality. In the workplace, many employees will simply share their passwords because most employees aren't tech or security savvy or someone will see them use the password. And the only practice which does anything to mitigate that is password expiry and in many cases it isn't often enough to stop this practice from potentially opening huge loopholes.
For home security, friends and family will either be able to guess your passwords if they aren't complex or you'll eventually slip up and they can access the password file while you're grabbing a coffee.
With regards to external hacking attempts... in a corporate environment, once they are in your network, you're probably screwed one way or another.
And, for a web site... unless you're a business, a celebrity, wealthy or have some social or political value, it is unlikely anyone will attack you specifically. It is MUCH more likely that the site you use will be hacked and your password compromised along with all or many of the other users on that site.
That isn't to say that there is no value to better passwords. But it is to point out that most people implement security policies or complain about with them with little to no thought about *how* a specific policy might be helpful or harmful and whether or not it even makes sense.
Security is first and foremost just a staggeringly broad topic. What approach is right really depends on a rather insane number of factors. And yet, no matter where you go, you'll find an IT person who will stick to some arbitrary security protocol without any understanding of when such policies actually make sense. They are simply happy to be able to pronounce loudly that they are championing and industry accepted security policy.
To date, my favorite "chat" I had about security was a massive company telling me that it was absolutely unacceptable that we stored their SQL password in plain text in a config file. Some background, the software predates my time at the company by a long margin and usage of the SQL password can be found damn near everywhere in the code. Also, the application is server side only. So, while I can agree that it wouldn't hurt to encrypt the password, it was also an in-feasibly huge task.
But the real question to me was, why does this person care? Because his security policy demanded it.
Oops! You're an idiot. This was a large organization with a very rigid security policy. The file with the plain text password would only ever live on a server machine. And the only people with access to the server would be the same group of people who already had access to all of their passwords (probably also stored in plain text in files on their personal computers). So, my rebuttal was simple; if someone malicious has sufficient access to your servers to get at that file you're already screwed and the password we store (which need not even be a SQL admin by the way) should be the least of your concerns.
The moral of the story is, you already have a boat load of policies and network security protection around the server which is (or should be) many times stronger than any encryption we would be likely to put on the file anyway. Asking for an encrypted password in this sort of environment is like asking the bank to place your money in a cardboard box behind the big bank vault door. If someone had circumvented the other security implements and was hell bent on that file/password, this isn't really all that practical as an additional level of protection.
Internet password are just as silly. The winner is here is fixed length or max length passwords. The idea here is generally to stop users from using passwords which are too short. But it also stops people from having more complex passwords. Also, restrictions actually make the job of brute force hackers even easier. Anything which isn't valid as a password doesn't need to be attempted. So, on most sites you can ignore any potential password less than 8 characters long, any variant without a number and any variant entirely in one case. Granted, the lions share of potential passwords are still possible. But restrictions end up helping hackers more than users. They force users to come up with passwords that are harder for their creators to remember unless they store them somewhere else (likely less secure), or choose something predictable and familiar, which can be just as easy to crack as a shorter password.
And that is the crux of passwords. The safest place to store a password is in your head, and only in your head. But, if the rules force you to make something more complex you'll either store it somewhere less secure or resort to passwords which are predictable. So a numeric component might be the year you married or your first child was born, the capital letter will almost always be either first or last, and the characters will often be words, and ones with specific meaning such as a name, or hobby. The reality is that the above probably accounts for 90%+ of all passwords, and that just results in complexity rules that don't actually make the average password any more complex.
I'm always blown away by how few sites even support 2-factor authentication, password expiration and/or max attempts on a password which locks out the account until it is reset.
In fact, max tries on a password with a hard lock on the account is probably the most effective security tool on the planet for hackers.
Whether it is 3 or 5 or 10 attempts or even some higher number, it is likely more attempts than the average brute force attack will need to crack even a relatively insecure password. Many sites with lockouts only lockout within the cookie or reset after a time and don't even notify the user of the repeated failed attempts. It is just insane how stupid we are about security.
You don't need a huge and complex password that no one can remember. If, after 3 attempts the account is locked and a reset notification is sent via email which includes the nature of the attack, the IP and region of the attack and any other information in plain English, it should halt the majority of external attacks. Combine that with password expiration and you'll also eliminate most "domestic" attacks. External attacks being those made by entities unknown to you, and domestic being friends, family, coworkers, enemies or anyone who may know you and be interested in accessing your information.
Anyway, what brought this up was a bunch of people on Twitter being upset that some web forms stop users from pasting passwords because it discourages people from pasting in secure passwords generated by password generation software. What I found funny about this was that it seems like the opposite of cardboard box in a bank vault analogy. This is more like storing the key for the bank vault outside of it in a cardboard box. In this scenario you're passwords are stored in a file or program which is only as secure as your PC which in the case of most users isn't locked down like a well protected server. Most of the files with passwords stored in them are unencrypted, in an easily accessible place on the users PC. At most they are protected by a PIN or a less secure password (otherwise you'd need a separate file just to store the uber strong password for your password file).
Sure, these passwords are generally the sort that require a true brute force attack. But, at that point your password is likely just as secure or more secure than the sites themselves. In other words, the security you've created is largely an illusion, because that data and access is only as secure as the site hosting it. And hackers are much more likely to target the site than your specific account.
Not that I disagree. I also see no reason not to allow pasting of passwords. The funniest part there is that sites which do this rarely advertise it. And part of the reason to not allow pasting is actually to stop people from putting their passwords on the clipboard. Because guess what? Malicious software may have access to your clipboard. But if you don't tell people clearly that you can't paste your password, they'll still copy it into the clipboard BEFORE THEY FIND THIS OUT!!!! Thus completely defeating the entire purpose.
But here is the reality. In the workplace, many employees will simply share their passwords because most employees aren't tech or security savvy or someone will see them use the password. And the only practice which does anything to mitigate that is password expiry and in many cases it isn't often enough to stop this practice from potentially opening huge loopholes.
For home security, friends and family will either be able to guess your passwords if they aren't complex or you'll eventually slip up and they can access the password file while you're grabbing a coffee.
With regards to external hacking attempts... in a corporate environment, once they are in your network, you're probably screwed one way or another.
And, for a web site... unless you're a business, a celebrity, wealthy or have some social or political value, it is unlikely anyone will attack you specifically. It is MUCH more likely that the site you use will be hacked and your password compromised along with all or many of the other users on that site.
That isn't to say that there is no value to better passwords. But it is to point out that most people implement security policies or complain about with them with little to no thought about *how* a specific policy might be helpful or harmful and whether or not it even makes sense.
Comments
Post a Comment