It was recently announced that a month ago perennial Stoss Blog antagonist Twitter had a security breach: a high-ranking executive’s account was accessed by a “hacker”. The hacker correctly guessed the user’s secret security questions to gain access to the account, then surfed through corporate data and released it to well-known techie sites. As the hacker himself posted, he did this to make people aware of the importance of security.
The articles I have read have used this as an excuse to bash the practice of “1 password for all sites” and the use of easily guessed security questions like “hometown” or “mother’s maiden name”, which seem to be ubiquitous in the land of web sign-up sheets. It’s almost as if some assmonkey whose only knowledge of security was the aluminum key that locked his pansy-ass diary decided one day it would be great if we could secure our most personal data with such totally secret, impossible-to-find-out facts as our pet’s name or the street we live on! Yeah, no one would ever be able to crack that code!
But I don’t so much have a beef with this. It’s security practices in general, both corporate and personal, that are appalling! We focus so much energy on enforcing ridiculous rules that are absolutely unsubstantiated, and no energy at all on the flaws in the human logic of password selection.
Here are the fallacies behind my favourite policies:
1) Change your password every 3 months & don’t use the same password for 10 changes
The genius who came up with this should be shot in the chest, simply because it has now become the most ridiculous belief since the Hayley’s comet morons killed themselves to ride it to utopia. Would you change the locks on your house or your car doors every 3 months? Hell! Most people don’t change them when they move or sell their car! How many previous owners do you think still have a key to your house? I have never figured out the logic behind this absolute waste of a policy; it does about as much good as putting duct tape over your monitor to stop UV radiation. If someone finds out your password, they aren’t going to wait 3 months and then go, “drat, foiled again!” when it fails. It only takes a few minutes to download the entire contents of your hard drive, so by the logic of preventing data theft we should change our password every 5 minutes, right? If anything this helps hackers, because people are not random! We get lazy and append a number or capitalize a different letter to form our new password, so a hacker can guess for months on end and, once he has “your pattern”, will perpetually have access to your account. And this is the reason why not using the same password for 10 changes makes no sense! If anything it encourages using mypassword0 through mypassword9.
I also love that “3 months” and “10 changes” seem to be industry standards. What possible study could have determined these numbers as the “optimal” values?
I love policies that seem to be picked out of a hat and then spoken about as if they were gospel to the industry. As if 91 days were the magic number for a criminal to guess your password, so better change it before day 90!
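The “your pattern” problem above is easy to show in code. The following is an added example, not code from the original post: it normalizes a password down to the core a user is likely to keep across rotations (lower-case it, strip the rotating counter, undo the usual letter-for-symbol swaps) and flags a “new” password that is only a cosmetic edit of the old one, which is exactly what a 3-month/10-change policy tends to produce. The substitution table, the edit-distance threshold and the sample history are assumptions chosen for illustration, not any product’s rules.

```python
import re

# Added example, not code from the original post: a check for the rotation
# "pattern" the post describes, where mypassword0 becomes mypassword1 every
# three months and ten rotations amount to one secret plus a counter. The
# substitution table and the distance threshold are assumptions chosen for
# illustration, not any product's rules.

# Common symbol/digit-for-letter swaps (assumed list):
# @->a  $->s  !->i  |->l  0->o  1->l  3->e  4->a  5->s  7->t
_LEET = str.maketrans("@$!|013457", "asiloleast")


def normalize(pw: str) -> str:
    """Reduce a password to the core a user is likely to keep across rotations:
    lower-case it, drop leading/trailing digits and punctuation (the rotating
    counter), then undo the usual letter-for-symbol substitutions."""
    core = pw.lower()
    core = re.sub(r"[^a-z]+$", "", core)   # strip a trailing counter / punctuation
    core = re.sub(r"^[^a-z]+", "", core)   # and a leading one
    return core.translate(_LEET)


def levenshtein(a: str, b: str) -> int:
    """Edit distance: number of single-character insertions, deletions or
    substitutions needed to turn `a` into `b`."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def is_trivial_change(old: str, new: str, max_distance: int = 2) -> bool:
    """True when `new` is a cosmetic edit of `old` (counter bumped, a capital
    moved, an o swapped for a 0) rather than a genuinely different secret.
    `max_distance` is an assumed threshold."""
    old_core, new_core = normalize(old), normalize(new)
    if old_core and old_core == new_core:
        return True
    return levenshtein(old.lower(), new.lower()) <= max_distance


def rotation_history_is_patterned(history: list[str]) -> bool:
    """True if every consecutive pair in a password history is a trivial
    change, i.e. the "10 distinct passwords" are really one password plus a
    counter that an attacker who learns any one of them can guess in 10 tries."""
    return len(history) > 1 and all(
        is_trivial_change(a, b) for a, b in zip(history, history[1:])
    )


if __name__ == "__main__":
    # Constructed sample history, the kind a 3-month / 10-change policy produces.
    history = [f"Acme{n:02d}" for n in range(10)]
    print(history, "patterned:", rotation_history_is_patterned(history))
    print("P@ssw0rd -> Password1 trivial:", is_trivial_change("P@ssw0rd", "Password1"))
    print("Acme01 -> zebra-quilt-7 trivial:", is_trivial_change("Acme01", "zebra-quilt-7"))
```

A check like this is the part of a rotation policy that would actually do something: it refuses the counter bump instead of counting it as one of the 10 “different” passwords. Note that it compares against plaintext history, so it can only run at the moment the user types the old and new password, not against stored hashes.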
2) Password strength monitors and post-its
“Don’t tell anyone your PIN”, “Never write down your password”, “We will never ask for your password in an email”. BUT what we will do is analyze every character and tell you if your password is “strong” enough. Strong enough for what? To knock out Superman? To cut a diamond? We are talking about basic mathematics here. A password of length 5 made up of lower-case letters only has about 12 million combinations (26^5); make exactly one of those letters a capital and it is about 60 million (5 × 26^5); throw in a number somewhere on top of that and you are now at about 3.5 billion (10 digits in any of the 6 resulting positions)! That is a pretty big number. And consider that most companies/websites have a 3-wrong-and-you’re-out policy (a policy that does make sense, at least against someone guessing through the login page): that is a hell of a lot of attempts on your password, and if you can’t figure out after the ten-thousandth time your account was locked that someone was hacking you, then you deserve to be shot like the guy who proposed the stupid policy above. The lockout does nothing, of course, once somebody has walked off with a copy of the password hashes and is guessing on his own machine; that is the one case where the size of that number actually matters.
The thing here is that the mix of letters, numbers, capitals and special characters is almost irrelevant; the most secure password is a random one, entirely random, because then every one of those combinations is equally likely and the attacker has no pattern to exploit. I am still using a random letter combination that Geocities generated for me when I had my first webpage over 12 years ago. Sure, mathematically it is probably trivial for a program to exhaustively guess it; most personal computers can do a billion-plus calculations a second. But the point is it ain’t that likely! Just don’t use a simple dictionary word like “idiot” or “password” and you are probably in good shape.
I also love how secure it is that we are typing in a password that no one is supposed to know, yet the site can tell you “how strong” it is, meaning somewhere your password characters are being analyzed. How is that different from me saying “psst, tell me your password one character at a time and I’ll tell you if you need more numbers or capitals, but don’t worry, my mind will forget it immediately”? (To be fair, the meter is normally a bit of JavaScript running in your own browser, and the site is going to receive the password when you log in anyway; the thing worth checking is whether the meter sends anything back to the server before you hit submit.)
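To put numbers on the last three paragraphs, here is an added example (not code from the original post). It carries the post’s keyspace arithmetic through in code, then does the comparison the post only gestures at: the same keyspace against an online attacker who is rate-limited by the 3-strikes lockout, versus an offline attacker holding a stolen hash, and a class-counting “strength meter” score versus an entropy estimate. The guess rates, the lockout parameters and the wordlist/rules sizes are assumptions for illustration, not measurements.

```python
import math
import secrets
import string

# Added example, not code from the original post. All rates and sizes below are
# assumptions for illustration, not measurements of any real system.

OFFLINE_GUESSES_PER_SEC = 1e9   # assumed: a fast unsalted hash on one GPU
LOCKOUT_TRIES = 3               # assumed: the "3 wrong and you're out" rule
LOCKOUT_SECONDS = 15 * 60       # assumed: account stays locked for 15 minutes
YEAR = 365 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of passwords of exactly `length` over an alphabet of that size."""
    return alphabet_size ** length


def entropy_bits(space: int) -> float:
    """Keyspace expressed in bits; each extra bit doubles the attacker's work."""
    return math.log2(space)


def post_arithmetic() -> tuple[int, int, int]:
    """The three numbers from the post: 5 lower-case letters; the same with
    exactly one letter capitalised; that plus one digit inserted at any of the
    6 resulting positions."""
    lower5 = keyspace(5, 26)
    one_capital = 5 * lower5            # choose which of the 5 letters is upper-case
    plus_digit = one_capital * 10 * 6   # 10 digits, 6 slots to put the digit in
    return lower5, one_capital, plus_digit


def online_guesses_per_sec() -> float:
    """Best sustained rate through the login page under the lockout policy
    (assumes the attacker has no way around the lockout)."""
    return LOCKOUT_TRIES / LOCKOUT_SECONDS


def years_to_exhaust(space: int, guesses_per_sec: float) -> float:
    """Worst case for the attacker: try every password in the keyspace."""
    return space / guesses_per_sec / YEAR


def class_rule_score(pw: str) -> int:
    """What a typical strength meter counts: how many character classes appear.
    It is a property of the string, not of how guessable the string is."""
    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    return sum(any(c in cls for c in pw) for cls in classes)


def mangled_dictionary_bits(words: int = 100_000, rules: int = 1_000) -> float:
    """Assumed attacker model for a 'word + substitutions + suffix' password:
    a wordlist of `words` entries times `rules` mangling rules (P@ss, w0rd, +1, ...).
    That product, not the four character classes, is the space the attacker searches."""
    return math.log2(words * rules)


def random_password(length: int, alphabet: str = string.ascii_lowercase) -> str:
    """Uniformly random password from the OS CSPRNG; its entropy is exactly
    entropy_bits(keyspace(length, len(alphabet))) whatever the attacker knows."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


if __name__ == "__main__":
    lower5, one_cap, plus_digit = post_arithmetic()
    print(f"5 lower: {lower5:,}; +1 capital: {one_cap:,}; +1 digit: {plus_digit:,}")
    print(f"5 lower-case letters, offline: {years_to_exhaust(lower5, OFFLINE_GUESSES_PER_SEC):.2e} years")
    print(f"5 lower-case letters, online:  {years_to_exhaust(lower5, online_guesses_per_sec()):.0f} years")
    print(f"'P@ssw0rd1': meter score {class_rule_score('P@ssw0rd1')}/4, "
          f"but ~{mangled_dictionary_bits():.0f} bits against a wordlist+rules attacker")
    pw = random_password(8)
    print(f"random 8 lower-case {pw!r}: meter score {class_rule_score(pw)}/4, "
          f"{entropy_bits(keyspace(8, 26)):.1f} bits against anyone")
```

Under these assumptions the 5-letter password takes a lifetime to exhaust through a lockout-protected login page and a fraction of a second against a stolen hash, which is the distinction the lockout policy is silently relying on. The last two lines make the post’s other point: a meter gives “P@ssw0rd1” full marks on character classes, while a random 8-letter lower-case string it would call weak has roughly ten bits more real entropy.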
And of course this is where post-its come in. The problem is not writing your password down; it is writing it down in the context of your computer and login. For instance:
Stupid: Writing your password in permanent ink on your monitor
Bad: Writing your password down and placing it in the top right drawer at the office
Less Bad: Writing it on the birthday square of your mother in a day planner you keep with you that has no reference to what that random word could mean or what login is associated with it.
Even better: Hiding it in a tattoo on your ass, written backwards and upside down. Of course you’d have 10 of them and have to re-design it every 3 months….
Writing a random word down and placing it in a random location is not a bad idea at all! In fact, if anything it’s a safeguard in case someone needs access to your data!
Locking all of your secrets behind a single alphanumeric combination is about as logical as locking the door of a convertible or keeping your safe key hanging on the number dial. However, in this day of technology we have to have something to allow us secured access to our information, and until we all scan our eyes, fingers and ass prints into a global database, or want to prick our finger for DNA each time we want to read email, we are stuck with it. Be smart and just don’t fall into the trap of thinking that your security policies have as much bearing on security as they do on wasting your time. Oh, and I know your mother’s maiden name and eye colour, so don’t use those as your “secret” questions.
I believe the comet that people transported to was Hale-Bopp. And the idea that a computer testing the strength of your password is like someone asking you for your password is kind of ridonc. I mean, of course it’s not going to forget your password… it needs to know it so you can actually log in. Add a little salt and you’ll be fine. Furthermore, as an IT professional (/cry) I would recommend all of the standard techniques, as they make it hard to remember your own password and that keeps me in business. Don’t wake up, sheeple.
Change your password every 3 months is one of my favourites; the other one we had to practice recently was a password of no less than 20 characters. This makes the password significantly less secure because you’re now restricted to something easy to remember that’s long, which is easier to hack, or it gets written down somewhere.
It’s a hard drive encryption login on boot, so the only way I could remember it before coffee was by setting it to “please let me on my computer”.
Also, who from Google is reading your blog? I see Mountain View “arrived” in your live feed.