Friday, January 06, 2012

Errata for Errata security

Sorry about the title, best I could come up with late at night.

The blog post Passwords: uniqueness, not complexity by Robert David Graham (@ErrataRob) at Errata Security isn't bad, but it is not all that good either. Prompted by the recent (should I say ongoing?) breach of #stratfor, Robert recommends unique passwords instead of complex passwords. I would ask "why not both?". Let me explain...

Let us begin with the rumor that #stratfor got hacked due to lack of proper hardening and system maintenance. No, a blank password is not a bad password; it is evidence of incorrect installation and hardening, and a strong sign of weak computer security audits.

1. Long, complex, case-sensitive passwords with multiple characters
That advice in the MSNBC article comes from Morgan Slain, CEO of SplashData. He actually recommends the "use a short sentence" trick, which I've been saying for quite some time already. Actually, I say "use a positive sentence, something that you WANT to remember". Passwords are a mandatory pain to most of us, something that users normally don't want to remember. Use something that you want to remember.

Robert David Graham says "That's wrong advice", arguing that passwords should be unique instead. I'd say Robert is 50% correct. Why not do both: long and complex, and unique?

With a password manager (LastPass, KeePass, or your choice of similar software), you can create long, complex and unique passwords. Bonus point: you don't need to remember them anymore. Not that password managers are for everyone; mom would most certainly reject the idea of downloading, installing, and learning how to use one, for starters. "Give me something that I don't need to learn anything about, just make it work for me".

My password for Facebook is both long & strong! but really not that difficult to remember, right?

2. "...little to lose if hackers guess it."
Except for the embarrassment of course, which in some cases should be seen as part of overall reputation risk. "If person X uses 'password' as his password at hacked site Y, who knows how that person will handle & secure confidential data at other places?". Trust is hard to get, but easy to lose.

Another aspect is the eternal "I've got nothing to hide" discussion (Professor Daniel Solove examines the argument in the San Diego Law Review).

3. Three tiers of websites
First: I've got multiple e-mail addresses. Even if you compromised all of them, you would not be able to get access to all my accounts. There are services out there that don't (entirely) rely upon e-mail for account verification and password resets, you know... E-mail-based reset is very common, of course, and an area of security where many step into pitfalls.

Second (fact): MANY e-mail providers, including large ISPs, do not support encryption for POP3/IMAP/SMTP communication, so no matter what your e-mail password might be, it is easily sniffed off your network. If you happen to use https to reach your e-mail it gets harder, of course, but then SSL is not broken, and we all trust every CA on the planet, right?
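As an added check (example code written for this post, not something from the original article or from any provider): the way to find out whether a POP3/IMAP/SMTP service will protect your password is to look at what it advertises before you log in. The script below parses the capability responses a client receives in the clear (SMTP EHLO, IMAP CAPABILITY, POP3 CAPA) and reports whether a TLS upgrade is on offer. The responses and host names in it are constructed for the example; the live equivalents in Python's standard library are smtplib's has_extn(), imaplib's capabilities attribute and poplib's capa().

```python
"""Offline check: does a mail service advertise a TLS upgrade before login?

SMTP advertises STARTTLS in its EHLO reply, IMAP lists STARTTLS in its
CAPABILITY response, POP3 lists STLS in its CAPA response. The captures
below are constructed for this example, not taken from any real provider.
"""

# --- constructed captures ------------------------------------------------
SMTP_EHLO_NO_TLS = """\
250-mail.example.test Hello client.example.test
250-SIZE 52428800
250-8BITMIME
250-PIPELINING
250 HELP
"""

SMTP_EHLO_WITH_TLS = """\
250-mail.example.test Hello client.example.test
250-SIZE 52428800
250-STARTTLS
250 HELP
"""

IMAP_CAPABILITY = """\
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR ID ENABLE IDLE STARTTLS LOGINDISABLED AUTH=PLAIN
a001 OK Capability completed.
"""

POP3_CAPA_NO_TLS = """\
+OK Capability list follows
TOP
USER
UIDL
.
"""

POP3_CAPA_WITH_STLS = """\
+OK Capability list follows
TOP
STLS
UIDL
.
"""


def smtp_offers_starttls(ehlo_response: str) -> bool:
    """EHLO reply lines look like '250-KEYWORD ...' (last line uses '250 ')."""
    for line in ehlo_response.splitlines():
        if len(line) >= 4 and line[:3] == "250" and line[3] in "- ":
            words = line[4:].split()
            if words and words[0].upper() == "STARTTLS":
                return True
    return False


def imap_offers_starttls(capability_response: str) -> bool:
    """Untagged '* CAPABILITY ...' line lists the capabilities after the tag."""
    for line in capability_response.splitlines():
        words = line.upper().split()
        if len(words) >= 2 and words[0] == "*" and words[1] == "CAPABILITY":
            return "STARTTLS" in words[2:]
    return False


def imap_refuses_cleartext_login(capability_response: str) -> bool:
    """LOGINDISABLED means the server will not accept LOGIN before STARTTLS."""
    for line in capability_response.splitlines():
        words = line.upper().split()
        if len(words) >= 2 and words[0] == "*" and words[1] == "CAPABILITY":
            return "LOGINDISABLED" in words[2:]
    return False


def pop3_offers_stls(capa_response: str) -> bool:
    """CAPA reply: '+OK', one capability per line, terminated by a lone '.'."""
    lines = capa_response.splitlines()
    if not lines or not lines[0].startswith("+OK"):
        return False
    for line in lines[1:]:
        if line.strip() == ".":
            break
        words = line.split()
        if words and words[0].upper() == "STLS":
            return True
    return False


def verdict(protocol: str, response: str, implicit_tls: bool = False) -> str:
    """'ok' if the password can travel inside TLS, 'cleartext' otherwise.

    implicit_tls=True means the client connected to a TLS-from-the-start
    port (465 for submission, 993 for IMAPS, 995 for POP3S), so no
    upgrade capability is needed.
    """
    if implicit_tls:
        return "ok"
    checks = {"smtp": smtp_offers_starttls,
              "imap": imap_offers_starttls,
              "pop3": pop3_offers_stls}
    return "ok" if checks[protocol](response) else "cleartext"


if __name__ == "__main__":
    print("smtp (no STARTTLS):", verdict("smtp", SMTP_EHLO_NO_TLS))
    print("smtp (STARTTLS):   ", verdict("smtp", SMTP_EHLO_WITH_TLS))
    print("imap:              ", verdict("imap", IMAP_CAPABILITY),
          "(LOGINDISABLED)" if imap_refuses_cleartext_login(IMAP_CAPABILITY) else "")
    print("pop3 (no STLS):    ", verdict("pop3", POP3_CAPA_NO_TLS))
    print("pop3 on 995:       ", verdict("pop3", POP3_CAPA_NO_TLS, implicit_tls=True))
```

An advertised STARTTLS is necessary but not sufficient: a client that silently falls back to cleartext when an active attacker strips the STARTTLS line from the banner still leaks the password, so the client must be configured to require TLS rather than merely try it. The IMAP LOGINDISABLED check is the server-side version of that requirement.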

Third: the definition of tiers used. My primary e-mail is not accessed using webmail; I'm part of the old POP3 generation, although encrypted these days. I think the same applies to many others, if not running it off Microsoft Exchange or similar services.

Ranking e-commerce sites like Amazon etc. as second on your list is, well, weird. I say that from my Norwegian point of view: unless I'm acting as a complete idiot and give away my PIN/password or OTP for my online bank on purpose, I WILL GET MY MONEY BACK if hacked. Heck, the technical implementation at my bank even allows me to use my username as my password. Pretty cool, huh?

The important thing you forgot in your tier definition is the sites that carry sensitive information about you as a person. Think privacy laws. At least here in Norway, my salary, my bank statements etc. are "secrets", but we have two levels of personal information here. Top level: race, sexual preferences, political views and memberships, religious views and a little more. Lower level: anything that can be used to identify a single citizen of Norway. IP address, phone number, you name it.

Based on those definitions, Facebook keeps more sensitive information about me than my bank. Who should have the better security? (and what does reality look like?)


Now this is very important for me to say: I completely agree with you @ErrataRob on your conclusion: "Your first password policy shouldn't be complexity, but uniqueness".

Using sentences you want to remember, I think one would be able to achieve both: uniqueness, while complexity comes from length. (Password entropy calculation on anything up to length 8 is a lost cause; length 8 can be rather easily broken, period.)
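To put numbers on the two points above (the password-manager approach from section 1 and the "length 8 is a lost cause" remark here), the following is an added example written for this post; it is not code from the original article nor from any password manager. It generates a unique, uniformly random password per site the way a manager does, generates a random word passphrase, and compares the keyspace of each policy against an assumed guess rate. The word list is a small constructed stand-in for a real Diceware-style list of 7776 words, and the 10^10 guesses/second figure is an assumption (a fast unsalted hash on GPU hardware), not a measurement.

```python
"""Added example: long, complex AND unique, and why 8 characters is not enough.

Standard library only. WORDLIST is a constructed stand-in for a real
Diceware-style list; ASSUMED_GUESS_RATE is an assumption, not a benchmark.
"""
import math
import secrets
import string

# Printable ASCII minus space: 52 letters + 10 digits + 32 punctuation = 94 symbols.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation

# Constructed stand-in for a 7776-word Diceware list (only 24 words here).
WORDLIST = ["anchor", "bridge", "cactus", "dolphin", "ember", "falcon",
            "glacier", "harbor", "island", "jungle", "kettle", "lantern",
            "meadow", "nectar", "orchid", "pepper", "quartz", "river",
            "saddle", "timber", "umbrella", "velvet", "walnut", "yonder"]

# Assumption: order of magnitude for a fast unsalted hash on a GPU.
ASSUMED_GUESS_RATE = 10 ** 10


def random_password(length: int = 20, alphabet: str = PRINTABLE) -> str:
    """What a password manager generates: uniformly random, no structure to guess."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def passphrase(words: int = 5, wordlist=WORDLIST, sep: str = " ") -> str:
    """Random words: memorable, and the entropy is honest (words * log2(list size))."""
    return sep.join(secrets.choice(wordlist) for _ in range(words))


def build_vault(sites, length: int = 20) -> dict:
    """One independent password per site, so one breach tells nothing about the rest."""
    return {site: random_password(length) for site in sites}


def keyspace(symbols: int, length: int) -> int:
    """Number of candidates an attacker must try in the worst case."""
    return symbols ** length


def entropy_bits(symbols: int, length: int) -> float:
    """log2 of the keyspace; only valid when every position is chosen at random."""
    return length * math.log2(symbols)


def seconds_to_exhaust(symbols: int, length: int,
                       guesses_per_second: float = ASSUMED_GUESS_RATE) -> float:
    """Worst-case time to try every candidate at the given rate."""
    return keyspace(symbols, length) / guesses_per_second


def compare(rate: float = ASSUMED_GUESS_RATE):
    """Rows of (policy, entropy bits, days to exhaust the keyspace at `rate`)."""
    policies = [
        ("8 random printable characters", 94, 8),
        ("5 random words, 7776-word list", 7776, 5),
        ("20 random printable characters", 94, 20),
    ]
    return [(name, round(entropy_bits(s, n), 1), seconds_to_exhaust(s, n, rate) / 86400)
            for name, s, n in policies]


if __name__ == "__main__":
    for name, bits, days in compare():
        print(f"{name:34s} {bits:6.1f} bits  {days:12.3g} days")
    print("vault:     ", build_vault(["bank", "facebook", "webmail"]))
    print("passphrase:", passphrase())
```

Two things the table makes concrete. Eight fully random printable characters (about 52 bits) fall in roughly a week at the assumed rate, and a human-chosen 8-character password is far weaker than that because it is not random; five random words from a 7776-word list (about 65 bits) take decades, and twenty random characters are out of reach entirely. Note that entropy_bits() assumes every position was chosen at random: a sentence you made up is longer but its words are predictable, so counting it as random characters overstates its strength, which is why the word-count accounting is the honest one for passphrases.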