"Companies spend millions of dollars on firewalls, encryption and secure access devices, and it's money wasted, because none of these measures address the weakest link in the security chain."
– Kevin Mitnick
What is digital security? How do we define it in a way that we can grasp? What is a reasonable expectation of security? Can we put a monetary value on security? And what are we protecting?
All of these are valid questions, and posed daily by security experts across the globe. Each person will have their own ideas and ideals on what security actually looks like. A quick Google search pulls up a number of books on this topic:
For the purposes of this posting, I'm just gonna stick to my understanding of security and not dive too deep into the theory and math behind it.
The basic level of security is the password. I don't believe I have to describe what a password is, because if you've made it this far into the internet, you've probably used one already. You wild beast, you!
Passwords, watchwords, passcodes, secret codes, etc... have been around for a very long time. They were an easy way to determine who was on your side: approaching infantry would be confronted, and not allowed to proceed unless the correct password was given.
Nowadays you have between 3 and 5 attempts (on most sites) to type your password correctly. In those olden days of yore, you would get 1 chance, and if you were lucky they would give you another before you were turned away, arrested, or killed. And being killed would really ruin a person's day... or life.
Since the onset of the internet, password policies have run rampant. When we were all just starting to understand our dial-up modems and be at one with the beeping and screeching, we were only asked for passwords in the range of 4-8 characters. In those days, that was enough. There wasn't a prevalent concern with encryption-cracking software, and things were reasonably safe. You couldn't connect to another person's computer if it wasn't on the network already, so the only time a person was vulnerable was when they were actively connected over their slow dial-up link.
Fast forward to the year 2014, and behold the high speeds of FiOS, Cable, and other methods of broadband (up to and including satellite, and cellular bands). Now a common password policy has requirements like the following:
- Password must be at least 8 characters
- Passwords cannot be your account name (aka screen-name)
- Passwords cannot be your legal name (in whole or in part)
- Passwords must meet 2 of the following 3 conditions:
  - At least 1 capital letter as well as at least 1 lower-case letter
  - At least 1 number
  - At least 1 special character (!, @, #, $, %, -, ~, etc...)
Once you qualify each of these, you have yourself a password. It's safe to say that most websites/online services that require a password won't make you regularly change it unless your account has been compromised, or an attempt to compromise it has happened. However, at your jobs, schools, and sometimes your banks you have to change your password every month, quarter, half year, or year, and you cannot reuse any of your X previous passwords.
In an ideal setting, a person's password will contain all the required items, and essentially be a string of random characters that can't easily be guessed by another person who may know you. But our world isn't always ideal, and sometimes BlackMustang1, BlackMustang2, BlackMustang3, etc... is the best pattern you can come up with.
Personally, being a PC tech, I often ask users for their passwords so that I can perform administrative functions from within their accounts. I've been given some passwords that are wildly predictable, but technically permissible, because they pass every requirement. For example, I've been given the following passwords: September2013, Nov152013!, ShitHead11, Ravens34, Tupac4eva!...
I can almost guarantee you that the passwords with month names in them were created within the month that is named, and it can be assumed that the rest of their passwords will follow similar formats. The ones with numbers at the tail of the words will probably count up by 1 each password change. And the one with Tupac? My guess would be their next password is NBIGShotFirst!
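To make the point concrete, here is an added example (my own code, not anything from the original post): a checker that implements the composition rules listed above, with the post's thresholds, alongside a few heuristics for the predictable patterns just described (month names, years, and a trailing counter that gets bumped each change). The sample passwords are the ones quoted in the post plus one constructed passphrase; the 3-letter name-part rule and the regexes are my assumptions about how "in part" and "counter" should be read.

```python
import re
import string

# Added example, not code from the original post. Rule thresholds (8 chars,
# 2 of 3 character classes) come from the post's policy list; the pattern
# heuristics below are assumptions about what "predictable" looks like.
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
# 3-letter month abbreviation not glued to other letters ("nov15", not "novel")
MONTH_ABBR_RE = re.compile(r"(?<![a-z])(" + "|".join(m[:3] for m in MONTHS) + r")(?![a-z])")
YEAR_RE = re.compile(r"(?:19|20)\d{2}")
# Exactly 1-2 digits at the end (optionally followed by punctuation): the
# "Ravens34" / "BlackMustang1" style counter people bump on each forced change.
COUNTER_RE = re.compile(r"(?<!\d)\d{1,2}[^a-zA-Z0-9]*$")


def meets_policy(password, account_name="", legal_name="", min_length=8):
    """Return (ok, reasons) for the composition rules listed in the post."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if account_name and password.lower() == account_name.lower():
        reasons.append("equals the account name")
    # "in whole or in part": any part of the legal name (3+ letters) inside the password
    for part in legal_name.split():
        if len(part) >= 3 and part.lower() in password.lower():
            reasons.append(f"contains name part '{part}'")
    conditions = [
        any(c.isupper() for c in password) and any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(conditions) < 2:
        reasons.append("meets fewer than 2 of the 3 character-class conditions")
    return (not reasons, reasons)


def predictability_flags(password):
    """Heuristic flags for patterns a composition-only policy never notices."""
    flags = []
    low = password.lower()
    if any(m in low for m in MONTHS) or MONTH_ABBR_RE.search(low):
        flags.append("month name")
    if YEAR_RE.search(password):
        flags.append("year")
    if COUNTER_RE.search(password):
        flags.append("trailing counter")
    return flags


def audit(password, **kwargs):
    """Run both checks: a password can pass the policy and still be flagged."""
    ok, reasons = meets_policy(password, **kwargs)
    return {"password": password, "policy_ok": ok,
            "policy_reasons": reasons, "flags": predictability_flags(password)}


if __name__ == "__main__":
    # Sample passwords quoted in the post, plus one constructed passphrase.
    for pw in ["September2013", "Nov152013!", "Ravens34", "BlackMustang1",
               "correct horse battery staple"]:
        print(audit(pw))
```

Running it shows the mismatch the post complains about: September2013 and Nov152013! pass every rule and get flagged for month name and year, Ravens34 and BlackMustang1 pass and get flagged as counters, while the long passphrase is the only one the policy rejects, because it has no capital, digit or symbol.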
But hey, who am I to complain? Oh, that's right... The tech who sees all these passwords (and more).
Recently my employer's head corporation decided to up the stakes and make password requirements longer: non-privileged accounts have to be 10 characters and follow all the rules listed above, and privileged accounts have to be 16 characters and changed every 3 months while following all the above rules. To make matters even better, they want us to change all of the passwords on every account used in our plant facility. Many of our accounts are automated service accounts, logged into plant-critical services on our servers, plant-floor computers/thin clients, and other things that are required to be running to make it all work.
In regard to changing all of our passwords: we don't know exactly every place every password is used. We are fairly certain that when we change these passwords as requested, they will break systems in places we weren't even aware these passwords were being used. In the grand scheme of this new plan, they want us to change EVERY password at least once per year. AKA we get to break everything once per year. AKA we spend countless man-hours on changing passwords.
Which leaves me to wonder, what is the benefit of changing passwords that nobody knows off the top of their heads? All of our passwords sit behind a VERY robust firewall, a segregated VLAN with strict Access Control Lists, and group security policy with intensive Active Directory control. I just wonder who had this bright idea? What was the metric they used to justify this many man-hours? Did they consider the exponential amount of business risk they may cause if systems crash due to account changes? Is there a monetary value on security? And when is that monetary spending on security (in man-hours, upgrading dated systems, and production downtime) too much to justify?
ANYHOW, I'll get off my tangent.
I have one of those privileged accounts, and in no way do I look forward to typing passwords that are 16 characters long on crappy server rack keyboards. I think I know the pattern I'll be using (and for the first time, I will be using a pattern... Not sure how to remember 16 character passwords otherwise).
As I'm sure some of you have already seen, XKCD already analyzed a real flaw in our normal password scheme:
To a computer, length is what increases the cost of guessing, not which characters you chose. A computer sees no difference between 0 and o, 1 and I, a and @; a cracker tries these common substitutions just as readily as any other character.
Like the quick brown fox jumping over the lazy dog in the gif at the top, security is only good if you are aware of what's going on.
Take the Heartbleed OpenSSL problem for instance. Any hacker with enough know-how could exploit the Heartbleed bug, and with that gain easy access to passwords, search history, e-mail, etc... But if you've been alive lately, you've seen the news, and have been inundated by the alarmist media that is paid to make you worry. If you haven't been savvy on the Heartbleed bug, you can catch up a bit on it here.
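The arithmetic behind that claim, as an added example (my code, not the post's or XKCD's): the naive search space of a password grows as length times log2 of the alphabet size, but a dictionary word dressed up with substitutions only adds about a bit per substitutable letter, because the cracker enumerates the substitutions instead of the full alphabet. The dictionary size, guess rate, Diceware list size and substitution table are assumptions chosen for illustration.

```python
import math

# Added example, not code from the original post. Dictionary size, guess
# rate and the substitution table are assumed values for illustration.
LEET = {"a": "@4", "e": "3", "i": "1!", "l": "1", "o": "0", "s": "$5", "t": "7"}


def naive_bits(length, alphabet_size):
    """Search-space bits if every character were chosen uniformly at random."""
    return length * math.log2(alphabet_size)


def substitution_bits(base_word, dictionary_size=100_000):
    """Bits a cracker actually faces when the password is a dictionary word
    with common substitutions: pick the word, decide whether the first letter
    is capitalized, then for each substitutable letter pick the plain letter
    or one of its replacements. Each such letter adds log2(1 + choices) bits."""
    bits = math.log2(dictionary_size) + 1  # +1 bit: first letter capitalized or not
    for ch in base_word.lower():
        if ch in LEET:
            bits += math.log2(1 + len(LEET[ch]))
    return bits


def passphrase_bits(word_count, wordlist_size=7776):
    """Bits for a passphrase of randomly chosen words (7776 = Diceware list size)."""
    return word_count * math.log2(wordlist_size)


def seconds_to_exhaust(bits, guesses_per_second=1e10):
    """Worst-case time to try every possibility at the assumed guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rows = [
        ("8 random lower-case letters", naive_bits(8, 26)),
        ("8 random printable ASCII", naive_bits(8, 95)),
        ("'P@ssw0rd' seen as word + substitutions", substitution_bits("password")),
        ("16 random lower-case letters", naive_bits(16, 26)),
        ("4 random Diceware words", passphrase_bits(4)),
    ]
    for label, bits in rows:
        days = seconds_to_exhaust(bits) / 86400
        print(f"{label:42s} {bits:6.1f} bits  ~{days:14.1f} days to exhaust")
```

The table it prints is the whole argument: 'P@ssw0rd' looks like 8 printable characters (about 52.6 bits) but is really a 100,000-word dictionary plus a handful of substitution choices (about 23 bits), while 16 plain lower-case letters (about 75 bits) or four random words (about 52 bits) beat it without any symbols at all.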
So, what does all this lead to? Why do we make such a deal about a false sense of security? Why do we lock away our lives behind a thin filter of words, numbers and characters?
Who knows. I'm more of a password pacifist. I've been using the same online password for the last 15 years. I only change it when password requirements on different sites make me. I have a made up word, that is based off of an early screen-name I once had. I have never been verifiably hacked, never had anything stolen, and never had to worry. I don't keep much important stuff online behind passwords. I'm sure if someone really took the time to fish down every nitty gritty detail they could find bunches of things they can exploit from me. But if someone is going that far to ruin my life, then they're probably an enemy IRL. And currently I have none. And if I did, they probably wouldn't be smart enough to crack into my accounts.
For me, it's good to keep perspective on things. Security protocols are thrown out of the window when the storage media can be directly accessed (by a person who works for the company that stores those accounts). Security protocols are also moot when a third-party contractor is given direct access to the storage arrays. Security is a fantasy when you consider that the NSA has been spying on everyone for years with and without help from the companies you know and trust.
You can waste lots of time worrying about where you store your data, which passwords you use where, and how you can maintain online security, or you could accept the fact that there are many many hands (both digital and real) in your data. Some will have malicious intent, some not.
My suggestion? Be reasonable with your security measures. Pick passwords you can remember, but that will be confusing to another person if they stumble across them. Don't link too many of your accounts together (use segregated e-mails. Ex: 1 for social media, 1 for e-mail lists, 1 for friends and family). Don't waste your time fretting about every security flaw that you hear about in the news. Wait for suggested solutions before you panic and change your security.
Ultimately, live life in real life. Use online interactions as an extension of your life. And don't become part of the problem and hack accounts for malicious intent.
I'm sure there are people on here who are exponentially smarter than myself in terms of security practices... That said, this is the part of the show where I get off of my horse and open up the forums for discussion. Answer some of the following questions!
- What does your security policy look like?
- What do you do to protect your online presence?
- Do you share any passwords with a significant other?
- Is there anything that I've missed, or misstated?
"The computer was born to solve problems that did not exist before."
– Bill Gates