I’ve often been criticized for skimming over issues at a high level, or for not explaining some of the technical nuances of security in greater depth. Those who know me, or who have read my articles or watched my videos for any period of time, may have noticed that I do try to employ a method to the madness, one which has developed over time.
As a general rule, I usually only try to cover one topic at a time to allow a more focussed discussion. Yes, I wholeheartedly believe whenever I publish anything, I won’t have all the angles covered or know the answer. Neither do I pretend to be the ultimate authority on any particular matter. Rather, it’s the interaction, feedback and discussion that is generated that truly enriches any of the topics.
Secondly, I try (emphasis on try) to focus on making my content entertaining. My philosophy is that by delivering entertaining content there is a greater chance of attracting a wider range of people to engage, and if by doing that I get one person to adopt better and more secure practices, then it’s worth it.
Anyway, that’s out of the way. Let me draw your attention to exhibit A. I published a video on passwords http://youtu.be/AuG8azGuQQ8 . Much like my other material, it was light-hearted, contained some bad analogies and ended with a little reminder for people not to share or re-use their passwords, and to make them long and complex. From a user perspective that is probably more than enough to walk away with.
I’m not unfamiliar with disagreement, but a minority of people tend to, how can I put it, not be very eloquent. Take the YouTube user appletvplop who left the comment on my password video stating:
“Total crap. Make password long but not complex. Like a long password with padding. Google Grc haystack. Numpty.”
If he had paid attention to my video, he would have heard me say: make your password long and complex. But there are also reasons why putting too much effort into this may not be very effective, and there are flaws in simply relying on a long password built with the haystack (padding) method.
Firstly, there are still a large number of websites out there that restrict the maximum number of characters you can use in a password. Indeed, some of them even restrict the use of special characters. So it becomes impractical to use a really long password at all. I’ve seen examples of banks with this restriction (you know who you are)!
Secondly, you’re only taking into consideration one attack vector: someone who already knows your username brute-forcing or guessing your password.
But if I were determined to obtain someone’s password, that’s not the only attack route I would consider. I would look into things such as:
Does the backend database actually store the passwords in a secure manner? A lot of breaches have occurred where the password databases weren’t encrypted or used a weak algorithm that could easily be reversed.
Is the traffic encrypted between you and the server? A man-in-the-middle attack that lets me sniff the network (or you logging on over an insecure wireless network) would give me all the passwords in a nice clear format.
I could install a keylogger on your machine, either physical or software based (including any malware that captures screenshots or takes interactive control of your desktop environment). It doesn’t matter how long or complex your password is then, does it?
Sending users an email asking them to verify their passwords is a classic phishing attack… and it still works!
If you forget your password and the application allows you to request a reset, how is this managed? If it asks a few questions like your mother’s maiden name and favourite colour and subsequently lets you in, your password is useless. Or maybe the application emails you your password in cleartext. Maybe one could just have it sent to an email account of your choosing.
Is there a phone number for customer support that you can call up and ask for the password to be reset over the phone? A bit of social engineering doesn’t hurt in the grand scheme of things.
Can a system administrator reset your password and log in as you? Insiders have been known to pose threats.
I could go on…
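To make the first point concrete, here is an added example (my own, not from the video) of why how the backend stores a password decides whether length helps at all. A constructed “leaked” user table using a reversible encoding gives up a 24-character padded password as readily as a short one, while a salted PBKDF2 store (assumed here as the secure scheme; the iteration count is a chosen value) only ever lets you verify a guess, never reverse the record.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample rows as they might appear in a breached database whose
# developers mistook a reversible encoding (base64) for "encryption".
LEAKED_ROWS = [
    ("alice", base64.b64encode(b"Tr0ub4dor&3").decode()),
    ("bob", base64.b64encode(b"D0g.....................").decode()),  # long, padded
]


def reveal_reversible_store(rows):
    """What a leaked row reveals when the stored value can simply be decoded.

    No guessing is involved, so the password's length and padding are irrelevant.
    """
    return {user: base64.b64decode(value).decode() for user, value in rows}


# Assumed secure scheme: salted PBKDF2-HMAC-SHA256 with a fixed work factor.
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing record: algorithm$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # a fresh random salt per user by default
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    _algo, iterations, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    print("leaked table reveals:", reveal_reversible_store(LEAKED_ROWS))
    record = hash_password("D0g.....................")
    print("hashed record:", record)
    print("correct guess verifies:", verify_password("D0g.....................", record))
    print("one-char-short guess verifies:", verify_password("D0g....................", record))
```

With the hashed record, the only thing an attacker holding the table can do is run guesses through the same slow function, which is the scenario where length finally matters.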
The point is that simply having a long, padded-out password isn’t enough, because there is a whole multitude of things that should be taken into consideration before declaring something the answer to all your security issues. It’s a security concept called ‘defense in depth’, of which a haystack may form one layer; you may want to google that.
Who’s the numpty now?
P.S. If you really want to get into the topic of password lengths, look up a discussion that’s been going on in the Information Security Group on LinkedIn. The question is: how long should a password be? It’s been debated for over a year and has over 1300 comments on it.