The Ranting Carnivore


Security is secured by the stupid

Wednesday, March 16, 2022

It never fails me that every day, the stupidity of the masses shows itself somehow… somehow painful.

Today’s first such instance regards a relatively major website that, apparently, upgraded its password security policy. I only found out about it because I now found myself locked out, for “unknown” reasons, being asked to “reset my password”.

Giving them the benefit of the doubt… maybe after not logging in weekly I was set inactive or something, I went ahead and followed their procedure… only to get another random error. GRRRRR! This was using Brave with standard defaults… ok, let’s try turning off ad-block… oh look, it works now. Your stupid spyware is getting in the way… I hope the devil has a special place for your web designers.

Ok, so let’s continue. Put the password back to what it was, and NOW I learn why… doesn’t meet current “security requirements”.

Now nearly every security breach is enabled by someone THINKING they had all the holes covered. Well, we are all human, and make mistakes, so that’s basically impossible… but the naivety in thinking that is not the case usually creates the downfall. Passwords aren’t guessed simply because they don’t have enough “special characters” or mixed case or numbers in them, unless they have a REALLY bad hashing algorithm (like only using the first two characters or something).

I think the best explanation is given by Mr Munroe over at XKCD:

password_strength.png

(Original URL: https://xkcd.com/936)

The idiots that THINK you need all the “special” stuff to be “secure” are purely arguing from a limited viewpoint that opens a system up to additional vulnerabilities.

Consider:

  • When you have something hard to remember, a normal human will write it down. That’s easier to find and steal in a lot of cases!
  • If something is high security, like your bank password, etc, social engineering may happen while you are typing it. Say… your new significant other (a foreign terrorist spy yet unbeknownst to you) stands over your shoulder, carefully watching your hands as you type. An easily typed password, like Munroe’s correct horse battery staple, can be typed quickly, alternating hands used to stroke keys (e.g. first char ‘c’ is left hand, second char ‘o’ is right hand, third char ‘r’ is left hand, etc) to make it very hard to watch, and does not require taking hands off home row very far to press Shift or the like, something that most users won’t be able to do if they use ‘*’ (take one hand off home row for shift, the other to get to the ‘8’ key, and doing both slowly because muscle memory isn’t there).

On top of all of that, if your retry-back-off logic (read: the amount of time allowed between incorrect password attempts, or even number of incorrect password tries) permits you to enter enough tries to land on “hunter2” but not “hunter2!”, you may want to consider buying some pink paper and an axe for your security folks.
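The retry back-off point in numbers, as an added example that is not part of the original post. The doubling delay, the 15-minute cap, the 30-day window and the 2048-word list are all assumptions chosen for illustration.

```python
import math

def attempts_allowed(window_s, base_delay_s=1.0, cap_s=900.0):
    """Failed logins one account can absorb in window_s seconds when the
    enforced wait doubles after every failure, up to cap_s (assumed policy)."""
    elapsed, delay, attempts = 0.0, base_delay_s, 0
    while elapsed + delay <= window_s:
        elapsed += delay
        attempts += 1
        delay = min(delay * 2, cap_s)
    return attempts

def guess_space_bits(symbols, length):
    """log2 of symbols**length. Only valid for secrets picked uniformly at
    random; a human-chosen 'hunter2' sits far below this figure."""
    return length * math.log2(symbols)

def fraction_searched(attempts, bits):
    """Share of a 2**bits guess space that `attempts` online tries can cover."""
    return min(1.0, attempts / 2 ** bits)

def report(window_days=30):
    """Compare what the throttle lets through with two kinds of secret."""
    tries = attempts_allowed(window_days * 86400)
    passphrase = guess_space_bits(2048, 4)   # four random words, assumed list
    composed = guess_space_bits(94, 8)       # eight random printable chars
    return {
        "online_tries": tries,
        "bits_reachable": math.log2(tries),
        "passphrase_bits": passphrase,
        "composed_bits": composed,
        "passphrase_fraction": fraction_searched(tries, passphrase),
        "composed_fraction": fraction_searched(tries, composed),
    }

if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key:>20}: {value:.3g}")
```

With these assumed settings the throttle lets through under 3,000 guesses a month per account, so both secrets are out of reach of online guessing by more than 30 bits, and the composition rule adds nothing the back-off was not already providing.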

While this particular website didn’t use it, don’t even get me started on the terrorist web designers that try to keep paste from working (so I can type something in my password list, save it, then copy it and paste it into the web form).
