In the days since the STRATFOR breach, I initially gave the firm high marks in communicating with its user base after idiotically allowing all their data go bye-bye. I’m going to modify that stance a bit in another post – I now see that they have in fact fallen very short of what they could have done in some serious and substantive ways. I list one way below.
But in this post I am mainly speaking to the Information Security Digirati, the suckholes in the opinion bubble who have used the opportunity to become, to paraphrase J. Frank Parnell, ‘half-baked goggle-boxed do-goodies telling everyone that the reason they lost their credit cards was because they didn’t use an @ in their password.’ This is the same school of thought which makes everyone hate information security: “Security must be working because everything sucks, it’s hard to use and a pain in the ass.”
The reason that the STRATFOR breach occurred had absolutely nothing to do with users using STRATFOR or password or other forms of stupid passwords. The reason was that STRATFOR spent no time or energy on its information security, were bad stewards of my data and broke industry standards and guidelines as to the protection of specific data such as passwords, credit card numbers and personally identifiable information of its members. It systematically refused to address core, fundamental problems, despite claiming expertise in cyber OSINT.
That has nothing to do with my password strength, ace.
Now here come the talking heads. In Forbes, my friend Richard Stiennon actually goes so far as to blame the victims before blaming STRATFOR:
It is very important for everyone reading this to re-learn security 101. Anonymous has posted complete credit card records of those who subscribe to Stratfor’s publications, and 28,517 email addresses and cracked passwords. Reading through those lists is very educational. Well known security experts, executives at major networking companies, industry analysts, and government contractors have all had their passwords published on the text-file sharing site pastebin.com….The passwords revealed are an abject lesson in password strengths. Do you really think adding a number to the end of a word makes it a better password? optimus2, compaq23, Satellite1, kate29, magic78, chance10 were all easily cracked. Not to mention those that used: password, stratfor, chickens, bamboo, mentor, fishhead, trophy, chicago, or the lovely “kisses” or the beguiling “lovecakes”.
Forgive me, Richard, but tosh, balderdash and shame on you for implying that this was the reason for the breach. Not a single one of those bad passwords was responsible for the loss of the passwords themselves. I’ve written a piece talking about strong passwords for law enforcement, but I was advocating use of passphrases and anyway in the cases I was addressing, the bad passwords were the issue, the cause of the problems.
And I know they’re fun to write, babycakes.
But listen: the thing you call Security 101?
As it refers to password theory, it’s mind-thwackingly stupid; an epic fail; an exercise in what Einstein articulated as the very definition of insanity (see below).
Let’s review: for each of the scores of web-based services we use, we’re supposed to create a non-memorable, hard-to-type, unique string of characters comprising upper- and lower-case letters, numbers, and special characters.
Oh, and we’re not supposed to write them down.
What could possibly go wrong? Nothing, considering that we are forcing the users to skirt the security, so they behave exactly as expected! Walk through any large enterprise today and gaze in horror at computer monitors that look like the entry to a car wash, what with all the Post-Its flapping around the edges of the screen, each bearing a non-memorable, hard-to-type, unique string of characters comprising upper- and lower-case letters, numbers, and special characters.
Let’s try that on your car, shall we?
The passwords are the problem, yo.
We as a security community have so bollixed this up that a couple of weeks ago, when I took part in a non-academic project to roll out true two-factor authentication to a group of highly intelligent, highly experienced enterprise computer users, we had a shock.
The setup: Each member of this group was required to look at a plastic thingy which displayed a six-digit number, and when the thing they were trying to access asked them for a six-digit number, they were to type in the six-digit number they saw on the plastic thingy.
Ninety per cent failure rate.
That’s right, with detailed instructions and a help desk, nine out of ten of these college educated, privileged and experienced computer users failed to correctly input the thing which actually proved that they possessed the device which grants access.
But weh-hay! All of them correctly entered their passwords (which were in fact a large part of the problem which led to the breach which led to the introduction of two-factor in the first place). So for the passwords part, we had a 100% success rate.
From that anecdote, it would seem momentarily that we’ve made them good at using that which sucks, at the expense of making them bad at that which reasonably defends against unauthorized access. But no, it’s much worse than that. We’ve made them appear to be good at using that which sucks, at the expense of making them bad at that which reasonably defends against unauthorized access.
We did that by helping them (and by “helping” I mean “forcing”) to find shortcuts around any annoyance that the suckage presented, like having to remember stuff designed to be non-memorable.
An analysis of password strength of the STRATFOR corpus which is ultimately more meaningful to the community was published by Steve Ragan at The Tech Herald. It confirms that, using a free tool and having access to the corpus of passwords on a site frequented by security and defense professionals, all of them (and by “Them” I mean “Us” since I was one of the breached) use shitty passwords.
We started with a list of common passwords, followed by a list of names (male and female) in Arabic and Iranian. From there we used a list with the names of people in Congress, words from the King James Bible, common 2 character passwords, words from the book 1984, Australian words and phrases, terms taken from the World Fact Book, various computer phrases and jargon, programming-based phrases, and previously cracked passwords from Facebook, MySpace, Singles.org, Hotmail, and Gawker. Just over 7 minutes later, we had our first set of cracked passwords. In all, the Small Word List set yielded 25,690 passwords.
Passwords, I say again, are the problem, yo.
Oh, and not to go down the rabbit hole on STRATFOR, but the “free” year of dipshit moronic “service” they gave me at a company who I can’t reveal but whose initials are CSID, to “help” track how my stuff was abused – patently after the abuse. CSID demands that I use – wait for it – a non-memorable, hard-to-type, unique string of characters comprising upper- and lower-case letters, numbers, and special characters for each of the three STRATFOR accounts I’d had (and STRATFOR, of course, had not told these idjits the credit card numbers that were compromised, so apparently I was to, you know, enter randomly al the credit card numbers I have or something). Awesome. Now I have two new passwords out there. To get the tainted credit card numbers I had to ask a friend who was researching the data pile to tell me the numbers.
This morning I get an urgent email from CSID. It’s Urgent! In fact, it’s so urgent that they can’t even tell me what it’s about in an email! I have to log in.
I go log in, and it tells me that the email address I have registered with them (the email which was stolen the week before from STRATFOR) should be considered compromised.
I click on the link it gives me for Restoration - Oh! STRATFOR Contractor, help me overcome this tragedy! – and I read this sage wisdom:
If you have received an alert referencing one of your monitored email addresses, this indicates that a cyber criminal is selling or trading this email address and potentially your password as well. To correct this situation, follow the actions below:
- Change/update your password on all existing email and internet accounts you may have. Your password should be a strong format with a combination of upper and lower case letters, including special characters such as @,&,%,!. For example, bRo$NdoG726.
Get it? You see what they did there? They told me that the password I used had been compromised, so I should make another one. Remember that Einstein quote I mentioned? “Insanity: doing the same thing over and over again and expecting different results.”
What Is To Be Done?
Rather than continue to make the users do the stupid and useless things we as security professionals tell them to do, let’s remove them from the equation. First, some basic common sense in building web applications would be nice, as would testing regularly with competent people doing the testing. Don’t let this be the end: secure stuff properly on your end to protect your users. Stop being such a cheapskate and spend some money on your security people. Test your assumptions regularly by having competent people test them. Follow the instructions of what these people say – don’t just sweep them under the rug or plan it for the 2016 fifth quarter budget cycle.
Regarding passwords suckage, Hey! Allowing passphrases would be nice – I don’t know how much more secure a passphrase such as
Ooh, yo – this is my secret passphrase!
is than something random and stupid like
but I can tell you that it is a lot easier to remember, doesn’t force your users to fill their desk with Post-It reminders and, oh yeah, is harder to crack.
Then, let’s get two-factor to be a standard feature, as it can be on GMail. How? Everyone I know has a cell phone, let’s give them a little app. If only someone were to make a free, easy to use two-factor app which works on cell phones. Or even send the one-time code by SMS message.
So to summarize: Passwords are the problem. Stop blaming the users. Let’s get serious about securing this stuff.