Seriously. When will people (even security pros) ever learn? This is the IRC log between a few security pros who are involved in w00w00.org and BlackOps.org from an insanely long tour de force brag post that seemingly showed up folks from the big guns like Google, through security ISVs such Core Security through several security pros that I truly admire. I am not perfect, and honestly, I feel for these folks as it could happen to me, but weak passwords? OMG! Passwords seem to have cost one of them a great deal of money and time, irreversible data loss and
now involve sd law enforcement (update – see comments, this log is from the 1990’s I’m so duh that I missed that bit, but it still proves my point that passwords have sucked for a long time):
[14:41] <@rkl> shit. [14:41] <@rkl> whoever broke into blackops.org [14:41] <@rkl> when we caught them [14:41] <@rkl> they began rm filesystems [14:41] <@rkl> and removed my only copy of some photos i had of me and my fiance' [14:42] <@rkl> that i had up there for like 2 days while i reinstalled my OS [14:42] <@rkl> she's going to be sad about that [14:44] <@nobody> ur shitting me [14:44] <@nobody> who broke in? [14:44] <@rkl> we know. [14:44] <@rkl> luckily they were incompetent [14:44] <@rkl> however [14:44] <@nobody> bunch of savages in this town [14:44] <@rkl> because they tried to use blackops as a platform to launch attacks against a few corporations [14:44] <@rkl> now the FBI is involved [14:45] <@nobody> wonderful [14:45] <@rkl> me and murray couldnt' give a rat's ass [14:45] <@rkl> we back up blackops 1 time a month [14:45] <@rkl> to cd, now dvd [14:45] <@rkl> they got in through a weak user passwd [14:45] <@rkl> cause there were near 100 users [14:45] <@rkl> just normal users, so they didn't practice good security with their passwds [14:45] <@nobody> typical [14:46] <@rkl> we've had to turn over everything to the FBI [14:46] <@nobody> a system is only as secure as its users
In my previous post, my first item stated unequivocally that passwords are crap and first against the wall when the revolution comes? That revolution starts today.
Everyone’s New Year resolution has to be to change their crappy password (or in the rare case, passwords) for their computer to a passphrase (20 characters or more), install a password manager, and change all those crappy passwords into long (20 characters or more) random passwords for every single service. If your service doesn’t let you use > 20 character passwords, STOP USING IT. There’s something very dumb, wrong and insecure with that service.
I do not have a single password that is the same for any service on the Internet. Changing a password to me is extremely simple because I DO NOT CARE about any of them. I do not type them, I do not remember them. They are all at least 20 characters long, and occasionally way more if I care about the system in question.
Additionally, I have no truthful answers for the weak Q&A security backdoor on any system I use. What is your first pet’s name? Just try to crack fazEha*u@eJAM#!#6DafRatrAm6Q before the universe ends. p.s. I generated that one just for this blog entry. Don’t waste your time trying it out anywhere.
Passwords are insecure, always have been, always will be, and that goes double for the horrifically insecure Q&A backdoor that many sites insist upon who should (and most likely do) know better. Passwords are unsuitable even for this blog. Folks who say passwords are free or worse – “the norm” – are idiots and should be ignored whilst the rest of us get on with getting rid of them as Priority #1.
CALL TO ACTION!
If you are responsible for passwords on your site or service, the very first thing you must do when you get back to work is to call an urgent meeting with all stakeholders. The very first agenda item must be “We’re getting rid of passwords as of right now. How do we do that?” Don’t stop until you succeed. Your users will love you.
If you are a victim of passwords, you should ask “Why are we still using passwords? When will you get rid of them?”
Just Do it. Do It Now. I’m deadly serious.