For those of you going to TechEd this year, I hope we see you at the RD GrokTalks. I would define them here, but Scott Hanselman has already put it so well that I imagine I am best off linking to his post here.
Let me know what you think of the idea.
Just recently I talked about online password security and I referred to the way most sites on the Internet handle passwords as the Ugly in my “the Good, the Bad and the Ugly” slide. Most sites I visit not only allow me to put in a woefully weak password, but don’t allow me to set a strong one by my standards. Have you ever seen a website support pass-phrases by allowing really long passwords (say 50 or more characters)? Probably not.
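As an added example (not code from the original post), here is a password policy that accepts pass-phrases, beside the kind of restrictive policy the post calls the Ugly. The policy names, the length limits and the sample phrase are constructed for illustration; the hashing shows that a long pass-phrase costs the site nothing to store.

```python
# Added example (not code from the original post): a pass-phrase friendly
# password policy beside the kind of restrictive policy the post complains about.
# Policy names, limits and the sample phrase are constructed for illustration.
import hashlib
import hmac
import os
import string
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class PasswordPolicy:
    name: str
    min_len: int
    max_len: int            # the post's point: a low cap rules out pass-phrases
    allowed: Optional[str]  # None means any character is acceptable

    def violations(self, pw: str) -> List[str]:
        """Return every rule the candidate password breaks (empty list = accepted)."""
        problems = []
        if len(pw) < self.min_len:
            problems.append(f"shorter than {self.min_len}")
        if len(pw) > self.max_len:
            problems.append(f"longer than {self.max_len}")
        if self.allowed is not None:
            bad = sorted({c for c in pw if c not in self.allowed})
            if bad:
                problems.append("disallowed characters: " + "".join(bad))
        return problems


# The "Ugly": short maximum, letters and digits only, so no spaces or punctuation.
LEGACY = PasswordPolicy("legacy", min_len=6, max_len=12,
                        allowed=string.ascii_letters + string.digits)
# Pass-phrase friendly: long minimum, generous maximum, any character.
PASSPHRASE = PasswordPolicy("passphrase", min_len=12, max_len=256, allowed=None)

# Constructed sample: 58 characters, with spaces and punctuation.
SAMPLE_PHRASE = "correct horse battery staple, but longer than fifty chars!"


def hash_password(pw: str, salt: Optional[bytes] = None,
                  iterations: int = 600_000) -> Tuple[bytes, bytes]:
    """PBKDF2-HMAC-SHA256. The digest is 32 bytes whatever the pass-phrase
    length, so accepting long passwords costs nothing in storage."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", pw.encode("utf-8"), salt, iterations)
    return salt, digest


def verify_password(pw: str, salt: bytes, expected: bytes,
                    iterations: int = 600_000) -> bool:
    """Constant-time comparison against the stored digest."""
    _, digest = hash_password(pw, salt, iterations)
    return hmac.compare_digest(digest, expected)


if __name__ == "__main__":
    for policy in (LEGACY, PASSPHRASE):
        print(policy.name, "->", policy.violations(SAMPLE_PHRASE) or "accepted")
```

One caveat when raising the maximum: bcrypt only uses the first 72 bytes of its input, so a site that allows 256-character pass-phrases should store them with a KDF that has no such limit (PBKDF2 as above, scrypt or Argon2), or it silently ignores the extra length the policy invited.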
Despite my pessimism, I think the message is getting through. On a site called GamerFacts.net there is a post about the change in policy that Sony has made to their existing system that supports massively multiplayer online RPG games like Everquest and Star Wars Galaxies. To see the post and read the message sent out by Sony click here.
Let's hope this is just the tip of the iceberg.
A customer said today that they are using stored procedures, so unless I knew of any other SQL Injection risks they thought that was enough. The truth is that this is the answer in most people’s minds. The problem is that this common mindset is exactly the kind of thing that aids hackers.
While using stored procedures or parameterized queries or any of the other methods to thwart hackers is not only highly recommended, but also an absolute requirement, I don’t feel it is enough. We are treating the symptoms, not the disease. If a hacker fails in their SQL Injection attack because of these measures then great, but we haven’t prevented them from trying something else.
Think about having the application try to detect such attacks even if you are impervious (which, in my experience, you probably aren’t), and when you detect this kind of attack, do something to hinder the hacker. Close their session, ban their host, crash their browser, whatever you can do to make it harder for them to move to the next step of their attack will ultimately help you.
I will discuss this topic more in future posts as I think there is a lot left to say on it, but for the moment look at your existing web application in this light and see what you come up with.
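The two layers described above, as an added example that is not code from the original post: a parameterized query as the baseline (so the injection attempt fails), plus an application-level detector that treats injection-shaped input as an attack in its own right, closes the session and bans the host, as the post suggests. The users table, the session store, the detection heuristics and the host addresses are all constructed for illustration.

```python
# Added example (not code from the original post): parameterized queries as the
# baseline, plus an application-level detector that treats injection-shaped input
# as an attack in its own right and revokes the session, as the post suggests.
# The table, the session store, the heuristics and the host addresses are constructed.
import re
import sqlite3
from typing import Dict, List, Optional, Set, Tuple

# Positive model: what a legitimate username looks like on this (constructed) site.
USERNAME_OK = re.compile(r"^[a-z0-9_.-]{1,32}$", re.IGNORECASE)
# Signatures that never belong in a username: a quote followed by a boolean
# operator, SQL comment openers, statement stacking, UNION ... SELECT.
SUSPICIOUS = re.compile(
    r"""(['"]\s*(or|and)\b)|(--)|(/\*)|(;\s*\w)|(\bunion\s+select\b)""",
    re.IGNORECASE,
)


def classify_input(value: str) -> str:
    """'ok' for well-formed input, 'attack' for injection-shaped input,
    'invalid' for anything else (a typo, not an attack)."""
    if USERNAME_OK.fullmatch(value):
        return "ok"
    if SUSPICIOUS.search(value):
        return "attack"
    return "invalid"


def build_db() -> sqlite3.Connection:
    """In-memory table with constructed rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, role TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "admin"), ("bob", "user")])
    return conn


class SessionStore:
    """Active sessions, banned hosts and an audit trail for the detector to act on."""
    def __init__(self) -> None:
        self.active: Dict[str, str] = {}      # session id -> client host
        self.banned_hosts: Set[str] = set()
        self.audit: List[Tuple[str, str]] = []


def lookup_role(conn: sqlite3.Connection, sessions: SessionStore,
                session_id: str, username: str) -> Tuple[str, Optional[str]]:
    """Return (outcome, role). The query is parameterized, so an attack string
    would only be an unmatched name; the detector turns it into a response."""
    host = sessions.active.get(session_id)
    if host is None or host in sessions.banned_hosts:
        return "no_session", None
    verdict = classify_input(username)
    if verdict == "attack":
        sessions.audit.append(
            ("sqli_attempt", f"host={host} session={session_id} value={username!r}"))
        sessions.active.pop(session_id, None)   # close their session ...
        sessions.banned_hosts.add(host)         # ... and ban their host
        return "blocked", None
    if verdict == "invalid":
        return "rejected", None
    row = conn.execute("SELECT role FROM users WHERE name = ?", (username,)).fetchone()
    return ("found", row[0]) if row else ("not_found", None)


if __name__ == "__main__":
    db, store = build_db(), SessionStore()
    store.active["demo"] = "203.0.113.5"        # constructed client host
    print(lookup_role(db, store, "demo", "alice"))
    print(lookup_role(db, store, "demo", "bob smith"))
```

The positive model runs first, so a legitimate username never reaches the signature check, and a plain typo is rejected rather than treated as an attack. The signatures are deliberately narrow; tune them to the field's real format and review the audit entries, since a false positive here costs a user their session.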
The stereotype of the malware and spyware author is the lone disgruntled hacker who has squandered their talent on rage and hate. Sounds like the perfect villain for a melodrama. It turns out that the truth is much worse. The driving force behind most of this software is actually organized crime. An article on ZDNet yesterday details how this all works in a nice little overview. This seems to be just another wave in the process of hacking and anti-hacking becoming battles not between individuals alone in the dark, but between industries and governments vs. syndicates.
I just read an article which quotes Jesper Johansson as saying that we should reverse the long-held truism that users should not write their passwords down for their own reference. Jesper is a well respected (though often controversial) Security Heavyweight who has worked for Microsoft for some years. I know Jesper from events we both presented at such as TechEd Hong Kong and the New York Security Summit a year or so ago. I often read his advice and take it to heart, but this time I think we need to be less binary. I can see circumstances where you can make this case, but to just reverse the rule is reckless. We need training first and foremost. Have I seen a seasoned professional make this method of password tracking work? Yes, I have. But I have also seen users abuse the hell out of the loosening of such policies.
Silver bullets are few and far between in our space when it comes to security. We have trained most drivers to lock their car and carry the key along with them (don’t even attempt the keyless entry system argument, that is newish and doesn’t weaken my analogy). If you lock the key in your car or lose it then the world takes a healthy bite out of your convenience factor in terms of cost and delay. If we just trained users to take their passwords as seriously then I think we would be OK.
I recently returned from Huntsville, Alabama where I gave a talk on passwords for developers. The article cites systems that allow only weak (read short and limited character set) passwords to be used. The number of examples of this from the web is staggering so I won’t bother listing them. We need to go after this problem as well. Developers (and managers) don’t get that there are brute force attacks against web site logins just like there are for PC operating system logins. They are much more mature than most people think.
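The brute-force point above is where web logins most often lag behind operating system logins, which have had lockout policies for years. As an added example (not code from the original post), here is a sliding-window login throttle that counts failures per account and per source host and locks the offending key for a fixed period; the thresholds, host addresses and sample events are constructed for illustration.

```python
# Added example (not code from the original post): a sliding-window login throttle
# that treats repeated failures against one account, or from one source host, the
# way an OS lockout policy would. Thresholds and sample events are constructed.
from collections import defaultdict, deque
from typing import Deque, Dict, List, Tuple


class LoginThrottle:
    def __init__(self, window_s: float = 300.0, per_account: int = 5,
                 per_host: int = 20, lock_s: float = 900.0) -> None:
        self.window_s = window_s          # failures older than this are forgotten
        self.per_account = per_account    # failures per account before locking
        self.per_host = per_host          # failures per source host before locking
        self.lock_s = lock_s              # how long a lock lasts
        self._fails: Dict[str, Deque[float]] = defaultdict(deque)
        self._locked_until: Dict[str, float] = {}

    def _prune(self, key: str, now: float) -> Deque[float]:
        """Drop failures that have aged out of the window."""
        q = self._fails[key]
        while q and now - q[0] > self.window_s:
            q.popleft()
        return q

    def is_locked(self, key: str, now: float) -> bool:
        until = self._locked_until.get(key)
        if until is None:
            return False
        if now >= until:                  # lock expired: forget it
            del self._locked_until[key]
            return False
        return True

    def check(self, account: str, host: str, now: float) -> str:
        """Call before verifying the password. Returns 'allow' or 'locked'."""
        if self.is_locked("acct:" + account, now) or self.is_locked("host:" + host, now):
            return "locked"
        return "allow"

    def record_failure(self, account: str, host: str, now: float) -> None:
        for key, limit in (("acct:" + account, self.per_account),
                           ("host:" + host, self.per_host)):
            q = self._prune(key, now)
            q.append(now)
            if len(q) >= limit:
                self._locked_until[key] = now + self.lock_s
                q.clear()

    def record_success(self, account: str, host: str, now: float) -> None:
        self._fails.pop("acct:" + account, None)   # a real login resets the account counter


def replay(throttle: LoginThrottle,
           events: List[Tuple[float, str, str, bool]]) -> List[str]:
    """Feed (time, account, host, password_ok) events through the throttle and
    return one outcome per event: 'success', 'failure' or 'locked'."""
    outcomes = []
    for t, account, host, ok in events:
        if throttle.check(account, host, t) == "locked":
            outcomes.append("locked")
            continue
        if ok:
            throttle.record_success(account, host, t)
            outcomes.append("success")
        else:
            throttle.record_failure(account, host, t)
            outcomes.append("failure")
    return outcomes


# Constructed sample: five wrong guesses at one account, then the right password.
SAMPLE_EVENTS = [(float(t), "alice", "203.0.113.7", False) for t in range(5)] + \
                [(5.0, "alice", "203.0.113.7", True)]

if __name__ == "__main__":
    print(replay(LoginThrottle(), SAMPLE_EVENTS))
```

The per-host limit matters as much as the per-account one: a guessing run spread across many accounts never trips the account counter, and an account-only lockout lets anyone lock a legitimate user out simply by guessing wrong at their name. The finite lock window limits that second problem; a site can also escalate to a CAPTCHA or a growing delay instead of a hard refusal.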
My bottom line is that I don’t think you can make a blanket statement about something this nuanced and varied by group. I give credit to Jesper for saying shocking things to promote the debate (he has accomplished that), but I can’t buy in that we have a new and diametrically opposed truism to our old and long-held one that users should not write down their passwords.