Password Security, How Does It Work?
I thought it was silly of Gawker Media to taunt world-plus-dog to test its IT security, only to be caught napping last year when its systems were compromised. But when your whole business is IT security, it's even more embarrassing to be caught reenacting the tale of the cobbler's children.
In that story, the cobbler was so busy making shoes for the village that his own children had to run around barefoot. This is, after being updated for the 21st century, pretty much what happened to security consultancy HBGary and its subsidiary HBGary Federal. From what I understand, one or more of the company's executives thought that it was a good idea to use the same password for Twitter, LinkedIn and the firm's content-management system. That became a problem after HBGary Federal's CEO Aaron Barr decided that he was going to try to infiltrate the hacktivists collectively known as "Anonymous." He was successful in doing so, but after revealing himself, apparently thought that his company was immune to retaliation.
But Barr's sloppiness with passwords gave his enemies enough of a toehold to allow them to break into the consultancy's e-mail server in early February and capture about 50,000 documents and messages. For the last few weeks, the two firms have been the butt of jokes, especially after HBGary posted a "pity me" sign in place of its booth at the RSA Conference in San Francisco.
Here's the thing that makes this situation even more amusing than the Gawker debacle: HBGary was soliciting clients by letting them believe that its team knew better than to reuse passwords among key systems. (I'm sure that wasn't actually in the pitch, but it was one of those things that you assume is there in much the same way that one assumes that a LAN uses Ethernet.) On top of that, HBGary had offered its services to Bank of America as experts in fighting back against WikiLeaks and in turn, Anonymous. This is the Internet's equivalent of waving a red cape in front of a bull; do it enough, and you're likely to be gored.
More likely than not, from some of the e-mail that I've seen that passed between Barr and one of his top coders, arrogance played a part in the debacle. The problem with the "can't touch this" attitude is that it's only valid while the people who want to take you down have better things to do.
I'm sure that the HBGary executives were thinking the same thing most of us do: "I'm kind of busy right now, and I'll change it to something stronger when I have a little more time." I've done that more times than I care to think about, as I noted in December when the Gawker story broke. Since then, I've become a little bit better at resisting the temptation to slap a quick and dirty password on an account. But I'm still doing it from time to time, as I realized the last time I ordered a cable from my new favorite vendor for such things.
I'm convinced that practicing password security in the fashion that many security experts say we should is just too much bother for all but a handful of people. "Easy to remember, hard to forget" only gets one so far if the password has to be rotated every month or two. Maybe we really are better off carrying around a piece of paper full of random characters with a few real passwords embedded in the randomness. This "poor man's steganography" has to be a better approach to password security than what we