2009-07-29

Defense: Do as I say!

Most of us have been there and gotten all holier-than-thou with clueless newbies, but when is the last time you took a good look at all the cool little tidbits of security knowledge (or any other advice, really) that you've dispensed recently and used them as a yardstick against yourself?

Recently, a forum I am on was owned: completely and totally compromised. While I'm not terribly active there, I can say that I was guilty of re-using the password on that forum elsewhere. When the admins sent the massive e-mail to all the forum members that the passwords were compromised, I had two immediate thoughts, in the wrong order.

1) Why weren't they hashed? If they were compromised, that means that the attackers got plaintext passwords!

then,

2) Holy hell. They have my password to maybe a half a dozen other forums where I use the same username. Easy pickings!
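To make the first question concrete, here is an added example (mine, not the forum's software and not code from the original post) contrasting what an attacker learns from a dumped credential table when passwords are stored in plaintext versus as salted PBKDF2 hashes. The user names and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

# Constructed sample accounts for the demonstration; not real credentials.
SAMPLE_USERS = {"alice": "correct horse", "bob": "hunter2"}


def store_plaintext(password: str) -> dict:
    """How the compromised forum evidently stored passwords: as-is."""
    return {"pw": password}


def store_hashed(password: str, iterations: int = 200_000) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record: a fresh random salt per user,
    so two users (or two sites) with the same password get different hashes."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iters": iterations, "hash": digest.hex()}


def verify_hashed(record: dict, candidate: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode(), bytes.fromhex(record["salt"]), record["iters"]
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def dump_reveals_password(record: dict, password: str) -> bool:
    """What an attacker holding a copy of the table sees: is the password
    itself sitting in the record? True for plaintext, False for a hash."""
    return password in record.values()


def build_tables(users: dict = SAMPLE_USERS) -> tuple:
    """Build the same user base two ways so the two storage schemes can be compared."""
    plaintext_table = {u: store_plaintext(p) for u, p in users.items()}
    hashed_table = {u: store_hashed(p) for u, p in users.items()}
    return plaintext_table, hashed_table


def reuse_still_works(users: dict = SAMPLE_USERS) -> bool:
    """The caveat behind the second thought in the post: hashing protects the
    site's table, but a password reused at a second site (different salt,
    different hash) still logs in there once an attacker knows the plaintext."""
    site_a = {u: store_hashed(p) for u, p in users.items()}
    site_b = {u: store_hashed(p) for u, p in users.items()}
    hashes_differ = all(site_a[u]["hash"] != site_b[u]["hash"] for u in users)
    reused_logins = all(verify_hashed(site_b[u], p) for u, p in users.items())
    return hashes_differ and reused_logins


if __name__ == "__main__":
    plain, hashed = build_tables()
    for user, pw in SAMPLE_USERS.items():
        print(user, "plaintext leaks:", dump_reveals_password(plain[user], pw),
              "hashed leaks:", dump_reveals_password(hashed[user], pw))
    print("reused password works at a second site:", reuse_still_works())
```

The hashed table keeps a dump from handing over the password directly; it does not help the user who reused that password elsewhere once it is guessed or cracked, which is the point of the second thought above.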

Granted, the password isn't used for any of my e-mail accounts, blogs or social media things. Still, I was re-using a password that I keep around for relatively low-security accounts that I really don't care enough about to bother coming up with different passwords for. That's changed now. It was a wake-up call.

A friend of mine got bit by the same attack, but was also re-using that password on more sensitive accounts. And I'm talking about someone who is generally pretty bright.

Guilty
We're all guilty of it. I know we are. We tell people to do as we say, but we turn around and do something else.

"Turn off javascript!" we proclaim. "Don't re-use passwords. Cycle them every xx days!" and "Don't trust open wireless!" but the next day, there we are: Logging into our accounts that all use the same password and cracking our laptops open at the airport without tunneling traffic.

Security is hard work, and in the end it's all about trade-offs: usually sacrificing usability and/or speed in the process of protecting ourselves. Too much security and it hinders our ability to get anything done. Too little, and we have quick access, but so might someone else ;)

This doesn't just include password re-use, or passwords in general. It's all the things you think you know, the advice you give that you fail to take to heart yourself. Do a search for "password" in your inbox, or heck, try searching your email for your various passwords verbatim. Take a look at the corners you cut in the name of usability. You have just as much to learn from yourself as everyone else does, I'd bet.

At any rate, this is just a quick note to remind myself (and you guys) that we might want to take a dose of our own medicine once in a while. After all, if our advice is good enough for our peers and users, shouldn't it be good enough for ourselves?
