Software support for password strength

Archive for January, 2012

Software support for password strength

Posted by

Xkcd is the QED of our industry. Want proof? Check out Randall Munroe’s comic on Password Strength.

Longer phrases trump mixed up passwords every time. “Correcthorsebatterystaple” will take significantly longer to crack than, say, “p@ssw0rd”. Given this, you might wonder why the industry has not changed to longer phrases. I blame the vendors. There are a number of apps that I support and websites that I visit that still limit passwords to 14 characters. Moreover, many explicitly for prevent special characters. Software support is a problem.

There are other problems, too. See today’s Dark Reading article for the pros and cons of using phrases.

Dark Reading: Passphrases A Viable Alternative To Passwords?

There is a wish among some enterprise users that they could institute phrases, but they’re experiencing a technology lag within the software and identity management worlds that stymies the urge.

“One reason (organizations don’t use passphrases) is the number of software applications that do not support long or complex passphrases,” says J. Wolfgang Goerlich, Network Operations and Security Manager for a midwest financial services firm. “Length and special characters seem to be a challenge for some vendors. Sometimes referred to as technological debt, many IT departments must maintain a suite of apps that have not been updated with modern security recommendations.”

The team, the tools, and the time

Posted by

“Want to find out how good someone is? Take away all their tools and say, ‘Now do it.'” — @SecShoggoth

Have you heard of Thomas Thwaite? He took a maker’s approach to toasters. By reverse engineering a £3.99 Argo toaster, Thwaite was able to build his own model. He smelted the iron. He melted the plastics. He may have argued with a volleyball named Wilson. I am not sure on that last point. But after nine months and £1187.54, Thwaite had himself a toaster.

A tweet by Tyler Hudak (@SecShoggoth) had me comparing toasters to information technology. Just what is a tool? Is it that application you are using? Fine. Let’s rewrite the app to show how good we are. But wait … what about the IDE? Is that a tool? No worries. We will use cat and bang the C code out straight. What about the compiler? What about the language itself? The OS? The computer itself? How about the motherboard and daughter cards? What about ICs? The transistor?

“If you want to make an apple pie from scratch, you must first create the universe.” Carl Sagan sums up the slippery slope we ride.

We live in a remix society. We — in the IT and InfoSec industry — work on the largest hackable platform in human history. Everything we do depends upon the work of others. Everything we make builds upon the tools of others. Every day we take from and give back to this hackable platform we call modern IT.

We can compare the new generation’s approach to IT as the Nintendo generation. Heck, they just download an app, point-and-click, and done. That’s not IT.

I recall folks lambasting my generation because we had a GUI. Heck, we had keyboards and mice. All we had to do was boot up, point-and-click, and done. That’s not IT. That’s not real computing.

I wager the generation before were heckled because they did not have to use punch cards. And don’t get me started about slackers who use transistors instead of vacuum tubes.

There is a certain rugged nostalgia for folks like Thomas Thwaite. People who toss aside the benefits of society to forge their own way are admirable. Equally admirable, in my opinion, are those who save time and money with clever hacks to the platform. These are folks that excel thru expert use of modern tools.

See, IT has become a team sport. The one man toaster and the lone sysadmin are throw backs. The way forward is mastery of your specific tool-set combined with a team of folks equally skilled in complementary tools. Give me a team, tools, £1187.54, and nine months. We will change the world.

Wolfgang

 

Note this article comes from a discussion on Twitter between@SecShoggoth, @RogueClown, and @LenIsham.@SecShoggoth blogged on expanding your skill sets beyond the tools you are comfortable with here: Tools and News.

Happy New Year 2012

Posted by

Welcome to 2012, and welcome back to my blog. Has the world ended yet? No? Still with us? Yes? Good.

Fifteen years ago, I was building high quality IT systems. Ten years ago, I was building high quality IT platforms. During the past five years, I have been building high quality IT teams.

This blog has evolved over the years along with my role in IT. My original focus in 2002 was on technical tips for Citrix, thin computing, and overall IT security. This shifted into business continuity and risk management in 2007. I focused on network architecture as a path for network security in 2009. Most recently, I have been writing about the management side of the equation.

In 2012, I will dig deeper into team work and team management. How do group dynamics play out in the technology field? What can we do, as a team, to deliver IT solutions with a high degree of quality and security?

I will also be doing more collaboration and group projects. This means more involvement with the #MiSec security group, working with the SE Michigan community to put on theBSides Detroit conference, doing a weekly BSides chat on the Rats and Rogues podcast, and presenting in West Michigan at GrrCon. Further, you can expect a new release of the SimWitty security tool.

Good things are in motion for 2012. Please keep your hands and feet inside at all times, and enjoy the ride.