Of Boxes & Hacks

Over the past weekend I divided my time between four things: I helped move the contents of a large U-Haul truck (filled to the brim) into a relative's new apartment, read up on the (parental discretion advised beyond this point) shitstorm of sites being compromised (Playstation, Nintendo, and most recently MySQL), worked for some quantity of hours on a neat project you'll see soon, and ate many, many small ham-swiss cheese-poppy seed finger sandwiches.

For the purposes of being relatively engaging and thought-provoking, I’ll skip the latter two of my weekend occupations and focus on the related nature of the former two. Now, it may seem there’s little relation between moving a half-ton of boxes, furniture, & assorted accoutrements and large corporations having their web-facing infrastructures compromised; however, they are related in a very specific way: passwords.

This is going to be a bit of a logical stretch and semi-extended metaphor, but bear with me. The revelations of these security compromises should be prompting intelligent analysis (and possibly reform) of user-facing password methodology; however, the current attitude seems to be a simplistic, reflexive reaction to the hack, with foaming mouths shouting at the corporations for their ineptitude and calls for reparations. This is pointless: security in large corporations is like a free election in a 20th-century fascist state, the corporation/20th-century fascist government says it’s there, but everyone knows it isn’t. Developers will always write crappy code/make mistakes (some more than others; I could make a jab at the PHP community here, but I’m not), and the vulnerabilities resulting from that fact of life will always be exploited by nefarious parties, whether it’s a PHP newbie having his server “pwnd” or a Fortune 500 getting caught with its pants down in front of the world.

So, what lesson should be drawn from this? I’m not going to presume to be an expert in security, but I have read a handful of tomes on cryptography and Internet security, so I’m not uninformed either. With the proliferation of GPGPU computing and other advances in computational power, the assumption that an 8-character-plus password, salted and hashed, provides adequate security no longer holds when the hash is a fast general-purpose one. MD5 and SHA-1 were designed to be fast, and a GPU cracker runs them billions of times per second: the full 8-character keyspace under MD5 can be exhausted in days rather than years, and SHA-1, though the stronger hash function of the two, costs the attacker about the same per guess and falls only a little more slowly. A salt defeats precomputed tables and forces each user’s hash to be attacked separately, but it does nothing to slow down an individual guess; only a deliberately slow, iterated construction such as bcrypt, scrypt or PBKDF2 does that.
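To make the point concrete, here is an added example (mine, not code from the original post): a Python script that brute-forces a short salted MD5 hash with the salt known, projects how long a full 8-character keyspace takes at a given guess rate, and measures how much a slow KDF (PBKDF2 here, used as a stand-in for bcrypt/scrypt) raises the per-guess cost. The guess rates in the `__main__` block (1e10 MD5/s, 1e4 guesses/s against a slow KDF) are assumed illustrative figures, not measurements, and the demo password and salt are constructed for the example.

```python
import hashlib
import itertools
import os
import string
import time

# Lower-case letters and digits: a small charset so the demo crack finishes fast.
DEMO_CHARSET = string.ascii_lowercase + string.digits  # 36 symbols
# Printable ASCII minus space: roughly what an "8+ characters, mixed" policy allows.
FULL_CHARSET_SIZE = 95


def fast_hash(password: str, salt: bytes = b"", algo: str = "md5") -> str:
    """Salted general-purpose hash (MD5 or SHA-1): the pattern the post warns about."""
    return hashlib.new(algo, salt + password.encode()).hexdigest()


def brute_force(target_hex: str, salt: bytes, max_len: int,
                algo: str = "md5", charset: str = DEMO_CHARSET):
    """Exhaustive mask attack: try every string of length 1..max_len.

    The salt is assumed known (it is stored beside the hash), so it only forces
    a separate run per user; it does not reduce the attacker's guess rate.
    """
    for n in range(1, max_len + 1):
        for tup in itertools.product(charset, repeat=n):
            candidate = "".join(tup)
            if fast_hash(candidate, salt, algo) == target_hex:
                return candidate
    return None


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly `length` symbols."""
    return keyspace(charset_size, length) / guesses_per_second


def slow_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA1: every guess now costs `iterations` SHA-1 evaluations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations).hex()


def per_guess_cost_ratio(iterations: int = 100_000) -> float:
    """Measured on this machine: cost of one PBKDF2 guess over one bare salted SHA-1."""
    salt = os.urandom(16)
    fast_samples, slow_samples = 2000, 5
    t0 = time.perf_counter()
    for i in range(fast_samples):
        fast_hash(f"guess{i}", salt, "sha1")
    fast = (time.perf_counter() - t0) / fast_samples
    t0 = time.perf_counter()
    for i in range(slow_samples):
        slow_hash(f"guess{i}", salt, iterations)
    slow = (time.perf_counter() - t0) / slow_samples
    return slow / fast


if __name__ == "__main__":
    salt = os.urandom(8)                       # constructed demo salt
    target = fast_hash("q7z", salt)            # constructed 3-character demo password
    print("recovered:", brute_force(target, salt, 3))
    # Assumed illustrative rates, not measurements.
    days_fast = seconds_to_exhaust(FULL_CHARSET_SIZE, 8, 1e10) / 86400
    years_slow = seconds_to_exhaust(FULL_CHARSET_SIZE, 8, 1e4) / (86400 * 365)
    print(f"8 chars over 95 symbols: {days_fast:.1f} days at 1e10 guesses/s, "
          f"about {years_slow:.0f} years at 1e4 guesses/s")
    print(f"one PBKDF2 guess costs roughly {per_guess_cost_ratio():.0f}x a bare SHA-1 here")
```

The crack itself is deliberately tiny (36^3 candidates) so it runs in well under a second in pure Python; the arithmetic in `seconds_to_exhaust` is where the 8-character case lives, and the measured ratio from `per_guess_cost_ratio` is the practical reason to choose a slow KDF: the same GPU budget buys the attacker tens of thousands fewer guesses per second.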

With this context, I’ll return to the box-moving analogy. See, a weak password is like a generic packing box: it can be filled with random stuff, stacked easily, and moved about easily as well. A strong password is like a big armoire or heavy desk: it takes up a good bit of space, is not easy to pack in with other objects, and is most definitely not moved with any ease. A user’s brain is like a U-Haul truck; it can be filled with either a few strong passwords or a bunch of weak ones. Current password policy reinforces this behavior: users reuse their weak, easy-to-remember passwords whenever they can, and keep one or two strong ones that they only use when forced to (and probably write down on a sticky note next to their monitor). This condition has been commonly accepted for probably about as long as I have been alive.

The compromise of these large corporations’ systems provides an opportunity for us to reeducate users (and even each other) on the importance of breaking out of this bad-password habit. With the proliferation of smartphones, iPads, and other “Internet everywhere” devices, we—the developers—are presented with the opportunity to build a new generation of usability-focused password management tools that let users painlessly employ good password techniques without hassle. As it stands, even the best password managers do not excel in usability for an uninformed consumer (don’t even get me started on the (admittedly quite functional) abomination that is Keychain Access). So instead of becoming enraged, yammering on and on about corporate fallibility, and playing pass-the-buck, let’s go on the offensive against bad passwords, a campaign we have a much better chance of winning than getting a corporation to admit culpability.