It's a recurring theme among security professionals: users are the weakest link. They're lazy and predictable when it comes to passwords. At a Jan. 30 panel at ShmooCon, the annual hacker conference held in Washington, some hacking pros discussed password security.
On the panel were Rick Redman, who coordinated DefCon's "Crack Me if You Can" contest; Martin Bos, a developer at the penetration-testing firm BackTrack Linux; Robert Imhoff, an analyst at chips provider Atheros Communications; and David Schuetz, a consultant at the mobile security firm Intrepidus Group.
Some takeaways from the panel:
- Strict password requirements designed to make systems airtight ("you must have an upper and lower case letter, and a special character") only make them more easily compromised. That's because people respond to password requirements in predictable ways. They tend to capitalize the first letter of their passwords and then append a number or special character at the end. Does that sound familiar?
- It sounds counterintuitive, but it may actually be better to have passwords that are so complex you have to write down subtle cues on a piece of paper. The chances of losing your wallet are probably lower than the chances of being hacked through a compromised machine or third-party service. Especially if you work in the federal government.
- Don't reuse your passwords.
- Don't pretend that you aren't reusing the same passwords just by affixing different account names to the end of them. E.g.: "passwordFAIL_gawker," "passwordFAIL_twitter" and "passwordFAIL_gmail."
- The technology to crack passwords is getting cheaper and more powerful. Longer passwords require more computational power to crack.
- Educating users (through talks and lists like this) is all great, but getting people to actually change their practices is a pipe dream. Regular password audits may be good at calling individual employees out. Angry CFOs breathing down their necks also would work. Of course for maximum security, stop using the Internet.
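To show why the panel's first point holds, here is an added audit script (not from the panel or the article) that checks a list of passwords for the habits described above: the capital-first-letter-plus-trailing-digit pattern, and the same stem reused with a per-site suffix. It also contrasts the keyspace a blind brute force would face with the much smaller search a cracker that knows those habits would need. The sample passwords, the 100,000-word dictionary size and the 43-character digit-and-symbol suffix alphabet are assumptions chosen for the demonstration.

```python
import math
import re

# Constructed sample list for the audit demo (not real credentials, not from the article).
SAMPLE_PASSWORDS = [
    "Password1!",
    "Summer11!",
    "passwordFAIL_gawker",
    "passwordFAIL_twitter",
    "correct horse battery staple",
]

# Assumed wordlist size a rule-based cracker starts from (illustrative figure).
ASSUMED_DICTIONARY_SIZE = 100_000
# Assumed alphabet for trailing mangling: 10 digits + 33 printable symbols.
SUFFIX_ALPHABET = 43

# Capital first letter, lowercase word, then one to four non-letter characters.
PREDICTABLE = re.compile(r"^[A-Z][a-z]+[^A-Za-z]{1,4}$")
SUFFIX_AT_END = re.compile(r"[^A-Za-z]+$")


def is_predictable_mangling(pw: str) -> bool:
    """True when pw follows the 'Capitalize, then stick a number/symbol on the end' habit."""
    return PREDICTABLE.fullmatch(pw) is not None


def charset_size(pw: str) -> int:
    """Size of the character set a blind brute force must assume for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):
        size += 33  # printable punctuation plus space
    return size


def naive_bits(pw: str) -> float:
    """Search space in bits for a brute force that knows nothing about user habits."""
    return len(pw) * math.log2(charset_size(pw))


def rule_based_bits(pw: str) -> float:
    """Search space in bits when the cracker applies the predictable-mangling rule.

    The capital first letter is a fixed rule (adds nothing), the base word is one
    dictionary pick, and only the short suffix is actually guessed.
    """
    if not is_predictable_mangling(pw):
        return naive_bits(pw)
    suffix = SUFFIX_AT_END.search(pw).group(0)
    return math.log2(ASSUMED_DICTIONARY_SIZE) + len(suffix) * math.log2(SUFFIX_ALPHABET)


def reused_stems(passwords, min_stem=8):
    """Pairs sharing a long common prefix: one password reused with a per-site tag."""
    hits = []
    for i, a in enumerate(passwords):
        for b in passwords[i + 1:]:
            n = 0
            while n < min(len(a), len(b)) and a[n] == b[n]:
                n += 1
            if n >= min_stem:
                hits.append((a, b, a[:n]))
    return hits


def audit(passwords):
    """Return one finding per password: pattern flag plus both search-space estimates."""
    return [
        {
            "password": pw,
            "predictable": is_predictable_mangling(pw),
            "naive_bits": round(naive_bits(pw), 1),
            "rule_based_bits": round(rule_based_bits(pw), 1),
        }
        for pw in passwords
    ]


if __name__ == "__main__":
    for finding in audit(SAMPLE_PASSWORDS):
        print(finding)
    for a, b, stem in reused_stems(SAMPLE_PASSWORDS):
        print(f"reuse suspected: {a!r} and {b!r} share stem {stem!r}")
```

Run as a script, the output shows that a policy-compliant password such as "Password1!" looks like a 65-bit search to a blind brute force but collapses to under 30 bits once the capitalize-and-append habit is assumed, while a long lowercase passphrase keeps its full keyspace because no such rule applies. The stem check flags the "passwordFAIL_" pair as reuse, which is exactly the practice the panel warned against.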