Stop preaching about passwords

Some IT security “pros” seem to live in a bubble, telling “normal” people to go and use a password manager, to invent complicated passwords, a different one for each website, never to write them down… bla bla bla.


What they seem to forget is that most people are barely coping with their computers and apps. Most “normal” people hardly understand the difference between the password to unlock their PC and the password for Facebook or other websites. Let alone how cyber-attacks work. If you are chuckling about so much ignorance, I have run into great software developers in important web projects with no clue about the HTTP protocol, what was client-side, what was server-side (just happily ploughing on in their abstract coding framework).

Often they give impossible password advice, much like preachers to the poor peasants. Serious admonishing face, some nodding for extra effect: “You should never re-use passwords”, “You have to start using a password manager”, “Never write passwords down”. Crazy. I suspect they are not even walking the talk themselves.

Get real. Password managers are a pain to use. Even for the pros. Long passwords with complex characters and capital letters are terrible, especially on a smartphone. There should be better protection measures in place to prevent brute-force “guessing” attacks by strangers, like throttling (3 tries account locked for a while), adaptive authentication, and monitoring of suspicious activities and anomalies. Rarely does it matter how long or complex your password is. Because to get your password an attacker uses a phishing email or key-logging. And yes: Everyone re-uses passwords, all the time. Also the pros.

It is wrong to preach impossible advise and place the burden at the non-technical end-user, who has no time, no tools and no expertise, whose day-job is not IT or IT security: We should instead focus our effort and energy at the hundreds of websites and their developers who are too lazy to implement things like OAuth to connect to existing authentication systems. They are implementing a whole new password authentication system without having a serious security team like Google or Facebook has. They are taking the lazy (and dangerous) approach of asking people to create yet-another-password. It’s these websites that are the core of the problem. Single-sign-on and protocols like SAML and OAuth have been around for over a decade now. It is just not allright to implement a website and ask your customers to create yet another password before they can purchase a T-shirt. No matter how much you like long complex passwords yourself. And with these password strength meters you are only making things worse.

I think that the IT security pros, instead of preaching impossible password advise, should really start blaming and shaming these “dear-customer-now-create-a-new-password-just-for-us”-websites. There must be colleagues of ours behind these websites. There must be auditors checking these systems. Let’s speak to them! This kind of lazy design choice puts customers seriously at risk. And I believe it is up to us, the IT security pros, to point the finger to the real problem: Users choosing bad passwords is not the problem. All these websites asking users to create new passwords, that’s what’s the problem. So we should not speak about good practices when implementing password systems, we should say it is simply bad practice to build yet another password authentication system.

I welcome your thoughts on this. I think there is a funny decision tree hidden in here somewhere.

P.S. To keep things short and simple I have left out a lot of technical details. First of all there is the updated NIST guidance on passwords cancelling a lot of the old ideas about passwords (such as password complexity and expiration). Read a nice summary here. Secondly, please read up about OAuth and try to avoid building your own password system altogether. Thirdly I would like to point out that there are many many complex security issues to deal with when implementing an online authentication system. It is NOT easy and requires a lot of thinking, designing, tweaking, and then a lot of work, by professionals, round-the-clock. There is an endless list of technical aspects you need to worry about: Storing passwords as salted hashes to mitigate breaches. Having sufficient entropy to prevent session hijacking. Implement adaptive authentication. Spot stealthy attacks like low-and-slow-brute-force attacks. Notify customers about suspicious activity in a safe way (your email should not look like a phishing email). Offer a 2-factor authentication system. Scan the web and the dark web for password leaks and dumps, e.g. on pastebin. Stay in contact with the CSIRT community about phishing campaigns. Be ready to warn customers about attacks and lock accounts. Have a helpdesk to handle locked out customers. Etc. etc. I believe only a few large organizations are able to do it securely, such as major multinational IT providers, maybe some national e-ID providers. Once you dive into the issue you will agree that you should NEVER re-create your own password authentication system, and that it is better to integrate with an existing one, for example using OAuth. Implementing online authentication is not trivial and it is not a matter of adding a password strength meter, or using some built-in functionality of a CMS or a coding framework.


Encrypted email is for nobody really


Encrypted email (PGP and/or S/MIME). Sounds so secure. But nobody uses it, and it is a security mess! This was illustrated again some weeks ago: A member of the Adobe Security team made a stupid mistake and published the private part of the team’s PGP key on a blog. What it means: With one stupid mistake they gave away the key to decrypt all emails they received in the past! Everything that was ever sent PGP-encrypted to the Adobe Security Team was now compromised. These were security experts!

Continue reading “Encrypted email is for nobody really”

10 reasons not to do HTTPS interception

HTTPS is the bread-and-butter of online security. Strong cryptography that works magically on all devices without complicating things for users. Thanks to innovative projects like Let’s Encrypt, adoption of HTTPS is rising steadily: Mid 2015 it was at 39%, now it is at 51% of HTTPS requests.

Recent research shows however Continue reading “10 reasons not to do HTTPS interception”

CIA is overrated

CIA, the mnemonic for Confidentiality, Integrity and Availability, is often called the foundation, the heart, the ‘holy’ triad of information security. It is preached and practiced much like a religion. Sacred. Question its usefulness and you get angry looks. Some have said that one other item should be added to CIA: Non-repudiation or accountability.  Continue reading “CIA is overrated”

Attack trees

Here is a tool every security expert should use now and then, in my humble opinion: attack trees. Attack trees are really something that comes from a technique in industrial safety engineering called ‘fault trees’ and it is related to dependency analysis using directed graphs. But it can be very useful when modeling threats in complex ICT systems – like an appstore/smartphone ecosystem. See for instance the attack tree in this paper on appstore security (see picture below).Attack_tree_appstores_threats Continue reading “Attack trees”

Defining Network and Information Security (NIS)

Cyber security is arguably a buzz word. It is often used in a very broad sense, often in a non-specific way: “Cyber security must be improved!”. But in recent years network and information security has become part of legislation (both at EU and national level), and especially in these cases it becomes important to be more precise. So what are possible definition of network and information security”? In this post I will go over some possible definitions:

Communications security and computer security: Network and information security means ‘security’ of the networks (or network systems) and ‘security’ of the information systems. In other words, Network and Information Security (NIS) includes communications security and computer security.

Works as expected: The word “security” in normal language means “to be assured of something”, something good: So network and information (system) security is about making sure that network and information systems work as expected (in a good sense). This implies that security is closely related to usability (user interface design, accessibility), standardization and system development (requirements analysis, software development). Think: The hot water knob is always on the left. Continue reading “Defining Network and Information Security (NIS)”