It has been said that the hardest type of IT attack to secure yourself against is Social Engineering. A computer can be secured against all manner of viruses and trojans by physically unplugging it from the wall (and removing the battery, if it’s a laptop). But a Social Engineer will simply call the janitor and instruct him to go plug the machine back in. One particular type of social engineering is what I call: Selfcial Engineering. This is when you yourself (or your IT department members) engage in blatant self-sabotage. No malice is needed, but once the attackers come, they’ll just love you for giving them such a hand.
The Military-Industrial Complex
I used to be a weather forecaster in the U.S. Air Force. And if anybody has their panties in a knot about password policies, it’s the U.S. military. Devising a password which meets the strict requirements of the 25th Operational Weather Squadron was about as difficult as solving a quintic equation while a two-year-old bangs the drums in the background. Well, except not quite. Put any set of fresh young airmen in that situation and they’ll independently discover a deep universal law every single time: the law of QWERTY123$%^ (try typing it out yourself). This discovery saves an astonishing amount of time and agony when you’re constrained by draconian password policies. Of course, it also makes life easier for the 25th Chinese Phishing Squadron.
Security by Sticky-Note
A general law of computer security goes like this: if you make life harder for hackers, you make it harder for legitimate users. If you make it easier for legitimate users, you make it easier for hackers. This suggests a Greedy Algorithm: make things as hard as you possibly can for users, and this will in turn (according to Greedy Logic) make things as hard as possible for the attacker. But this Greedy Reasoning fails to account for the Yellow Sticky Note factor, which I shall leave to the reader’s imagination.
The Lake Wobegon Effect
In Garrison Keillor’s fictional town, all the children are above average. Of course, this is a contradiction according to basic statistics. If a hacker wants to brute-force your password, the first thing he is liable to try is “password”, since this is one of the most common passwords. As a mental experiment, imagine that IT departments around the world got together and signed the No-Password-Password Treaty of the 21st century, all agreeing to forbid “password” as a valid password. Would this thwart the hacker? No. The hacker would no longer use “password” as his first guess. Something else would replace it as the world’s most common passphrase, and attackers would use that instead.
The cryptographical law known as Kerckhoff’s Principle says: “A cryptosystem should be secure even if everything about the system, except the key, is public knowledge.” I’m a bit of a maverick bringing up Kerckhoff’s law in a discussion about passwords– it’s usually brought up when talking about transmitting secret messages– but it should apply to passwords just as well as PGP keys. In the current discussion, the “key” is the user’s password. The point is, the security of the system should not hinge on the attacker being unaware of whatever password policy we’ve enacted. We should prepare for the worst-case scenario where our nemesis is able to find out what requirements we place on our users. If we require 3 special characters, 3 numbers, 3 uppercase letters and 3 lowercase in every password, the brute-force attacker will skip any attempts which don’t meet this requirement, and go straight to the most common password under this constraint (namely: QWErty123$%^).
Name-Brand vs. Off-Brand Passwords
One especially infuriating type of pword policy is this: “Your password is set to expire in 30 days. Please log in and reset it before then or we will have to lock you out.” This is the worst possible type of policy because it encourages all the worst behavior. Nobody is going to invest a lot in a luxury car if you tell them they can only keep it for 30 days. They’re going to buy themselves a QWERTY clunker.