Human memory, or the lack of it, is the biggest security bug on the 'net
For pity’s sake, stop reusing passwords
Usenix Enigma 2017 The life of the security IT professional would be a lot easier if people were capable of remembering enough passwords so that they didn't need to reuse them.
That was the considered opinion of Facebook’s head of security Alex Stamos and Google’s security princess (her actual Chocolate Factory job title) and Enigma 2017 conference co-chair Parisa Tabriz. The two held a fireside chat at the conference on Monday evening – complete with digital log fire – and chewed the fat over the woes of the industry with the aid of a very nice bottle of Ardbeg scotch.
“Password reuse, it’s the worst problem on the internet,” Stamos opined. “Once a website gets hacked the passwords end up in a database and criminals have gotten very adept at setting up software to try them out against other accounts.”
Tabriz agreed it was a massive problem, but suggested that the industry couldn’t blame users for what was ultimately a technical issue. While hardware access systems such as those implemented by Facebook last week were a step in the right direction, the industry still hasn’t found a one-size-fits-all strategy that works.
“We don’t have a really good, usable password solution for everyone,” she said. “We need more people working on these problems. It’s hard for not just technical reasons – people are a big part of that. It’s not that people are dumb – we don’t blame victims – but we should make web authentication easier.”
Stamos agreed, pointing out that if someone crashes an unsafe car into a wall at 50mph and dies, you don’t call them an idiot. But people need to be aware that trying to maintain a decent password regimen is essential.
Education plays a big role, she pointed out. When Google first introduced the Chrome padlock browser bar symbol to indicate a secure connection, testing with consumers showed that most thought it was a handbag.
While password management isn’t as sexy a topic as something like cryptography, in many ways it is more important, Stamos suggested. The industry was occasionally a little too focused on bigger issues like advanced cryptography, to the detriment of more mundane issues.
That said, Google has already begun testing its systems for a “post-quantum” world. The slow-but-steady progress toward quantum computing has cryptoboffins concerned, and Google has its own quantum system and is using it to try out new forms of encryption for the future.
Facebook hasn’t started quantum computing yet, Stamos said, but it was under consideration. The social network cooks its own crypto, as it doesn’t trust cryptography shipped by operating system makers and prefers to use its own.
One problem Facebook hadn’t been expecting, however, is that many people aren’t using its crypto at all. He cited an unnamed developing country where Facebook found that half of the people were using a Facebook app that didn’t have Menlo Park’s encryption system employed.
“We found out that people go to the store for applications, hand over a buck or so and get apps copied to their phones by the storekeeper,” he recounted. “This allows them to upload in bulk because the amount people pay for mobile charges is so high, but they aren’t getting the legitimate app. We had to set up stands in the area to update folks’ phones.”
One possible solution to the human problem is to get a more diverse group of people working on security, Stamos stated. In the past, firms have been too willing to just find candidates that tick the usual engineering boxes. Getting more non-standard researchers has shown benefits. ®