You can't secure what you don't acknowledge.SM

Friday, May 8, 2009

Good recap of RSA 2009

Here's a recap of some of the themes at the RSA 2009 conference...with Mike Rothman's bias of course. Funny how things haven't changed all that much.

Tuesday, May 5, 2009

Hilarious/ridiculous password requirements

I came across some very laughable Web-site password requirements with some sites I've used recently that I wanted to share. The need for us to use strong passwords/passphrases on the Web is pretty obvious. I also believe in balancing security with reality and not going overboard.

My first example is just that: overboard. It's AT&T Wireless. Check out their ridiculous password requirements:
Your password is case-sensitive and must:
- Be six to twenty characters in length.
- Not use characters other than letters and numbers (e.g. *, &, #, ", etc.).
- Not match your first or last name, or the combination of some or all of your first and last name.
- Not use your date of birth in any combination (e.g. MMDDYYYY).
- Not include the first four to eight digits of your wireless number.
- Not match part or all of your account number.
- Not match your MediaNet User ID.
- Not be an e-mail address.
- Not have repeating characters longer than two (e.g. aaa).
- Not have ascending characters longer than three (e.g. abcd).

The irony of it all is that you can't use special characters like *, &, and #. These characters make our passwords harder to guess, so why can't we use them!?
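As an added example (not code from the post or from AT&T), here is a Python checker that enforces the quoted rules and puts a number on what the special-character ban costs. The user fields it takes (first, last, dob, phone, account, user_id) are assumed inputs the site would already know, and the name and account rules follow my reading of the policy's wording.

```python
import math
import string

# Added example, not the blog's or AT&T's code: a checker for the rules quoted
# above plus the search-space cost of "letters and numbers only". The user
# fields are assumed inputs; dob is MMDDYYYY as in the policy's own example.
ATT_ALPHABET = string.ascii_letters + string.digits   # what AT&T permits
FULL_ALPHABET = ATT_ALPHABET + string.punctuation     # with *, &, #, ...


def longest_run(pw, step):
    """Longest run whose code points rise by `step` each time (step=0 catches 'aaa', step=1 'abcd')."""
    best = run = 1
    for prev, cur in zip(pw, pw[1:]):
        run = run + 1 if ord(cur) - ord(prev) == step else 1
        best = max(best, run)
    return best


def att_violations(pw, first="", last="", dob="", phone="", account="", user_id=""):
    """Return the quoted rules `pw` breaks (empty list = accepted); name/account checks are my reading."""
    low, v = pw.lower(), []
    if not 6 <= len(pw) <= 20:
        v.append("six to twenty characters")
    if any(c not in ATT_ALPHABET for c in pw):   # this also rejects any e-mail address ('@')
        v.append("letters and numbers only")
    if low in {n.lower() for n in (first, last, first + last, last + first) if n}:
        v.append("matches name")
    # MMDDYYYY, DDMMYYYY, YYYYMMDD and MMDDYY orderings of the date of birth
    if dob and any(c in pw for c in (dob, dob[2:4] + dob[:2] + dob[4:], dob[4:] + dob[:4], dob[:4] + dob[6:])):
        v.append("contains date of birth")
    if phone and phone[:4] in pw:   # first four digits present implies the 4..8 digit prefixes too
        v.append("contains wireless number prefix")
    if account and any(account[i:i + 4] in pw for i in range(len(account) - 3)):
        v.append("matches part of account number")
    if user_id and low == user_id.lower():
        v.append("matches MediaNet user ID")
    if longest_run(pw, 0) > 2:
        v.append("repeating characters longer than two")
    if longest_run(pw, 1) > 3:
        v.append("ascending characters longer than three")
    return v


def search_space_bits(length, alphabet):
    """Entropy in bits of a uniformly random `length`-character password drawn from `alphabet`."""
    return length * math.log2(len(alphabet))
```

For an 8-character password, search_space_bits(8, ATT_ALPHABET) is about 47.6 bits against 52.4 for the full printable set, so the ban costs almost five bits of guessing resistance.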

I wonder how much AT&T Wireless spends each year responding to password-reset inquiries? They've gotten quite a few from me just trying to come up with a "secure" passphrase that doesn't include special characters. Maybe at least that cost balances out the ridiculous amount of money you know they're getting via their verbal diarrhea prompts that use up your minutes when you're leaving and checking cell phone voicemails.

The next one made me laugh out loud. Apparently has a policy against secure passwords as well:

The pop-up window says "You have entered a character that is not allowed for security reasons: %"

So, folks, this gets back to what I often say about Web application security (and security in general): unless and until we fix these basic security problems, why bother going down the road of encryption, fancy input filtering, IPS, and so on?

Monday, May 4, 2009

You cannot legislate a result

By now you probably know what I think about security policies. Well, I recently heard Herman Cain say that you cannot legislate a result (the war on achievement comes to mind here) but you can legislate a level playing field. What a great quote.

Like I talked about here, keep this in mind when creating/updating your security policies, and keep this in mind when it comes to moving up and ahead in your career. Focus on the long-term picture: what you're trying to accomplish and where you want to go. It will happen with enough stick-to-itiveness...