Everyone else is talking about it so I might as well add my 2¢. This article had “Seven Lessons Learned” (come on, guys, you think this is the first time for any of this, so instead of “learned” you should have said “not learned yet by everyone”). I’m only going to comment on a couple of these.
2. Watch for fast-moving SQL injection attacks.
Even though I’d been doing database stuff for 30 years, I hadn’t had the occasion to use SQL (MS-SQL specifically), so in a new job where I needed it I was churning through manuals and examples just to pick up specifics. I would say essentially everywhere in those manuals there was discussion of injection attacks. Now in fact I’d never heard of these attacks before, but the concept is exceedingly simple and the cure is also simple, and anyone who even spent a couple of hours in RTFM got the point. It shows how illiterate some programmers are and how lousy the QA and security scans are at a place like Yahoo that these even still exist (security scans easily find these). It simply means Yahoo didn’t try and didn’t have very high standards for their programmers. Of course their defense is that the code came from a company they acquired – duh, don’t you think the first thing you might do upon acquiring a company is to at least run the security suites against their stuff? Inexcusable!
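To make the “simple concept, simple cure” concrete, here is an added example (not from the original post) showing the injectable pattern next to the parameterized fix. It uses Python’s built-in sqlite3 as a stand-in for MS-SQL, since the concatenation-versus-parameter point is identical across drivers; the users table and its one row are constructed for the demo.

```python
import sqlite3


def make_db():
    # Constructed in-memory user store for the demo (sqlite3 standing in for MS-SQL).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, pw TEXT)")
    conn.execute("INSERT INTO users VALUES ('alice', 'correct-horse')")
    conn.commit()
    return conn


def login_concat(conn, name, pw):
    # The injectable pattern the manuals warn about: untrusted input is pasted
    # straight into the SQL text, so a quote in the input becomes part of the query.
    sql = f"SELECT COUNT(*) FROM users WHERE name = '{name}' AND pw = '{pw}'"
    return conn.execute(sql).fetchone()[0] > 0


def login_param(conn, name, pw):
    # The cure: placeholders. The driver sends the values separately from the
    # statement, so input is only ever compared as data, never parsed as SQL.
    sql = "SELECT COUNT(*) FROM users WHERE name = ? AND pw = ?"
    return conn.execute(sql, (name, pw)).fetchone()[0] > 0


def demo():
    conn = make_db()
    # A legitimate name containing an apostrophe: the concatenated query is not even
    # valid SQL any more, while the parameterized one simply reports "no such user".
    try:
        concat_quote = login_concat(conn, "O'Brien", "x")
    except sqlite3.OperationalError:
        concat_quote = "syntax error"
    param_quote = login_param(conn, "O'Brien", "x")
    # The textbook tautology: the concatenated version is fooled, the fixed one is not.
    tautology = "' OR '1'='1"
    concat_bypass = login_concat(conn, "alice", tautology)
    param_bypass = login_param(conn, "alice", tautology)
    return concat_quote, param_quote, concat_bypass, param_bypass


if __name__ == "__main__":
    print(demo())
```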
4. Require strong passwords.
Now of course there is only the most tenuous connection between getting cracked and strong passwords, but I’ll forgive them since this is important even though it’s not one of the lessons learned at Yahoo. Many places are now doing this, and in conjunction with item #6 it is creating a mess for users. Not that the advice isn’t sound, there just needs to be a solution for the mess. Most people used to pick simple passwords they could remember, but requiring strong passwords means lots of people are going back to another bad practice, and that is writing their passwords down, sometimes on Post-Its attached to the screen, other times in simple text files on their desktop. Yes, terrible, but also realistic. Human beings can’t remember 30 Yv4$lo#mM6+ type passwords that also change every month; what do you think they’ll do but write these down? Now there is an obvious solution but one that amazingly hasn’t been done (see below).
6. Consumers, practice tough love. Until businesses do learn, … Accordingly, use unique passwords for every website, so attackers can’t reuse credentials stolen from one site, … to access an account… Also consider changing passwords with some frequency…
Again sound advice, but let’s consider both recommendations in #6 along with #3. So I have probably 30 places where I have to use passwords. So having strong passwords for each of those and changing them frequently, give me a break, can any person remember all that? No, so of course this advice, like dieting, gets ignored.
The simple fact is we need automation help to solve this. Da-ta-da, let’s see: 1) everyone is getting smartphones, 2) new smartphones support NFC, 3) smartphones are gaining solid security, like dynamic facial recognition (make silly faces at your smartphone so a photo isn’t enough to fool it) and voice fingerprinting (an old technology), 4) almost all computers have USB, 5) it’s easy to add software that can pop up some UI as needed, or most browsers support add-ins. So someone simply needs to invent a USB device with NFC, and the software on smartphone and PC, so any time you need a password the smartphone provides it by just bumping the smartphone into the USB device (building the NFC itself into the keyboard would be better, but that would come once this got rolling). And the phone would tell you when to change passwords and in fact come up with good strong ones itself, and with a smart enough add-in to the browser it would be simple enough to sync the actual change with the recorded passwords in the smartphone. Now since your phone might get lost and you’re then in a real mess, obviously we have a strongly encrypted file, with multiple personal questions as well (literally at least a 5 step login process) for a PC app with a backup file, or, perhaps, better yet, if we could really trust them, some cloud storage, again with really strong encryption.
The point is there is a technofix. It’s not particularly hard to do, although it should be done right by some respected security authority (like RSA, oops, RSA had its own breach, so much for the “experts”) rather than a security amateur like me. It wouldn’t cost very much (hey, user, think how much getting your credit cards or bank accounts breached will cost) and it can be done with existing technology, which then inevitably means it will get integrated in future devices.
So it makes one wonder why this hasn’t already happened. It’s not that clever or original to think of a solution, so lots of other people are bound to have had this idea. But still we are so negligent about passwords after hundreds of these attacks over decades. Why?! Now if I were a conspiracy theory type, which in a few areas I am, I wonder if it just might be, like it was with strong encryption (the PGP persecutions), that somebody somewhere doesn’t want this problem solved; can we think of anyone, does anyone come to mind (hint, hint, NSA and Cheney-type politicians)? Well, let’s flush ’em out in the open, somebody invent this and then see who tries to stop it.
So instead of lists of recommendations that will be followed about as well as we Americans follow nutritional advice, let’s fix this the old-fashioned way, some gadget, some money, so we lazy slobs can have our cake and eat it.