Rory recently spoke at a conference about ‘cargo cults’ in security. To summarize, these are ‘security best practices’ which people follow as a kind of religious belief, without ever really thinking about whether they are still valid in the context of today’s threat landscape. We don’t just see these implemented by info sec policies – they are actually built into commercial products.
I came across a good example recently – I won’t mention the name of the product, but we were asked to review it as part of an external infrastructure, and it made me wince, not technically (it did after all run over SSL aka ‘military grade encryption’), but from the perspective of user account security.
So to start on a reasonable footing, it required a strong password with at least 8 characters, a special character and a numeral. It wouldn’t take my 20 character passphrase password (which frankly will be brute forced the day hell freezes over) because of these rules – and that started me getting annoyed with it. Then, just in case you forgot your strong password, it also has a secondary secret which is used in the password reset process. I noticed that the questions are not stellar: one of them is ‘name of first pet’ and another one is ‘favourite food’. The account locks after four incorrect attempts at the password, which in my opinion is low for email – but again – ok so far.
So what is wrong with a system where a user has to have a good password and there is a reasonable lockout policy? Well in this case – the password reset process. Having forgotten the strong password and locked the account after three tries, the user clicks on the ‘forgotten password’ link. This takes them straight to a page where they are asked for the secondary secret. Entering a correct secondary secret allows them to set a new password, and after this they are logged in. So the secondary secret is exactly equivalent to the password – but instead of having a complexity requirement – it has no restrictions at all – it will in fact accept ‘p’ or ‘1’ as a valid entry. And there is no lockout on it. So instead of attacking the strong password with account lockout, an attacker can just go for the one character secret with no lockout. Or better still, he can just go for a few guesses of favourite foods (chocolate anyone?). And of course because it is an email system, the username is the email address, which is trivially easy to discover. There is no attempt at any out of band step once the secondary secret has been entered (sending a password reset link to a backup account, for example) – you just enter the secondary secret and a password of your choice and you are straight in.
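To make the point concrete, here is an added example (written for this post, not code from the product under review) that models the reset flow just described beside a hardened version. The account, the secret answers, the guess list and the attempt limit are all constructed for the demonstration; the only facts taken from the post are the password rule (8 characters, a numeral, a special character) and the four-attempt lockout, which the hardened flow applies to the secondary secret as well and then follows with an out-of-band token instead of a direct login.

```python
import hashlib
import hmac
import os
import secrets
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: the secondary secret gets the same attempt limit the post
# reports for the password (four tries before lockout).
SECRET_ATTEMPT_LIMIT = 4
PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


def _hash(value: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", value.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    email: str
    salt: bytes                 # one salt per account keeps the example short
    password_hash: bytes
    secret_hash: bytes          # hashed answer to the 'favourite food' question
    secret_failures: int = 0
    locked: bool = False
    pending_token: Optional[str] = None   # out-of-band reset token, if issued


def make_account(email: str, password: str, secret: str) -> Account:
    salt = os.urandom(16)
    return Account(email, salt, _hash(password, salt), _hash(secret, salt))


def _matches(account: Account, value: str, stored: bytes) -> bool:
    # Constant-time comparison so the check leaks nothing via timing.
    return hmac.compare_digest(_hash(value, account.salt), stored)


def login(account: Account, password: str) -> bool:
    return not account.locked and _matches(account, password, account.password_hash)


def strong_enough(password: str) -> bool:
    """The rule the post reports: at least 8 characters, a numeral, a special character."""
    return (len(password) >= 8
            and any(c.isdigit() for c in password)
            and any(not c.isalnum() for c in password))


# --- The reset flow as the post describes it --------------------------------
def weak_reset(account: Account, secret_guess: str, new_password: str) -> bool:
    """No lockout on the secondary secret, no complexity rule on the new
    password, and success means the caller is logged straight in."""
    if not _matches(account, secret_guess, account.secret_hash):
        return False
    account.password_hash = _hash(new_password, account.salt)
    return True


# --- A hardened version of the same flow -------------------------------------
def hardened_reset_begin(account: Account, secret_guess: str) -> Optional[str]:
    """The secret counts towards the same lockout as the password, and a
    correct answer only earns an out-of-band token (which a real system
    would send to a backup address), never a session."""
    if account.locked:
        return None
    if not _matches(account, secret_guess, account.secret_hash):
        account.secret_failures += 1
        if account.secret_failures >= SECRET_ATTEMPT_LIMIT:
            account.locked = True
        return None
    account.secret_failures = 0
    account.pending_token = secrets.token_urlsafe(32)
    return account.pending_token


def hardened_reset_finish(account: Account, token: str, new_password: str) -> bool:
    """Redeem the token once, and hold the new password to the same rule as the original."""
    if account.pending_token is None or not hmac.compare_digest(token, account.pending_token):
        return False
    if not strong_enough(new_password):
        return False
    account.password_hash = _hash(new_password, account.salt)
    account.pending_token = None
    return True


# Constructed guess list for the demonstration; the correct answer is last
# so that the lockout has to do its job before it is reached.
GUESSES = ["pizza", "curry", "pasta", "sushi", "chocolate"]


def demo_weak() -> Optional[str]:
    """Returns the guess that reset the password to 'p' and logged in, if any."""
    acct = make_account("user@example.com", "Tr0ub4dor&3", "chocolate")
    for guess in GUESSES:
        if weak_reset(acct, guess, "p") and login(acct, "p"):
            return guess
    return None


def demo_hardened() -> Tuple[bool, List[bool]]:
    """Returns (account locked?, which guesses earned a reset token)."""
    acct = make_account("user@example.com", "Tr0ub4dor&3", "chocolate")
    issued = [hardened_reset_begin(acct, guess) is not None for guess in GUESSES]
    return acct.locked, issued


if __name__ == "__main__":
    print("weak flow opened with:", demo_weak())
    print("hardened flow (locked, tokens issued):", demo_hardened())
```

Run as a script, the weak flow reports that the fifth guess reset the password to ‘p’ and logged in, while the hardened flow locks the account after the fourth wrong answer and issues no token at all. The two differences that matter are small: the secret shares the password’s attempt counter, and a correct answer yields a token that still has to be redeemed with a password meeting the same rule as the original.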
But the thing that annoyed me the most about this system was that, having used this extremely insecure mechanism to let me log in using my favourite food as a password, it then had the unmitigated gall to refuse to let me reuse my previous password. I’d love someone to explain to me where the danger of password reuse stands on a scale of 1 to 100 compared to allowing a one character account password which does not lock.
This was a cargo cult if ever I saw one, and the perpetrators should have their souls devoured by the Great Old Ones…