The sticky note on the monitor with key passwords has become a cliché in security circles, and for good reason: despite decades of advances in computing power, countless high-profile data breaches, and increasing user sophistication with computing in general, passwords remain one of the weakest links when it comes to security, and obvious mistakes still topple the otherwise best-laid security plans.
And it’s not because users are stupid, as much as we’d like to believe it (OK, passwords on the monitor are a little stupid). The root of the problem is actually bad design: we’ve asked users to do the impossible: perfectly memorize long strings of random characters that include not just numbers and letters but also symbols and punctuation; never re-use these strings; use them numerous times a day across various services; and never write them down.
To make matters worse, many policies ask users to change these passwords every six months or so, but on different schedules, so that users are constantly having to adjust and remember a wide array of arcane codes.
It’s a miracle things have worked as well as they have over the past fifty years; the first password was deployed in the early 1960s at MIT. Even their inventor, Fernando Corbató, admits that they have become a nightmare, and they weren’t even very effective back then (in 1962, around the same time passwords were first deployed, they were cracked).
Our decades-long struggle with passwords is just one illustration of how critically important good design is to security, and how far-ranging the impact of bad design can be. Yet it’s a lesson that the infosec community has had a hard time taking to heart.
Just as in wars of yesteryear the warning was that “loose lips sink ships,” today sticky notes sink security, and bad design is often at the heart of the problem: it makes it harder for users to do the right thing while making it easier for attackers to fool them into doing the wrong thing.
In fact, bad design was what made some of 2015’s biggest threats possible:
- Ransomware: One of the more embarrassing attacks to suffer if it is made public, ransomware targeted individuals and businesses across America this year, often encrypting all of their data right on their own device. The victim is then told they will only get access to it again if they pay a fee in Bitcoin. The FBI reported that, over the past year, almost a thousand companies had reported such attacks, collectively costing over $18 million. How does this financially devastating attack spread? By posing as a software update. Users are so annoyed by software updates that they often blindly click through and approve them, with little to differentiate a legitimate patch from a costly payload.
- Spear Phishing: Speaking of blindly clicking through, targeted phishing attacks continue to confound traditional information security tactics, and often play off the very fears stoked by IT in trying to prevent them. Two years ago, The Onion offered a wonderfully detailed look at how they were hacked in this way: after early attacks were detected and IT warned users to be on the lookout, the attackers duplicated the same warning message, but this time with a “password reset” link that pointed to a malicious page. The attackers took advantage of users being trained to trust IT, and the design of the IT systems for both communication and prevention was easily mimicked.
- Data Leakage: Perhaps one of the most frustrating design-related security flaws is when users ignore IT guidance and use their own email systems, software, or other unapproved tools to get their job done. They often think that they’re committing a victimless crime, but it opens up huge gaps in IT security and raises the possibility that IT can’t even know when data is compromised. This problem has been long simmering, but it bubbled to a boil this year when it was revealed that the AOL account of John Brennan, the Central Intelligence Agency director, was compromised. There are a variety of reasons that even people who know better would use an off-site tool for their job, but it often comes down to the clunkiness of what the security team is offering. To paraphrase Jurassic Park, productivity will find a way, even if the cost is a major security breach down the road.
The good news is that there’s hope coming, which I’ll discuss in my next blog post.
Underwritten by HP and Microsoft.