Software architect and Microsoft MVP, you’ll usually find me writing about security concepts and process improvement in software delivery.
What do you think of when you see this little guy on a webpage:
You’re probably thinking something along the lines of “it means the page is secure”. The more tech savvy among you may suggest that it means HTTPS has been used to encrypt the content in transit.
The problem is that it doesn’t mean anything of the kind. In fact it had absolutely nothing to do with website security. And therein lies the problem – the padlock lies to us, it implies things that it is not and it’s downright misleading.
A little while back I took a look at some recently breached accounts and wrote A brief Sony password analysis. The results were alarming; passwords were relatively short (usually 6 to 10 characters), simple (less than 1% had a non-alphanumeric character) and predictable (more than a third were in a common password dictionary). What was even worse though was uniqueness; 92% of common accounts in the Sony systems reused passwords and even when I looked at a totally unrelated system – Gawker – reuse was still very high with over two thirds of common email addresses sharing the same password.
But there was one important question I left unanswered and that was how people choose their passwords. We now know that structurally, passwords almost always adhere to what we would consider “bad practices” but how are these passwords derived in the first place? What’s the personal significance which causes someone to choose a particular password?
It turns out there are some very recognisable patterns in the data. In fact the vast majority of passwords adhere to just a small handful of common selection practices. This is interesting research in that it begins to give a bit of insight into the thought process of the individuals who create passwords which conform to weak structural guidelines.
Today I had cause to take a slightly different direction with a database that had stood for many years providing a fairly critical business function. The change of direction involved dropping a few columns out of a core table with references across an unknown number of procedures and views. What could go wrong?!
So my conference presentation on the tyranny of evil is now done and dusted at DDD Sydney. Given I’m writing this in advance with the intention of making the material available immediately afterwards, I’ll need to rely on others to comment on how it all went. The important bit is that the slides are now available here and all the code used in the examples is here.
Note – so as to save myself from the tyranny of potential litigation, the evil dudes on each attack slide have been removed. Use your imagination :)
All original becuase I'm fussy and you just never quite get exactly what you want from a Blogger template. Besides, the left side of my brain rarely gets out these days and it needed the exercise.
Opinions expressed here are my own and may not reflect those of my employer, my colleagues, my mates, my wife, the dog and so on and so forth. Unless I'm quoting someone, they're my own opinions and may not necessarily be cohesive nor entertaining but hey, at least they're original.
This work is licensed under a Creative Commons Attribution 3.0 Unported License.
