What would you expect of a man who infiltrated dozens of US military and government computer systems in the mid-1980s? Would it heighten your perceptions to learn that he sold his discoveries to the KGB? Or that, as the first black-hat ever caught and prosecuted, he was in many ways a pioneer in his field?
Would you believe me if I told you that he mostly just guessed passwords?
Oh, sure, he had the emacs mail-move privilege-escalation vulnerability that gives Cliff Stoll’s The Cuckoo’s Egg its distinctive title; props for that one. But to even use it, he first needed to guess a password to gain at least minimal access to a system.
How does one guess a password? The hacker, Markus Hess, mostly tried common choices, guest accounts, and default passwords. In some cases, he used an automated program to guess all of the words in the dictionary. In others, he found the password stored on the system in regular old text, plain for anyone to read.
We know better today, of course. We have best practices. Had they been known and followed in the 1980s, Markus Hess would have been far less successful than he was. Passwords can be quite secure.
There you have it, then. Blog over. Use good passwords. Eat your vegetables. The end.
By the way, nobody follows best practices. A recent study found that only about 4% do. Even today, the most common MySpace passwords are “password1”, “abc123”, “myspace1”, and “password”. Anecdotally, everyone I’ve ever met, and I mean everyone, has at most four passwords they use for everything.
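As an added illustration (not code from the original post), here is a small Python policy check aimed at exactly the guesses described above: the common-password list, seeded with the MySpace entries just mentioned; dictionary words, including the trivially mangled forms an automated guesser tries first; and short length. The word lists are constructed samples, not real corpora.

```python
import re

# Constructed sample lists. A real deployment would load a full dictionary
# and a breached-password corpus instead of these few entries.
COMMON_PASSWORDS = {"password1", "abc123", "myspace1", "password", "guest", "admin"}
DICTIONARY = {"password", "welcome", "dragon", "monkey", "letmein", "sunshine"}

# Reverse the most common substitutions (p@ssw0rd -> password).
_LEET = str.maketrans("@$0143!", "asoiaei")


def candidate_words(password: str):
    """Yield the dictionary words a guesser would reach from this password:
    the lower-cased string, then with trailing digits/punctuation removed,
    then with leetspeak substitutions undone."""
    lowered = password.lower()
    yield lowered
    stripped = re.sub(r"[\d!@#$%^&*]+$", "", lowered)
    if stripped != lowered:
        yield stripped
    unleeted = stripped.translate(_LEET)
    if unleeted != stripped:
        yield unleeted


def check_password(password: str) -> list:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(password) < 12:
        problems.append("too short")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list")
    if any(word in DICTIONARY for word in candidate_words(password)):
        problems.append("based on a dictionary word")
    # Count character classes: lower, upper, digit, symbol.
    classes = sum(
        bool(re.search(pattern, password))
        for pattern in (r"[a-z]", r"[A-Z]", r"\d", r"[^\w]")
    )
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate in ("password1", "P@ssw0rd!!", "correct-Horse7battery"):
        print(candidate, "->", check_password(candidate) or "ok")
```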
I’ve become convinced that there’s really nothing to be done. Secure passwords are impossible to remember. People will write them down, use the same ones everywhere, email them to each other, and generally make criminals’ lives easier. It’s not their fault; it’s a failing of the human brain. Twenty years after Markus Hess, passwords still fail, and they will continue to fail until something better replaces them.
Something must be found to replace the password, something secure that humans can actually use. As an optimist, I hope it can be done; I’ll be thinking on it. At least, the part of my brain not devoted to remembering long lists of secure passwords will.