Social Networking surge highlights need for diligence around the basics of online security

Recent headlines involving RockYou.com’s lack of simple password requirements and Twitter’s password phishing scams help remind us that, no matter how advanced technology gets, we can never forget the basic fundamentals of security.

The RockYou.com issues brought two big things to light. First, RockYou.com lacked security controls within its own systems, starting with passwords being stored in clear text. Second, because people were not required to choose somewhat difficult passwords, they were able to put in extremely simple passwords like “12345”. Of course, storing the passwords in clear text trumps the use of simple passwords, since anyone within RockYou.com or, in this case, someone able to break into the systems now has all of the passwords regardless of how simple or complex they are. What I pull out of this, besides the complete disregard for security controls at all, is that if you allow people to make poor judgment decisions, they will.
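The two controls this paragraph says were missing, shown together as an added example (not code from the original post or from RockYou.com): passwords like “12345” are refused at registration, and only a salted, slow hash is stored. The names `UserStore` and `check_policy`, the minimum length, the iteration count and the short list of common passwords are assumptions made for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample of trivially guessable passwords (not a real breach list).
COMMON = {"12345", "123456", "password", "qwerty", "iloveyou"}
MIN_LENGTH = 12        # assumed policy value, not taken from the post
ITERATIONS = 600_000   # assumed PBKDF2-HMAC-SHA256 work factor


def check_policy(password):
    """Return the reasons a password is refused; an empty list means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("too short")
    if password.lower() in COMMON:
        problems.append("commonly used")
    if len(set(password)) < 5:
        problems.append("too few distinct characters")
    return problems


def hash_password(password, salt=None):
    """Derive a slow, salted hash; a fresh random salt is used unless one is given."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return salt, digest


class UserStore:
    def __init__(self):
        # username -> (salt, digest); the password itself is never kept,
        # so reading this table does not hand over usable passwords.
        self._records = {}

    def register(self, username, password):
        problems = check_policy(password)
        if problems:
            raise ValueError("password rejected: " + ", ".join(problems))
        self._records[username] = hash_password(password)

    def verify(self, username, password):
        record = self._records.get(username)
        if record is None:
            return False
        salt, expected = record
        _, candidate = hash_password(password, salt)
        # Constant-time comparison avoids leaking how many bytes matched.
        return hmac.compare_digest(candidate, expected)
```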

Twitter recently sent an email to several users of the system telling them that Twitter had reset their password because of concern that it had been compromised due to a phishing scam. That was very nice of Twitter to take the proactive approach of contacting its users and letting them know, but their email looked like a phishing attack itself. The email was nice enough to even contain links sending people to a password reset page. Again, allow people to make poor judgment decisions and they will. In this case it’s all legitimate, but next time it’s going to be an email sent from someone other than Twitter, and it will include links that look like helpful Twitter links but will in fact be another phishing attack. Twitter is helping perpetuate its own issue, and people will click on the links.

So that brings me back to never forgetting the basic fundamentals of security. Everyone has to protect themselves. We are all very comfortable using computers and surfing the web, and with that comfort comes complacency. We all need to take the time to think about what it is we’re putting on the web, and take the extra steps to make sure we protect ourselves by using complex passwords, different passwords on different web sites, and changing our passwords frequently. No matter how advanced technology becomes, no matter how safe a site looks, or how comfortable we are with sites we go to, the only thing protecting everything we put on the web is still a simple password.

David Lingenfelter is the Information Security Officer at Fiberlink. He is also a contributor to the MeVolution Blog. David can be reached at dlingenfelter@fiberlink.com.