Security is one of my focus areas, and it is an area that often falls short, but more often than not that is due to poor policy rather than poor programming. That’s right, I said it. Yes, I do work for a software company… Yes, I often blame hardware manufacturers’ drivers for the blue screen of death and not Microsoft. Yes, I do admit that people get infected with viruses due to poor browser coding and poor coding of plugins.
BUT poor security practice makes you a lot more insecure than most coding problems. For example, if I can call your helpdesk, say I am you, and your helpdesk will help me get connected to your network, then you have a huge security problem. You need to have a policy in place that verifies callers are who they say they are. The larger the organization, the more susceptible it is to this kind of social engineering attack.
What I believe is one of the biggest issues in security practice today is the password. It would be great if we could get to another security solution that uses something other than passwords, like smart cards. That way someone can’t log in as me unless they have the smart card and my PIN. This is what we use at Microsoft, in addition to DirectAccess. Another bad security practice is telling people how you secure your network; that just helps them know where to start looking for holes in the armor.
Passwords are often insecure because users have to remember them, so they choose easy passwords or reuse them. I have written about this before:
- http://mythoughtsonit.com/2011/02/passwords/
- http://mythoughtsonit.com/2011/08/dont-reuse-passwords/
- http://mythoughtsonit.com/2011/06/passwords-are-getting-easier-to-crack-with-gpus/
- http://mythoughtsonit.com/2011/06/the-10-immutable-laws-of-computer-security/
Even if you use a unique, secure password for each site / login, you should pay close attention to the length of the password. For a brute force attack against a local password hash, here are the current times to try all combinations of possible passwords. I know this is a bit simplistic, but the idea is the important part. Look at how quickly the time to crack a password changes with the length. With only lowercase letters you need at least 10 characters for it to be even remotely secure. And if the attacker uses GPUs and multiple machines, that may shift this table by a few characters.
| Password Length | All Characters | Only Lowercase |
|---|---|---|
| 3 characters | 0.86 seconds | 0.02 seconds |
| 4 characters | 1.36 minutes | 0.046 seconds |
| 5 characters | 2.15 hours | 11.9 seconds |
| 6 characters | 8.51 days | 5.15 minutes |
| 7 characters | 2.21 years | 2.23 hours |
| 8 characters | 2.10 centuries | 2.42 days |
| 9 characters | 20 millennia | 2.07 months |
| 10 characters | 1,899 millennia | 4.48 years |
| 11 characters | 180,365 millennia | 1.16 centuries |
| 12 characters | 17,184,705 millennia | 3.03 millennia |
| 13 characters | 1,627,797,068 millennia | 78.7 millennia |
| 14 characters | 154,640,721,434 millennia | 2,046 millennia |
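To show where a table like this comes from, here is an added example (my own code, not part of the original post) that recomputes the worst-case exhaustive search time from character-set size and password length, and generalizes it to any guess rate. It assumes, from the table's own entries, a 95-character printable ASCII set for "All Characters" and roughly 1,000,000 guesses per second; the 1-billion-guesses-per-second GPU rate is a constructed figure used only to show how much the required length shifts.

```python
# Character-set sizes: 95 printable ASCII characters for "All Characters"
# (an assumption that reproduces the table's entries), 26 for "Only Lowercase".
ALL_CHARACTERS = 95
ONLY_LOWERCASE = 26

# Assumed guess rate inferred from the table: 95**3 / 1e6 = 0.857 s,
# which matches the "0.86 seconds" entry for 3 characters.
BASE_RATE = 1_000_000
# Constructed figure for a GPU rig, only to show how the table shifts.
GPU_RATE = 1_000_000_000

# The table's rounding works out with 365-day years and 365/12-day months.
YEAR = 365 * 86400
_UNITS = [
    ("millennia", 1000 * YEAR), ("centuries", 100 * YEAR), ("years", YEAR),
    ("months", YEAR / 12), ("days", 86400), ("hours", 3600),
    ("minutes", 60), ("seconds", 1),
]


def keyspace(charset_size, length):
    """Number of candidate passwords an exhaustive search must try."""
    return charset_size ** length


def seconds_to_crack(charset_size, length, guesses_per_second=BASE_RATE):
    """Worst case: every combination is tried before the right one turns up."""
    return keyspace(charset_size, length) / guesses_per_second


def human(seconds):
    """Render a duration in the largest unit that fits, as the table does."""
    for name, size in _UNITS:
        if seconds >= size:
            return f"{seconds / size:.2f} {name}"
    return f"{seconds:.2f} seconds"


def length_needed(charset_size, target_seconds, guesses_per_second=BASE_RATE):
    """Smallest length whose exhaustive search takes at least target_seconds."""
    length = 1
    while seconds_to_crack(charset_size, length, guesses_per_second) < target_seconds:
        length += 1
    return length


if __name__ == "__main__":
    print("Length | All Characters | Only Lowercase")
    for n in range(3, 15):
        print(f"{n:>6} | {human(seconds_to_crack(ALL_CHARACTERS, n)):>22} | "
              f"{human(seconds_to_crack(ONLY_LOWERCASE, n))}")
    for rate in (BASE_RATE, GPU_RATE):
        print(f"at {rate:,} guesses/s, lowercase needs "
              f"{length_needed(ONLY_LOWERCASE, YEAR, rate)} characters to last a year")
```

Raising the guess rate a thousandfold (the GPU case) pushes the lowercase length needed to survive a year of searching from 10 to 12 characters, which is the "few characters" shift the text warns about.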