08 March 2021

Never Underestimate the Power of Human Stupidity

You don't think security is important. I know you don't. Most of you won't use a Password Manager, even though it makes your life EASIER. I have to remember exactly 1 password to get on every internet site, email site, my bank, my brokerage,... And it isn't because they all share the same insecure password.

Former SolarWinds CEO blames intern for 'solarwinds123' password leak

I'm a bit behind on security news; this story is from the end of February. I hope to be current soon.

So blaming an intern is safe... they are gone at the end of summer... But then there is the fact that the PW in question was in place from some unspecified time in 2017 until November of 2019.

The password in question, "solarwinds123," was discovered in 2019 on the public internet by an independent security researcher who warned the company that the leak had exposed a SolarWinds file server.

How many people knew of that password? Used it to log into the server in question? No one raised a red flag. (Oh, I like that PW; it's easy to remember!)

And you could say - you'd be wrong - that it is hard to guess, but the intern posted it on a PUBLIC GitHub account. So not secure. At. All.

"I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad," said Rep. Katie Porter. "You and your company were supposed to be preventing the Russians from reading Defense Department emails!"

Cluster. Fuck.

Password Managers: What are they? A database of passwords. It should be protected by a really secure password that you will never forget, and still not be based on dictionary words. (There are ways to build PWs based on dictionary words that are secure. They are very long passwords.)

I have to remember one password to get into my PW manager database. It remembers all the PWs to all the sites I visit, everything from the New York Slimes and the LA Times to the FCC license database, which I only log into once every few years. The passwords it remembers for me are not easy to remember. They are 20 or 30 characters of gibberish, including numbers, lowercase and uppercase letters and special characters, which makes it virtually impossible to break into my banking account. That PW has NOTHING to do with the sports team where I went to college, or my favorite MLB team, or my favorite movie or book or anything. I usually recommend LastPass to people who want a PW manager. I use KeePass, but that is certainly not for everyone! (I manage my own backups, on multiple media, offsite, etc.) LastPass manages that for you. DO NOT lose the PW to your password manager. They cannot save you from yourself.
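As an added illustration (not part of the original post), here is a short Python script that puts numbers on the two kinds of strong password described above: the random gibberish a manager generates, and a long passphrase built from dictionary words. The six-entry word list and the 10^10 guesses-per-second rate are constructed assumptions; the entropy math uses a 7776-word list, the size of a real Diceware-style list.

```python
import math
import secrets
import string

# Constructed sample word list, only so the script runs offline.
# A real passphrase list (e.g. Diceware / EFF long list) has 7776 words,
# so the entropy calculations take the list size as a separate number.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple", "heinlein", "boss"]
DICEWARE_LIST_SIZE = 7776

# Upper/lowercase letters, digits and punctuation: 94 printable characters.
SYMBOL_ALPHABET = string.ascii_letters + string.digits + string.punctuation

# Assumed attacker speed for the "years to exhaust" estimate (constructed).
GUESSES_PER_SECOND = 1e10


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy of a secret made of `length` uniform picks from `alphabet_size` options."""
    return length * math.log2(alphabet_size)


def words_needed(target_bits: float, list_size: int = DICEWARE_LIST_SIZE) -> int:
    """Fewest random dictionary words that reach `target_bits` of entropy."""
    return math.ceil(target_bits / math.log2(list_size))


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Time to try every possibility at `rate` guesses/second, in years."""
    return (2 ** bits) / rate / (365.25 * 24 * 3600)


def random_password(length: int = 20, alphabet: str = SYMBOL_ALPHABET) -> str:
    """What a password manager stores for you: uniform random gibberish.
    `secrets` is the CSPRNG; the `random` module is not suitable for this."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(n_words: int, words=SAMPLE_WORDS) -> str:
    """A dictionary-word passphrase: secure only because it is long."""
    return " ".join(secrets.choice(words) for _ in range(n_words))


if __name__ == "__main__":
    for length in (20, 30):
        bits = entropy_bits(len(SYMBOL_ALPHABET), length)
        print(f"{length}-char manager password: {bits:.1f} bits, "
              f"{words_needed(bits)} Diceware words to match, "
              f"{years_to_exhaust(bits):.2e} years to exhaust")
    print("example manager password:", random_password())
    print("example passphrase:", random_passphrase(6))
```

Ten words from a 7776-word list is about 129 bits, roughly the same strength as 20 random printable characters, which is why a passphrase of dictionary words has to be long to compete.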

Don't think that is an issue? Do a web search on "credential stuffing."

As for the quote that forms the title to this post...

“Never underestimate the power of human stupidity.”
    — Robert A. Heinlein, Time Enough for Love

2 comments:

  1. My PW manager password is something on the order of:

    Mtnb,sat0b

    (Meet the new boss, same as the old boss) from Who's Next

    Easy for me to remember, has a special character, a number and a capital letter, and nobody in the world is going to guess it. Your favorite bible verse might serve you well; what the heck, a good Heinlein quote would do the trick, too.

    1. That is still one of the best ways to create a PW as long as you don't choose something too obvious. You can add a lot of entropy, and as you say, keep it easy for you to remember.

