We have met the enemy and he is us!

Cartoonist Walt Kelly most likely never heard of E-mail, ARPANET or logging in, but he rivals Nostradamus when it comes to IT security.

Daily, I’m amazed at the number of security holes and vulnerabilities in IT systems that are not the result of bad code but are directly the result of bad practices.  There are many examples of perfectly secure IT systems which are rendered about as secure as a Madoff managed retirement fund when placed in the hands of their administrators or users.

My biggest pet peeve at the moment is clear-text passwords.

To be clear (no pun intended), I’m not referring to passwords being stored in clear-text format, or to whether or not they are encrypted while traveling a local network. I’m referring to passwords sent in clear text in E-mail.

We have met the enemy and he is us!

Unless I’m really missing something, I see no point in requiring an eight-character password in which no two characters can repeat, one character must be a capital letter, another must be a digit and I can’t reuse any of the previous dozen or so passwords, when the web site I just logged in to sends me back my password in clear text!

Most of the sites I’m seeing this happen with are, of all things, HR-related. Yes, that HR… Human Resources. These are the sites that process personal information including, in some cases, social security numbers.

Looking for a new job? Create a profile on our site, be sure to include your full name, address, phone number, etc., and then we’ll send you back a confirmation with your login ID and password in clear text, so that anyone capturing E-mail or using a packet sniffer will have full access to your profile.

Need to access your benefit information?  Create a user ID on our site, be sure to include your employee ID number and we’ll send you an E-mail with your login ID and password for future reference.

This isn’t far removed from the thousands of people storing their passwords on sticky notes under their keyboards, except that I never asked anyone to send my credentials back to me in an insecure E-mail.

I realize not every site operates this loosely but there are plenty.  It seems as if no one is bothering to validate their systems holistically.  They concentrate on whether the daemons are running on locked down platforms with secure sockets and infinite logging but they neglect to review how these systems operate.

Simple architectural reviews and guidelines can eliminate these and other vulnerabilities. The question is, who is minding the store? No system should be designed or created which sends clear-text passwords back to its users. Period.
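To make the rule concrete, here is the registration flow the post complains about beside one that never puts the password in a message: the server stores only a salted PBKDF2 hash, and a forgotten password is handled with a single-use, expiring reset token whose hash (not the token) is kept server-side. This is an added example and not code from the original post; the in-memory user store, the `OUTBOX` list standing in for the mail server, the `example.invalid` reset URL and all function names are assumptions made for the illustration.

```python
"""Added example: e-mailed clear-text credentials vs. a hash-and-reset-token design.
The mailbox, user store, URL and function names are assumptions for illustration."""
import hashlib
import hmac
import os
import secrets
import time

OUTBOX = []  # constructed stand-in for the outgoing mail server


def send_mail(to, subject, body):
    OUTBOX.append({"to": to, "subject": subject, "body": body})


# --- The pattern the post describes: the password is stored as typed and echoed back ---
USERS_BAD = {}


def register_bad(email, password):
    USERS_BAD[email] = password  # stored in clear text
    # Anyone who reads this message (mailbox, relay, sniffer) owns the account.
    send_mail(email, "Welcome", f"Login: {email}\nPassword: {password}")


# --- The alternative: salted hash on the server, one-time expiring token for resets ---
USERS = {}         # email -> {"salt": bytes, "hash": bytes}
RESET_TOKENS = {}  # email -> {"hash": sha256(token), "expires": unix time}
TOKEN_TTL = 15 * 60  # assumed 15-minute validity for a reset link


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a fresh 16-byte salt unless one is supplied."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def register(email, password):
    salt, digest = hash_password(password)
    USERS[email] = {"salt": salt, "hash": digest}
    # The confirmation never contains the password.
    send_mail(email, "Welcome", f"Your account {email} was created.")


def verify_password(email, password):
    rec = USERS.get(email)
    if rec is None:
        hash_password(password, b"\x00" * 16)  # burn the same time for unknown users
        return False
    _, digest = hash_password(password, rec["salt"])
    return hmac.compare_digest(digest, rec["hash"])


def request_reset(email, now=None):
    """Mail a random token; keep only its hash so a database leak does not leak links."""
    now = time.time() if now is None else now
    if email not in USERS:
        return None  # caller shows the same "check your mail" page either way
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[email] = {
        "hash": hashlib.sha256(token.encode()).digest(),
        "expires": now + TOKEN_TTL,
    }
    send_mail(email, "Password reset", f"https://example.invalid/reset?token={token}")
    return token


def complete_reset(email, token, new_password, now=None):
    """Single use: the stored token is consumed on any attempt, expired tokens fail."""
    now = time.time() if now is None else now
    rec = RESET_TOKENS.pop(email, None)
    if rec is None or now > rec["expires"]:
        return False
    presented = hashlib.sha256(token.encode()).digest()
    if not hmac.compare_digest(presented, rec["hash"]):
        return False
    salt, digest = hash_password(new_password)
    USERS[email] = {"salt": salt, "hash": digest}
    return True


def mail_leaks_password(message, password):
    """Review helper: does a captured message contain the credential verbatim?"""
    return password in message["body"]
```

The reset link carries a random token rather than the password, so a leaked mailbox or sniffed message is worth at most fifteen minutes and one use; the hash-only storage of both the password and the token means the server never holds anything it could mail back even if someone asked it to.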

Yes, we have met the enemy and he is us!


~ by Marc Hedish on June 23, 2010.
