8/7/14

"Best Practice" so often isn't

I was at a conference a year or so ago and watched a brilliant presentation by a Verizon scientist. His presentation was on virus patching, and he was making the point that our relentless multi-day patching is at best a waste of money and at worst is making our systems less secure and less reliable.

At conferences, I feel the trip was worth it if I come away with one bit of wisdom to carry forward. In this case, it was his words that I noted:

Doing the same thing, only better, is almost always a waste of money.

His presentation used car safety as an example. He showed how safety was vastly improved by a seat belt. A standard vinyl seat belt is strong enough to lift the car it is in. He said for $1000 you could put in a titanium seatbelt that would be strong enough to lift the building we were in. This titanium seatbelt would improve your chances of survival by 2%. He plotted a graph, showing the improvements from nothing, to kite string, to rope, to vinyl seatbelts and finally titanium seatbelts.

It was a masterful speech, so I was thinking, sure, I'd spend $1000 to improve my chances of living. He then drew something along the lines of the graph above, marked that zone as "best practice", and spoke the line that I wrote down: "doing the same thing better is almost always a waste of money." He then drew a different line showing how an air bag (duh!) costs only $100 but increases survival chances by something like 30%.

So, he was doing something different, not just the same thing better.

I remembered this as I am now having that loathsome term "best practice" thrown at me left and right. The latest example is password policy. I am told that best practice involves complex passwords that require:

  • upper case letters
  • lower case letters
  • numbers
  • special characters

Curiously, there is a limit of 6 to 12 characters. Six is too small a lower bound, and 12 is too small an upper bound. I pointed out that according to this "best practice" passwords such as Pass!1 followed by Pass!2 would be perfectly acceptable. That's the wrong argument, though. It just gets the auditors to add more rules (no password that contains contiguous letter similarities with the previous 100 passwords).

Human nature is such that nobody is going to pick a password like $fHY^*L MkL~ü. People will game any system that you make too hard for them.

I point out to internal auditors that another "best practice" concerns itself more with password length than with character set. "bestpracticesooftenisnot" would be an obscenely good password. Its 24-character length makes it, with current technology, uncrackable for more than a century. It is also something a user can remember, and so they are less likely to write it down. And on an iPhone or other small device, it avoids the giant pain (and inevitable mistakes) associated with special characters.

So my suggestion is a minimum password length of 15. Also, issue some guidelines to help people pick better rather than worse passwords. Perhaps show them diceware. I find that fascinating: even given a known list of only 7,776 words, a password of 5 words constructed with diceware, all lower case, is resistant to years of brute force attack. That would be another lovely thing to get past the "best practice" crowd: if a strong password is safe for years, why does policy force you to change it every 30 days?
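To put numbers on the comparison above, here is an added example (not from the original post) that computes the keyspace, entropy and years-to-exhaust for each policy discussed: the complex 6-character "Pass!1", the complex 6-12 character policy, the 24-character lowercase passphrase, and 5 diceware words from the 7,776-word list. It also shows how five dice rolls index the diceware list. Assumptions are a 94-symbol printable-ASCII alphabet for the "complex" policy and a guess rate of 10^10 per second; the keyspace is an upper bound that assumes uniformly random choice, which the post argues real users do not make.

```python
"""Keyspace comparison for the password policies in the post (added example)."""
import math
import secrets

DICEWARE_WORDS = 6 ** 5            # 7,776 words: five six-sided dice select one
COMPLEX_ALPHABET = 26 + 26 + 10 + 32  # upper, lower, digits, ASCII specials = 94 (assumption)
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace_fixed_length(alphabet_size, length):
    """Distinct strings of exactly `length` symbols drawn uniformly."""
    return alphabet_size ** length


def keyspace_length_range(alphabet_size, min_len, max_len):
    """Policy that allows any length from min_len to max_len inclusive."""
    return sum(alphabet_size ** n for n in range(min_len, max_len + 1))


def entropy_bits(keyspace):
    """Bits of entropy, assuming every element of the keyspace is equally likely."""
    return math.log2(keyspace)


def years_to_exhaust(keyspace, guesses_per_second=1e10):
    """Worst-case time to try the whole keyspace at the assumed guess rate."""
    return keyspace / guesses_per_second / SECONDS_PER_YEAR


def diceware_roll():
    """Five dice -> one 5-digit base-6 key such as '43216' that indexes the word list."""
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(5))


def diceware_keys(words=5):
    """Keys for a passphrase of `words` words; look each one up in the diceware list."""
    return [diceware_roll() for _ in range(words)]


POLICIES = {
    "complex, 6 chars (Pass!1)": keyspace_fixed_length(COMPLEX_ALPHABET, 6),
    "complex, 6-12 chars": keyspace_length_range(COMPLEX_ALPHABET, 6, 12),
    "lowercase, 24 chars": keyspace_fixed_length(26, 24),
    "diceware, 5 words": keyspace_fixed_length(DICEWARE_WORDS, 5),
}


def compare(guesses_per_second=1e10):
    """Map policy name -> (entropy bits, years to exhaust at the assumed rate)."""
    return {name: (entropy_bits(k), years_to_exhaust(k, guesses_per_second))
            for name, k in POLICIES.items()}


if __name__ == "__main__":
    for name, (bits, years) in compare().items():
        print(f"{name:28s} {bits:6.1f} bits  ~{years:.3g} years to exhaust")
    print("diceware keys to look up:", diceware_keys())
```

At the assumed rate the 5-word diceware passphrase takes on the order of 90 years to exhaust, matching the post's "years"; the 24-character lowercase string runs to about 10^16 years.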

The wisdom regarding best practice applies to much more than passwords, of course. So whenever you find someone talking about best practice, pause for a moment. What is really being discussed is an incremental investment. So the decision doesn't have to be obedience to such an obvious term as best practice (who would be against doing things the best way?). You have to rise above that and ask if the incremental investment will yield a reasonable incremental benefit. And then you need to look at all of the things you are considering, and pick the ones with the best cost/benefit. In this way, you may find that your current practices are not the theoretical "best", but that they are good enough. This might result in you inventing the next airbag instead of titanium seat belts.
