A False Sense of Security

Many people use generators to create strong passwords. In combination with tools that automatically submit passwords on one's behalf, such generators are almost painless to use. For those who use Apple products it is possible to synchronize passwords across multiple devices.

Recent news of the Heartbleed bug has highlighted a flaw in the logic of strong passwords. Sure, they lock the 20 cm thick steel front door, but the paper walls and open windows of the corporate security net remain porous [see which sites were affected].

Granted, this may seem a bit strong; I personally know the effort and diligence of corporate security officers. They seek to anticipate all known attack vectors and put controls in place to mitigate them. Yet their fundamental assumption is that the controls work: that they are steel, not paper.

The Heartbleed bug exposes that assumption and demonstrates how weak it is. But it is worse; a lot worse. I'm not pointing to the fact that Heartbleed is far more widespread than software-based web servers and also affects many hardware-level network appliances. The concern is that there are reports that the NSA has known about this for 2 years.

For those of a neocon persuasion this must be particularly troubling, since in their belief system no government agency is as capable as its counterpart in the private sector. What this means is that if the NSA could find this bug, then so could other, non-governmental organizations. Just think who they might be.

So let's take this one step further. If the NSA has built-in backdoors to many so-called secure sites (and then ask what the difference is between a backdoor and Heartbleed from a controls perspective), then the question is how many more Heartbleed-like backdoors there are, and who else has discovered them and exploits these unloggable entry points. No one knows.
