March 10, 2008

The Most Ridiculous Password Policies

No matter how secure your systems are, everyone knows that humans are the weakest link in the security chain.  So, what can you do to reduce the human-factor risk?

Many, many things.

But today I'm writing about not enforcing ridiculous password policies.

Users need to be able to memorize their passwords, or they will write them down - inevitably on a Post-It note, stuck to their monitor, labeled "Password".

Examples of horrible policies I found while researching this:

  • Must be between 5 and 10 characters long, contain one number, and one capital letter.
  • Must be less than 7 characters.
  • Must be longer than 7 characters, and include a number - and you can't use a number twice in a row.

These are ridiculous. One of those is from a social network, the other two are from financial institutions.

The same principles apply in corporate settings. Provide a secure password scheme that allows people to use the things that are typically memorable to them, but aren't easily defeated by a brute force / dictionary attack.

What does this mean?

Using an example:

  1. A dictionary attack tries the word "cheese".
  2. When that fails, it tries "cheese1", and so on.

So the solution for most environments can be as simple as:

  • Require the password to be at least 7 characters long.
  • Require it to contain a number somewhere in between the alpha characters (not just tacked onto the end).

Examples: "ch1942eese", "jo1992rdan", etc.
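To make those two rules concrete, here is an added Python example (not code from the original post). It implements the proposed check and contrasts the "append a digit" mangling described above with what an attacker who already knows the policy would have to try instead. The wordlist and the candidate passwords are constructed for illustration; the 7-character minimum is the post's own.

```python
import itertools
import re

MIN_LENGTH = 7  # the minimum length proposed in the post

# Constructed toy wordlist standing in for a real attack dictionary.
WORDLIST = ["cheese", "jordan", "password", "monkey", "letmein"]


def meets_policy(password):
    """Check the policy proposed in the post: at least MIN_LENGTH characters
    and at least one digit sitting between alphabetic characters.  A digit
    that is only appended ("cheese1") or prepended ("1cheese") does not count.
    This is a format check only; it does not consult a dictionary."""
    if len(password) < MIN_LENGTH:
        return False
    return re.search(r"[A-Za-z][0-9]+[A-Za-z]", password) is not None


def appended_digit_candidates(word, max_digits=2):
    """The classic dictionary-attack mangling from the post: the bare word,
    then the word with 1..max_digits digits appended
    ("cheese", "cheese0", ..., "cheese99")."""
    out = [word]
    for n in range(1, max_digits + 1):
        for digits in itertools.product("0123456789", repeat=n):
            out.append(word + "".join(digits))
    return out


def interior_digit_candidates(word, max_digits=4):
    """What an attacker who knows the policy must try instead: 1..max_digits
    digits inserted at every interior position of the word
    ("c1heese", ..., "ch1942eese", ...)."""
    out = []
    for pos in range(1, len(word)):
        for n in range(1, max_digits + 1):
            for digits in itertools.product("0123456789", repeat=n):
                out.append(word[:pos] + "".join(digits) + word[pos:])
    return out


def append_attack_finds(target, wordlist=WORDLIST, max_digits=2):
    """True if the append-a-digit mangling over the wordlist reaches target."""
    return any(target in appended_digit_candidates(w, max_digits) for w in wordlist)


def guesses_per_word(word, max_digits=4):
    """Candidate counts for one word with up to max_digits digits:
    (append style, interior-insertion style)."""
    return (len(appended_digit_candidates(word, max_digits)),
            len(interior_digit_candidates(word, max_digits)))


if __name__ == "__main__":
    for pw in ["cheese", "cheese1", "1cheese", "ch1942eese", "jo1992rdan"]:
        print("%-12s policy=%-5s found_by_append_attack=%s"
              % (pw, meets_policy(pw), append_attack_finds(pw)))
    print("guesses per word (up to 4 digits): append=%d interior=%d"
          % guesses_per_word("cheese"))
```

Running it shows "cheese1" passing through the classic attack in a handful of guesses while failing the policy, and "ch1942eese" passing the policy and escaping the append-style attack. The last line quantifies what the rule buys: for a six-letter word, an attacker who adapts to the policy has to try about five times as many candidates per word as one who only appends digits, because the digits can land at any of five interior positions.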

Oh, one more thing - forcing people's passwords to expire repeatedly in short intervals will almost certainly lead to them writing down their passwords. Stop.

Please, everyone, we need to put a stop to this horrid password policy culture. It's caused more compromises than most other channels combined.

March 07, 2008

What police department do you work for today?

The "system" in place for controlling how LEOs (law enforcement officers) get their credentials is laughable at best.

Typically an LEO carries two pieces of identification, which they call "creds":

  • A Badge
  • An ID card

These are not nearly difficult enough to obtain.

There are no federal laws dictating how identities should be verified when someone orders new or replacement credentials. There also aren't any standards for what police credentials should look like.  Some of them look more professional than others. Some look similar to drivers' licenses, some look more like a cheap high school ID card. Most of them have much worse security mechanisms than traditional state IDs.

A limited number of companies supply credentials to the enormous number of LEOs and LE agencies. Most of them simply require a fax on "department letterhead" or a similarly easy-to-defeat mechanism.

As long as it's this easy to order police creds online, there's a huge risk. Oh, don't forget your badge. And you'll probably want to be wearing the right clothes.

March 05, 2008

Subduco

Subduco is a Latin word meaning "to take away stealthily."