News from July, 2009

The Human Factor in the Twitter Hack

An interesting little rumor recently made its way across the Internet. Twitter, the poster child for Web 2.0 social networking, has apparently been having some security problems. It turns out that the attackers didn’t need to do anything sophisticated at all. For at least one of their systems, Twitter’s admin password was, wait for it … password.

As an author of L0phtCrack, a well-known password cracking tool, I have seen thousands of cracked passwords at a time, and I’ve got to tell you, this is not particularly surprising. I can assure you that the most popular password on the planet is indeed password, followed closely by things like:

  • secret
  • welcome123 (or other default passwords)
  • qwerty, asdfg, (and other silly keyboard patterns)
  • Porsche, Mercedes, Ferrari, etc.
  • Red Sox, Yankees, Patriots, etc., etc., etc.
  • Name and/or birth dates of loved ones, friends, pets, etc.

You get the idea. Password technology has been fundamentally flawed for quite some time, but with solid security practices, and the right training, it can still be used effectively if you know how. Unfortunately, most people don’t know how, even some of the ones who should.

Of course, Twitter’s comeback was that this was for a system that didn’t need to be as secure. I’ve got to be honest here. I’ve heard that one before – it’s called an excuse. We need to stop being afraid to come out and say, “Yes, there was a security incident. We were a bit lax in our security procedures and we have addressed the holes. We’re taking it seriously and correcting the mistake to lessen the likelihood that it happens again.”

As long as there are humans running systems, there will always be security flaws. Everyone makes mistakes, and some of those mistakes cause security holes.

But c’mon, password??? I’ve conducted security reviews for many large enterprises, and from what I’ve seen, when people make such basic mistakes, there are almost certainly far bigger flaws elsewhere in the system.

You see, passwords are just the tip of the iceberg. Building a secure system requires a very different mindset than simply “make it work.” And it is significantly more difficult if everyone on the team doesn’t have it. In my next post, I’ll talk more about the effects of the human factor in security and some of the biggest people problems.

–Rob Cheyne
rcheyne@securityadvisors.com

AppSec Training – Expensive and Inflexible?

I’m constantly talking with people who are responsible for running Application Security programs within their organizations. These people often struggle with implementing effective training programs for their development teams. The most common issues they face have to do with developer scheduling and budget.

It turns out that Computer-based Training, or e-Learning, is a great way to address both issues and has other benefits as well. The challenge has always been finding e-Learning that actually works well. Safelight has been tackling this issue for the last 18 months and has released e-Learning based AppSec training that works.

Take a look at the demo video to learn more. If you’re interested in a full demo license to the training, send an email to training@securityadvisors.com and reference this blog entry.

We hope you’ll agree that effective e-Learning will increase the flexibility and reduce the costs associated with training your development teams about current methods for developing secure applications.
