It is difficult to make improvements to a system without an understanding of the problem that needs to be addressed. In the IT security world, we face many problems. It’s clear to me, though, that one of the main problems we have is, well, agreeing on what the problems are. A great example is a recent post I read by Rob Graham on the Errata Security Blog regarding the advice to use “strong passwords”. While the post itself is a good read, I found the comments to be much more interesting. Granted, the comments only involve a small number of people, but in my experience, they exemplify a broader issue in the IT security world: the objectively “right” approach to address some security challenge is determined by the perspective, experiences, and subjective judgement of each practitioner. In some ways, that’s a good thing. I recently listened to the book “Deviate: The Science of Seeing Differently” and in it, the author made the point that breakthroughs often only come when people don’t know that they shouldn’t ask a particular question. In other respects, it seems clear to me that we should not be in a place where there is such disagreement about whether the advice to use strong passwords is good or not.
In this particular instance, I suspect much of the debate stems from two things:
- lack of a consistent understanding of modern threats that face password-based authentication systems
- lack of a consistent view of what kind of systems we are trying to protect
I suspect, for example, that most people that come from large organizations will view weak passwords as much more of a problem than password reuse, whereas incident responders and those who manage consumer-oriented Internet services will see password reuse as much more problematic.
I hope and expect that it is intuitive that this difference of perspective leads to different views. What may not be so intuitive, though, is that our own views on the “objectively right” approach to address some security concern are colored by our knowledge and experience, and may not be a universal truth; we should always be questioning ourselves, our beliefs, and our approaches to problems.