The Human Factor in the Twitter Hack
An interesting little rumor recently made its way across the Internet. Twitter, the poster child for Web 2.0 social networking, has apparently been having some security problems. It turns out that the attackers didn’t need to do anything sophisticated at all. For at least one of their systems, Twitter’s admin password was, wait for it … password.
As an author of the well-known password-cracking tool L0phtCrack, I have seen thousands of cracked passwords at a time, and I’ve got to tell you, this is not particularly surprising. I can assure you that the most popular password on the planet is indeed password, followed closely by things like:
- secret
- welcome123 (or other default passwords)
- qwerty, asdfg (and other silly keyboard patterns)
- Porsche, Mercedes, Ferrari, etc.
- Red Sox, Yankees, Patriots, etc., etc., etc.
- Name and/or birth dates of loved ones, friends, pets, etc.
You get the idea. Password technology has been fundamentally flawed for quite some time, but with solid security practices, and the right training, it can still be used effectively if you know how. Unfortunately, most people don’t know how, even some of the ones who should.
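Read from the defender's side, the list above is a screening list: the categories a registration or password-change handler should refuse before it ever hashes the value. The following is an added example, not code from this post or from L0phtCrack; the blocklist entries, the leet map, the 12-character minimum and the `personal_terms` argument (names and dates taken from the account profile) are assumptions chosen to match the categories listed above.

```python
import re

# Constructed seed list covering the post's categories (dictionary words, defaults,
# car brands, sports teams); a real deployment loads a large breach-derived list.
BLOCKLIST = {
    "password", "secret", "welcome", "admin", "changeme",
    "porsche", "mercedes", "ferrari", "redsox", "yankees", "patriots",
}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
LEET = str.maketrans("@$0134!", "asoieai")  # assumed substitutions: P@ssw0rd -> password
MIN_LENGTH = 12  # assumed policy value, not taken from the post


def normalize(pw: str) -> str:
    """Undo common leet substitutions and drop non-letters so variants collapse to a base word."""
    return re.sub(r"[^a-z]", "", pw.lower().translate(LEET))


def keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            if any(seq[i:i + run] in s for i in range(len(seq) - run + 1)):
                return True
    return False


def date_like(pw: str) -> bool:
    """True if pw embeds a plausible year (19xx/20xx) or a 6- or 8-digit run such as a birth date."""
    return any(len(d) in (6, 8) or (len(d) == 4 and d[:2] in ("19", "20"))
               for d in re.findall(r"\d{4,8}", pw))


def check_password(pw: str, personal_terms=()) -> list:
    """Return the policy violations for pw; an empty list means the password is acceptable."""
    problems, base = [], normalize(pw)
    if len(pw) < MIN_LENGTH:
        problems.append("too short")
    if base in BLOCKLIST or any(b in base for b in BLOCKLIST if len(b) >= 6):
        problems.append("blocklisted word")
    if keyboard_walk(pw):
        problems.append("keyboard pattern")
    if date_like(pw):
        problems.append("date-like digits")
    for term in personal_terms:  # names, pets, birth dates from the user's own profile
        t, n = term.lower(), normalize(term)
        if len(t) >= 3 and (t in pw.lower() or (len(n) >= 3 and n in base)):
            problems.append(f"contains personal term '{term}'")
    return problems
```

`check_password("P@ssw0rd1!")` is rejected as a blocklisted word because the leet-stripped base is still `password`, which is the case a naive exact-match blocklist misses.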
Of course, Twitter’s comeback was that this was for a system that didn’t need to be as secure. I’ve got to be honest here. I’ve heard that one before – it’s called an excuse. We need to stop being afraid to come out and say, “Yes, there was a security incident. We were a bit lax in our security procedures and we have addressed the holes. We’re taking it seriously and correcting the mistake to lessen the likelihood that it happens again.”
As long as there are humans running systems, there will always be security flaws. Everyone makes mistakes, and some of those mistakes cause security holes.
But c’mon, password??? I’ve conducted security reviews for many large enterprises, and from what I’ve seen, when people make such basic mistakes, there are almost certainly far bigger flaws elsewhere in the system.
You see, passwords are just the tip of the iceberg. Building a secure system requires a very different mindset than simply “make it work,” and it is significantly more difficult if not everyone on the team has that mindset. In my next post, I’ll talk more about the effects of the human factor in security and some of the biggest people problems.
–Rob Cheyne
rcheyne@securityadvisors.com

I recently came across your blog and have been reading along. I thought I would leave my first comment. I don’t know what to say except that I have enjoyed reading. Nice blog. I will keep visiting this blog very often.
Deborah
http://maternitymotherhood.net
July 25th, 2009 at 3:28 am