What the XKCD passwords comic teaches us about security as a whole
Passwords are the first aspect of computer security we think about (and for plenty of people, the only one). They are the first approach for most of us in cybersecurity: our first CTF challenges, brute force attacks on wifi connections, cryptography lessons about hash validations and more — they all revolve around them.
Nevertheless, there are still a few high-impact lessons they can teach us. They are also the easiest ones to learn and apply.
The highest impact node
As a security measure, passwords are extremely efficient. For users, they are almost trivial to generate, and make a huge difference: there is no comparison between a password-protected system and a system with no protection at all. We could think of passwords as high-impact nodes in security systems, in the sense that they increase security at a much higher rate than the effort they take to use.
Security always has a cost, not only moneywise. It demands attention and time. It brings friction to processes that would run much smoother without it. For organizations, the benefit of security is the relationship between how much it costs and how much it saves.
Passwords are the paradigm of what security advances should look like: measures that maximize benefits at minimal costs.
How can we find them?
Once an organization has reached a certain maturity level in security, high impact nodes get harder to find. But that’s just how it works — the highest impact node usually lies in our blind spots.
There’s a principle behind this: if a chain is no stronger than its weakest link, then that’s the link to strengthen if we want a stronger chain.
In cybersecurity, the blind spots are everything that happens outside computers. Phishing, vishing and human errors are great examples: one third of attacks and data breaches have much more to do with well-rehearsed phone calls than with computer experts.
Even if security teams and experts don’t usually fall for such attacks, there’s still a side of security that’s not always acknowledged. To illustrate it, passwords come in handy again (and as usual, there’s a relevant XKCD comic to illustrate the point):
Let’s analyze the underlying idea:
- There’s a strictly computer-side aspect of password safety: Shannon’s entropy. What does this mean? That brute force attacks take an infeasible amount of time if passwords are long and unpredictable.
- Computer systems usually have a requirement based on the computer aspect of password safety: to increase unpredictability, passwords should include uppercase and lowercase letters, punctuation symbols and numbers.
- There’s a blind spot on the human side of the system: passwords made of random symbols might be the most unpredictable, but they are also the hardest to remember.
- This blind spot causes a weakness: hard-to-remember passwords must be written down somewhere, and they tend to make users “recycle” the same password across more than one account.
- Finally, a solution emerges from an integral understanding of the problem:
  - The computer science side (specifically, combinatorics and Shannon’s entropy) shows that an increase in the number of characters increases unpredictability at an even higher rate than the introduction of punctuation and unusual symbols.
  - Psychology shows that remembering four random words is at least as easy as remembering four random symbols, which makes the former much more memory-efficient in the search for password entropy.
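The entropy argument above, worked through in code. This is an added example, not code from the original post: it computes the bits of entropy of a password drawn uniformly from a pool (length × log2(pool size)), compares a symbol-heavy 8-character password with a longer lowercase-only one and with a four-word passphrase, and generates a passphrase with a CSPRNG. The 2048-word list size is the comic’s assumption; the tiny word list and the 1000 guesses/second rate are constructed for illustration.

```python
import math
import secrets

# Pool sizes assumed for the comparison (constructed, not from the post).
PRINTABLE_ASCII = 95          # upper + lower + digits + punctuation
LOWERCASE = 26
XKCD_WORDLIST_SIZE = 2048     # the word-list size the comic assumes

# Constructed stand-in for a real word list; only the list length matters
# for entropy, so a real list would be 2048 or 7776 words long.
SAMPLE_WORDS = ["correct", "horse", "battery", "staple",
                "river", "candle", "window", "pepper"]


def entropy_bits(pool_size: int, length: int) -> float:
    """Shannon entropy of a uniformly random choice of `length` items
    from `pool_size` possibilities: length * log2(pool_size)."""
    return length * math.log2(pool_size)


def years_to_brute_force(bits: float, guesses_per_second: float) -> float:
    """Expected years to hit the password when, on average, half the
    keyspace must be searched at the given online/offline guess rate."""
    expected_guesses = 2 ** bits / 2
    return expected_guesses / guesses_per_second / (365 * 24 * 3600)


def generate_passphrase(words: list[str], count: int = 4) -> str:
    """Pick `count` words with `secrets` (a CSPRNG); `random.choice` is
    predictable and must not be used for credentials."""
    return " ".join(secrets.choice(words) for _ in range(count))


def compare() -> dict[str, float]:
    """Entropy of three password styles; longer-but-simpler beats
    shorter-but-symbol-heavy, which is the comic's point."""
    return {
        "8 chars, full ASCII": entropy_bits(PRINTABLE_ASCII, 8),   # ~52.6
        "12 chars, lowercase": entropy_bits(LOWERCASE, 12),        # ~56.4
        "4 words, 2048-word list": entropy_bits(XKCD_WORDLIST_SIZE, 4),  # 44.0
    }


if __name__ == "__main__":
    for style, bits in compare().items():
        print(f"{style:25s} {bits:5.1f} bits, "
              f"~{years_to_brute_force(bits, 1000):.0f} years at 1000 guesses/s")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDS))
```

Note that the figures assume a uniformly random choice: a human-chosen “Tr0ub4dor&3” pattern has far fewer effective bits than its character pool suggests, which is why uniform generation matters as much as length.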
This is a great example of how cybersecurity should work. The high impact node was found by an integral understanding of the problem: protection not only took into account the computer side, but also understood the protected system (the person) and was able to adapt to its needs.
Understanding the costs and benefits of cybersecurity for protected systems is the key to designing stronger strategies. Sometimes, the best answer is not to find new defenses, but to reduce the cost and friction of existing protection.
High impact nodes in our industry
Some of the highest impact nodes in security right now lie precisely in optimizing existing protection, either by reducing the friction between security and regular business, reducing security costs or maximizing the impact of strategies.
- Vulnerability Management: Fixing every vulnerability at any cost is ineffective and impossible. The task of prioritizing solutions is a key aspect of effective security.
- DevSecOps: Introducing security to software development iterations reduces the friction between security and development. It avoids the dilemma between deploying an insecure product or postponing the launch because a now-hard-to-fix security bug has been found after testing.
- Orchestrating tools: A high visibility of your attack surface is key to making security agile and reducing reaction time. However, the number of scanners and security tools available in the market is overwhelming, to the point that some teams end up sacrificing coverage for simplicity. Platforms such as Faraday help us make sense of different tools, integrate them, and adapt them to the needs of each organization.
- Automation: Security experts’ time is costly and extremely valuable. Every activity they carry out that can be automated has a high security impact (even if it is not strictly security related, such as building reports).
- Risk-based analysis: Getting to know your team’s capabilities and the expected economic impact of your vulnerabilities is a crucial aspect of designing an optimal security strategy. Since the key in security is efficiency, bringing the economic aspects of security into the scope of analysis is the way to go.
Passwords are ubiquitous and efficient. They have been with us since long before computers existed, and (who knows) they might even outlive them.
They teach us a deep truth: the best computer security can only be achieved if we also look outside of computers and into the workings of the systems we protect. Only then will high impact nodes be revealed, and efficient security accomplished.