Argumentum ad antiquitatem

This post is not in Latin, but essentially a call to the Information Security industry to end policies based upon argumentum ad antiquitatem, which includes:

  • Password change, complexity and length policies and standards that simply don’t make sense in the light of research and tools that show that we can crack ALL passwords in a reasonable time. It’s time to move on to two factor authentication, alternatives such as OAuth2 (i.e. Facebook/Twitter/G+ integration) or Mozilla Account Manager, and random long passphrases for all accounts.
  • “Security” shared knowledge questions and answers. These are commonly used to “prove” that you have sufficient evidence of identity to resume access to an account. We see these actively exploited continuously now. Unfortunately, most familiies including ex-spouses have sufficient knowledge of the identity and access to the person’s identity documents that such questions, no matter how phrased (like “What was your favorite childhood memory”), are simply unsafe at any speed as more than ONE person knows or can guess the correct answer.
  • That requiring authentication is enough to eliminate risks in your application. Identity and access management is important, but it’s only part of the picture.
  • That enforcing SSL or access through a firewall is enough to eliminate risks in your application. Confidentiality and integrity of connection is vital, especially if you’re not doing it today, but it’s only part of the picture.
  • That obfuscation is enough to deter hackers. Client side code is so beguiling and the UX is often amazing, but it’s not safe. Business decisions must be enforced at a trusted location, and there’s little business reason to do this twice. So let’s get that balance right.

What are some of your pet “argumentum ad antiquitatem” fallacies?

One thought on “Argumentum ad antiquitatem”

  1. Requiring authentication is most certainly not enough. I’ve gained administrator on many Intranet portals just by using the administrator account (i.e. Administrator or admin) or the administrator’s email (usually identified somewhere, such as in Sharepoint or Jigsaw, or on the portal itself). It usually takes about 10-15 minutes on a LAN using Fireforce and rockyou-75.txt

    Authentication systems are also usually vulnerable in many of the ways you alluded to. I’ve used Burp and other proxies to compare different states that lead to different responses, which led to a compromise of the entire authentication, such as full username and password enumeration.

    What I’d like to see is more anti-automation, especially ones turned on during prod and ones available alongside no-anti-automation during test. I really appreciated the Roboo FOSS package, which does require the FOSS nginx web server.

    Good logging and monitoring as well as instrumentation potentials inside the app architecture (with a single architecture) is perhaps the most important.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>