Repetitive nature of problems

Working in the Information Security industry, I follow as much information as I can on the attacks and vulnerabilities that occur in our industry. Sometimes these attacks are the result of a new or unique attack on a product or technology. However, this is usually not the case. We see the same vulnerabilities, and the same basic attacks, utilized over and over again.

At some point, we as an industry have to get tired of solving the same problems. We often suggest the same solutions to these problems, even though they don’t fix anything. I’m not saying they don’t fix the specific problem, but they do nothing to address the entire category of problems.

For example, in 2008 Bruce Schneier wrote an article published in The Guardian entitled “Passwords are not broken, but how we choose them sure is.”
https://www.theguardian.com/technology/2008/nov/13/internet-passwords

In that article, he explains that the most common password used to be “password”, but once many websites began requiring at least one number in the password, the most common password became “password1”. This was joined by other gems like “123456” and “qwerty”. In 2016, it was reported that the most common passwords were “123456”, “password”, and “12345678”. Of particular note was that “123456” was the top password for the fifth year in a row.

When I go to a website, I am amazed at the lack of standardization for password selection. It seems that each developer, operating as an amateur information security professional, has chosen what they believe might make the most successful password policy. Users, unable to remember passwords, end up picking poor passwords and reusing them rather than picking a unique password for every website. Remembering a unique password for every website is, of course, fundamentally impossible without some form of a password database to work from.

This system is guaranteed to produce continued failures. I’m glad we don’t allow cars, airplanes, electronics, or buildings to be produced like this. Imagine if each engineer got to experiment with what they thought made the best fire suppression system, or the right thickness for a seatbelt. Until we change how our industry operates, it really isn’t that surprising that we will continue to have problems.