Wednesday, November 04, 2015

You shouldn’t buy passwords from an 11 year old

Here at IT Security Thing we are on a mission to inform, educate and engage. That’s why we exist, that’s why we supported Security Serious week and made a free A-Z of data protection tips available for download, and that’s why we cannot get fully behind 11-year-old Mira Modi, who is selling ‘secure’ passwords from her bedroom in New York City.

Now you might think that Mira is the very epitome of secure thinking, given that she uses the diceware technique: rolling physical dice to pick random words from a list and stringing them together into a long passphrase that is genuinely hard to guess. She certainly fulfils two of the three principles by which IT Security Thing operates, namely inform and engage. The sheer amount of media attention generated by her story, in which she charges $2 to generate a ‘secure’ password and post it out to customers via her Diceware Passwords website, has guaranteed that people who might otherwise never have realised the importance of a longer and stronger password have at least been exposed to the concept. There is also no doubting that Mira has ticked the ‘engage’ box, since most of the published reports also cover the diceware technique itself and so explain how a stronger password can be constructed without being a crypto-nerd.

The trouble is that neither of these meets our definition of ‘educate’ in this particular instance, simply because the system being used does not make good security sense. A password is only secure while you are the only person who knows it. One that somebody else has generated, written down and sent through the post has, by definition, been known to at least one other person before it ever reaches you, and has spent its journey in an envelope that you did not control.

We admit, hands up, that having to pull Mira up on this doesn’t make us feel good. On the other hand, we do feel duty bound to skip past the media hype and cut to the point of the story, which is making things secure. Not just more secure than they were before, but truly secure, which is a different thing from the ‘super secure’ passwords she has spoken about. This, sadly, is where Mira has failed to deliver.
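To show what the diceware technique actually involves, and why there is no need to buy the result from anyone, here is an added Python example. It is not code from this article, from the Diceware project or from Mira’s site. It maps a string of dice faces to a list index the way the printed Diceware lookup table does, uses the operating system’s CSPRNG (`secrets`) as a stand-in for physical dice, and works out how many bits of entropy the resulting passphrase has. The 36-word two-dice list and the function names are constructed for the example; the real Diceware list has 6^5 = 7776 words keyed by five dice, and the same code handles it because only the key length changes.

```python
import math
import secrets

# Constructed two-dice stand-in list (6**2 = 36 entries) so the block runs
# offline. The real Diceware list has 6**5 = 7776 words keyed by five dice
# faces ("11111".."66666"); this list is NOT the real one.
MINI_WORDLIST = [
    "acid", "amber", "apple", "arrow", "badge", "baker",
    "basil", "beach", "birch", "blaze", "bloom", "brick",
    "cabin", "candy", "cedar", "chalk", "cider", "cliff",
    "cloud", "coral", "crane", "daisy", "delta", "dough",
    "eagle", "ember", "fable", "ferry", "flame", "frost",
    "giant", "glove", "grape", "harbor", "hazel", "honey",
]


def dice_for(list_size: int) -> int:
    """Number of dice needed to index a list of exactly 6**k words.

    Diceware only works with a list size that is a power of six; any other
    size could not be indexed uniformly by dice rolls, so reject it.
    """
    k = round(math.log(list_size, 6))
    if 6 ** k != list_size:
        raise ValueError("a Diceware list must have 6**k entries")
    return k


def rolls_to_index(rolls: str) -> int:
    """Map a dice key such as '31526' (faces 1-6) to a 0-based list index.

    Each die face is a base-6 digit offset by one, so '11111' -> 0 and
    '66666' -> 7775 on the full five-dice list.
    """
    if not rolls or any(c not in "123456" for c in rolls):
        raise ValueError("a Diceware key is one or more dice faces 1-6")
    index = 0
    for c in rolls:
        index = index * 6 + (int(c) - 1)
    return index


def roll_dice(n: int) -> str:
    """Roll n fair dice using the OS CSPRNG.

    secrets.randbelow() is used rather than random.random(): the latter is
    a Mersenne Twister and is not suitable for generating secrets.
    """
    return "".join(str(secrets.randbelow(6) + 1) for _ in range(n))


def entropy_bits(list_size: int, n_words: int) -> float:
    """Entropy of an n-word passphrase drawn uniformly from list_size words.

    For the real 7776-word list that is about 12.9 bits per word, so a
    six-word passphrase carries roughly 77.5 bits.
    """
    return n_words * math.log2(list_size)


def generate_passphrase(wordlist, n_words: int = 6, sep: str = " ") -> str:
    """Generate a Diceware-style passphrase locally.

    Because the rolls happen on this machine and the words are never
    written down or sent anywhere, nobody but the user ever sees it.
    """
    k = dice_for(len(wordlist))
    return sep.join(wordlist[rolls_to_index(roll_dice(k))] for _ in range(n_words))


if __name__ == "__main__":
    phrase = generate_passphrase(MINI_WORDLIST, n_words=6)
    print(phrase)
    print(f"{entropy_bits(len(MINI_WORDLIST), 6):.1f} bits on the 36-word demo list")
    print(f"{entropy_bits(6 ** 5, 6):.1f} bits on the full 7776-word list")
```

Run against a real 7776-word list loaded from disk, `generate_passphrase` produces the same kind of six-word passphrase Mira sells, with the difference that the rolls never leave your own machine. The entropy figures are the point to take away: the strength comes from the list size and the number of words, not from who rolled the dice.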