On Friday the 20th of September, the renowned Data Breach Expert Troy Hunt was once again doing a talk at Microsoft’s Danish offices in Lyngby, just outside Copenhagen. The talk was done as a collaboration between the NDC conference and Microsoft.
A large number of the people who were there that day had previously seen Hunt at other conferences or similar talks. When asked why they wanted to hear his talk once again, a participant said: “He is like a comedian for programmers”. He went on, saying “He talks about important and heavy stuff, but in a fun and uplifting way”.
Rise of the Breaches
The talk was called "Rise of the Breaches", an appropriate subject at a time when it has become the norm for apps and web pages to collect data on their users and consumers. In a statement released before the event, Hunt writes:
“A combination of more systems, more people, more devices and more ways than ever of producing and publishing data stack the odds in favour of attackers breaching more systems than ever.”
Security and Passwords
When dealing with security and preventing data breaches, the process starts with understanding people and how people think, Hunt explained.
“It’s the humans who are trying to get around the technology, to get around creating the password” Hunt said and the auditorium laughed.
Talking about the predictability of how humans create their passwords, which is what gives attackers the advantage when guessing them, Hunt said: “humans will always choose the path of least resistance”.
Hunt encouraged the audience of programmers to think differently than the examples he pulled forth from large corporations. He showcased numerous examples of what typically went wrong and emphasised the importance of not setting the usual criteria for a user creating a password.
Character requirements, in his words, “are flat out stupid”. When programming password criteria, it is better not to require things such as at least one capitalised letter, a symbol and a number.
Making the process too complex has an unintended effect: users re-use the same passwords across a number of platforms.
“When you force people to change their passwords and they end up taking shortcuts” Hunt explained.
To counter this behaviour by the users, Hunt encouraged the developers to drop those restrictions. This would allow users to start using “passphrases”. These are sets of random words put together in a sentence and then used as a password.
Troy Hunt is an Australian Microsoft Regional Director and has been a Microsoft MVP for Developer Security since 2011. He is a Pluralsight author of many top-rated courses on web security and is known for his work on Have I Been Pwned?, a free service that aggregates data breaches and helps people establish whether they have been affected by malicious activity on the web.