When I was interviewed a week and a half ago by a reporter from the New York Times about the Rockyou hack, I honestly never expected for it to end up on the front page of the newspaper, but there you go. As a friend mentioned though, it doesn't really count since it's below the fold ;)
While I'm ecstatic about being quoted, there are a few things I wish could have been changed. Just saying that makes me feel like the guy who won the million dollar lottery, but is annoyed that he didn't get the 10 million jackpot. That being said, I have a blog, and this is the internet so I might as well complain away ;) First of all, I feel the need to explain my quote. Here is an excerpt from my conversation with the reporter:
Matt's Brain: "Don't say anything stupid. Don't say anything stupid. Don't say anything stupid..."
Reporter: "I take it this is the largest password list ever stolen right?"
Me: "Well, it's the largest one ever publicly disclosed. There's been a lot of larger or similar sized databreaches in the past."
Reporter: "But this is like the mother load for you guys?"
Me: "Yes this was the mother load.'
Matt's Brain: "Doh!!! I hope he doesn't use that..."
I'm sure the reason I wasn't quoted further is because A) I'm just a college student, B) I tend to be a bit overly verbose as you may have noticed... and C) What I was saying didn't fit into the narrative he was trying to tell.
I completely agree with the reporter on part A, and B. If you have a choice of quoting the CTO of a security company or a college student, you go with the CTO. My suspicions about Part C requires further explanation.
Throughout the entire interview the reporter tried multiple times to get me to criticize users for picking weak passwords. I refused to do that because quite honestly I don't blame the users. This may be a little controversial, but for a majority of users and a majority of accounts, password strength does not matter. Let's be honest: while everyone loves to talk about online attacks, (where the attacker is trying to guess the user's password to gain access to their account), online attacks generally are too expensive, (from a time/resources perspective), to perform on all but the most valuable accounts. Online attacks are something you have to worry about if you are well known, it is a corporate account, or you hosting a publicly available server, (for the last example, one of my old co-workers got 0wned by it), but the average user doesn't have to worry about that. Phishing attacks and malware/keystroke loggers are much more prevalent threats, and the reason they are is because they can be highly automated by the attacker, (aka cheap), and they don't depend on the user picking a weak password. Aka, I could have a 50 character passphrase, but if my computer is infected by the zeusbot and is recording all my keystrokes, it doesn't matter.
Likewise, this Rockyou list shows another reason why we shouldn't blame the users. The list was all in plaintext. I don't have to crack anything. This gets to the heart of my argument. I'm not saying everyone should start using '123456' as their password. What I am saying is that the security of the system is much more dependent on the user recognizing other threats, (such as that fake security e-mail asking them to re-verify all their info), and for sites to practice better security, (hashing the lists with a salt, having a password blacklist, limiting online guesses, etc). We tend as a security community to get caught up on the fact that users pick bad passwords. What we need to do as a community is to move on and say what are we going to do about that.
At the end of the interview the reporter asked if I had anything else to say, which I responded, "If there is anything people should know, it is the importance to have at least two passwords. You can't expect people to remember a different password for every site, but this Rockyou hack demonstrates, you should use a different password for your bank/webmail vs. the password you use on facebook and other social networking sites." I'm happy the reporter phrased this much better and included it in the article. That's also the reason why only the passwords, (and not the e-mail addresses), were publicly disclosed. The passwords by themselves are not that valuable to an attacker. The passwords + e-mail address are since they allow an attacker to quickly compromise many more accounts. I'm not just making this up. In the original forum postings the attacker essentially said, "These passwords are free, but if you want the e-mail address you'll have to pay me a lot of money."
Considering my writeup is longer than the entire NYT's article, once again I'm not surprised I wasn't quoted more ;) If you disagree with me please let me let me know since as my last post pointed out, I certainly can be wrong.
One last thing. I've been getting a whole lot of e-mails from people asking me to send them a copy of the Rockyou list. Please don't take this personally, but I can't determine from an e-mail if you are a legitimate white-hat security researcher or a script-kiddie, (ok some are fairly easy to pick out as script-kiddies, but identifying the good guys is much harder to do). The answer is almost certainly going to be no.