May 5, 2024

The mountain of shit theory

Uriel Fanelli's blog in English


Injection of insecure habits.

When we talk about IT security and ask ourselves why so many systems are insecure and constantly plagued by attacks, we tend to lose sight of one fact: the website, or the system behind the APIs of your apps, is software. And as software it is written by programmers. Which programmers are, as so often happens today, completely ignorant of anything to do with networks or infrastructure in general. It's black magic to them.

This gets more complicated when it comes to writing secure software. If you ask a modern programmer, he will tell you that the software is secure if he writes "clientIPAddress" instead of "clientIpAddress", because it all comes down to the names of the variables, or any of the other irrelevant bullshit they spend their time arguing about. They literally have no idea what security is.

Let me give you an example: password managers.

I've been using a password manager for decades. It has evolved over time and I must say that I am really satisfied with the concept itself.

Why does a password manager make sense? The concept is simple: install the program on your computer, save all your passwords in a file that is unreadable unless you know a master password, and then, when you need to log in, a special plugin types the passwords into your browser for you.

This is convenient because:

  • the password manager interfaces with all browsers, so once you have saved a password you can use it with all of them. Obviously, if you used the browser's built-in password manager, the passwords would be saved in one browser only. Which may well be Google's. Uh… no.
  • back up one file, and you have backed up everything. Exporting the passwords from a browser's built-in password manager is a huge effort, and it is not always possible.
  • it allows a superhuman number of different passwords, of lengths literally impossible to remember. That is, very secure.

Now, if we wanted to increase the security of our systems, we would probably have to push the population to use some password manager. They exist for mobile too.

But here come the programmers. They decide that no, the site becomes more secure if every login page has its own URL, and if each page uses JavaScript to generate the login form, so that password managers no longer recognize the page.

If I ask them why they handled the login this way, they start with buzzwords, but in the end the real answer is "I found it on StackOverflow, and I have no idea what I'm doing, but it's idiomatic."

The trouble is that even if the site gains security against one attack, let's say a CVE known to a hundred hackers, by preventing the use of password managers it is making hundreds of thousands, or millions, of clients insecure.

The concept that must be clear, but is not, is that in the relationship between client and server it is useless to increase the security of the server AT THE EXPENSE OF THE INSECURITY OF THE CLIENTS.

And this is true for a simple reason: for each server there are thousands, if not millions (or billions, in the case of Facebook) of clients. Even a minimal loss of client-side security produces enormous global insecurity.

If we want to steal two million passwords from a global service, all we have to do is sweep up every user who has a weak password. Like this one:


"Juventus". Seriously?

Now, the usual idiots will tell me that a password policy is enough, and then "Juventus" will simply become "Juventus.36"!

And if you insist that such a policy is too weak, then the programmer will tell you that he doesn't store passwords in the clear anyway, and he even salts them! Which will stop the Insipid, but I'm not so sure about Anonymous. But our programmer is totally focused on the server, and who cares if he still lets someone steal accounts because they have a simple password? (a salted one, mind you).

Congratulations.

What am I trying to say? That the disproportion between the number of servers and the number of clients is so high that it makes no sense to focus on server security first: someone has to make sure that the client is not the problem.

Today it is necessary to inject good habits into service users. Like using a password manager.

Do you want a password policy that forces people to use a password manager? Good:

  • the password must be at least 48 characters long.
  • it must contain both uppercase and lowercase letters.
  • it must contain at least 5 different punctuation characters, none adjacent to another one.
  • it must contain at least 11 digits, none adjacent to another digit.

At this point you would force people to use a password manager, and you would have really increased the security of the system. Not on the server side, but on the client side.
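As an added example (not code from the original post), here is a Python checker for the four rules of the policy above, plus a generator that shows what a compliant password looks like, which is exactly the kind of string only a password manager will produce. Two readings are assumptions: rule 3 is taken to mean at least 5 distinct punctuation characters with no two punctuation characters adjacent, and rule 4 at least 11 digits with no two digits adjacent. The sample passwords fed to the checker at the bottom are the two named in the post.

```python
import secrets
import string

# Thresholds taken from the policy in the post.
MIN_LENGTH = 48
MIN_DISTINCT_PUNCT = 5
MIN_DIGITS = 11

PUNCT = set(string.punctuation)


def _adjacent(password: str, pred) -> bool:
    """True if two consecutive characters both satisfy pred."""
    return any(pred(a) and pred(b) for a, b in zip(password, password[1:]))


def check_policy(password: str) -> list[str]:
    """Return the rules the password violates; an empty list means it complies."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        failures.append("missing an uppercase or a lowercase letter")
    # Rule 3 (assumed reading): 5 distinct punctuation characters, none touching another.
    if len({c for c in password if c in PUNCT}) < MIN_DISTINCT_PUNCT:
        failures.append(f"fewer than {MIN_DISTINCT_PUNCT} distinct punctuation characters")
    if _adjacent(password, lambda c: c in PUNCT):
        failures.append("two punctuation characters are adjacent")
    # Rule 4 (assumed reading): 11 digits, none touching another.
    if sum(c.isdigit() for c in password) < MIN_DIGITS:
        failures.append(f"fewer than {MIN_DIGITS} digits")
    if _adjacent(password, str.isdigit):
        failures.append("two digits are adjacent")
    return failures


def generate_compliant_password(rng=None) -> str:
    """Build a password that satisfies check_policy, as a password manager would.

    Letters are laid out first; the digits and punctuation marks are then
    dropped into distinct gaps between letters, so no two of them can touch.
    """
    rng = rng or secrets.SystemRandom()
    n_letters = MIN_LENGTH - MIN_DIGITS - MIN_DISTINCT_PUNCT
    # Guarantee both cases, then fill the rest with random letters.
    letters = [rng.choice(string.ascii_uppercase), rng.choice(string.ascii_lowercase)]
    letters += [rng.choice(string.ascii_letters) for _ in range(n_letters - 2)]
    rng.shuffle(letters)
    specials = [rng.choice(string.digits) for _ in range(MIN_DIGITS)]
    specials += rng.sample(sorted(PUNCT), MIN_DISTINCT_PUNCT)  # distinct marks
    rng.shuffle(specials)
    # Gap i sits before letter i; gap n_letters sits after the last letter.
    gaps = set(rng.sample(range(n_letters + 1), len(specials)))
    out = []
    for i, letter in enumerate(letters):
        if i in gaps:
            out.append(specials.pop())
        out.append(letter)
    if n_letters in gaps:
        out.append(specials.pop())
    return "".join(out)


if __name__ == "__main__":
    # Constructed samples: the two passwords named in the post, plus a generated one.
    for pw in ("Juventus", "juventus.36", generate_compliant_password()):
        print(repr(pw), "->", check_policy(pw) or "compliant")
```

Run as a script it prints the violated rules for "Juventus" and "juventus.36" and "compliant" for the generated string; the generator's gap placement is deliberately stricter than the policy (no two non-letters ever touch), which keeps the construction simple and still satisfies every rule.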

The problem is that hardly any programmer works with the clients in mind. All they do (when they do anything) is inject good practices into the development of the server side of the system: but no precaution on the server side will stop 223375 Italians from using passwords such as "Juventus" or "juventus.36".


And here is the problem. People will NEVER use a password manager if they are not pushed to do so, and if websites continue to accept passwords like the ones above.


Today's websites not only fail to encourage password managers; they actively discourage them, because between custom login pages and JavaScript poured on like rain, password managers find it increasingly difficult to identify the login form.

So what?

I invite you to do one thing: NOT to use any site where the use of your password manager is not immediate.

It is definitely an insecure site, written by incompetent scoundrels, and sooner or later some hacker, after guessing a simple password, will escalate privileges and take all the passwords.

