Years ago I was discussing password security with a good friend at work and at one point we disagreed on some aspect of password security. He asserted that in one sense the password did not really matter as it is so easy to get someone’s password. He stated he could get one of my passwords if he really wanted it. I thought to myself “no way”. I don’t click on email attachments, I’m wary about what I download, and I consider myself careful about not doing stupid stuff.
Later in the day, after having forgotten about the challenge, I was in my friend’s office and he said he was having trouble logging in to our Oracle database. He tried a few times and his login was not working. He asked if I could try my logon, so I tried typing in my user name and password and it worked. He tried again and his worked, no harm no foul ;-) I sat back at my desk and an email was in my inbox with my password! :-)
I immediately realized he had gotten it when I typed it in on his machine. It turns out he used a Visual Studio program called Spy++ to monitor Windows messages. So he captured the Windows keystroke messages and easily logged my password keystrokes.
Ever since then I have been interested in computer security, or really the lack thereof! If someone has physical access to a machine, then whatever anyone types on that machine cannot be considered secure, especially if you are dealing with a coder. There is no security when there is familiarity between the parties. You are left to trust and decency with those you know.
As a developer I believe you should think about how to hack computer systems in order to think about how to secure them. It is one of the mindsets you should have when coding. I’m not the type of person who would do any type of hacking, but if you are oblivious to what can be done, you are more likely to make mistakes when designing computer software that open you up to standard hacking attacks.
Ever since my password was obtained so quickly and easily, whenever I type my password I always think, “Someone just hacked my password” :-)
© Copyright 2011, Nathan Fox