
InfoSec Insanity: Sharing the Crazy for the Betterment of Online Security


I was getting a little fed up with the craziness I kept seeing on the web when it comes to security, so I created this:


That’s right, a great big freakin’ padlock in a straitjacket. Or, more to the point, I created the Twitter account @InfoSecInsanity.

So what exactly is InfoSec Insanity? Well, let’s take this example from the weekend on restricting passwords, which was the catalyst for creating the account:

@tombuildsstuff Our systems are limited on length & ranges to ensure a smooth experience. We have multiple controls in place to protect data

Oh, so when O2 decided to stop you from putting in a nice strong, random password it was for your own good! Well I’m glad we cleared that up.

Here’s another favourite, this time from British Gas earlier this year. Concerned about the lack of ability to paste in creds from a password manager, a concerned Twitterer mentioned this and got an, uh, “awesome” response:

@passy We'd lose our security certificate if we allowed pasting. It could leave us open to a "brute force" attack. Thanks ^Steve

Now I don’t know what Steveo was smoking here, but I’m guessing it wasn’t legal.

Nutty tweets are one thing and by all means, they’re exactly the sort of thing I’m going to be sharing from this account, but let’s not stop there. One of my recent favourites was this post I wrote about Stack Overflow answers to the question of password encryption. The first earnest respondent to the (now deleted) question shared many lines of code that carefully demonstrated how to use Base64: no, not to encode the resultant cipher, but as the only means of credential obfuscation. Two others chimed in with basic character rotation schemes: take “a” and replace it with “f”, then take “b” and replace it with “g”, and so on and so forth.
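To make the point concrete, here is an added example (not code from the post or from those Stack Overflow answers) that reconstructs the two “obfuscation” schemes described above as assumptions, shows that anyone holding the stored value recovers the password without any secret, and contrasts them with a salted, slow one-way hash, which is what credential storage should look like:

```python
import base64
import hashlib
import hmac
import os

# Assumed reconstruction of the two schemes the post describes (the post quotes
# no code): plain Base64, and a fixed rotation where "a" -> "f", "b" -> "g", ...

def base64_obfuscate(password: str) -> str:
    return base64.b64encode(password.encode()).decode()

def rot_obfuscate(password: str, shift: int = 5) -> str:
    out = []
    for ch in password:
        if "a" <= ch <= "z":
            out.append(chr((ord(ch) - ord("a") + shift) % 26 + ord("a")))
        elif "A" <= ch <= "Z":
            out.append(chr((ord(ch) - ord("A") + shift) % 26 + ord("A")))
        else:
            out.append(ch)  # digits and symbols pass through unchanged
    return "".join(out)

# Both are encodings, not protection: reversing them needs no key at all,
# so a leaked database hands over every password as-is.
def recover_from_base64(stored: str) -> str:
    return base64.b64decode(stored).decode()

def recover_from_rot(stored: str, shift: int = 5) -> str:
    return rot_obfuscate(stored, 26 - shift)

# The defensible alternative: a per-user random salt and a deliberately slow
# one-way derivation (PBKDF2-HMAC-SHA256 from the standard library). Nothing
# stored lets you get the password back; you can only check a candidate.
def hash_password(password: str, salt: bytes = b"", iterations: int = 600_000):
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, digest

def verify_password(password: str, salt: bytes, digest: bytes,
                    iterations: int = 600_000) -> bool:
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # constant-time comparison so verification timing leaks nothing about the digest
    return hmac.compare_digest(candidate, digest)
```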

So here’s the “call to arms” as it were:

Tweet links to crazy security approaches or nut job responses by social media accounts and I’ll get @InfoSecInsanity to give them a shout-out. Mention @troyhunt or @InfoSecInsanity with a link to the page or tweet and it’ll earn a spot on the timeline.

Let’s avoid the “These guys just emailed my password” or “Those guys won’t let me use quotes in my password” kind of stuff because, as dumb as it is, we’d be here all day and flood the timeline with them. I’m really interested in the stuff that genuinely makes us go “WTF, are you serious?!?!”. It’ll keep it more interesting for followers.

Last thing is a quick “hat tip” to Plain Text Offenders and the recently launched HTTP Shaming. Both these sites do a great job of calling out infosec insanity in their respective areas (sites emailing credentials and those not implementing a secure transport layer where required). The “naming and shaming” they encourage goes some way to holding sites exercising dodgy practices to account and they’ve provided inspiration for InfoSec Insanity.



Published at DZone with permission of Troy Hunt, DZone MVB. See the original article here.
