When your CISSP isn’t enough

I had a job interview Monday. I have at least one observation from it–the things on my resume that impress recruiters don’t necessarily impress a good hiring manager. Not on their own, at least.

Let’s do some post-mortem.

Here’s something that seemed to work:

Analyzed password policy in light of emerging threats and made recommendations, including changes to password policy and use of smartcards and PKI

It worked, but I still had to speak to it. I probably had to speak to it for a good 10-15 minutes. I talked about algorithmic password guessing, and I cited the example of m0c.nideknil as a password that looks really good to password rule checkers, but is trivially easy to guess by a good algorithm. My interviewer understood the idea of algorithmic password guessing, but based on his reaction, it sounded like it wasn’t something he’d thought about, at least not recently. That’s good.

He followed up with some other questions. Some were easy and some were hard. One question he asked was whether an account lockout was sufficient: Don’t their passwords lock after three failed logins? And isn’t that enough?

I said not necessarily. It helps, but when lists of the 10 most popular passwords in specific environments exist, some percentage of accounts will fall when you just try the top three from the list.

Worse yet, do you know for certain that someone hasn’t grabbed your password database and isn’t brute-forcing it offline? You have to assume that if it hasn’t happened, it eventually will. And when you have the encrypted password database, you can guess as many times as you want, constrained only by the speed of your computer and the amount of time you’re willing to wait for a match. Password guessing has gotten much smarter over the last couple of years, but password requirements and strength checks have changed very little, if at all.

So that’s why I recommended smartcards as a solution to the problem.

Then he asked if smartcards could be exploited. I said theoretically, yes they can. Do I know of a specific instance? No. Do I believe that it’s happened? Yes. Yes, I believe it has. I won’t say where I think it’s happened, or who I think did it, or even when. So while I don’t believe smartcards are 100% secure, they are much better than passwords, and the rule of security isn’t that you make it impossible to get your data, only to make it too expensive. Smartcards are one way to make it a lot more expensive to get your data.

The CISSP gets you in the door to the interview, but the job goes to the guy who can spend 2-3 hours answering questions like that and hesitates the least while doing it.

If you found this post informative or helpful, please share it!