passwords - ReadWriteWeb (http://www.readwriteweb.com/feeds/tag/passwords) | Copyright 2012 Richard MacManus | feed generated Tue, 14 Feb 2012 16:29:00 -0800

[Video] An IT Security Guy Walks Into the Room...

The biggest geeks in all of technology work in IT security. Sorry front-end mobile developers, cloud gurus, data center managers and do-it-yourself robot builders. Enterprise IT security is run by geeks who love to play cat and mouse with a good botnet, argue over the merits of Blue Coat versus AnchorFree and have a panic button programmed on their highly encrypted smartphones that goes straight to Symantec's headquarters. These are the geek's geeks.

In honor of yesterday's Safer Internet Day, we present a tribute to the IT security folks that keep most of us running during the day and from drowning in a sea of spam and malware. We know the "$#!& people say" meme is a little played out, but we feel that's mostly because there have been some really mediocre entries into the genre recently. The video below is sure to leave you giggling if you belong to the geeky group of IT security experts. Check it out.

Passwords. Damn those passwords. Why do people always come up with generic, terrible passwords for really important documents and accounts? Passwords are an IT security guru's nightmare because many people use generic, easily cracked keys, or do something profoundly idiotic like keeping all their passwords on a sticky note next to their PCs.

A reminder to denizens of the Web: change your passwords at least twice a year, and immediately if a site you use reports a breach. Or, you might end up like these guys:

The team over at Gazzang, a company that specializes in data and application security for the cloud, sent over this video on "$#!& IT Security Guys Say." Knowing a lot about security professionals, this entry is spot on. Watch it below and let us know what you think in the comments.

http://www.readwriteweb.com/archives/video_an_it_security_guy_walks_into_the_room.php | Security | Wed, 08 Feb 2012 13:35:00 -0800 | Dan Rowinski
Why Google Hasn't Fixed Chrome's Password "Glitch"

Last May Geeks Are Sexy reported that anyone with access to your computer could access passwords stored in Google's Chrome browser with just a few mouse clicks. When the story inexplicably resurfaced in several Twitter posts this morning, it was time to call Google and find out why they hadn't fixed the perceived glitch.

The Geeks Are Sexy post showed how users could find the passwords Chrome has saved for websites that require a log-in: they are listed in the "Manage Passwords" section of the "Personal Stuff" tab under "Preferences". The passwords initially appear masked, but each can be revealed by selecting the account and clicking a "Show" button. The mask is only a display convenience; anyone already logged in to that operating-system account has the same access Chrome itself has to the stored passwords.

Google spokesperson Lily Lin was just as surprised as we were to see the issue popping up on Twitter today, and described it as an "age-old" issue that had created a philosophical divide between users who "want one master password" and Chrome developers who fear giving them such a feature will "give users a false sense of security."

Lin said developers had debated some sort of added layer of password protection but ultimately decided that doing so may make users complacent when it comes to protecting their passwords.


"Now please, people, calm down. I only posted this to point out a 'possible' security problem to those who were not aware of it," Geeks Are Sexy reported at the time. "Now let's all take a deep breath and see this post for what it is: a simple warning."

Lin went one step better.

"If someone gets access to your device, it's going to be easy for them to gain access to your passwords....we tell our users if this concerns them they just have to select 'never save passwords' and they will never have to worry about it," said Lin who, for the record, doesn't let Chrome store her passwords and logins.

http://www.readwriteweb.com/archives/why_google_hasnt_fixed_chromes_password_glitch.php | Google | Thu, 19 Jan 2012 13:30:00 -0800 | Dave Copeland
Mozilla Passwords Leaked, No Reason to Panic

A database containing 44,000 usernames and password hashes associated with accounts registered on the Mozilla add-ons website was accidentally made public, the organization and makers of the Firefox Web browser said on Monday. The partial database of user accounts was mistakenly left on a Mozilla public server, which would have allowed anyone to access the account usernames and the password hashes.

The good news? Says Mozilla: no one did. Well, no one except for the one security researcher who found them.


According to a post on the Mozilla security blog, a security researcher reported the issue via Mozilla's Web bounty program, a program that encourages external, non-employee security professionals to find and submit bugs to Mozilla. In return, Mozilla pays cash ($500 to $3,000 for valid bugs) for the submissions. Although Mozilla isn't saying, this is probably one of those $3,000 rewards.

This news comes on the heels of another high-profile password breach - the mid-December hacker attack on Gawker Media's servers, which ended up exposing the usernames and passwords of 1.3 million user accounts, created for commenting purposes on popular weblogs like Gawker, Gizmodo, LifeHacker, Kotaku, io9, Jezebel and others.

How Were the Passwords Protected?

Like Gawker's passwords, which were hashed with the old DES-based crypt(3) scheme (a method that, among other weaknesses, truncates passwords to eight characters), Mozilla's passwords in this instance were protected with MD5 hashes, another dated method. These passwords can be cracked, explains Chester Wisniewski on the Sophos security blog. "MD5 has cryptographic weaknesses that permit creation of the same hash from multiple strings," he says. "This permits security experts to compute all the possible hashes and determine either your password or another string that will work even if it is not your password." The more practical problem for password storage is that MD5 is fast: whoever holds the hashes can test enormous numbers of guesses per second offline, and if no per-user salt was applied, one cracked hash also exposes every other account that chose the same password.

Mozilla hasn't used MD5 since April 9, 2009 - it now uses SHA-512, a significantly stronger hash function. (Strength against collisions is not the whole story: a fast hash, even SHA-512, still lets an attacker guess at high speed, so what matters for stored passwords is a per-user salt and a deliberately slow, iterated function such as bcrypt or PBKDF2.) The database in question, however, housed older, inactive accounts using the MD5-hashed passwords.
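To make the difference concrete, here is an added example that is not from the article, Mozilla or Sophos: a constructed five-account "leak" of unsalted MD5 digests and a six-word dictionary, with a one-pass dictionary attack beside a salted, iterated PBKDF2-HMAC-SHA512 store. The usernames, digests and wordlist are constructed for illustration, and the iteration counts are illustrative rather than a recommendation.

```python
import hashlib
import hmac
import os

# Constructed sample "leak": usernames mapped to unsalted MD5 hex digests.
# These are not Mozilla's records. The digests are MD5 of common weak
# passwords, plus one of a passphrase that is not in the wordlist below.
LEAKED_MD5 = {
    "alice": "5f4dcc3b5aa765d61d8327deb882cf99",  # md5("password")
    "bob":   "e10adc3949ba59abbe56e057f20f883e",  # md5("123456")
    "carol": "5f4dcc3b5aa765d61d8327deb882cf99",  # same password as alice, so same hash
    "dave":  "0d107d09f5bbe40cade3de5c71e9e9b7",  # md5("letmein")
    "erin":  hashlib.md5(b"correct horse battery staple").hexdigest(),
}

# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = ["123456", "password", "qwerty", "letmein", "fido", "pink"]


def crack_unsalted_md5(leaked, wordlist):
    """Dictionary attack on unsalted MD5.

    One pass over the wordlist serves every account: each candidate is hashed
    once and looked up against all leaked digests, so accounts that share a
    password (alice and carol) fall together. Returns {user: password}.
    """
    table = {hashlib.md5(w.encode()).hexdigest(): w for w in wordlist}
    return {user: table[h] for user, h in leaked.items() if h in table}


def make_salted_record(password, salt=None, iterations=100_000):
    """Return (salt_hex, hash_hex) using salted, iterated PBKDF2-HMAC-SHA512."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per record
    digest = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return salt.hex(), digest.hex()


def verify_salted_record(password, salt_hex, hash_hex, iterations=100_000):
    """Re-derive with the stored salt and compare in constant time."""
    _, candidate = make_salted_record(password, bytes.fromhex(salt_hex), iterations)
    return hmac.compare_digest(candidate, hash_hex)


def crack_salted(records, wordlist, iterations=100_000):
    """The same dictionary attack against salted, iterated records.

    The precomputed table no longer helps: every user has a different salt, so
    each candidate must be re-derived per user, and each derivation costs
    `iterations` HMAC calls instead of one MD5 call.
    """
    found = {}
    for user, (salt_hex, hash_hex) in records.items():
        for w in wordlist:
            if verify_salted_record(w, salt_hex, hash_hex, iterations):
                found[user] = w
                break
    return found


if __name__ == "__main__":
    print("cracked from unsalted MD5:", crack_unsalted_md5(LEAKED_MD5, WORDLIST))
    records = {u: make_salted_record(p) for u, p in {"alice": "password", "carol": "password"}.items()}
    print("same password, different salted hashes:", records["alice"][1] != records["carol"][1])
    print("cracked from salted records (slowly):", crack_salted(records, WORDLIST))
```

The salted attack still recovers "password" for alice and carol; the point is cost, not impossibility. A weak password is weak under any hash, which is why the advice below to stop reusing it elsewhere still applies.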

What's Being Done

To address the issue, Mozilla says it erased all the MD5 passwords, effectively disabling the accounts.

Chris Lyon, Director of Infrastructure Security for Mozilla says "the issue posed minimal risk to users," because the only person, according to Mozilla's logs, who accessed the database was the security researcher who reported the problem. Lyon also reassured users that the incident did not impact any of Mozilla's infrastructure.

While the risk may be minimal, Wisniewski suggests that anyone contacted by Mozilla as having been one of the unfortunate users whose account information was exposed should make sure they are not using that same password at other websites, just in case. If so, change those passwords immediately. "If [Mozilla is] wrong or if the discloser is not trustworthy, your other accounts may be at risk," he says.

http://www.readwriteweb.com/archives/mozilla_passwords_leaked_no_reason_to_panic.php | News | Tue, 28 Dec 2010 07:04:46 -0800 | Sarah Perez
Bad News for OpenID: People Still Using Same Password Everywhere

A new survey from Gartner Research delivers some bad news regarding our online security practices: two-thirds of U.S. consumers use the same one or two passwords for all the websites they access. And they like it that way. Although people claim they're concerned about security, they still tend to use unsafe password management techniques rather than exploring new methods - be they new hardware, software, or new authentication frameworks like OpenID.

Always Use the Same Password? You're Not Alone

Gartner's survey of 4,000 U.S. adults in September 2008 once again demonstrated people's tendency to opt for convenience over security. It's a trend that has stayed fairly consistent over the years despite the fact that an increasing amount of activity occurs online these days thanks to the growth of cloud computing.

According to Gregg Kreizman, research director at Gartner, "most consumers want to continue managing their passwords the way they do now." But the way they do now is nothing to brag about. It generally consists of one or two passwords which the consumer uses on every website they encounter.

What should be done about this? According to Kreizman, online product and service vendors should redouble their marketing efforts to illustrate the advantages and practicality of routine and stronger authentication for consumers. Another analyst, Avivah Litan, also notes that "enterprises with consumer-facing websites that require stronger controls than weak password authentication alone should continue to augment passwords with complementary mechanisms, such as device identification, geolocation and transaction verification."

Elephant in the Room: Facebook Connect

While these findings are relatively unsurprising, the study highlights one of the top issues when it comes to security: the human factor. For most people, convenience is key, even if it means putting their security at risk. Consumers would rather rely on service providers to protect their safety than change their own age-old habits.

Yet the one thing the study didn't address is what impact Facebook Connect will have on the user authentication ecosystem. Unlike OpenID (new sign-in boxes notwithstanding), Facebook Connect makes sense to the user. People immediately understand what it means to sign in using their Facebook account. What's more, the process is easier and faster than creating a new username/password combination for the website in question. That should bode well for its adoption and acceptance among consumers.

In addition, Facebook Connect solves problems that go beyond the security issue alone. Sites implementing the technology can gain access to your friend lists, too - a boon for social networking-type sites and those wishing to become more social. There's also the great, untapped potential of how Facebook Connect could make the Internet a kinder, more transparent place. When people have to be identified - and are not anonymous - the chance they'll engage in "troll-like" behavior (leaving rude, disruptive comments) is reduced. It could also impact sites that rely heavily on user reviews. No longer could marketers, business owners, and content producers game the system by leaving glowing - yet fake - reviews which are then foisted on unsuspecting visitors.

For those reasons and more, Facebook Connect could very well become the next big authentication methodology on the web. Personal opinion aside, it's hard to ignore the potential of this social networking giant.

But while Facebook Connect may eventually solve the security issue of a commonly used username and password among consumers, it's important to realize that it will introduce security concerns of its own. If this technology becomes ubiquitous, we'll have to face the consequences of putting all the power of authentication into the hands of one private company, which many fear does not have our best interests at heart - especially when it comes to privacy. It also concentrates risk: a compromised Facebook account then unlocks every site connected to it, much as a reused password does today.

And that makes us think that perhaps a common, often-repeated password may not be such a bad thing after all. 

Image credits: key - Mirko Macari; iphone - Krynowek Eine [el Eine]

http://www.readwriteweb.com/archives/bad_news_for_openid_people_still_using_same_password_everywhere.php | Trends | Tue, 24 Feb 2009 05:50:40 -0800 | Sarah Perez
UsableLogin Gives You One Login For All The Web

As early adopters and technology enthusiasts, we're known for signing up for every new service presented to us. Due to the sheer number of web sites out there, most of us have devised a system for remembering all those passwords: we make them all the same. (Nod sheepishly if this is you). This system, although easy, is dangerously insecure. A hacker would only need to compromise your password once in order to gain access to all your accounts. But what alternatives do we have?

At this week's DEMO conference, I was introduced to two new ways to make authentication on the web more secure, and both of them are truly incredible. This post will look at one of those methods: UsableLogin.

About UsableLogin

UsableLogin is a new application from Usable Security Systems which allows you to choose one simple code word and use it to log into any web site. That codeword can be as simple as your dog's name ("fido") or your favorite color ("pink"). Why is this possible? Because the code word is just one layer of security - behind the scenes, the software creates another password for you for the actual web site. The password it creates is strong, complex, and highly secure, just as we know passwords should be.

How It Works

To use UsableLogin, you simply download the browser plugin. After you pick a background image and your easy-to-recall pass code, the login box will appear consistently across every web site you access, whether that's Facebook or your bank.

Web sites can also choose to support UsableLogin by putting a small bit of JavaScript code on their site.

Here's what UsableLogin sign-in boxes look like:

When you log in to a web site, UsableLogin cryptographically combines your simple code word with secret data pulled from separate sources: your computer and Usable Security's servers. This data is combined to create a secure verifier which is used as your complex password. Your code word is never stored and web sites never see it.

UsableLogin can be used on any web site that accepts passwords. It will also work on any operating system and browser.
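The paragraph above describes the shape of the scheme without the details, so here is an added sketch of how such a derivation can work. It is written for this page and is not UsableLogin's or Usable Security Systems' own algorithm or code: the choice of HMAC-SHA256, the password alphabet, the 20-character length and the sample secrets are all assumptions. It also shows the failure mode the dashboard's "deauthorize this computer" feature exists for: once both secrets are stolen, the only unknown left is the short code word.

```python
import hashlib
import hmac
import string

# Assumed password alphabet and length for the derived, site-specific password.
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@_"
PASSWORD_LENGTH = 20


def derive_site_password(code_word, device_secret, server_secret, site):
    """Deterministically derive the password actually submitted to `site`.

    The HMAC key is built from the two high-entropy secrets (one held on the
    authorized computer, one by the service), so the code word alone gives an
    attacker nothing. The site name goes into the message, so every site gets
    a different password even though the user types the same code word.
    Hypothetical construction; HMAC-SHA256 is an assumption.
    """
    key = hashlib.sha256(b"device:" + device_secret + b"|server:" + server_secret).digest()
    msg = code_word.encode("utf-8") + b"\x00" + site.lower().encode("utf-8")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    # Map digest bytes onto the alphabet. 256 is not a multiple of the alphabet
    # size, so this is slightly biased; fine for a sketch, not for production.
    return "".join(PASSWORD_ALPHABET[b % len(PASSWORD_ALPHABET)]
                   for b in digest[:PASSWORD_LENGTH])


def guess_code_word(site_password, device_secret, server_secret, site, candidates):
    """What an attacker can do once BOTH secrets are stolen.

    With the device and server secrets in hand, the derivation is fully known
    and the short code word is the only unknown, so a small dictionary of pet
    names and colours is enough. Returns the recovered code word or None.
    """
    for word in candidates:
        derived = derive_site_password(word, device_secret, server_secret, site)
        if hmac.compare_digest(derived, site_password):
            return word
    return None


if __name__ == "__main__":
    device = b"\x11" * 32   # constructed; a real client would use os.urandom(32)
    server = b"\x22" * 32   # constructed; would come from the service, per account
    for site in ("facebook.com", "mybank.example"):
        print(site, derive_site_password("fido", device, server, site))
    target = derive_site_password("fido", device, server, "facebook.com")
    print("with both secrets, code word recovered:",
          guess_code_word(target, device, server, "facebook.com", ["pink", "rex", "fido"]))
```

The second function is the caveat a practitioner would want: the simple code word is safe only while at least one of the two secrets stays secret, which is why revoking a lost laptop from the dashboard matters more than the code word's strength.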

UsableLogin on Gmail

The Usable Login Dashboard

From the UsableLogin homepage, you can manage all your accounts and view your history - when you last logged on and from which computer. You can also authorize and deauthorize computers from this dashboard, so for example, if your laptop was lost or stolen, you could make sure that no one who got a hold of it could log in to your accounts.

Security Made Easy

Ask any I.T. professional about "multi-factor authentication" and they'll tell you how much more secure it is against attacks. Think of it this way: on your front door you have a doorknob with a lock, and that's the extent of the protection you have today. Add a deadbolt, and even if the knob lock is easy to pick, the second, different lock makes it much harder to get into your house. That's multi-factor authentication: the factors are of different kinds, here something you know (the code word) and something you have (an authorized computer), so picking one does not hand over the other. (OK, it's actually much more complicated than that, but that's the easiest way I could think to explain it.)

If you want to learn more about UsableLogin, you can watch their entire presentation from DEMO08 here:

UsableLogin will become available in early 2009. You can sign up on their homepage to be notified when it's released.

http://www.readwriteweb.com/archives/usablelogin_gives_you_one_login_for_the_web.php | Product Reviews | Fri, 12 Sep 2008 07:00:00 -0800 | Sarah Perez