Past The Password Book

In my recent time off from pen-testing and sneaking into places, I got the chance to watch a short behind-the-scenes glimpse of the engineering that went into the James Webb Space Telescope. The 30-minute video shows just how far humanity has come; this one device is the culmination of decades of development and ingenuity. Thousands of people worked towards a single dedicated goal: getting a telescope to the Lagrange point – wherever that even is!

What if our industry could agree on a simple direction and work together to get somewhere like this? The world would be better off. Work would feel more like building a high tower, brick by brick, advancing on the previous hard work and the lessons learnt from our forefathers. Standing on the shoulders of giants, we could work across different nations. Our greatest minds could contribute to a single goal. Collectively we could do something as impressive as the new telescope. Maybe we could solve safe communication, create identity devices that are infallible, or create a unified bank of knowledge.

The above was a thought I pondered after that short video. Then, as I picked up my phone and flicked to Twitter to pass a few minutes, reality hit me.

“Password managers are a thing. We don’t have to use a book.”

“They have a place.”

Oh no, not again. What year is this?! Who are these people? Please make it stop. The idea for this post came from that very moment of doom, from internally debating why we feel the need to churn the same dull thoughts through our heads continually. The squabbling on Twitter could be a form of the scientific process, like in the scientific community, where scientists' claims are debated and challenged in the name of science. But it isn’t.

The password book versus password manager argument is one that comes around every few years, along with the responsible disclosure debate, whether hacking tools should be open source, and a handful of other boring discussions that I am truly sick of hearing about. They do little to advance us. If the goal of our industry is to keep data safe, and data is secured with passwords, and we haven’t even agreed on where we should store those passwords – we are cavemen. Compared to the engineering teams at NASA, who would have tested several options and reached consensus on the best course of action, we simply aren’t doing enough to look at the more significant issues, and instead confine our debate to such trivial things.

We need to look past the password books. We need to strive to be more NASA and less InfoSec.