We’ve just launched our new site! Check out the video to learn more.

Passwords in the New Security Age

In my time representing a custom app development business, I have had the chance to visit hundreds of work sites, spanning many different industries. Security…

In my time representing a custom app development business, I have had the chance to visit hundreds of work sites, spanning many different industries. Security is always a concern for CEOs and IT professionals. A company’s data is a core asset which includes customer information, revenue numbers, and private business practices, just to name a few. Any of these things falling into the wrong hands could have devastating consequences.

Executives are often surprised when I tell them that one of the biggest risks actually comes from their own employees – not necessarily through some sort of malfeasance or purposeful sabotage, but through a false sense of complacency. If something has never happened before, it’s not likely to happen later – or so they believe. Until someone has been faced with a ransomware virus spreading through the organization like a wildfire, or customers calling because the company website is redirecting to a porn site, the threat just seems too abstract to care about.

But hey, at least everyone has a password, right?

Right?

Of course they do. Any piece of software worth its splash screen requires some sort of credentials. And therein lies the problem: people can’t – or won’t – store a bunch of passwords in their heads. Add the onerous requirements that many web sites place on the seemingly simple task of making up a password, and you have a recipe for failure. Learn the password someone uses for one web site, and chances are good that it will work in many other contexts as well – work and personal – because it’s easier to memorize a single password than many different ones.

I have other stories. Sticky notes with passwords jotted on them, and stuck to a computer display in plain sight. An entire page of passwords stored in an unlocked desk drawer.

Then there’s this too-familiar exchange:
Person 1 (yelling across the office): “Hey, Curtis, what’s your password?”
(Presumably Curtis): “America666. Why?”

Seriously, I’ve experienced every one of these more than once.

The problem lies in the system, not the people who use it. Passwords are terribly inefficient, and prone to all kinds of failure. If it’s too complicated, you might lose it/forget it/accidentally feed it to the dog. If it’s too simple, it can be guessed by sophisticated brute-force bots whose only purpose is to try thousands of possible password combinations. Some facts:

Top ten most commonly used passwords:

  • 123456
  • Password
  • 12345678
  • qwerty
  • 12345
  • 123456789
  • letmein
  • 1234567
  • football
  • iloveyou
  • admin
    (Okay, that’s eleven, but I had to get that last one in there. I mean, what hacker would ever figure out “admin”?)

Some common types of passwords:

  • Name of spouse/child/pet, with or without substituted characters (e.g. M@d1s0n to represent Madison).
  • Birthdate of self or spouse/child
  • Movie or song title
  • Super hero
  • Sports team
  • Keyboard pattern (qwerty is one of these. So is qaz2wsx. If you are confused, look at your keyboard and despair in the knowledge that it is the 30th most common password.)

What is to be done? Let’s take a look at some low-hanging password fruit:

  1. Don’t repeat yourself. Sure, that password is very clever, or easy to remember, or both, but if you use it in more than one place, you are risking a large-scale breach.
  2. Don’t user keyboard patterns or guessable numeric strings. Keyboard patterns like mnbvcxz may seem random, but again, type this out on your keyboard and you will see it’s only slightly less obvious than qwerty.
  3. Don’t rely on leet-speak to obscure your password. This is the practice of choosing numbers and symbols to replace similar-looking letters, as in J@ck@l0p3. This is just the word, “jackalope” with some leet-speak trickery, and this practice is already built into hacking algorithms. It won’t save you.
  4. Don’t share your password with anyone, ever! If someone needs to log in using your password at work, you can just get up and go over there and type it for them. Bonus points if you stare them down until they look away before you type.
  5. If you have to use memorizable passwords (see below for a better way), try using pass-phrases instead, such as giraffe.apple.toyota.window – a randomized string of words that allows you to keep a mental image representing the words. In this example, I see a giraffe chewing on an apple, with its head sticking out of a Prius window. This is a lot of characters and word combinations for a hacking program to figure out. To make it even more secure, think up a number sequence to go between the words that only you know. The down-side to this kind of password that many web sites now try to micro-manage your choices by requiring a certain number of capitals, numbers, and symbols for each entry. This may not fit the schema outlined above.
  6. Use a password manager. This is the best possible way to protect yourself and your company, because it essentially remembers passwords for you. These are especially great for managing web site passwords, because they come with add-ons for most of the popular web browsers. My favorite is 1Password, so named because you literally only have to remember one password – the one that lets you into the program. Which means that you should create an incredibly elaborate password for this purpose, then memorize the heck out of that thing. You only have to do it once! Other password managers include Dashlane, Keeper, and a host of others. And, these password managers can create truly difficult to guess, randomized passwords for you — which is great, because you never have to remember them anyway.

A few more statistics to ponder before I close:

  • 48% of data breach incidents are caused by negligent employees or contractors.
  • 60% of small companies go out of business within six months of a cyber attack.

If your company does not have a password policy, now would be a good time to start. Educate your employees on good password practices, and settle on a password manager for everyone to use. Even if your team only accesses a few password-secured web sites and databases, good practices could save your company a lot of time and money!

Sources:

Unmasked: What 10 million passwords reveal about the people who choose them

CYBER SECURITY STATISTICS – Numbers Small Businesses Need to Know

And last but not least, check this comic from XKCD

Latest

From the blog

The latest industry news, interviews, technologies, and resources.