I am starting my series titled “IT IQ” to cover some of the most common questions I am asked, or situations I encounter. Here is the debut post, starting with the most humble and yet most perplexing of topics:
There are a million tales in the IT Security consulting world, ones that keep professionals in this field gainfully employed by day and tossing and turning at night. I have dealt with many that can keep me occupied for weeks peeling away layers of complexity. But surprisingly, even after all these years, one of the IT security questions that I am asked most often is about passwords and password security. In fact, I have even had executives at big companies express concerns over this topic, usually after an attack has occurred or information has been compromised.
The issue, succinctly phrased, is: Why is it that, despite widespread and highly publicized caveats, so many people continue to use easy-to-guess passwords? Why is it that they don’t heed well-disseminated warnings about creating a password that cannot be easily determined? And the highly anticipated sequel to this topic, of course, is: How to prevent history from repeating itself.
There is a very simple explanation for why this problem occurs in the first place. Even geniuses who can memorize the minutest details about everything under the sun sometimes find themselves struggling to recall their password. Multiply that by the number of accounts each of us has. So the most logical strategy that seduces the average human is to choose a word that is easy to remember because it is significant in some way. In my experience, that usually means one of the following: the name of a child, the name of a pet, the name of a birth city, or a home address. The problem is that all of these are fairly easy to find, especially given our ubiquitous presence on myriad forms of social media.
Then there are the real security defeating selections. Yes, believe it or not people still use PASSWORD for their password. They really do. Why? It’s easy and most people I have talked to who do this say they were planning to go in and change it shortly after they opened an account, but then they never got around to it. Likewise with the old, unreliable 1234567 or its many permutations. Here, for your perusal and entertainment, are the 25 most common passwords as reported in The Telegraph (http://www.telegraph.co.uk/technology/2017/01/16/worlds-common-passwords-revealed-using/):
(For anyone mystified by qwertyuiop, check out your keyboard. Likewise qazwsx.)
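The two failure patterns above, a password taken straight from a "most common" list and a password that is just a walk across the keyboard, are both cheap to catch at the point where a password is set. The following is an added example, not code from the original post or from any product it mentions: it checks a candidate against a small deny list (constructed here from the entries the post names; a real deployment would load a much larger breach-derived list) and then tests whether the whole string can be covered by straight-line runs on a US QWERTY layout, which is what makes qwertyuiop and qazwsx weak. The sequence table and the three-character minimum run are assumptions chosen for the example.

```python
"""Reject passwords that are on a deny list or are keyboard walks.

Added example for password-policy checks; the deny list below is a
constructed sample, not a real corpus.
"""

# Constructed deny list: the examples named in the post plus a few
# obvious companions. Load a full list (e.g. breach-derived) in practice.
COMMON_PASSWORDS = {
    "password", "123456", "1234567", "12345678", "qwerty",
    "qwertyuiop", "qazwsx", "letmein", "admin", "welcome",
}

# Physical rows of a US QWERTY keyboard (assumed layout), digit row first.
_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]

def _keyboard_sequences():
    """Return every straight-line run: rows, vertical columns, and reverses."""
    seqs = list(_ROWS)
    # Columns such as '1qaz', '2wsx', '3edc': one key from each row.
    for i in range(len(_ROWS[-1])):          # shortest row bounds the columns
        seqs.append("".join(row[i] for row in _ROWS))
    return seqs + [s[::-1] for s in seqs]     # walks in either direction

_SEQUENCES = _keyboard_sequences()

def _longest_run_at(pw, pos, min_len):
    """Length of the longest keyboard run starting at pw[pos], or 0."""
    best = 0
    for seq in _SEQUENCES:
        for length in range(min_len, len(pw) - pos + 1):
            if pw[pos:pos + length] in seq:
                best = max(best, length)
            else:
                break                          # a longer window cannot match either
    return best

def is_keyboard_walk(pw, min_len=3):
    """True if the whole password is a concatenation of keyboard runs.

    Each run must be at least min_len keys long, so 'qazwsx' (two columns)
    and 'qwerty123456' (a row plus the digit row) both count as walks,
    while 'password' does not.
    """
    p = pw.lower()
    pos = 0
    while pos < len(p):
        run = _longest_run_at(p, pos, min_len)
        if run == 0:
            return False
        pos += run
    return len(p) >= min_len

def check_password(pw, min_length=8):
    """Return None if the password is acceptable, else the reason it was rejected.

    The deny-list check is case-insensitive so 'PASSWORD' is caught too.
    """
    if pw.lower() in COMMON_PASSWORDS:
        return "on common-password list"
    if is_keyboard_walk(pw):
        return "keyboard walk"
    if len(pw) < min_length:
        return "too short"
    return None

if __name__ == "__main__":
    for candidate in ["PASSWORD", "1234567", "qazwsx", "qwerty123456", "Tr0ub4dor&3"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The coverage approach matters more than the deny list: a list can only name strings it already contains, whereas the walk check rejects any row or column run, in either direction, including combinations that no list would enumerate. It does not handle digit suffixes glued onto a dictionary word or leetspeak substitutions; those need a dictionary-based strength estimator on top of this.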
So despite the agitation caused by this seemingly simple-to-change behavior, it continues unabated. Most people will say that regardless of what they read and know about attacks and hacks, they never think it will happen to them.
My advice is therefore that the IT Security team in every company has to accept as a given that some employees will always choose to use one of the easiest, most findable passwords ever and in doing so, may put competitive information at risk. The question of how to deal with this challenge is the subject of the next blog post. Spoiler alert: There is hope…