July 19, 2018 by nwilliams
The problem with passwords is a perennial one. Just a few days ago, SplashData released a list of the most popular passwords of 2017. What are they? Well, “123456,” “Password,” “12345678,” and “Qwerty” were the top 4, which is fairly indicative of the rest of the list. Among the others was “starwars,” which is in turn pretty reflective of where we stand on cyber-security. Need a password? Here, have a pop culture reference. It’ll be effortless for you (and the rest of the world) to guess. Apparently, ease—rather than safety—is the name of the game.
Of course, it’s possible to practice poor password security without ever suffering noticeable consequences. Many of us do. But this is primarily because we’re relatively unlikely targets. Sure, it’s possible for personal bank accounts to be hacked using weak credentials. It can and does happen, and for the individuals it happens to, such a security misstep can have terrible consequences. But there’s a far more likely scenario we should be concerned with.
In this scenario, an administrator in charge of his company’s cloud database fails—just as you and I have, countless times—to change a default password. Or, perhaps, he uses one he’s used elsewhere, or one that’s just a bit too easy to crack. And, just like you or I, he probably thinks to himself, Will this really matter? It’s so much easier this way. Unbeknownst to him, he’s about to cause a massive, headliner data breach. A hacker is going to use his weak password to break into the cloud, and access—even steal—user data. In fact, this hacker has been covertly breaking into the database for weeks without the administrator even knowing it. Sound familiar? This is exactly what happened on July 4 to Timehop, an app that connects to users’ social media accounts and compiles memories from previous years. This particular hack led to the compromise of 21 million users’ data, and is now being compared to an eerily similar data breach we’ve already analyzed: that of tax service Equifax last summer, which tallied up at about 146 million accounts breached. That breach was also caused by a password, and one which has since become notorious. And although the Equifax hack was a lot bigger, this one is, in a certain way, more telling.
When Equifax got hacked, I think it marked a shift in the way we view passwords: for perhaps the first time, the world saw what could happen if we fail to reset system credentials. And the results were apocalyptic. After Equifax, all plausible deniability we might have had before was gone—which means that, as soon as another company (cough, Timehop) makes the same rookie mistake, it can only be infinitely more embarrassing and less understandable. This again?
There are a couple of different things at play here. First of all, the undeniable cosmic forces named habit and existing protocol are extremely difficult to redirect. It seems, at least based on the past few hacks, that passwords are playing second fiddle to system firewalls and protocols for combating phishing emails. To some extent, this makes sense. We focus on the doomsday scenarios: hackers finding the one crucial flaw in a server and breaking in at just the right second; a scam email spreading a virus across an entire company in minutes. Those are the sorts of breaches we expect. But a hacker guessing at a weak password and using it to waltz right in? It’s the gaping hole hiding in plain sight—so obvious and so simple that we don’t even think to give it a second thought. And by now the oversight has become so ingrained that it’s taking longer than perhaps it ought to to change the tide. Even though we all know that real hackers are using this weakness to make their move, the breaches are still happening because no one is actually taking steps to change their behavior. A few individuals or companies might be—sure. But, clearly, organizations in general are not giving their employees proper training or instruction when it comes to what counts as a good password. They’re not communicating the importance of creating strong passwords to begin with, let alone changing them regularly. And you know why? Because it’s hard. Making and remembering strong passwords is significantly harder than using your birthday or leaving the system default in place. And making each and every employee do it? Even harder. So here we are.
Second of all, I think we’re starting to see the effects of security measures that simply aren’t keeping up with rapidly innovating technology. This happens across all avenues of cyber security, mostly because hackers, who frequently earn their livelihood and spend most of their time becoming intimately familiar with how our current technology works, learn very quickly how to surpass it. Even if we’re taking adequate security precautions, they’re almost always a step ahead of us. Given that, our best bet is to employ the latest possible technology. For passwords, that means Two-Factor Authentication (2FA). If you’ve ever had a website or an app ask you to confirm your login via a code texted to your phone or a link sent to your email, then you’ve seen 2FA in action. Unfortunately, this extra measure has not been implemented by as many organizations as one might hope. Why? Well, probably for the same reasons we don’t prioritize creating secure 1FA passwords. Thankfully, especially as the number and frequency of these password-related hacks increase, more companies are starting—bit by bit—to employ 2FA. Banks have been doing it for ages (for good reason), and most of the major social media sites have it as an option (Facebook, Twitter, Instagram, LinkedIn, Snapchat). However, sites having it enabled as an option is a far cry from establishing it as the standard, let alone requiring it for back-end systems. And until that happens, we’ll be caught in the same old dichotomy between what we know is safest and least risky, and what we feel like implementing or requiring.
As soon as one of these hacks hits the news, everyone says the same thing: this could have been prevented. Could this one? Sure, probably. According to multiple reputable sources, the thing that could have prevented it might just have been 2FA. But I think there’s a more important point at stake here. Timehop’s response to the foible was to “beef up” their security: this is an incredibly reactive, rather than proactive, response. It admits to an incident and seeks to do whatever needs to be done in order to fix that incident...whether to save face or actually to protect something that had previously been unprotected. But the reason why we can watch these hacks happen over and over with very little change is that we don’t care about actually fixing the underlying problem. Security has to start from the bottom up: and that means addressing our attitude first. Do we understand the need for strong security, the real possibility that we could be the next victims, and prioritize it accordingly? If we don’t, then 2FA or firewalls won’t help us. We’ll always be a step behind.
Strong passwords start with education, encouragement, and enforcement. Contact us to find out how password security training can help keep your organization safe.