Careless reuse of passwords is a weakness attackers exploit routinely: email and password pairs taken in a data breach of one online service are replayed against other services in the hope that the same combination works there too, an attack now known as credential stuffing. One would think this is common only among unsophisticated computer users, but several very public incidents in the last few years show it is a problem even among tech-savvy people working in the information technology industry. Have we reached the stage where protecting sensitive information with passwords alone is no longer practical? With so many online accounts required today, the average person cannot remember a unique password for each of them, and we need better solutions than accumulating ever more passwords. Security experts describe the strongest authentication as a combination of three factors: something you know, something you have and something you are. Combining all three is the strongest form of authentication, and the best security solutions require at least two of the three (multi-factor authentication).
In a Wired article published in August 2014, Donna Dodson, chief cybersecurity advisor at the National Institute of Standards and Technology (NIST), observed: “Putting the burden of security on the end-user and making it more complex just doesn’t work…The security has to be usable for the end-user. Otherwise, they’re going to find workarounds.” (McMillan, 2014) Perhaps it is time to recognize that the human inability to remember many complex passwords is one of the most significant obstacles to online security.
First, there is the sheer number of online accounts computer users have, each with a password to remember. In a 2014 NIST study of Department of Commerce (DOC) employees, researchers documented that, “On average DOC employees had nine (range: 1-400) accounts at work that requires logins.” (Choong, Theofanos, & Liu, 2014) Security vendor Sophos estimated in October 2014 that the average person keeps track of 19 passwords (Munson, 2014). Nearly all employees have passwords to manage at work as well as those they use in their personal lives, so it is reasonable to assume most people have at least 25-30 passwords in use. With so many passwords required, users are naturally tempted to reuse one across multiple accounts. Password reuse increases the financial harm a single breached account can cause: the loss of one password can lead to the compromise of others, and may give an identity thief everything needed to reach credit records and bank accounts. Requiring that every password be complex, with numbers, capital letters and special characters, makes it highly unlikely that even the smartest user will remember the plethora of passwords required to navigate social media and online commerce websites. NIST’s own Digital Identity Guidelines (SP 800-63B, published in 2017) reached the same conclusion: they advise against mandatory composition rules and routine expiry, and recommend instead that new passwords be screened against lists of passwords known from previous breaches.
It is tempting to assume people working in the tech industry would better understand what is at stake and would do better at avoiding password reuse. Many recent high-profile hacks show this is not the case. In 2012, LinkedIn confirmed a breach in which about 6.5 million password hashes from its website were posted online; the hashes were unsalted SHA-1, so a large share of them were cracked within days. In May 2016, Fortune magazine reported that the actual loss of LinkedIn credentials was 167 million accounts. Hackers then offered the data for sale on the dark web, the shadowy underground market for stolen data: one Russian hacker offered 117 million email and password combinations for as little as $2,300 (Hackett, 2016). Using credentials from the LinkedIn breach, hackers accomplished some highly publicized takeovers of accounts belonging to prominent technology figures and celebrities. For example, hackers took over Facebook founder and CEO Mark Zuckerberg’s Twitter and Pinterest accounts and posted messages to prove they had his login and password information, as reported by Fortune tech writer Ian Mount in 2016. Mount reported that Zuckerberg’s LinkedIn password was “dadada,” hardly the type of password we would expect from a sophisticated technology leader, and that he had reportedly used the very same password on Twitter and Pinterest. According to Mount, other celebrities believed to have been hacked using information from the LinkedIn breach include Katy Perry, Lana Del Rey, Bill Gates, and New York Yankees baseball player Rob Refsnyder. Hackers also hijacked the NFL’s Twitter account, tweeting out to the world that NFL commissioner Roger Goodell of “Deflate-gate” fame was dead.
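The two halves of the LinkedIn story above, cracking an unsalted dump and then replaying the recovered passwords elsewhere, can be shown end to end in a few dozen lines. The following Python script is an added example, not code from the original article or from LinkedIn; every email, password, hash and wordlist entry in it is constructed for the demonstration, and the “Site A”/“Site B” names and the 100,000 PBKDF2 iterations are assumptions. It also shows the defensive side: per-user salted, slow hashes (so a single lookup table no longer cracks every user at once) and a breach screen at password-set time, while making clear that neither of those stops a credential-stuffing login with a password the attacker already knows.

```python
import hashlib
import hmac
import os

# --- Constructed sample data for this example (not a real breach dump) -------
# Site A stored unsalted SHA-1 hex digests, the format LinkedIn used in 2012.
_SITE_A_PLAINTEXTS = {
    "ceo@example.com": "dadada",
    "bob@example.com": "linkedin",
    "carol@example.com": "Summer2016!",
    "dave@example.com": "correct horse battery staple",
}
SITE_A_DUMP = [(email, hashlib.sha1(pw.encode()).hexdigest())
               for email, pw in _SITE_A_PLAINTEXTS.items()]

# Constructed attacker wordlist (a real one holds hundreds of millions of entries).
WORDLIST = ["123456", "password", "dadada", "linkedin", "qwerty", "Summer2016!"]


def crack_unsalted_sha1(dump, wordlist):
    """Recover plaintexts from unsalted SHA-1 hashes with one precomputed table.

    Without a salt, one SHA-1 per wordlist entry cracks every user who chose
    that password, so the attacker's work does not grow with the number of
    victims. Returns a list of (email, plaintext) pairs.
    """
    table = {hashlib.sha1(w.encode()).hexdigest(): w for w in wordlist}
    return [(email, table[h]) for email, h in dump if h in table]


# --- Site B: what a site should store instead ---------------------------------
PBKDF2_ITERATIONS = 100_000  # assumed value; tune upward, the point is each guess is slow


def hash_for_storage(password, salt=None):
    """Per-user random salt plus a deliberately slow KDF. Returns (salt, digest).
    A precomputed table is useless against this: every user needs a fresh run."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


def verify_stored(password, salt, digest):
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return hmac.compare_digest(candidate, digest)


# Site B's user store (constructed). The CEO reused the Site A password here.
SITE_B_USERS = {
    "ceo@example.com": hash_for_storage("dadada"),
    "bob@example.com": hash_for_storage("different-passphrase-for-site-b"),
}


def credential_stuffing_hits(cracked_pairs, target_users):
    """Replay (email, password) pairs recovered from one breach against another
    site. Site B's salted hashes do not help here: the attacker is not cracking,
    just logging in with a known-good password. Each hit is an account lost to
    reuse, which is why a unique password per site or a second factor matters."""
    hits = []
    for email, password in cracked_pairs:
        record = target_users.get(email)
        if record is not None and verify_stored(password, *record):
            hits.append(email)
    return hits


def is_breached_password(password, cracked_pairs):
    """Screen a candidate password against plaintexts known from breaches, the
    check NIST SP 800-63B recommends when a user sets a new password."""
    return any(password == pw for _, pw in cracked_pairs)


if __name__ == "__main__":
    cracked = crack_unsalted_sha1(SITE_A_DUMP, WORDLIST)
    print("cracked from Site A:", cracked)
    print("Site B accounts lost to reuse:", credential_stuffing_hits(cracked, SITE_B_USERS))
    print("would 'dadada' pass a breach screen?", not is_breached_password("dadada", cracked))
```

Three of the four Site A users are cracked instantly; only the long passphrase survives, because it is not in the wordlist rather than because of anything Site A did. The one Site B account that falls is the one whose owner reused a password, exactly the pattern in the Zuckerberg incident.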
Reviewing the string of data breaches over the last few years might lead one to question the effectiveness of passwords for online security. Humans are unable to track them accurately, which is why they write them down or reuse one password across multiple accounts. Better solutions are required when so much is at stake. Usernames and passwords are easily misappropriated and reflect the weakest of the three authentication factors, what an individual knows. In a world where individuals have so many online accounts and usernames, passwords are easily lost or stolen, leaving users vulnerable to online identity theft, and reusing one password across accounts exposes every one of them to anyone who buys the stolen credentials on the dark web. Businesses should change the methods they use for authenticating users and managing account access. Technologies such as smart cards, one-time tokens (for example, the time-based codes generated by authenticator apps and hardware tokens), and biometrics are vital as more of our wealth and personal information becomes accessible and controllable online. It only makes sense to improve the methods we use for identity management in our homes and businesses. If you are personally overwhelmed with password management, consider at a minimum a reputable password manager, which lets you use a unique, randomly generated password for every site, and enable a second factor wherever a service offers one.
It is time for individuals to pressure the commercial and government entities that collect their data to offer new and improved methods of protecting that information from theft and exploitation. Businesses need to improve their identity management or face substantial legal liability for data breaches. If your business still relies only on the weakest form of authentication, a username and password, it is perhaps time to engage a reputable third-party cybersecurity consulting firm for a thorough evaluation of your internal technology infrastructure and to consider alternative forms of identity management.
References
Choong, Y.-Y., Theofanos, M., & Liu, H.-K. (2014). United States Federal Employees’ Password Management Behaviors: A Department of Commerce Case Study (NISTIR 7991), p. 4. Washington, DC: National Institute of Standards and Technology. Retrieved January 29, 2017, from http://nvlpubs.nist.gov/nistpubs/ir/2014/NIST.IR.7991.pdf
Hackett, R. (2016, May 18). LinkedIn Lost 167 Million Account Credentials in Data Breach. Fortune. Retrieved from http://fortune.com/2016/05/18/linkedin-data-breach-email-password/
McMillan, R. (2014, August 11). Turns Out Your Complex Passwords Aren’t That Much Safer (paragraph 4). Wired. Retrieved from https://www.wired.com/2014/08/passwords_microsoft/
Mount, I. (2016, June 6). Mark Zuckerberg’s Twitter, LinkedIn, and Pinterest Accounts Were Hacked. Fortune. Retrieved from http://fortune.com/2016/06/06/mark-zuckerberg-accounts-hacked/
Munson, L. (2014, October 17). Average Person Has 19 Passwords but 1 in 3 Don’t Make Them Strong Enough. Naked Security by Sophos. Retrieved from https://nakedsecurity.sophos.com/2014/10/17/average-person-has-19-passwords-but-1-in-3-dont-make-them-strong-enough/