Passwords? On Post-its?
How retro! How circa Prince William!
You’d think we’d all know better, particularly after such memorable incidents as when passwords were left on sticky notes glued in the background during a TV interview – an interview concerning a cyber-attack, of course – broadcast live on the French TV channel TV5 Monde this year.
Alas, we do not know better.
There are far too many of us sharing passwords at work – be it on the infamous Post-it note glued all over the place, on scraps of paper strewn around desks, in unsecured spreadsheets, by email or by text.
It would be comforting to blame this all on those cursedly smooth-faced Millennials, but alas, we the wrinkled are only slightly less bad at keeping our passwords to ourselves.
According to a new report from password manager and digital wallet company Dashlane, a survey of 3000 people, evenly distributed between the US, the UK and France, found that 53% of US respondents have shared a password with a colleague.
The younger the employee, the more likely they are to think that the sharing economy includes passwords: 67% of respondents aged 16-24 said they’ve shared passwords; it drops to a still-dismal 59% in the age bracket of 25-34, 52% with 35-44-year-olds, and a still quite lame-o 46% of those 45-54.
When we’re not blabbing them all over cubicle land, here’s how we store our passwords:
- 62% of us keep them tucked away in our memory wetware
- 30% of us write them down
- 20% of us use a password manager
- 13% use a shared spreadsheet
- 8% reuse passwords – as in, they use one password for all systems
- 7% use email, texting or instant message
Guillaume Desnoës, head of European markets at Dashlane, feels OK about blaming callow youth for this situation.
The Register quotes him:
Our report reveals a lackadaisical approach to the management of company confidential data, which is being driven by the influx of 'millennials' entering the workplace.
Having grown up with the sharing culture of social media, this age group has become slightly casual when it comes to their security and this has the potential to have an impact in the business world.
If we choose not to beat up a particular age group, who can we pin the blame on for this soggy state of information security?
Management. Yeah, that sounds good. Let’s give it a spin.
A large percentage of respondents – 44% – reported that they can still access accounts or subscription-based services at their previous employers, putting those companies at risk of unauthorised use of systems or social media hijackings.
This all boils down to weak password security policies. Or, well, no security policies at all – at least, not that employees are aware of.
Nearly 70% of respondents said that either their employer doesn’t have a password policy or they don’t know if their employer does or not.
Another new study, this one conducted at the Black Hat 2015 conference by Lieberman Software Corp., underscored the notion that management is dropping the ball on security.
The survey, of 150 IT security pros, found that 92% of them believe that cybersecurity drills are a good way to prepare staff for cyber attacks.
In spite of that, 63% admitted that their employers never run such drills, or, at best, only run them annually.
Only 11% of organisations carry out cybersecurity drills quarterly, while 26% conduct them every six months.
The study suggests that the infosec pros are warning executive management about the risks, but getting them to take action is another matter entirely.
10% of respondents said the budget wasn’t there to fix things; 12% said they couldn’t convince management to understand the severity of cyber threats; and a whopping 45% said “all of the above.”
The blame game
Between these two studies – both of which come from security vendors that obviously have reasons for putting a slant on the situation – we can see some people are blaming Millennials, while some people are blaming management.
But at the end of the day, we’re still stuck with 1) the fact that none of us apparently have cause to brag, and 2) the question of what can be done about a pervasive indifference to security.
Is more security education the answer? Or does security education even work?
At least one security big-wig recently advocated turning away from the wrist-slaps of mandatory security testing or public call-outs in favor of stripping people of their credentials if they can’t manage to get security right.
DefenseOne reported that Department of Homeland Security (DHS) CISO Paul Beckman said during a panel discussion at a cybersecurity event in Washington a few weeks ago that he sees users – even senior managers – click on email he rigs as phishing bait to see who’ll click on potentially unsafe links.
They don’t just screw up once, mind you.
Such people not only click on links; they also repeatedly input usernames and passwords even when a blatantly non-DHS sender requests them, he said – bad security hygiene that gets them nothing but a slap on the wrist:
There are no repercussions to bad behavior. There’s no punitive damage, so to speak. There's really nothing to incentivize these people to be aware, to be diligent.
Employees who fail to pass his rigged-email test are forced to undergo mandatory online security training.
What he’d like to see instead is “broader evaluations of their fitness to handle sensitive information”, the outcome of which could and should be revocation of their security clearance:
Someone who fails every single phishing campaign in the world should not be holding a [top-secret security clearance] with the federal government. You have clearly demonstrated that you are not responsible enough to responsibly handle that information.
What’s your organization doing to keep workers from sharing passwords or clicking on phishy email?
We don’t want your passwords, but if you care to share anecdotes, you know what to do: our comments section is due South.
Image of password on sticky note courtesy of Shutterstock.com
Tom
I think the common belief is that Millennials are really tech savvy, but it may be that Millennials have the same percentage of people who understand how the Internet works as the general population. It always shocks me to see what people do online, but I can hardly believe some of the things we are now forced to do online, that should not be done online. After following computer/Internet security for 20 years, I personally don’t think the Internet is a particularly secure medium.
Bill Sailer
I have too many passwords, some forced on me by banking institutions, some that must be longer, have symbols, some caps, or some other restriction that makes my passwords a PITA. Let my mouse pad take my fingerprint or something similar. No, half my business contacts would not accept that, or SKYPE, so they will always annoy the hell out of us.
Mahhn
Some passwords I document in plain sight. In high school we had lockers with combination locks on them. I wrote my combination on the locker, however it was backwards and I had to add one, then two, then three digits to each number in order also. I have also written small notes on my desk that included my password – less my formula. Formal example: capitalize the third letter, use a specific number (two to 4 digits) at the beginning or end, special character in a specific spot.
So if I had “no soup for you” written on my desk some place my password might be N05oupfouru!
I have coached users that have a hard time with passwords to make a formula and just write the clue any place. You guys’ suggestion is great also.
Sharing passwords at work will get you into extra training (put on the Special High Intensity Training list) and potentially an HR issue, up to an RGE (Resume Generating Event).
Mahhn
Question to the downvotes: is it that I suggest writing a sentence as a reminder? Or?
I’m always up for constructive feedback and discussion for a better way.
A former coworker asked me to ask him for his password one time (after he changed it). His answer: “What do you need it for?”
Chris M
First of all: Kerckhoffs’s principle. Always assume the attacker knows how the password is derived. In the scenario you describe, you are not protecting the password, you are protecting the algorithm. This is called security by obscurity, and is not a good thing.
Secondly, as Paul points out to a different comment below, your phrase is made up of common dictionary words, and then some rules are applied. This is easily broken by a brute force attack.
Just use a password manager. Secure, and far easier.
Mahhn
Thank you for taking the time to reply.
I used a simple and poor example, my intention was to share a formula process for end users that forget their password all the time – the number one reason people call Help Desk.
If the person has lots of passwords a manager is great, for normal end users that have one maybe two, they still can’t log in when they forget that one. Here is another fun one I have seen: CEp0&r2d2Inde+h*
Bryan
RGE (Resume Generating Event)
har, I’m gonna use that.
Blake
I read this a while ago so I forget what computer magazine had this.
It stated: pick a pass phrase; we shall use ApplePie.
Convert some letters to numbers and symbols:
@ppleP1e
So now we want our passwords to be different for each site.
So develop a code, like: you add the 3rd and 4th letter of the site to the end of it. Now you have a unique password for every site.
@ppleP1ece = Facebook Password
@ppleP1eit = Twitter
@ppleP1enk = If your online banking bank was named bank
All you need to remember is @ppleP1e and 3rd and 4th letter and you end up with unique passwords for every site you go to.
Paul Ducklin
You should probably watch our “How to Pick a Proper Password” video. This system is a bad idea for a few reasons:
* ApplePie is a dictionary word. So it’s not a very safe starting point for the keys to your whole castle.
* Num3r1c subst1tui@ns only help a little bit, because password-guessing programs know all the “eleet” tricks of this sort, and try them too.
* If someone finds out any two of your passwords, the scheme is obvious and then they can crack all your other passwords by trying just 26×26 combinations each.
I’d suggest reading a different magazine for security hints, and looking into a password manager :-) The video covers that:
https://nakedsecurity.sophos.com/how-to-pick-a-proper-password
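To make the 26×26 point concrete, here is an added audit check (not code from the article, from Sophos or from any commenter): given two or more passwords a user built from one base, it recovers the shared base and counts the guesses left per account. It assumes the varying part is lowercase letters only (an alphabet of 26), as in Blake’s “3rd and 4th letter of the site” scheme; the sample passwords are constructed from the ones quoted in this thread.

```python
# Added audit check, not from the article or its commenters. Assumption: the
# per-site part is drawn from 26 lowercase letters, as in Blake's scheme above.

def shared_base(passwords):
    """Longest substring present in every password (empty string if none)."""
    if not passwords:
        return ""
    shortest = min(passwords, key=len)
    n = len(shortest)
    # Try the longest candidates first so the first hit is the longest one.
    for length in range(n, 0, -1):
        for start in range(n - length + 1):
            candidate = shortest[start:start + length]
            if all(candidate in p for p in passwords):
                return candidate
    return ""


def residual_guesses(passwords, alphabet_size=26):
    """Return (base, variable_chars, guesses): how many characters of the
    longest password fall outside the shared base, and how many combinations
    of those characters exist. That is the whole search space left for any
    further account once the sampled passwords are known."""
    base = shared_base(passwords)
    variable_chars = max(len(p) - len(base) for p in passwords)
    return base, variable_chars, alphabet_size ** variable_chars


def flag_derived_set(passwords, alphabet_size=26, max_acceptable=10 ** 6):
    """Audit verdict: True when the shared base makes up most of every
    password and the remaining guess space is small enough to enumerate."""
    base, _, guesses = residual_guesses(passwords, alphabet_size)
    if not base:
        return False
    mostly_shared = all(len(base) >= len(p) // 2 for p in passwords)
    return mostly_shared and guesses <= max_acceptable


if __name__ == "__main__":
    # Constructed samples: Blake's scheme and Paul's long-password variant.
    blake = ["@ppleP1ece", "@ppleP1eit", "@ppleP1enk"]
    long_part = "THISISASUPER-LONGPASSWORD!!!YOUWILLNEVER?GUESSEVENIN100000YEARS"
    paul = ["x" + long_part + "y", "a" + long_part + "b"]
    for sample in (blake, paul):
        base, var, guesses = residual_guesses(sample)
        print(f"base={base!r} variable={var} guesses_per_site={guesses} "
              f"flagged={flag_derived_set(sample)}")
```

Both samples come out with a 2-character variable part and 676 guesses per account, which is why the length of the base makes no difference once two passwords from the set are known.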
Gerry
This is better than reusing passwords but still vulnerable – instead of using one password you use one (base) password plus one algorithm (i.e. pick the 3rd and 4th letter of the site and append to the base password).
So if @ppleP1eit is compromised on Twitter, it is not a huge strain to guess that @ppleP1e?? gets you into something else – and Facebook might be an ideal account to try and crack. I might be able to guess it rather than go through 26×26 permutations. Once I am into Facebook, I probably have your (base) password and the algorithm so I then have the keys to your kingdom.
Your algorithm needs to be very obscure if it is not to be easily cracked if one of your passwords is compromised. And the password needs to be difficult to “reverse” (the origin of @ppleP1eit is rather obviously ApplePieit)
i@P&C1rst does not so easily divide into a base password plus an algorithmically driven prefix and suffix (@P&C1rs does not easily identify as a base password based on “Apple Pie And custard is really scrummy”)
Paul Ducklin
Seriously, use a password manager instead. If you have 100 passwords with the same base, then it doesn’t matter how complex or obscure it seems on its own, it’s still pretty obviously a common component if a crook gets to see two or three of the 100 :-)
xTHISISASUPER-LONGPASSWORD!!!YOUWILLNEVER?GUESSEVENIN100000YEARSy
aTHISISASUPER-LONGPASSWORD!!!YOUWILLNEVER?GUESSEVENIN100000YEARSb
mTHISISASUPER-LONGPASSWORD!!!YOUWILLNEVER?GUESSEVENIN100000YEARSn
Gerry
Agreed. I do use a password manager myself – but there are some passwords that you can’t put in your password manager.
1) The master password for your password manager
2) Your log-in or BIOS passwords
3) Some banks are a bit iffy about “writing down your password” (writing it in a password manager is “writing it down”) – they would rather I used the name of my first pet dog!
So – as your video indicates – any remembered password has to have layers of obfuscation – particularly if you have a “system” to remember multiple passwords. (“systems” are far more easily cracked than you think)
Something like (from the video) – YwN4!!Gpw4tPMi – is obscure and probably memorable if you only have one password to remember, but what about other logins?
Arguably you have a strong base password – and if you want to build variations on it for ease of remembering you have to heavily obfuscate – and use processes that are non-reversible. Any form of reuse/variation is a weakness, but you trade that for ease of remembering.
So using the above “strong base”:
YFwaNc4e!b!oGopkw4tPMi and
YTwwNi4t!t!eGrpw4tPMi
May look like strong variations but you can easily reverse them (look at the “weaved” words).
But
YFwcNe4!B!oGpkw4tPMi and
YTwiN4t!t!eGprw4tPMi
Are a bit more obscure via a hard to reverse algorithm (when weaving omit a weave letter after a capital, double skip after a vowel) – but the algorithm is still based on the account which you want to log in to.
If you can remember something that you associate with the account – but others are unlikely to – and use that for the weave word, you get another layer of obfuscation.
So you remember one strong base “YwN4!!Gpw4tPMi”, a complex non-reversible weave algorithm, and something unique – but obscure – to the account. So for my examples:
Facebook > ArsePaper > “Andrex” (UK recognised Brand)
YAwdNr4e!!xGpw4tPMi
Twitter > BirdSong > Wraysford (lead character in the book)
YWwaN4y!f!oGprwd4tPMi
Not perfect, but it is memorable.
(That said “my algorithm” is totally different!)
David
This involves way too many mental gymnastics for the average end user.
Al
In many corporate environments, password managers are instant sacking events, for introducing third party software.
So, all this “use a password manager” is ineffectual, as it is merely a sticking plaster on the broken premise that is reality – having to maintain dozens of passwords (all with different lengths, character rules and ageing), without being able to do anything about it.
Paul Ducklin
I’m not suggesting that you install an unapproved password manager on a company computer.
But this wasn’t about corporate software rules, or the fact that the password manager could be considered merely treating a symptom. It was about whether a password manager would be safer for the OP than a system of lots of passwords that are only very slightly, and predictably, different.
In that context, I stand unreservedly by my recommendation.
Gerry
Businesses can be stupid about passwords – which sets the wrong culture
1) I need to reset a bank password. They send me one (paper) form to fill in with the new password and my new security questions and then to send it through the mail! (Never heard of mail interception – or corrupt employees?!). They don’t like it when I try to send the information in one data item per envelope – they do not have the means to reassemble it on receipt.
2) Companies send me AGM details and encourage me to vote electronically – using a “two part” security number. Both parts are printed on the same piece of paper!
Do they expect me to take security seriously?
APC
I’ve given up remembering passwords and use a password manager to remember the 190 sites I use!
TonyG
Well anything is only as secure as its weakest link. Long before CMS systems came along I created one for a number of organisations. One got hacked because he effectively published his user name in a post and his password was so weak that it was easily hacked.
Ironic that it is often the people who have most access (senior people) who are often the least cyber-secure. Somehow they cannot equate what they would do with physical security with what they do with cyber security. They would not leave their office open and papers out and not question anyone going through them.
Jazzy Bizzle
I am all for proper password security but in reality, I have been on the web for 10 years, I have used the same password, on most sites. I use derivatives (password x+SOME CHARACTERS) and I have never been subject to hacking, data theft or any such like.
Because I don’t tell people my password(s), and it’s not exactly easy to guess.
I don’t need to write my passwords down because I can remember them. This is a huge point. Not only that, but forcing users to change passwords regularly I do not think is good security practice. Because users may remember “m/\p1Rs” (My Apple Pie Is Really Scrummy) once, but if you then make them change it, all they are likely to do is either add a “1” to the end or have to remember a whole new password. To the “non-techy” workforce this will probably mean they will write it down.
When can you ever really brute-force a password? Arguably never if it’s on a web-site. Most will lock you out after 3 or 4 incorrect attempts, or send you E-mail alerts.
Physical devices possibly, but you need physical access, which isn’t going to happen, unless it’s stolen, in which case the device they steal is worth more than anything in any of my bank accounts :-)
A long secure password may help if like we have read recently, people’s hashed/salted passwords are recovered and you can reverse engineer them by brute-forcing.
I do not know the statistics but I would guess 95% of password “hacking” isn’t actually hacking, it’s social engineering, or enticing users to download rubbish onto their machine which then key-logs. Ergo here, password security is irrelevant.
Nothing annoys me more than being FORCED to put a capital letter, or a special character, because look at how secure “P@ssw0rd” is……
Mark
There is a plus side to forcing periodic password resets though. When website credentials are copied through security breaches they can be quietly held for a couple of years before being sold on. Look at the current raft of 2012 passwords released now. Forcing password resets would mitigate this somewhat although I suppose you could extend your password reset timeframe. You’ve got the Twitter password that I used 4 years ago but I’ve changed that twice since then so it won’t do you any good.