In my previous articles, I discussed the perceived problems with passwords and how multifactor authentication improves cybersecurity. While almost everyone loves to hate passwords, passwords are not the real problem. Want to know what is? Employee-managed passwords. We don’t have a password problem; we have a password management problem.
Employees are the weakest link in any enterprise computer network for three reasons:
- They do an abysmal job of generating passwords. The passwords they choose are easy to crack.
- They can’t remember their passwords, so they write them down and store them in places where they (and others) can find them.
- Employees are susceptible to social engineering schemes (aka human hacking), which hackers use to get people to give up their passwords voluntarily.
When employees are given the responsibility to generate, know, remember, type and manage passwords, IT has inadvertently given employees the job title “Network Security Manager.”
Something to Think About
You may remember the movie “Catch Me If You Can” starring Leonardo DiCaprio, Tom Hanks and Christopher Walken. The movie was about Frank Abagnale, who in 1963 started as a con artist (social engineer). Fast-forward to the computer age when the poster kid for computer social engineering is Kevin Mitnick. Mitnick was a hacker and fugitive, breaking into computer networks, creating false identities, and running from authorities for years. At one point, when the FBI was closing in to arrest Mitnick, he escaped, but not before leaving a fresh box of donuts in the refrigerator marked “FBI donuts.”
In his book, “The Art of Deception,” Mitnick shares how he used social engineering, not hacking tools, to discover passwords so he could break into computers. Mitnick also said: “Testifying before Congress, I explained that I could often get passwords and other pieces of sensitive information from companies by pretending to be someone else and just asking for it.” He goes on to explain that social engineering takes advantage of people’s gullibility, naiveté, ignorance and stupidity.
A quote commonly attributed to Albert Einstein sums up Mitnick’s philosophy:
“Only two things are infinite, the universe and human stupidity, and I’m not sure about the former.”
Like Frank Abagnale, Mitnick was eventually caught, served his time and now runs a computer security consulting firm where he helps businesses secure their computer networks through education. I’m sure he would agree that one of the best ways to prevent data breaches is to get the employee out of the role of network security manager!
Myth: Users Must Know Their Passwords
The concept of a password or passphrase dates back to ancient times. They were required to access places like a castle, camp or even a professional guild, such as the Freemasons Society. A guardian would challenge the visitor for the password. If the visitor answered correctly, he was recognized as a friend and allowed to pass. If he used the wrong password, swords were drawn.
In modern times, computer passwords have become the digital authentication representing something the user knows. Where and how a person reveals their password has changed significantly (from a sentry to a computer), and it’s time for an update to our understanding of how passwords should and can function in the 21st century.
The current definition of “password,” according to Dictionary.com, is:
- A secret word or expression used by authorized persons to prove their right to access, information, etc.
- A word or other string of characters, sometimes kept secret or confidential, that must be supplied by a user in order to gain full or partial access to a multiuser computer system or its data resources.
One of the biggest misconceptions about passwords is that passwords must be the thing that a person knows, types or speaks. That is literally an ancient and false belief! In the wake of massive computer advancements, why are humans still being asked to generate, know and reveal passwords? Shouldn’t technology be doing that? Encryption keys are not typed.
Here’s my take on how an updated definition of “password” should look:
- A shared secret expression or other string of characters exchanged human-to-human, human-to-computer, or computer-to-computer for the purpose of authenticating access to facilities, services, computer networks and/or data.
Not only does a user not need to know a login password, but she also shouldn’t have to remember it or type it. This is good for both the end user and network security because it diminishes the effectiveness of social engineering hacks. How can an employee reveal something she doesn’t even know? The secret still exists, of course; it has moved from the employee’s memory to a credential, so protecting that credential and the PIN that unlocks it becomes the control that matters.
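To make the two points above concrete (employees generate weak passwords; a login secret need not be known, remembered or typed by its owner), here is an added example in Python that is not code from the original article or from the author’s product. It provisions a 192-bit machine-generated password, stores only a scrypt verifier of it on the "server", and seals the cleartext into a vault that opens only with two factors: a secret assumed to be released by a smartcard after PIN entry (here the constructed constant `CARD_SECRET`) and the PIN itself. Nothing returns the password to the user; `login()` releases it only to the verifier. Because the standard library has no AES-GCM, the vault uses an HMAC-SHA256 keystream with encrypt-then-MAC as a stand-in; in production use AES-GCM or another authenticated cipher.

```python
"""Added example: a machine-generated login secret the user never sees.

Assumptions (not the article's or any product's actual design):
- CARD_SECRET stands in for a secret held on a smartcard and released
  only after the holder enters a PIN; here it is a constructed constant.
- The vault cipher is an HMAC-SHA256 keystream with encrypt-then-MAC,
  a stdlib-only stand-in for AES-GCM.
"""
import base64
import hashlib
import hmac
import secrets

# Constructed stand-in for a secret that would normally live on the card.
CARD_SECRET = bytes(range(32))

# scrypt parameters: 2**14 x 8 x 128 bytes = 16 MiB per derivation.
SCRYPT = dict(n=2 ** 14, r=8, p=1)


def generate_machine_password(nbytes: int = 24) -> str:
    """24 random bytes = 192 bits of entropy, far beyond any human-chosen
    password; nobody has to remember it, so nobody can be talked out of it."""
    return base64.urlsafe_b64encode(secrets.token_bytes(nbytes)).decode()


def derive_vault_key(card_secret: bytes, pin: str, salt: bytes) -> bytes:
    """Two factors: something you have (card secret) plus something you know
    (PIN). scrypt slows brute force of the short PIN if the card secret leaks."""
    return hashlib.scrypt(pin.encode() + card_secret, salt=salt, dklen=64, **SCRYPT)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode; replace with AES-GCM in real code."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(vault_key: bytes, plaintext: bytes) -> bytes:
    enc_key, mac_key = vault_key[:32], vault_key[32:]
    nonce = secrets.token_bytes(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def open_sealed(vault_key: bytes, blob: bytes) -> bytes:
    enc_key, mac_key = vault_key[:32], vault_key[32:]
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Wrong PIN, wrong card, or a tampered vault all fail here.
        raise ValueError("vault authentication failed")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))


def make_verifier(password: str) -> bytes:
    """Server side stores a salted scrypt hash, never the password."""
    salt = secrets.token_bytes(16)
    return salt + hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT)


def check_verifier(record: bytes, password: str) -> bool:
    salt, digest = record[:16], record[16:]
    cand = hashlib.scrypt(password.encode(), salt=salt, dklen=32, **SCRYPT)
    return hmac.compare_digest(cand, digest)


def enroll(card_secret: bytes, pin: str) -> tuple[bytes, bytes]:
    """Provisioning. The cleartext password exists only inside this function;
    the caller gets back the sealed vault and the server's verifier record."""
    password = generate_machine_password()
    salt = secrets.token_bytes(16)
    vault_blob = salt + seal(derive_vault_key(card_secret, pin, salt), password.encode())
    return vault_blob, make_verifier(password)


def login(card_secret: bytes, pin: str, vault_blob: bytes, server_record: bytes) -> bool:
    """Open the vault with card + PIN and hand the password straight to the
    verifier. The user is never shown it, so there is nothing to disclose."""
    salt, sealed = vault_blob[:16], vault_blob[16:]
    try:
        password = open_sealed(derive_vault_key(card_secret, pin, salt), sealed)
    except ValueError:
        return False
    return check_verifier(server_record, password.decode())


if __name__ == "__main__":
    vault, record = enroll(CARD_SECRET, "2468")
    print("card + correct PIN:", login(CARD_SECRET, "2468", vault, record))
    print("card + wrong PIN:  ", login(CARD_SECRET, "0000", vault, record))
    print("PIN without card:  ", login(bytes(32), "2468", vault, record))
```

Note what a social engineer can still ask for: the PIN. Without the card secret the PIN opens nothing, which is the point of pairing a possession factor with the knowledge factor rather than replacing one memorised string with another.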
Be sure to check out my next article, “Weak Security Boosts High Costs.”
Dovell Bonnett has been creating computer security solutions for over 25 years. He passionately believes that technology should work for humans, and not the other way around. This passion led him to create innovative solutions that protect businesses from cyberattacks, free individual computer users from cumbersome security policies and put IT administrators back in control of their networks. He solves business security needs by incorporating multiple applications onto single credentials for contact or contactless smartcards. In 2005, he founded Access Smart LLC to provide logical access control solutions. His premier product, Power LogOn, combines Multi-Factor Authentication and Enterprise Password Management on a government-issued ID badge (CAC, PIV, PIV-I, CIV, etc.).