Are you using the same password on different systems? A thought from Mike Gillespie this #WorldPasswordDay
News and information from the Advent IM team.
Managing passwords continues to be a major challenge for any organisation. Our users continue to be told that passwords must be longish, complexish and changed regularly.
Speaking at a conference in 2004 – yes that long ago! – Bill Gates predicted that passwords would soon reach the end of their life, saying that passwords cannot “meet the challenge” of keeping critical information secure. He went on to say “There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don’t meet the challenge for anything you really want to secure.”
Here we are then. World Password Day 2022. Password use has proliferated rather than diminished and continues to be the default method of authentication for a huge range of services, both at work and at home.
Users continue to use the same password on different systems, to write them down and they still do not really meet the requirements of quality security control. Worse, there is plenty of evidence that people just are not choosing anywhere near what might be considered a quality password despite what they are being told.
In 2021, the National Cyber Security Centre's (NCSC) first ‘UK cyber survey’ was published alongside the global password risk list. Amongst a host of findings was that 23.2 million victim accounts worldwide used 123456 as their password.
At the top of the top 100,000 passwords published in the Have I Been Pwned (https://haveibeenpwned.com) data set compiled by Troy Hunt are:
Inevitably there are then numerous variations and permutations of these such as 654321 and 1q2w3e4r5t, the latter of which might, on the face of it, seem like a secure password, being a combination of letters and numbers. However, the fact it is within the top 20 of the top 100,000 would appear to indicate that a) it is quite popular and b) it already sits in an attacker’s database of passwords to be used.
Occasionally there are some more amusing appearances, including a proliferation of swear words – users getting frustrated perhaps? But in the main, it’s a list of people’s first names, football teams, colours and foodstuff – chocolate anyone? Yes, it’s in there.
So why is this? Well, one argument is that the continuing demand from organisations for users to change their passwords every 30 days or so actually degrades our ability to keep choosing good ones, hence the popularity of password1, password2, password3, and so on into infinity and beyond.
Do any of our readers know where this requirement comes from? No, nor do many of the practitioners who keep insisting on it. In fact, it has almost no basis in science at all; it was one of the early computer controls that were thought to be a good idea, and it stuck. In 2017, Ciaran Martin, the head of the National Cyber Security Centre at the time, rubbished the practice of changing passwords on a monthly basis, saying that it was the same as expecting you to remember a new 600-digit number every month. Yet, 5 years on, many organisations are still doing the same old thing and expecting a different outcome – something that is often referred to as Einstein’s Theory of Quantum Insanity.
Modern guidance advocates a greater reliance on people, technical and organisational measures, blended together, with passwords forming just one part of a much wider, and holistic approach to managing information access.
At the heart of good password hygiene, for me, is education. There is no point simply telling our people to choose good passwords and then being surprised when they do not. The onus is on us as professionals to help our people to understand what good looks like, to give them the knowledge and the tools to do the right thing, and to support them by implementing technology that makes doing the right thing intuitive. We need to set people up to succeed, not to fail.
The truth is that because it is a low-cost, simple-to-implement and largely technology-agnostic security control, the use of passwords across the Internet is set to continue for years to come. It is time to break the cycle of insanity and do something different. Oh, and if you are one of those users who has rebelled all these years and refused to change your password every 30 days, well done you… unless, of course, your password is in the top 100,000, in which case maybe a change is overdue.
Mike Gillespie, Managing Director, Advent IM