“What’s your password?” you ask as you patiently wait with fingers poised over a keyboard for your friend to give you the answer.
“It’s password1234”
Scenes like this are all too common, albeit probably to a much lesser extent recently due to the swathe of high-profile hacks. Password security is an issue that doesn’t seem to be discussed very often, however, in the wake of the massive DDoS hack on Dyn last week, it could, and should be entering the conversation.
That’s because many of the compromised devices used to facilitate the attack hadn’t had their default passwords altered by the users. I’ll be the first to admit that managing dozens of passwords, especially when at an organization where multiple users need access to them, can be a headache. You want to make a code that is secure while being extremely memorable to cut down on micromanagement of passwords. Having the same words and numbers, or a variation, can also cut down on the sheer number of passwords you need to remember. If you can recall one you can most likely recall the others.
However, we must ask ourselves: is this really enough effort?
On most password prompts, there are tips and requirements: you must use at least one uppercase and lowercase letter; you must use a number or a nonalphanumeric character; do not use birthdays or your name.
These are good considerations, however the intent behind them may fall short when actually looking at how people implement password guidance.
Many people assume that a password without their name or birthday is ultra-secure, after all why would a hacker be able to know the middle name of their aunt? However, this false sense of security leads to repetition of passwords for multiple services.
Although the use of sequential numbers is likely well-avoided, many people switch one or two numbers around (132 instead of 123) or use the year they, or a parent, were born/graduated/got married.
Many people don’t realize that those who are perpetrating hacks are well-aware of these trends, and their vulnerabilities. Given that many companies invest heavily in cyber and data security, the real danger comes from consumer security oversights.
It’s time that we help ourselves out. Create several randomized and unrelated passwords to use for your various accounts. Keep tabs on how long a password has been in use and retire it after 6 months. Never use a default password setting on a device connected to the internet. Never repeat passwords.
It’s time that internet and connected-device users took responsibility for their own data and invested in cyber-security habits that can only help increase safety and prevent mass-scale attacks from happening in the future.