Wednesday, December 28, 2016

Are passwords DEAD?

Nearly every compromise, arguably all of them, comes from exploiting a weakness. And weak or reused passwords are by far the most common weakness.


By Ed Higgins

When will the problem of password compromises be solved?


Perhaps never. But, come on people! We mustn't make it so easy for even a novice attacker to steal your personal data, identity, credit and bank card accounts, email accounts, Facebook and Twitter accounts, PCs, and everything else by neglecting to use a complex pass-phrase instead of a password like "password" or "password123". Did you know that passwords like these sit at the top of every cracking wordlist and are guessed essentially instantly, in a fraction of a second, before any brute force is even needed? Using the same password for every account is just as bad, because once an attacker controls one account, their primary objective in most cases is to reach as much as possible, with particular focus on tangible targets like credit and bank accounts. So once the bad actor gets into, say, your email account, they can enumerate the other accounts tied to that address and try the same password against each of them in a matter of minutes; in most cases this process is automated.

They say, "Security Problems Exist When the Human Touches the Computer". This is not entirely true, since modern IT and Security groups work together to harden systems by closing unneeded ports, implementing security controls and policies on the systems, and testing them periodically for known and newly disclosed vulnerabilities. By installing anti-virus software on your personal computer, you are improving its security beyond its default settings. But any mistake, such as an open port, an exposed shared service, or a weak password on an administrative account, creates a tiny chink in the armor that a bad actor will quickly detect and exploit.

We need to get past simple passwords and think in terms of pass-phrases that include special characters. Take the following sentence for example, or make up a sentence that you can remember and recall readily.

"Today was the best day of my month, because it is sunny outside!"

Now take the first character of every word in the sentence and splice them together to produce a pass-phrase as follows. Keep the quotation marks, comma, and exclamation point too: they add length and special characters at no cost to memorability.

"Twtbdomm,biiso!"

The above pass-phrase would be considered a "strong password". At fifteen to seventeen mixed-case characters with punctuation, exhausting its keyspace by automated brute force would take an attacker far longer than a thousand years, even against a fast, unsalted hash. The caveat is that this estimate assumes the attacker has to try every combination: a pass-phrase built from a famous quote or song lyric is in the wordlists too, so choose a sentence that is yours alone. If everyone employed password creation practices like this, we would likely cut the number of individual account takeovers dramatically, perhaps by as much as 80%. There are other methods for compromising an account, but the above is a great start, and a strong pass-phrase is the part of the defense against password cracking that only you can provide.
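The following Python script is an added worked example (it is not code from the original article): it derives the pass-phrase from the sentence exactly as described above, then models the order in which a cracker actually works, checking a wordlist first and falling back to a keyspace estimate for brute force. The wordlist is a tiny constructed stand-in for the real top-N lists, and the guess rate of 10^11 per second is an assumption in the range of a GPU rig against a fast unsalted hash such as MD5 or NTLM; a slow hash such as bcrypt would cut that rate by several orders of magnitude.

```python
import re

# Constructed stand-in for the top of a real cracking wordlist. Real lists run
# to millions of entries and are tried before any brute force begins.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "123456", "12345678",
    "qwerty", "abc123", "letmein", "welcome", "admin", "iloveyou",
}

# The sentence from the article, quotation marks included.
SENTENCE = '"Today was the best day of my month, because it is sunny outside!"'


def passphrase_from_sentence(sentence: str) -> str:
    """First character of every word, keeping the punctuation attached to the
    word (opening/closing quotes, commas, exclamation points)."""
    parts = []
    for word in sentence.split():
        m = re.match(r"^(\W*)(\w)(.*?)(\W*)$", word)
        if m is None:                      # token with no letter or digit at all
            parts.append(word)
            continue
        lead, first, _middle, trail = m.groups()
        parts.append(lead + first + trail)
    return "".join(parts)


def charset_size(pw: str) -> int:
    """Alphabet size an attacker must assume, from the character classes present."""
    size = 0
    if re.search(r"[a-z]", pw):
        size += 26
    if re.search(r"[A-Z]", pw):
        size += 26
    if re.search(r"[0-9]", pw):
        size += 10
    if re.search(r"[^A-Za-z0-9]", pw):
        size += 33                          # printable ASCII punctuation and space
    return size


def brute_force_years(pw: str, guesses_per_second: float = 1e11) -> float:
    """Worst-case years to exhaust the keyspace implied by charset_size().
    The default rate is an assumption (GPU rig vs. fast unsalted hash)."""
    keyspace = charset_size(pw) ** len(pw)
    return keyspace / guesses_per_second / (365.25 * 24 * 3600)


def assess(pw: str, guesses_per_second: float = 1e11) -> dict:
    """Cracker's order of operations: wordlist first, brute force last."""
    if pw.lower() in COMMON_PASSWORDS:
        # Found within the first few thousand guesses: effectively instant.
        return {"wordlist_hit": True, "years": 0.0}
    return {"wordlist_hit": False, "years": brute_force_years(pw, guesses_per_second)}


if __name__ == "__main__":
    derived = passphrase_from_sentence(SENTENCE)
    for candidate in ("password123", "Twtbdomm,biiso!", derived):
        r = assess(candidate)
        verdict = "wordlist hit" if r["wordlist_hit"] else f"{r['years']:.3g} years brute force"
        print(f"{candidate!r:22} -> {verdict}")
```

The keyspace number is an upper bound on the attacker's effort, not a guarantee: a mask attack that assumes "one capital, lowercase, one comma, one exclamation point" shrinks the space considerably, and a pattern taken from a well-known sentence is a wordlist entry, not a brute-force problem.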

Since 1996, I have repeated the mantra, sometimes to deaf ears: "Security is Everyone's Responsibility". It's not the responsibility of the sysadmin, not the help desk, not the CISO, not the email system manager, but YOU. Sadly, your negligence in heeding the warnings of the aforementioned people is often the reason good IT and security personnel get fired after a larger incident that you likely caused.

Think about the recent security breach during a political campaign in which one or two weak passwords were compromised, allowing thousands of sensitive emails and documents to be leaked to the public. One simple password caused an embarrassing flood of private conversations, political strategies, and potentially nefarious campaign activities to be revealed, thereby contributing to a political candidate losing an election.

People can be a tremendous asset or a tremendous liability. Admittedly, many systems today do not allow the user to create a simple password, and they also require password changes at frequent but reasonable intervals, deny reuse of previous passwords, and so on. But there remain systems that allow simple passwords. Your own PC is such an example.

There will come a day when ALL systems have more advanced controls, such that there is no such thing as a password, or even a pass-phrase. These will be replaced by technologies that you carry with you. In multi-factor (or two-factor) authentication you present a hardware token (a USB device, a card, or a code generator on your phone) and you also provide a PIN. Another form of multi-factor uses a fingerprint or retina scan, so that a part of your body is the second factor. Security people describe two-factor as "something you have (your device, or your person), something you know (your PIN)". Neither factor alone offers much security, but together they create a far stronger combination: a stolen PIN is useless without the token, and a stolen token is useless without the PIN. Critical systems within corporate environments and governments have employed multi-factor authentication for many years.
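To make "something you have, something you know" concrete, here is an added example (not code from the original article) of how a one-time-code token and a PIN are checked together on the server side. It assumes the token is a TOTP generator (RFC 6238, built on HOTP from RFC 4226), which the article does not name but which is the most common form of the phone or hardware code generator; the secret is the published RFC test secret and the PIN is made up for the demo.

```python
import hashlib
import hmac
import struct

# Constructed demo credentials: the RFC 4226/6238 test secret and a made-up PIN.
DEMO_SECRET = b"12345678901234567890"
DEMO_PIN = "4821"
TIME_STEP = 30  # seconds per TOTP step


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, unix_time: int, step: int = TIME_STEP, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the clock.
    This is what the token in your hand computes and displays."""
    return hotp(secret, unix_time // step, digits)


def verify_two_factor(stored_pin: str, stored_secret: bytes,
                      pin: str, code: str, now: int, window: int = 1) -> bool:
    """Server-side check requiring BOTH factors: the PIN (something you know)
    and a current TOTP code (something you have). Codes from +/- `window`
    steps are accepted to tolerate clock drift between token and server."""
    pin_ok = hmac.compare_digest(stored_pin.encode(), pin.encode())
    counter = now // TIME_STEP
    code_ok = False
    for drift in range(-window, window + 1):
        if counter + drift < 0:            # struct.pack(">Q") rejects negatives
            continue
        # No early break: every candidate is compared so response time does
        # not reveal which step matched; compare_digest is constant-time.
        if hmac.compare_digest(hotp(stored_secret, counter + drift), code):
            code_ok = True
    return pin_ok and code_ok


if __name__ == "__main__":
    now = 59                                # RFC 6238 test time
    shown = totp(DEMO_SECRET, now)
    print("token shows:", shown)
    print("PIN + code  :", verify_two_factor(DEMO_PIN, DEMO_SECRET, DEMO_PIN, shown, now))
    print("code only   :", verify_two_factor(DEMO_PIN, DEMO_SECRET, "0000", shown, now))
    print("PIN only    :", verify_two_factor(DEMO_PIN, DEMO_SECRET, DEMO_PIN, "000000", now))
```

The last two lines of output are the point of the paragraph: knowing the PIN without the token, or holding the token without the PIN, gets the attacker nowhere. In a real deployment the server also records the last counter accepted for each user so a captured code cannot be replayed within its window.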

As long as passwords are used as a security measure between the world and your information, you owe it to yourself, your employer, and your family to at least use a strong pass-phrase.

I hope you enjoyed this article, and hope it was helpful. 

Stay tuned, and stay safe.

Ed