Past performance is no guarantee of future gains

If you have heard any commercials for financial advisors, the above statement is part of every pitch. Of course, they are warning that just because an investment has done well, you can’t be sure it will continue to do well. Sometimes past performance is all we have to go on. We can always be hopeful that things will get better and we often assume that technology will help that future to be realized. Computers certainly have contributed to some things being done better and more efficiently. Like most technology however, there are negative factors also.

As computers have increased the flow of and access to information, they have also made it easier for the bad guys to get to our data. Hence the need for computer security. Back in the early days of the internet, security was not a primary consideration. Today, security is a must. The foundation of computer security has been the password. We all hate passwords. Because security is inconvenient, many hate security as well.

I got to wondering about the state of passwords over the history of the internet. I fired up Google and started searching for “end of passwords”. I decided to search in decade chunks. I did not look at all the pages returned but looked at the first few to get an idea of what was out there.

Searching 1990-1999 returned mostly tech articles dealing with cryptoanalysis, authentication, coding, and other technical aspects of security.

Searching 2000-2010 returned (among others) this article:

• Gates predicts death of the password (February 25, 2004)

Moving along to 2011-2020 we find a recurring theme:

• Logrr: The End of Passwords (July 16, 2013)
• The end of passwords: biometrics are coming but do risks outweigh benefits? (December 8, 2015)
• Passwords Are on the Way Out, and It’s about Time (August 1, 2016)
• The end of passwords: Industry experts explore the possibilities and challenges (April 13, 2020)

Two articles that emphasize ‘Past performance is not a guarantee of future gains’ bear a little closer examination. Remembering the Net crash of ’88 (November 2, 1998) discusses the “Morris Worm” of 1988. If you recall your ancient history, the worm crashed 5% to 10% of the 60,000 hosts on the internet. It was not destructive and eventually, Morris sold his startup Viaweb to Yahoo for $49 million. Why was his worm effective? Did security practices change because of it?

To get past log-in screens, Morris relied on user laziness. His worm found lists of users, then went password hunting. First, it looked for users who’d picked passwords that were the same as their username. Then it tried user names against a list of 432 commonly used passwords. Some schools acknowledged half their accounts were cracked using this method, said Eugene Spafford, professor of computer science at Purdue.

User’s attitudes towards passwords have changed little in the intervening years. If you doubt that, just google ‘worst passwords’ and you will find 123456 in the top 3 for the last several years. End users are not the only culprits, then and now.

“Poor passwords? You bet, people are still setting them,” he said. In fact, several computer experts complained that plenty of system administrators don’t change default passwords when setting up servers. “People set up firewalls, then trust all machines within the firewall. People are used to the idea of self-replicating code. They’re downloading Java applets and Active-X applets all the time.

People Continue to Use Unsafe Passwords

Unfortunately, convenience is often chosen over security. Hence, poor password choice, password reuse, and password sharing lead to account compromises on a grand scale. From the article:

“People want software that is fast and easy to use — you rarely here them say they want a product that’s secure,” he said. “When there were lots of tragic accidents, then car design changed.”

Back in 1997 Create Secure but Easy to Remember Passwords (July 16, 1997) offered this list of suggestions for password maintenance.

• Passwords are supposed to keep something safe and are not meant to be lost. (Unfortunately, today data breaches lose them for you all the time)
• Do not, in any way, tell anyone your password. (Hear, hear)
• Don’t trust anyone with your password. (Seconded with gusto)
  1. Just keep it to yourself, like a toothbrush.
• On the internet, never submit your password from one site on another site.
  1. This can be dangerous. (Not can be, REALLY, REALLY is)
• Be wary of unsecured websites. (HTTPS is not the green light it used to be)
• Type as fast as possible so no one can detect your password. (Keyloggers were not popular then)
• Do not write your password down. (Use a password manager)
• If possible, change your password regularly, especially if you have a master password. (NO! Change only when you know it may have been compromised)
• Always think of your password, so it will be constantly in your mind. (No need if you use a password manager)
  1. Then, no more forgotten passwords.
• Do not fret too much about remembering passwords. (Once more, USE A PASSWORD MANAGER)
  1. You will forget it faster if you worry about it.

So far, past performance has convinced me that passwords are going to be part of the security environment for the foreseeable future. I hope I am wrong. In the meantime, past performance has also shown that using only passwords is not a good security plan (you need two factor- or multifactor-authentication, as well). Good security is not currently convenient but it is necessary.

If you’d like to learn more about securing your network or training your team on how to avoid becoming a victim, give the Ashton team a call at 26 397-4080.