Hitting The Century Mark

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus

This is the 100^th blog I’ve written for Ashton. The sales and marketing wizard over there (you know who you are) suggested that I might look back and see what has changed over the five years that it has taken to reach this milestone. Interestingly enough, the answer (ignoring the last six months) is ‘not much’. The changes in the last six months have been remarkable, but not so much in the technical sense and more in the ‘how we do things’ sense.

For some, five years might sound like a long time; For a 5-year-old child, it is a lifetime and for a 16-year-old waiting for 21, it may seem like forever. It is five generations of iPhones (or Samsung, etc.). Once you reach a certain age, certainly by 65, five years can slip by quickly. That has been the case for me. It hardly feels like five years have passed since I retired from my role as an engineer at Ashton, and started this blog. The focus has always been security and being on guard against those who don’t have your best interests at heart. Unfortunately, the list of things that have not really changed is longer than things that have changed significantly, unfortunately.

People Still Don’t Worry About Password Strength

A shallow search for ‘death of passwords’ brings up articles from 2014, even 2004, predicting the death of the traditional password. Yet, here we are in 2020 and we still start with a user name and password. 2FA, MFA, and biometrics are all out there and usually used in conjunction with passwords. So how have users reacted to the need for passwords? The table shows the worst, most commonly used passwords for the last five full years and 2020, so far.

Just to get a little more perspective I went back to 2011 and found much the same. Notice anything? This list is just the result of the search ‘worst password for 20XX’ and for each year you can get a list. I just included the top 5.  I didn’t go back any further. When it comes to choosing passwords, things have not gotten better. Even though good password managers are available, for free, users seem reluctant to follow good password policy: one password per account, random content, proper length (12-14 characters these days).  As a result, data breaches exposing poorly chosen passwords lead to successful credential stuffing attacks. I suspect that five years from now, the situation will be much the same.

Data Breaches Expose Even More Records

Let’s compare the 2015 and 2019 data. Just taking the top five breaches for the two years shows that the move to put data in the ‘cloud’ has had one impact. Huge amounts of data are available to be harvested.

We live in a time when data is everywhere, including where it should not be. The question is no longer if your data will be exposed but who will need to pay for your next year of free credit monitoring because they lost your data.

IT versus Users

There has always been tension between technology providers and technology consumers. The providers are convinced the consumers don’t know how to use the technology, and the consumers are convinced the providers exist to make their lives difficult. Security Awareness training is based on the idea that the user needs to watch out for traps and tricks. On the opposite side are those that say IT should protect the user so they don’t have to worry or be careful.

The sad part of the ‘IT should protect’ line of thinking is that IT does try. However, this is akin to saying that the automobile manufacturer should make sure the driver can’t be hurt when driving. Self-driving cars are the response to that line of thought, and we see they have a long way to go before they are trustworthy. End-users need to take some responsibility for their cyber-safety, while IT needs to continue to make it as easy as possible to do the right thing. Without some unforeseen breakthrough in data protection and user interfaces, this situation will continue.

Is It a Generational Thing?

What has changed? The ‘old guard’ (Boomers) have been replaced by the ‘new guard’ (Millenials). While every generation has had their nicknames and some general traits, it seems that when we get to the point where Millennials are entering the workforce (the late 90’s), we have much more friction than is typical. Perhaps due to the pervasiveness of information and the need to fill news sources, more was made of the friction than has been done with previous generations. One trait that seems to characterize Millennials is that data security is less prominent in thinking and decision making. So much of modern life is online that it is hard to keep up a constant watchfulness of how we make that data available. Unless you are the direct victim of identity theft, data breaches are nothing more than a news item and not a front-page item at that. The ‘boomer’ viewpoint of data is more like this Dilbert cartoon from 1996:

The takeaway should be that data can be insecure in any setting. As long as there is a way for unscrupulous people to monetize data theft, it will happen. As long as we need to exchange data to accomplish things, that data is at risk. Who is responsible to protect the data (yours and mine)? If it is you and me, do we have the tools and information we need to do the job? Can we trust someone else to do it for us? Those questions have not changed since data started going online, and it definitely won’t change in the future. The ‘boomer’ in me says that I need to take charge as much as I can but the ‘Millennial’ that has rubbed off on me says ‘the data will get out no matter what’.  I would like to see more ‘boomer’ when it comes to data security, but I think that the Millennial attitude will take dominance as time passes. Let’s see if that changes.