If It Ain’t Broke…

Riverbank Ruminations; Observations from The Banks of The Technology River

Tom Evans ~  Ashton Engineer Emeritus


If it ain’t broke

The rest of the saying is “Don’t fix it.” The idea is that tinkering with something that works may break it, or make it work less well than it does now. When I was working in IT support, the mantra was “Better is the enemy of good,” because as a tech guy you always want to tweak a solution to make it a little ‘better’. Sometimes that was a rabbit hole that led to a lot of work for little reward other than more work. But what if it is broken? What if something very important is broken? What if it is your security that is broken? Isn’t that worth fixing?

In this article about removing passwords from accounts and going passwordless, there is a quote from Bret Arsenault, Microsoft’s Chief Information Security Officer (CISO), who likes to say, “Hackers don’t break in, they log in.” There are exceptions, but to my mind it highlights the fact that passwords on their own are no longer a workable security control. The article cites two reasons for this: human nature and hacker nature.

As our online usage increases, following the correct practice of NOT reusing passwords becomes more work than the average user is willing to do. That is human nature. A solution exists (password managers), but that too is more work than most users want to take on. My password manager has 277 entries. They all have unique passwords, so remembering them all is not an option. I have read that having 100-200 accounts is not unusual for users today, especially if you count work-related passwords.

The proliferation of online accounts and the concomitant need for many passwords leads to the problem of hackers ‘logging in’ instead of breaking in. The Verizon 2021 Data Breach Investigations Report analyzed 29,207 incidents, of which 5,258 were confirmed breaches. The report states:

Breaches, as always, continue to be mostly due to external, financially motivated actors. And 61% of breaches involved credential data.

Does that number shock you? Probably not. Breaches are so common that when the number of records affected runs from tens of thousands to millions, a general numbness sets in whenever a new breach is announced. The sad fact is that most of your information has already been exposed. If you have reused passwords, multiple accounts are at risk. Even if you have been scrupulous about password hygiene, your passwords may have been exposed by someone else’s mistake, such as a site that stored them poorly and was breached. Your passwords will get out there, and hackers will try them wherever they can. That’s ‘hacker nature’. So what is to be done?

Some good security methods exist right now. MFA (multifactor authentication, though NOT the SMS-based kind, since text-message codes can be intercepted or captured through SIM swapping) goes a long way toward preventing hackers from logging in to your account even when they have the password. Hardware security keys are more secure still, because a FIDO key will not answer a lookalike phishing site the way a person typing a code will, but they are less convenient than an authenticator app on your phone or laptop. Unfortunately, while some services offer authenticator-based methods, they are by no means the norm, and hardware security keys are used even less.

That brings us to a situation somewhat similar to a person with diabetes who needs to manage their condition. Diabetes cannot be cured, but it can be controlled. That control is up to the person. It may include watching what is eaten and when. It may involve weight management. It may involve insulin injections or wearing an insulin pump. All of this is more work than just eating what you want when you want. Diabetes can be fatal if not treated properly. We have some friends who had a family member with diabetes. This person was not willing to be as careful about their diet as was required to control their diabetes. That person lost a leg as a consequence.

Until a more secure authentication scheme replaces passwords everywhere, users need to take appropriate steps. I suspect that some more secure form of authentication will become widespread eventually, just as there may eventually be a cure for diabetes. In the meantime, are you willing to do the things necessary to keep your information secure?

Someone with diabetes cannot eat just anything anytime and not suffer the consequences. We can’t click on a link without thinking, because there are consequences. A person with diabetes may need to monitor their glucose levels regularly. Checking your credit report, freezing your report, and setting up notifications for all transactions on your financial accounts will help diagnose problems early on. A person with diabetes needs to be more aware of the ingredients in what they eat. Certain foods and ingredients that may not be harmful to others may cause problems for the diabetic. Similarly, we need to examine emails more closely because the bad guys are getting better at disguising phishing emails.

Once a person requires additional insulin, whether via injections or a pump, they take on a much more active role in their health care. Getting and using a password manager to ensure a unique password for every account will go a long way toward reducing your exposure to cybercrime. Taking the extra step of using an authenticator app whenever possible, as part of an MFA approach, adds a very good layer of security.

We are stuck with passwords for some time. They will continue to be the way we authenticate, if not at work, then certainly for personal accounts. Passwords are simple, easily understood, and have a history longer than the Internet itself. Unfortunately, they are no longer an adequate security measure by themselves. Password-only authentication is broken, and it needs to be fixed. Until it is, take a more active role in your own cybersecurity.