As computers have increased the flow of and access to information, they have also made it easier for the bad guys to get to our data. Hence the need for computer security. Back in the early days of the internet, security was not a primary consideration. Today, security is a must. The foundation of computer security has been the password. We all hate passwords. Because security is inconvenient, many hate security as well.
I got to wondering about the state of passwords over the history of the internet. I fired up Google and started searching for “end of passwords”. I decided to search in decade chunks. I did not look at all the pages returned but looked at the first few to get an idea of what was out there.
Searching 1990-1999 returned mostly tech articles dealing with cryptanalysis, authentication, coding, and other technical aspects of security.
Searching 2000-2010 returned (among others) this article:
Moving along to 2011-2020 we find a recurring theme:
Two articles that emphasize ‘Past performance is not a guarantee of future gains’ bear a little closer examination. “Remembering the Net crash of ’88” (November 2, 1998) discusses the “Morris Worm” of 1988. If you recall your ancient history, the worm crashed 5% to 10% of the 60,000 hosts on the internet. It was not destructive, and eventually Morris sold his startup Viaweb to Yahoo for $49 million. Why was his worm effective? Did security practices change because of it?
To get past log-in screens, Morris relied on user laziness. His worm found lists of users, then went password hunting. First, it looked for users who’d picked passwords that were the same as their username. Then it tried user names against a list of 432 commonly used passwords. Some schools acknowledged half their accounts were cracked using this method, said Eugene Spafford, professor of computer science at Purdue.
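The two weaknesses described above (a password equal to the username, and a password from a short list of common choices) can be rejected when a password is set. The sketch below is an added example, not code from the article or from this post; the denylist is a small constructed sample, the function names are hypothetical, and the handling of reversed usernames, trailing digits, and letter substitutions goes beyond the two cases in the text.

```python
import re

# Constructed sample denylist (assumption). A real deployment would load a
# much larger list of common or breached passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome", "admin"}

# Common character substitutions, undone before comparison.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                       "5": "s", "7": "t", "@": "a", "$": "s"})

def _forms(password):
    """Return the normalized forms of a password that will be compared."""
    base = password.casefold()
    stripped = re.sub(r"[\d\W_]+$", "", base)   # drop trailing digits/symbols
    forms = {base, stripped}
    forms |= {f.translate(_LEET) for f in forms}
    forms.discard("")                           # all-digit input strips to ""
    return forms

def _username_variants(username):
    """Username, its local part (before '@'), and both reversed."""
    user = username.casefold()
    local = user.split("@")[0]
    return {user, local, user[::-1], local[::-1]}

def weak_reasons(username, password):
    """Return the reasons a candidate password should be rejected."""
    forms = _forms(password)
    reasons = []
    if forms & _username_variants(username):
        reasons.append("matches-username")
    if forms & COMMON_PASSWORDS:
        reasons.append("common-password")
    return reasons

if __name__ == "__main__":
    # Constructed sample accounts, checked as if at password-set time.
    samples = [("jsmith", "JSmith2024!"), ("alice", "P@ssw0rd1"),
               ("bob", "correct horse battery staple")]
    for user, pw in samples:
        print(user, weak_reasons(user, pw) or "ok")
```

The check needs the plaintext, so it belongs in the password-change path, before the password is hashed and stored.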
Users’ attitudes towards passwords have changed little in the intervening years. If you doubt that, just google ‘worst passwords’ and you will find 123456 in the top 3 for the last several years. End users are not the only culprits, then and now.
“Poor passwords? You bet, people are still setting them,” he said. In fact, several computer experts complained that plenty of system administrators don’t change default passwords when setting up servers. “People set up firewalls, then trust all machines within the firewall. People are used to the idea of self-replicating code. They’re downloading Java applets and Active-X applets all the time.”
Unfortunately, convenience is often chosen over security. Hence, poor password choice, password reuse, and password sharing lead to account compromises on a grand scale. From the article:
“People want software that is fast and easy to use — you rarely hear them say they want a product that’s secure,” he said. “When there were lots of tragic accidents, then car design changed.”
Back in 1997, “Create Secure but Easy to Remember Passwords” (July 16, 1997) offered this list of suggestions for password maintenance.
So far, past performance has convinced me that passwords are going to be part of the security environment for the foreseeable future. I hope I am wrong. In the meantime, past performance has also shown that using only passwords is not a good security plan (you need two-factor or multifactor authentication as well). Good security is not currently convenient, but it is necessary.