Baseball. Sunshine. Welcome.
Do those words ring a bell? They might, if you are among those using lazy passwords to protect yourself online. In October 2012 SplashData, which produces password-management apps, released its annual “Worst Passwords” list, compiled from the (ostensibly) secret words that turn up most often in the stolen-credential dumps attackers post online.
“Password” perennially tops the list, followed by “123456” and its slightly longer cousin “12345678.” “trustno1” is an ironic easy target for hackers, and “letmein” is simply too easy.
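To make concrete why the entries above fall instantly, here is a small added example (mine, not part of the original post or SplashData's tooling) of the dictionary attack that recovers them. It hashes every word on a constructed wordlist, limited to the passwords named on this page, together with the cheap "rule" variants that cracking tools apply (capitalise, append a digit or symbol), and then looks up each leaked hash in that table. The leaked hashes, the use of unsalted SHA-256 as a stand-in for the fast hashes found in breach dumps, and the `is_weak` policy check are all assumptions for illustration.

```python
import hashlib
from typing import Dict, Iterable, Iterator, Optional

# Constructed wordlist: only the entries this post names, not SplashData's full list.
WORST_PASSWORDS = [
    "password", "123456", "12345678", "trustno1", "letmein",
    "baseball", "sunshine", "welcome",
]


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for the fast unsalted hashes in many breach dumps."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def mangle(word: str) -> Iterator[str]:
    """Cheap rule-based variants that cracking tools try besides the bare word.

    Covers the 'Password1' / 'letmein!' permutations people believe are safer.
    """
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "!", "123", "2012"):
            yield base + suffix


def candidates(wordlist: Iterable[str]) -> Iterator[str]:
    """Every guess the attack will make: each word plus its mangled variants."""
    for word in wordlist:
        yield from mangle(word)


def dictionary_attack(
    target_hashes: Iterable[str],
    wordlist: Iterable[str] = WORST_PASSWORDS,
) -> Dict[str, Optional[str]]:
    """Map each leaked hash to the recovered password, or None if no guess matched.

    Because the hashes are unsalted, every candidate is hashed once and reused
    against all targets, so cost is O(candidates + targets), not their product.
    """
    lookup = {sha256_hex(guess): guess for guess in candidates(wordlist)}
    return {h: lookup.get(h) for h in target_hashes}


def is_weak(password: str, wordlist: Iterable[str] = WORST_PASSWORDS) -> bool:
    """Policy check (hypothetical): reject anything this attack would recover."""
    return password in set(candidates(wordlist))


if __name__ == "__main__":
    # Constructed 'leaked' hashes: three weak choices and one long passphrase.
    leaked = [sha256_hex(p) for p in
              ("Password1", "letmein", "trustno1!", "correct horse battery staple")]
    for digest, found in dictionary_attack(leaked).items():
        print(digest[:12], "->", found if found else "not recovered by this wordlist")
```

Salting the stored hashes defeats the shared lookup table, and a deliberately slow hash (bcrypt, scrypt, Argon2) makes each guess expensive, but neither helps a user whose password is one of a few dozen candidates: the attacker simply hashes those few per account. That is why the check belongs at password-selection time, against a far larger breach corpus than the eight words used here.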
The secret world of passwords has been in the news lately, as attackers have become increasingly skilled at guessing or cracking the credentials that guard sites, business or personal, and taking whatever they want once inside. For enterprises, the target can be data whose loss can cripple or destroy the business. For individuals, the damage ranges from monetary loss to the theft of dignity. (Just think of the photos stolen from celebrities’ cell phones.)
“Even though each year hacking tools get more sophisticated, thieves still tend to prefer easy targets,” said Morgan Slain, SplashData CEO, when the company released its list. “Just a little bit more effort in choosing better passwords will go a long way toward making you safer online.”
Figures on the average number of passwords each web user employs vary. Think how many you juggle in your memory or on some tucked-away file—or even worse, on a sticky note inside your desk drawer. Think how often you peck your passwords onto keyboards or phone screens each day. Some of your passwords are likely duplicates. Some are permutations. Some you have likely forgotten. (There are password-storing apps that work well—as long as you remember the password to access them.)
The sad truth is this: all passwords are vulnerable to varying degrees.
“2012 may have been the year that the password broke,” wrote Robert McMillan in January’s WIRED piece that detailed Google’s “war on the password” with its experimental password substitutes, such as cryptographic cards and rings that verify the finger—and the identity—of the person in front of the screen.
“Passwords are a cheap and easy way to authenticate web surfers, but they are not secure enough for today’s Internet, and they never will be,” McMillan wrote.
It’s scary stuff. So where do we fit in, those of us who make our livings securing information, data and the enterprises and individuals that require those things to be private in order to operate? Is the mutating world of passwords good for us or a tricky new obstacle?
The answer is both. When new problems arise, there is greater demand for problem-solvers: greater demand for professionals with the skills, training, backgrounds and certifications that enable them to, in this case, contribute to the cause of ensuring passwords are as impenetrable as possible.
On the flip side, professionals in information security must also stay abreast of these changes, which can be tricky. When the battle shifts, the professionals have to adapt and do it quickly.
I take pride in knowing that the 100,000+ members of ISACA have a long history of that adaptability. If we truly are all involved in this challenge to passwords, I am confident in the skills of our constituents.
Greg Grocholski, CISA
International President, ISACA and the IT Governance Institute