Why Computer Passwords Are Still a Problem in 2019
Originally Published on Nextgov on January 11th, 2019
By the #CyberAvengers Paul Ferrillo, Chuck Brooks, Kenneth Holley, George Platsis, Shawn Tuma, George E. Thomas Jr., Chris Veltsos
There was a recent article before the holiday break on the complexity of computer passwords. The top “worst” password for 2018 was “123456.” Close behind in second place was “password.” They were also in first and second place in 2017. Slightly more complex was “123456789,” in third place in 2018, with the one-character shorter version, “12345678” just behind in fourth place. You get the gist.
Passwords are one of the critical problems in cybersecurity today. They are too easy to guess. They are too easy to break. All a hacker needs is your user ID (for example, notsodifficult@password.com) and he or she can be off to the races in a matter of minutes, invading your employee email account. Likely he will also be able to raid many of your other online accounts (shopping, online gaming, streaming video) because you thought your lame password was so tricky that it was worthy of reusing in your 10 other accounts. The technical term for what happens here is an account takeover; in this case, ten of them. Reusing a lame password is problem one.
Problem two is social media. We are enamored with sharing information with our family and friends. That is good. Unfortunately, we share too much: names, places you went on vacation, names of dogs and cats and other animals, even grandparents’ names and locations. That is all good, except when those same names of places and dogs show up in your password.
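To make problems one and two concrete, here is an added example (not code from the original article) of a defender-side password policy check in Python: it rejects the "worst list" passwords the article cites and any password built from personal details a user has shared, even when the user disguises them with common character substitutions. The denylist and the personal tokens are constructed for the example; a real deployment would load a full breached-password corpus.

```python
import re

# Constructed denylist: the four "worst" passwords the article names plus
# one more common entry. In production, load a full breached-password corpus.
WORST_PASSWORDS = {"123456", "password", "123456789", "12345678", "qwerty"}

# Substitutions people commonly use to "disguise" a familiar word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s", "!": "i"})


def _squash(text: str) -> str:
    """Keep only lower-case letters and digits (drops separators/punctuation)."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(password: str, personal_tokens: list[str],
                   min_len: int = 12) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes.

    personal_tokens: details the user is known to have shared publicly
    (pet names, vacation spots, relatives' names), compared in both raw and
    de-leeted form so "F1d0" still matches "Fido".
    """
    problems = []
    raw = _squash(password)
    deleet = _squash(password.lower().translate(_LEET))

    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if raw in WORST_PASSWORDS or deleet in WORST_PASSWORDS:
        problems.append("on the worst-passwords list")
    if raw.isdigit():
        problems.append("digits only")
    for token in personal_tokens:
        t = _squash(token)
        if len(t) >= 3 and (t in raw or t in deleet):
            problems.append(f"contains personal detail {token!r}")
    return problems


if __name__ == "__main__":
    shared = ["Fido", "Chicago"]  # constructed: details scraped from a profile
    for candidate in ["123456", "p@ssw0rd", "F1d0-Chic4go!!",
                      "correct-horse-battery-staple"]:
        print(candidate, "->", check_password(candidate, shared) or "OK")
```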
Another part of the problem is simply what you read about daily in the newspapers and blogs: in many of the largest breaches, many millions of passwords were stolen in 2017 and 2018 by third-party cyber criminals and nation-state attackers. If you weren’t able to reset all those passwords, you could be at risk across the board wherever you reused those passwords in other places.
The last problem is spear phishing. Sometimes, cybercriminals are able to mimic the look and feel of a real company’s or bank’s letterhead or website, and ask the user in a tricky email for his user ID to help “solve a problem.” Except, the user doesn’t notice that the email comes from www,willsfargo,com or www,citibenk,com [yes, we replaced the periods with commas to prevent sending you there]—spoofed website addresses that are obviously not from these institutions. The user, being too busy with Christmas shopping, doesn’t notice the spoofing and enters his ID and password. This creates the stolen password problem and account takeover problem once again.