Thus goes the old adage.
Of all the fields in which we would expect the ‘experts’ to follow their own rules, data security would probably be it. With a growing list of high-profile hacks caused by poor security practices, infosec professionals are well aware of what’s at risk from being careless in this area.
Unfortunately, the data suggests that even the pros are being a bit lax when it comes to securing their digital identities.
In a recent study, the California-based cyber firm Lastline published findings on trends in password usage among IT professionals. The data, collected during the recent Infosecurity Europe conference in London, revealed what can aptly be described as the “Achilles heel” of security experts.
The weakness is nothing new. In fact, it is a well-known syndrome that anyone with access to multiple systems is at risk for: reusing passwords.
A Rookie Mistake
As is well known, reusing passwords across multiple accounts makes it much easier for malicious actors to compromise every additional account once one of them is breached. An IT novice could be forgiven for this mistake, whether from not understanding the implications of this very risky practice or from thinking that password reuse constitutes some rudimentary single sign-on (SSO) system.
Either way, anyone trained in safeguarding digital networks and practicing this craft for a living is certainly aware of the dangers tied to using the same password for multiple accounts. Indeed, security experts have been railing about the trend of password reuse and the threat it poses to enterprises for years.
“The fact that elements of the security community are not listening to their own advice around security best practices and setting a good example is somewhat worrying,” said Andy Norton, director of threat intelligence at Lastline.
The Risks Pile Up
In recent months, the world of IT has continued to see numerous password-related hacks, affecting thousands of users worldwide and causing millions of dollars in damages. In most of these instances, cyber criminals actually had to work to execute the breach: the majority of hacks were the result of phishing campaigns, social engineering, and other malicious activities. Many breaches are due to overly simple passwords, but at least there the hackers had to spend time guessing.
Hacks that originate in password reuse are different. Once the password for one account is exposed, it’s game over for every other system the user has access to. No additional effort is required on the hackers’ part; they simply log in and they’re ready to roll.
Don’t Fix the System, Replace it
As an infosec professional myself, and as someone who specializes in digital authentication, it hurts to see other IT experts reusing passwords. I understand that password-based systems put a heavy burden on users (so many passwords to remember, and the cumbersome nature of password vaults and managers), but it still hurts.
What hits me so hard is not just that these IT managers are putting their own accounts at risk. That would be bad enough, especially considering the privileged access security executives typically have to company networks. The worst part about this trend is what it says about organization-wide security practices: if the security pros themselves can’t get password reuse right, how are they supposed to effectively enforce that and similar policies throughout their companies?
If we’ve learned anything from the long line of password hacks over the recent period, it’s this: no policy or set of policies is going to solve all of the password’s vulnerabilities.
When human users are involved, secrets that must be safeguarded and stored will always be in danger.
Indeed, of all the risks associated with passwords, this is likely the biggest one. Human users are naturally inclined to find ways of simplifying their authentication responsibilities. They’ll create simple passwords, they’ll use insecure means of remembering them, and they’ll reuse them.
For this reason alone, password-based authentication is, and always will be, inherently flawed.
The solution to the shortcomings of password authentication systems is not to fix them but to get rid of them. The answer is going passwordless. Utilizing user-friendly, out-of-band passwordless platforms means not only a faster and simpler user experience, but also a vastly more secure network.