We are terrible at making passwords

SolarWinds is a software developer that helps manage the network infrastructure of more than 300,000 companies. It announced in December 2020 that its Orion platform had been compromised by a cyberattack. Described as the "largest and most sophisticated hack ever", it had wearily familiar roots. An intern used the password “solarwinds123” to secure a publicly accessible server.

I've got a stronger password than 'solarwinds123' to stop my kids from watching too much YouTube on their iPad

Representative Katie Porter of California

The intern could have at least capitalised the S and put an ! at the end like everyone else. That would have satisfied the requirement for uppercase and special characters, so it's much stronger, right? No.

High stakes

Companies spent an average of $2,700 per employee on cybersecurity in 2020 and the average data breach cost was $3.9 million. Strong employee passwords are critical in protecting your organisation from the outside world. This is too important to keep getting wrong. The good news is you can fix this without spending a fortune. First though, you need to face an uncomfortable truth.

Elephant in the room

People are predictable

We are not good at originality. Our predictability is brutally exposed by the passwords we make. When asked to pick random numbers, letters or words we immediately think of the same combinations as everyone else.

Pattern                     Example
Days                        wednesday
Replacing characters        w3dn35d@y
Capitals and exclamations   Wednesday!
Numbers at end              Wednesday3
Adjacent letters            asdfg
Common words                elephant

If asked to meet a password schema we predictably capitalise the first letter, replace letters with the same special characters and append numbers. Our random word selections are at the level of a five-year-old.
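The patterns in the table are exactly what a password audit can undo mechanically: strip the trailing digits and punctuation, lower-case the capitalised first letter, reverse the character substitutions, and see whether a common word is left. The following is an added example, not code from Qwertycard or the original post; the word list, the character-substitution map and the keyboard rows are constructed stand-ins for the much larger lists that real password-auditing tools use.

```python
import string

# Constructed, tiny stand-in for the wordlists and leaked-password corpora that
# password-auditing tools are built on; real lists run to millions of entries.
COMMON_WORDS = {
    "monday", "tuesday", "wednesday", "thursday", "friday", "saturday", "sunday",
    "elephant", "password", "solarwinds", "welcome", "summer",
}

# Assumed inverse of the substitutions people predictably make ("w3dn35d@y" -> "wednesday").
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s",
})

# Physical keyboard rows: a run of adjacent keys ("asdfg", "qwerty", "1234") is not random.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]


def keyboard_run(pw: str, min_len: int = 4) -> bool:
    """True if pw contains min_len adjacent keys from one row, forwards or backwards."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for start in range(len(row) - min_len + 1):
            seg = row[start:start + min_len]
            if seg in s or seg[::-1] in s:
                return True
    return False


def normalise(pw: str) -> str:
    """Undo the mangling steps from the table, in reverse of the order people apply them."""
    core = pw.rstrip(string.digits + string.punctuation)  # "Wednesday3", "Wednesday!" -> "Wednesday"
    core = core.lower()                                    # "Wednesday" -> "wednesday"
    return core.translate(LEET_MAP)                        # "w3dn35d@y" -> "wednesday"


def predictable(pw: str) -> tuple:
    """Classify a candidate password; returns (is_predictable, reason)."""
    if keyboard_run(pw):
        return True, "adjacent keyboard keys"
    core = normalise(pw)
    if core in COMMON_WORDS:
        return True, f"common word '{core}' with predictable mangling"
    # A genuinely random tail survives normalisation and matches nothing in the list.
    return False, "no known pattern"


if __name__ == "__main__":
    for candidate in ["Monday123!", "w3dn35d@y", "asdfg", "Elephant",
                      "solarwinds123", "solarwinds123faT2qYefP"]:
        print(f"{candidate:24} -> {predictable(candidate)}")
```

Run against the table's own examples, every row is flagged, and so is the intern's "solarwinds123"; only the version with a random tail appended passes, because there is no rule that turns "faT2qYefP" back into a word.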

Password changes are a pain

When forced to change a password we try to make a new one as close as possible to our current password. This often means incrementing a number at the end, or changing the word Sunday to Monday. We do this to avoid the work of having to think up complex passwords and then remember them! We absolutely don't want to forget a password and have all the additional work a reset would involve.

Of course we’re not fooling anyone, least of all machine learning algorithms that can exploit any non-random trait to predict our passwords. Our predictable password habits are an open book to algorithms trained on large databases of previously hacked passwords.

This is who we are

Despite all the evidence to the contrary, the fantasy persists that people can be taught, persuaded and forced into making strong passwords. Instead of looking for solutions that accommodate real world behaviour, we continue to insist that people are the problem.

A new approach is needed for companies that are serious about protecting their data, because if you manage an organisation your employees will be using easily guessable passwords. Yes 😱 your employees are normal people making passwords like the SolarWinds intern.

Monday123!

What can you do about it?

We’ve been conditioned to think that writing a password down is always a bad idea. But if done correctly it can actually improve your security. A password made up of two parts is stronger than the sum of its parts:

Random password written down + Current password in your head

Combining these two halves into a single password gives you the best protection of each individual half. A cyber attacker won’t have access to the written half and will no longer be able to guess your password by brute force. A thief will have the written note, but no access to the password in your head. Even if the note is stolen you’re still protected by the half of the password in your head, exactly as you are now.

So keep asking your employees to do better than “solarwinds123”, but also use this two-halves approach. Have them write down an unmemorable random code and add it to the end of the password in their head. Using the password “solarwinds123faT2qYefP” is much safer even if half of it is written down.
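To put numbers on the claim above: the written half should come from a cryptographic random source, and what an attacker still has to guess depends on which half they got hold of. The following is an added example, not code from Qwertycard or the original post; the 20-bit figure used for the memorised half is a constructed assumption standing in for a weak pattern like "solarwinds123", and the 9-character length simply matches the "faT2qYefP" tail in the text.

```python
import math
import secrets
import string

# Alphabet for the written-down half: letters and digits, like the "faT2qYefP" tail above.
WRITTEN_ALPHABET = string.ascii_letters + string.digits  # 62 symbols


def random_written_half(length: int = 9) -> str:
    """The half that goes on paper, drawn from the OS CSPRNG (secrets), never random.choice()."""
    return "".join(secrets.choice(WRITTEN_ALPHABET) for _ in range(length))


def bits_for_random(length: int, alphabet_size: int = len(WRITTEN_ALPHABET)) -> float:
    """Guessing entropy of a uniformly random string: log2(alphabet_size ** length)."""
    return length * math.log2(alphabet_size)


def residual_bits(memorised_bits: float, written_len: int) -> dict:
    """Bits an attacker must still guess under each way one half can be compromised.

    memorised_bits is an assumed estimate of how guessable the head-part is; a
    predictable pattern is worth far fewer bits than its character count suggests.
    """
    written_bits = bits_for_random(written_len)
    return {
        "note stolen, memorised half safe": memorised_bits,
        "memorised half leaked, note safe": written_bits,
        "neither half known": memorised_bits + written_bits,
    }


def compose(memorised: str, written: str) -> str:
    """The credential actually typed: memorised part first, random written part appended."""
    return memorised + written


if __name__ == "__main__":
    note = random_written_half()
    print("write this on the note:", note)
    print("type this at login:   ", compose("solarwinds123", note))
    # Constructed assumption: the memorised half is worth about 20 bits to a cracker.
    for scenario, bits in residual_bits(memorised_bits=20.0, written_len=len(note)).items():
        print(f"{scenario:36} {bits:6.1f} bits")
```

The nine random characters alone are worth about 53.6 bits, so losing the memorised half leaves the attacker with a search space that is out of reach for online guessing; losing the note leaves them exactly where they were before, facing the memorised half. Neither compromise reduces the password below the strength of the surviving half, which is the whole point of the split.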

Final thought, overcoming human inertia

Even writing down a random password is actually a lot to ask of most people (I don’t have a pen, and what random letter should I put after wR4?). There’s that pesky real-world-behaviour thing again.

This was the idea behind the Enterprise Qwertycard. We recognise human nature and want to make security as easy as possible. We literally give you a bunch of scratch cards with random codes already printed on them.

Make things easy for people and it will work, make it difficult and people will just do what people always do. Monday123!
