It’s time to confess your cyber sins. It’s OK. I’m a professional.
Have you ever used the same password more than once?
Don’t be ashamed. We’ve all done it. Repeat after me:
“Hello, my name is __________ and I am a password re-user.”
“We love you __________.”
Was it Confucius (or was that Sun Tzu?) who said, “Know thy enemy”? Corrie Ten Boom was a bit more descriptive: “The first step on the way to victory is to recognize the enemy.”
In the case of passwords, we need to be more specific:
“We have met the enemy and he is us.” – Walt Kelly
Perhaps your employer, like many responsible organizations, has quite a few requirements for the creation and management of your passwords — rightfully so! As I’ll describe below, our passwords are remarkably vulnerable, due, of course, to human nature. (We have met the enemy …)
An acquaintance of mine was called in to gain access to a major manufacturing company in a “pen test.” So … he first went out to LinkedIn and gathered the profiles of 100 employees from Company B. He then proceeded to do a bit of research with Professor Google, and discovered the email domain and username format for Company B, along with how to access the company’s email online.
(Try this yourself: Open a new browser window, and search for “marriott email access”; what’s the first result?)
Now Company B had a policy that everyone’s password had to be changed every 90 days, or 4 times per year. This was a responsible company trying to do a good job, so, of course, they also locked people out after five incorrect password guesses. So guess what my friend did?
Knowing human nature, he turned to the first of his LinkedIn-collected employees and via the company’s browser-based access to Outlook he typed in firstname.lastname@example.org with a password of “Autumn2018.” No luck. So he proceeded to the next employee and entered email@example.com with a password of “Autumn2018.”
(See how that works? You have to change your password four times a year: Winter2018, Summer2018, etc. — easy to remember, 10 characters, a capital letter, a number, etc. “We have met the enemy …”)
After trying 100 employee emails with the password “Autumn2018,” he had accessed the email of four Company B employees!
The next step was to begin doing strategic searches through the employees’ email. Before long he found a conversation revealing the existence of a legacy VPN site that didn’t require Multi-factor Authentication. In two shakes of a lamb’s tail he had inside access to Company B’s network. The rest of the story gets worse from there, but we’re focused on passwords here.
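The pattern in the story is one guess against many accounts rather than many guesses against one, which is exactly what a lockout-after-five rule does not see. The following added example (not the post’s code, and not from anyone in it) runs a detection over constructed web-mail authentication log lines: it counts distinct accounts per source address inside a time window and flags a source that touches many accounts while keeping every one of them under the lockout threshold, then lists any successful logins from that source so they can be reviewed. The log format, hostnames and addresses are assumptions.

```python
"""Added example (not the post's code): flag a password spray in constructed
web-mail authentication logs. A spray, as in the story above, touches many
accounts with one guess each to stay under the lockout threshold, so the
detection keys on distinct users per source rather than attempts per user."""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed log format and sample lines; real OWA/IIS or IdP logs differ in layout.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<app>\S+) (?P<event>auth_failure|auth_success) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SAMPLE_LOG = (
    # one guess against each of twelve accounts from one address, a minute apart
    [f"2018-10-01T08:{i:02d}:00Z OWA auth_failure user=user{i:02d} src=203.0.113.7" for i in range(12)]
    # two accounts where the single guess worked
    + ["2018-10-01T08:12:00Z OWA auth_success user=user12 src=203.0.113.7",
       "2018-10-01T08:13:00Z OWA auth_success user=user13 src=203.0.113.7"]
    # a brute force against one account: trips the lockout, not a spray
    + [f"2018-10-01T09:00:{i:02d}Z OWA auth_failure user=dave src=198.51.100.9" for i in range(6)]
    # an ordinary typo followed by a successful login
    + ["2018-10-01T09:30:00Z OWA auth_failure user=erin src=192.0.2.5",
       "2018-10-01T09:30:20Z OWA auth_success user=erin src=192.0.2.5"]
)


def parse_log(lines):
    """Turn raw lines into event dicts, skipping lines that do not match the format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(ev)
    return events


def detect_spray(events, window=timedelta(minutes=15), min_users=10, lockout_threshold=5):
    """Return one alert per source whose failures, inside any `window`, cover at
    least `min_users` distinct accounts while every account stays below the lockout
    threshold. Successful logins from a flagged source are listed for review."""
    failures = defaultdict(list)
    successes = defaultdict(set)
    for ev in events:
        if ev["event"] == "auth_failure":
            failures[ev["src"]].append(ev)
        else:
            successes[ev["src"]].add(ev["user"])

    alerts = []
    for src, fails in failures.items():
        fails.sort(key=lambda ev: ev["ts"])
        best, start = None, 0
        for end in range(len(fails)):
            # slide the window start forward so fails[start:end + 1] spans at most `window`
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(ev["user"] for ev in fails[start:end + 1])
            if len(per_user) >= min_users and max(per_user.values()) < lockout_threshold:
                if best is None or len(per_user) > best["distinct_users"]:
                    best = {
                        "src": src,
                        "distinct_users": len(per_user),
                        "max_attempts_per_user": max(per_user.values()),
                        "window_start": fails[start]["ts"].isoformat(),
                        "accounts_opened": sorted(successes.get(src, ())),
                    }
        if best is not None:
            alerts.append(best)
    return alerts


if __name__ == "__main__":
    for alert in detect_spray(parse_log(SAMPLE_LOG)):
        print(alert)
```

Run as-is, it flags only 203.0.113.7 (12 accounts, one attempt each) and reports user12 and user13 as the accounts that opened; the six attempts against dave from 198.51.100.9 are a single-account brute force that the lockout itself handles, and erin’s typo never reaches the threshold. The window, the distinct-user floor and the lockout value are tuning knobs that should match the real policy (the story’s was five guesses).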
What can you do? Fortunately, the skills you develop in responsible password management will serve you just as well at home as they do at work.
Your employer probably requires a password to satisfy several rules:
- It cannot contain more than four consecutive letters of any dictionary word.
- It must include at least three of the following four character classes: uppercase letters, lowercase letters, numerals and special characters.
- It must be a minimum of eight characters.
- It cannot be the same as any of the previous 24 passwords used for that account.
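To see why rules like these do not stop “Autumn2018”, here is an added example (my own code, not the post’s or any employer’s) that implements the four rules above and walks a season-per-quarter rotation through them. The word list is a constructed stand-in, and history is compared by digest; both are assumptions made for the demo.

```python
"""Added example (not the post's code): a checker for the four password rules
listed above, used to show that seasonal passwords such as "Autumn2018"
satisfy every rule except the dictionary rule, and that one only if the
season names are in the word list. The word list below is constructed."""
import hashlib
import re

# Constructed stand-in word list; a real deployment loads a full dictionary.
DICTIONARY = {"winter", "spring", "summer", "autumn", "password", "company", "welcome"}
MAX_DICT_RUN = 4      # rule 1: no more than four consecutive letters of a dictionary word
MIN_CLASSES = 3       # rule 2: at least three of the four character classes
MIN_LENGTH = 8        # rule 3: at least eight characters
HISTORY_DEPTH = 24    # rule 4: not equal to any of the previous 24 passwords


def dictionary_run(password, dictionary=DICTIONARY, max_run=MAX_DICT_RUN):
    """Return the dictionary word that contributes more than max_run consecutive
    letters to the password, or None if no word does."""
    lowered = password.lower()
    n = max_run + 1
    for word in sorted(dictionary):
        for i in range(len(word) - n + 1):
            if word[i:i + n] in lowered:
                return word
    return None


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, special) the password uses."""
    patterns = (r"[A-Z]", r"[a-z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, password))


def fingerprint(password):
    """Digest kept for the history comparison. Illustration only: a production
    system keeps slow, salted password hashes (bcrypt/argon2) for history too."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_policy(password, history=(), dictionary=DICTIONARY):
    """Return the list of violated rules; an empty list means the policy is satisfied."""
    violations = []
    word = dictionary_run(password, dictionary)
    if word is not None:
        violations.append(f"contains more than {MAX_DICT_RUN} consecutive letters of '{word}'")
    if character_classes(password) < MIN_CLASSES:
        violations.append(f"uses fewer than {MIN_CLASSES} of 4 character classes")
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    if fingerprint(password) in list(history)[-HISTORY_DEPTH:]:
        violations.append(f"matches one of the previous {HISTORY_DEPTH} passwords")
    return violations


def seasonal_rotation(years=(2017, 2018), dictionary=DICTIONARY):
    """Walk a season-per-quarter rotation through the policy; return {password: violations}."""
    history = []
    report = {}
    for year in years:
        for season in ("Winter", "Spring", "Summer", "Autumn"):
            candidate = f"{season}{year}"
            report[candidate] = check_policy(candidate, history, dictionary)
            history.append(fingerprint(candidate))
    return report


if __name__ == "__main__":
    # With no word list at all, every seasonal password passes all four rules.
    for pw, problems in seasonal_rotation(dictionary=set()).items():
        print(f"{pw:12} {'OK' if not problems else problems}")
    # With the season names in the list, only the dictionary rule objects.
    print(check_policy("Autumn2018"))
```

The length, character-class and history rules are all satisfied by every entry in the rotation, so the only control standing between this policy and the attack in the story is the dictionary rule, and only when the word list actually contains the season names; that is the gap a password manager closes by making the password something no human would choose.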
Need help creating good, satisfactory passwords? This article by lifehacker is very good. You will note that you basically need a Password Manager. I’m partial to Bitwarden, but there are also many other good ones.