Password's rotten core not complexity but reuse

Summary:SANS Institute's list of the top 7 human risks in computing includes phishing, passwords, and devices.

It's not how sophisticated one makes their password, but how many variations they have — or don't have — that make them security risks.

In his look at the top seven human risks associated with computing, Lance Spitzner, director of the "Securing The Human" program at the SANS Institute, listed password reuse as number two on the list.

"With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts," said Spitzner. "Once the bad guys got it, it was very simple to move around [the network]."

Online password reuse also makes it easy for hackers to use one stolen credential at many sites, which is what happened to Best Buy customers last year.

The reuse issue is the reason hacked companies tell people to change their passwords not only on the hacked site, but on other sites they visit. This is especially true now that hackers routinely post stolen user names and passwords online, which can mean that multiple accounts get compromised months or even years beyond the initial password theft.

Spitzner said risk happens as soon as humans touch keyboards.

"People are no more than another OS — the human OS — and we have done nothing to secure this OS," he said. "All the services are on by default and this OS is happy to share."

But Spitzner was not calling people out as "stupid or un-trainable"; he said the issue is that we've done nothing to change our behavior.

"People underestimate risk, they go to websites, they download files, they insert USB sticks," he said.

His list of the seven top human risks are:

  • Phishing

  • Password reuse across sites

  • Not patching or updating devices (BYOD)

  • Indiscriminate use of mobile media

  • Sharing too much personal/work information on social networking sites

  • Lack of situational awareness

  • Accidental disclosure/loss of information.

Spitzner said that most organizations suffer from a subset of this list. In his position at SANS, he instructs companies to do a risk analysis and then focus on their top risks.

"Don't overwhelm people with all of these," he said. "Teach the fewest topics that have the greatest impact."

One technique Spitzner suggested is creating training modules that can be reused over time to keep the training fresh in people's minds. And create content people can consume on their own time, he said.

"A key thing I have learned is not what you teach, but how," he said. "Don't focus on how awareness affects the corporation, focus on how it affects people at home. Then security becomes part of their DNA."

To listen to Spitzner's entire webcast, Mitigating the top Human Risks, click here.

Topics: Security

About

John Fontana is a journalist focusing on access control, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he writes and edits a blog, as well as, directs several social media channels and represents Yubico at the FIDO Alliance. Prior to Yubico, John spent five y... Full Bio

zdnet_core.socialButton.googleLabel Contact Disclosure

Kick off your day with ZDNet's daily email newsletter. It's the freshest tech news and opinion, served hot. Get it.

Related Stories

The best of ZDNet, delivered

You have been successfully signed up. To sign up for more newsletters or to manage your account, visit the Newsletter Subscription Center.
Subscription failed.