Password's rotten core not complexity but reuse

Summary: SANS Institute's list of the top 7 human risks in computing includes phishing, passwords, and devices.

It's not how sophisticated people make their passwords, but how many different ones they use, or don't use, that makes them security risks.

In his look at the top seven human risks associated with computing, Lance Spitzner, director of the "Securing The Human" program at the SANS Institute, listed password reuse as number two on the list.

"With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts," said Spitzner. "Once the bad guys got it, it was very simple to move around [the network]."

Online password reuse also makes it easy for hackers to use one stolen credential at many sites, which is what happened to Best Buy customers last year.

The reuse issue is the reason hacked companies tell people to change their passwords not only on the hacked site, but on other sites they visit. This is especially true now that hackers routinely post stolen user names and passwords online, which can mean that multiple accounts get compromised months or even years beyond the initial password theft.

Spitzner said risk happens as soon as humans touch keyboards.

"People are no more than another OS — the human OS — and we have done nothing to secure this OS," he said. "All the services are on by default and this OS is happy to share."

But Spitzner was not calling people out as "stupid or un-trainable"; he said the issue is that we've done nothing to change our behavior.

"People underestimate risk, they go to websites, they download files, they insert USB sticks," he said.

His list of the seven top human risks is:

  • Phishing

  • Password reuse across sites

  • Not patching or updating devices (BYOD)

  • Indiscriminate use of mobile media

  • Sharing too much personal/work information on social networking sites

  • Lack of situational awareness

  • Accidental disclosure/loss of information

Spitzner said that most organizations suffer from a subset of this list. In his position at SANS, he instructs companies to do a risk analysis and then focus on their top risks.

"Don't overwhelm people with all of these," he said. "Teach the fewest topics that have the greatest impact."

One technique Spitzner suggested is creating training modules that can be reused over time to keep the training fresh in people's minds. And create content people can consume on their own time, he said.

"A key thing I have learned is not what you teach, but how," he said. "Don't focus on how awareness affects the corporation, focus on how it affects people at home. Then security becomes part of their DNA."

Spitzner's entire webcast is titled Mitigating the top Human Risks.

John Fontana is a journalist focusing on authentication, identity, privacy and security issues. Currently, he is the Identity Evangelist for strong authentication vendor Yubico, where he also blogs about industry issues and standards work, including the FIDO Alliance.

  • I'm sorry - but this is a kinder, gentler form of blaming the victim

    There's more than one kind of complexity... In this case, I think you're conflating complexity of a password with complexity of managing passwords.

    If I have one password and it's "wekvo2i34r03984340YUYBUY^&&&^", yes, that's complex - but if it's the only one I have to remember, I can probably handle it.

    If I have one HUNDRED different passwords and they're all like that - forget it. Most people just can't manage that many bits of information.

    The problem here is that you're thinking 'security' not 'people' and people in general honestly don't care about security - they care about getting things done. Anything that gets between them and the outcome they want is tolerated at first, then shoved out of the way. This is the core issue with how security people (and especially IT people) screw it up.

    Your "we just have to educate them about risks" approach will work if the end user perceives what they are protecting as valuable - or if they're obligated by their work arrangements (maybe) - but as an example - my father rails at having to remember the password for his Apple iTunes account to download free apps.

    And he's right - why should he have to remember that? (Android, for example, doesn't...)

    I've tried to explain to him that the password is there to prevent people from buying apps, music and movies on his credit card. Surprisingly, he just didn't care. I think he's more typical than not... I know I don't like having to manage a ton of passwords - and I used to work for RSA.. I think I have a pretty good idea of what the security risks are.

    What's needed is something to replace passwords entirely. Something you don't need to remember or record... something that's two factor in as gentle a way as possible.

    Otherwise this is always going to be like Charmin toilet paper trying to convince people it's fun to go to the bathroom (seriously - that's an actual advert campaign...).
    • Blaming the user is relevant when...

      "Surprisingly, he just didn't care."

      I don't disagree that passwords aren't exactly user friendly in this day and age, but they are still by far the most common means of authentication. Unless you live under a rock, you're aware of the risks on some level. It really doesn't matter if you blame the victim or not, the bottom line is there is a victim, and that victim is going to have to deal with the mess. So you have two choices, ignore the risks and accept the fact of increased exposure and even likelihood you'll be hacked, or take a little personal responsibility to mitigate the risks.

      And, those same people that bemoan having to remember/enter a password are probably the same people that will join a class action lawsuit because little Johnny bought $400 worth of games, music and movies when Dad gave him his iPhone to keep him busy on the trip to grandma's house.
  • password re-use would be less of a problem

    if companies did a better job protecting them. The fact that so many companies store unsalted, or even unhashed, passwords is just dumb. I know that hacking a company's user database is only one attack vector, but that it's open at all is just sad.
    • Keep IDs and Passwords on DIFFERENT SERVERS

      Keep IDs and Passwords on DIFFERENT SERVERS, duhhhhhhh
      William Donelson
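As an added illustration of the two points above, that reuse lets one stolen credential unlock many accounts and that unsalted storage makes it worse (example code written for this page, not from ZDNet or any commenter; the accounts, password strings and PBKDF2 work factor are constructed for the demonstration): with an unsalted fast hash, two accounts that share a password show up as identical entries in a leaked table, while a per-account random salt with PBKDF2 hides the reuse and still verifies logins.

```python
import hashlib
import hmac
import os

# Constructed sample accounts (made up for this example): two users reused one password.
USERS = {
    "alice@example.com": "Winter2013!",
    "bob@example.com": "Winter2013!",
    "carol@example.com": "correct horse battery staple",
}
ITERATIONS = 100_000  # PBKDF2 work factor, chosen for this example; tune for your hardware


def unsalted_sha256(password: str) -> str:
    """The storage scheme the commenter criticises: one fast hash, no salt."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def make_record(password: str) -> dict:
    """Salted PBKDF2-HMAC-SHA256 record with a fresh random salt per account."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return {"salt": salt.hex(), "iterations": ITERATIONS, "hash": digest.hex()}


def verify(record: dict, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256", candidate.encode("utf-8"),
        bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def reuse_visible(stored_value) -> bool:
    """True when accounts that share a password end up with identical stored values,
    i.e. a leaked table exposes the reuse and one recovered value covers all of them."""
    values = [stored_value(pw) for pw in USERS.values()]
    return len(set(values)) < len(values)


if __name__ == "__main__":
    print("unsalted table reveals reuse:", reuse_visible(unsalted_sha256))
    print("salted table reveals reuse:  ", reuse_visible(lambda pw: make_record(pw)["hash"]))
    rec = make_record(USERS["alice@example.com"])
    print("login with right password:   ", verify(rec, "Winter2013!"))
    print("login with wrong password:   ", verify(rec, "winter2013!"))
```

Salting does not stop a user from reusing a password across sites; it only keeps one site's leaked table from revealing which accounts share it and from being cracked once for all of them.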
  • Say what?

    I love the newest alert on ZDNet: "Your comment contains profanities and will not appear on the site until it has been checked by a moderator."

    Considering my post contained no profanities I could find.
    This site continues to amaze me.
    • Perhaps you have keyboard Tourette's syndrome.

      Just a thought.
  • Blame the user for security failures!

    Just how many complex passwords am I supposed to have? How many am I supposed to remember? Am I supposed to write them all down - which is poor security to begin with?

    Don't blame ME because YOUR company had poor security and was hacked!
    • Password manager

      Download, install, and USE a good password manager. There are several good ones out there - many are free.

      Until I went this route, I used the same few passwords at many different sites. Now, when I sign up for a new site I let the password manager generate a random password. In many cases, I don't even know what the password is.

      A random password of decent length will be almost impossible to crack.
  • User Security

    I teach people to use a password manager and generate a random password for each site. Then on important sites like their bank or email, at irregular intervals, change the password. Also, since they are using a password manager, I tell them to use very long passwords - 32+ characters. When a site they use has a break-in they only have one password to change.

    Users must be responsible for their part of the problem - reuse.
  • passwords

    I have 5 rotating passwords I use on maybe 15 different accounts and sites. I frequently lose track of the current one for what account. I could make 2 more complicated passwords instead but if someone got ahold of it they’d get more data from more areas.