Password's rotten core not complexity but reuse
Summary: SANS Institute's list of the top 7 human risks in computing includes phishing, passwords, and devices.
It's not how sophisticated one makes their password, but how many different passwords they have — or don't have — that makes them a security risk.
In his look at the top seven human risks associated with computing, Lance Spitzner, director of the "Securing The Human" program at the SANS Institute, listed password reuse as number two on the list.
"With passwords, the surprise we found was not password complexity, but was people using the same password for several different accounts," said Spitzner. "Once the bad guys got it, it was very simple to move around [the network]."
Online password reuse also makes it easy for hackers to use one stolen credential at many sites, which is what happened to Best Buy customers last year.
The reuse issue is the reason hacked companies tell people to change their passwords not only on the hacked site, but on other sites they visit. This is especially true now that hackers routinely post stolen user names and passwords online, which can mean that multiple accounts get compromised months or even years beyond the initial password theft.
Spitzner said risk happens as soon as humans touch keyboards.
"People are no more than another OS — the human OS — and we have done nothing to secure this OS," he said. "All the services are on by default and this OS is happy to share."
But Spitzner was not calling people out as "stupid or un-trainable"; he said the issue is that we've done nothing to change our behavior.
"People underestimate risk, they go to websites, they download files, they insert USB sticks," he said.
His list of the seven top human risks is:
1. Phishing
2. Password reuse across sites
3. Not patching or updating devices (BYOD)
4. Indiscriminate use of mobile media
5. Sharing too much personal/work information on social networking sites
6. Lack of situational awareness
7. Accidental disclosure/loss of information
Spitzner said that most organizations suffer from a subset of this list. In his position at SANS, he instructs companies to do a risk analysis and then focus on their top risks.
"Don't overwhelm people with all of these," he said. "Teach the fewest topics that have the greatest impact."
One technique Spitzner suggested is creating training modules that can be reused over time to keep the training fresh in people's minds. And create content people can consume on their own time, he said.
"A key thing I have learned is not what you teach, but how," he said. "Don't focus on how awareness affects the corporation, focus on how it affects people at home. Then security becomes part of their DNA."
Spitzner's full webcast is titled Mitigating the top Human Risks.
Talkback
I'm sorry - but this is a kinder, gentler form of blaming the victim
If I have one password and it's "wekvo2i34r03984340YUYBUY^&&&^", yes, that's complex - but if it's the only one I have to remember, I can probably handle it.
If I have one HUNDRED different passwords and they're all like that - forget it. Most people just can't manage that many bits of information.
The problem here is that you're thinking 'security' not 'people' and people in general honestly don't care about security - they care about getting things done. Anything that gets between them and the outcome they want is tolerated at first, then shoved out of the way. This is the core issue with how security people (and especially IT people) screw it up.
Your "we just have to educate them about risks" approach will work if the end user perceives what they are protecting as valuable - or if they're obligated by their work arrangements (maybe) - but as an example - my father rails at having to remember the password for his Apple iTunes account to download free apps.
And he's right - why should he have to remember that? (Android, for example, doesn't...)
I've tried to explain to him that the password is there to prevent people from buying apps, music and movies on his credit card. Surprisingly, he just didn't care. I think he's more typical than not... I know I don't like having to manage a ton of passwords - and I used to work for RSA. I think I have a pretty good idea of what the security risks are.
What's needed is something to replace passwords entirely. Something you don't need to remember or record... something that's two factor in as gentle a way as possible.
Otherwise this is always going to be like Charmin toilet paper trying to convince people it's fun to go to the bathroom (seriously - that's an actual advert campaign...).
Blaming the user is relevant when...
I don't disagree that passwords aren't exactly user friendly in this day and age, but they are still by far the most common means of authentication. Unless you live under a rock, you're aware of the risks on some level. It really doesn't matter if you blame the victim or not, the bottom line is there is a victim, and that victim is going to have to deal with the mess. So you have two choices, ignore the risks and accept the fact of increased exposure and even likelihood you'll be hacked, or take a little personal responsibility to mitigate the risks.
And, those same people that bemoan having to remember/enter a password are probably the same people that will join a class action lawsuit because little Johnny bought $400 worth of games, music and movies when Dad gave him his iPhone to keep him busy on the trip to grandma's house.
password re-use would be less of a problem
Keep IDs and Passwords on DIFFERENT SERVERS
Say what?
Considering my post contained no profanities I could find.
This site continues to amaze me.
Perhaps you have keyboard Tourette's syndrome.
Blame the user for security failures!
Don't blame ME because YOUR company had poor security and was hacked!
Password manager
Until I went this route, I used the same few passwords at many different sites. Now, when I sign up for a new site I let the password manager generate a random password. In many cases, I don't even know what the password is.
A random password of decent length will be almost impossible to crack.
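As an added example (not part of the article or of this comment), the Python below shows what a password manager does when it draws a separate random password per site, how much entropy that yields compared with a short reused one, and why one leaked reused password exposes every site that shares it. The alphabet, the sample site list and the guess rates are constructed assumptions.

```python
from __future__ import annotations
import math
import secrets
import string

# Alphabet a typical manager draws from (assumption; real managers differ).
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def generate_password(length: int = 20, alphabet: str = ALPHABET) -> str:
    """Draw each character independently from the OS CSPRNG via `secrets`.
    Never use random.random() for credentials: it is predictable."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a uniformly random secret: on average the
    attacker tries half the keyspace, i.e. 2**(bits-1) guesses."""
    expected_guesses = 2 ** (bits - 1)
    return expected_guesses / guesses_per_second / (365.25 * 24 * 3600)


def exposure_from_reuse(site_passwords: dict[str, str], breached_site: str) -> list[str]:
    """Sites whose password equals the one leaked from breached_site: the
    'one stolen credential at many sites' problem the article describes."""
    leaked = site_passwords[breached_site]
    return sorted(site for site, pw in site_passwords.items() if pw == leaked)


if __name__ == "__main__":
    # Constructed sample: the same weak password reused on three of four sites.
    reused = {"shop": "summer12", "bank": "summer12", "mail": "summer12", "forum": "x9!Q"}
    print("leak at shop exposes:", exposure_from_reuse(reused, "shop"))
    # Per-site random passwords: a leak at one site exposes only that site.
    unique = {site: generate_password(20) for site in reused}
    print("leak at shop exposes:", exposure_from_reuse(unique, "shop"))
    weak = entropy_bits(8, len(string.ascii_lowercase))   # 8 lowercase letters
    strong = entropy_bits(20, len(ALPHABET))               # 20 chars, 94 symbols
    for label, bits in (("8 lowercase", weak), ("20 random", strong)):
        print(f"{label}: {bits:.1f} bits, ~{expected_crack_years(bits, 1e10):.3g} years at 1e10/s")
```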