Why aren't passwords good enough? (part 1 of a 3-part series)

Today the average American spends 24 hours a week online, either on mobile devices like phones and iPads or on laptops. With online activity skyrocketing, it’s no wonder that digital accounts have become a major target for criminals. For individuals, identity theft can be devastating and extremely costly. Once criminals have your stolen credentials, the result is fake credit cards and spending sprees that can damage your credit rating and, worse yet, drain your bank accounts. One study showed that in 2016, over $16 billion was taken from 15.4 million U.S. consumers, and identity thieves have stolen over $107 billion in the past 6 years.

All this raises the question: why isn’t my password good enough to protect me? Passwords have been the standard means of protecting our accounts since around 1961. And even though it didn’t take very long for people to figure out how to hack passwords, not much has changed in the past 58 years. While using passwords is better than not having any protection at all, there are still issues:

  • We have poor memories. To compensate, we create surprisingly simple passwords. One report looked at over 1.4 billion stolen passwords and found that a large number were extremely simple; “111111”, “123456” and “password” are just a few examples.
  • We have way too many passwords to remember. As online activity increases, so does the number of passwords we have to remember. In fact, a 2015 analysis of over 20,000 users by password management company Dashlane found that the average person had over 90 online accounts.
  • With so many companies being breached, fatigue sets in and many people just give up. Many consumers do try to protect themselves with complex passwords and passphrases, but as the number of corporate breaches increases and personal information is stolen, old habits take over, leading many to fall back on weak passwords and passwords shared across multiple accounts.

A study by Virginia Tech’s Computer Science Department that looked at 28.8 million users and their 61.5 million passwords over 8 years found:

  • 52% of users reused or only slightly modified passwords
  • 38% of the 28.8 million users had used the same password for two different services
  • Shopping and email sites, among the more sensitive online services, “received the most reused and modified passwords.” Shopping had the highest ratio (> 85%) with email in second place (> 62%)
  • More than 70% of users continued to use the same leaked password more than a year after a data breach.
  • “Password modification patterns are highly consistent across various user populations, allowing attackers to quickly guess a large number of passwords with minimal training.”

It is also important to understand that simple things can help. For instance, using only a four-digit passcode means there are only 10,000 possible combinations. Allowing letters as well as numbers takes the combinations to 1,679,616. Make the characters case sensitive and you are up to over 14 million combinations. Make it 10 case-sensitive letters and numbers, and you are up to 839,299,365,868,340,000 possible combinations. But even this doesn’t eliminate all the problems mentioned above.
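The point that a large number of combinations does not rescue a reused or slightly modified password can be shown with a small screening check. This is an added example, not part of the original article: the function names are hypothetical, and the blocklist is constructed from the three passwords quoted above plus one made-up entry standing in for a password exposed in an earlier breach.

```python
import string

# Constructed blocklist: the three examples quoted in the article, plus one
# constructed entry standing in for a password leaked in an earlier breach.
BLOCKLIST = {"111111", "123456", "password", "sunshine"}

# Common character swaps undone before comparing (assumed, not exhaustive).
LEET = str.maketrans("@4301!5$7", "aaeolisst")


def keyspace(password):
    """Brute-force search space for the character classes actually used."""
    classes = (string.digits, string.ascii_lowercase,
               string.ascii_uppercase, string.punctuation)
    alphabet = sum(len(c) for c in classes if any(ch in c for ch in password))
    return alphabet ** len(password)


def normalize(password):
    """Undo typical small modifications: case, added suffix, character swaps."""
    stem = password.lower().rstrip(string.digits + string.punctuation)
    return stem.translate(LEET)


def screen(password):
    """Return (verdict, keyspace) for a candidate password."""
    if password.lower() in BLOCKLIST:
        verdict = "listed"      # exact match with a known password
    elif normalize(password) in BLOCKLIST:
        verdict = "variant"     # slight modification of a known password
    else:
        verdict = "ok"
    return verdict, keyspace(password)


if __name__ == "__main__":
    # Constructed candidates; the last is 10 case-sensitive letters and numbers.
    for candidate in ("1234", "111111", "P@ssw0rd2019", "Sunshine!1", "tq7Vb2mXzR"):
        verdict, space = screen(candidate)
        print(f"{candidate:<14} {verdict:<8} {space:,}")
```

"P@ssw0rd2019" has a far larger search space than any passcode in the paragraph above, yet it is rejected as a variant of a listed password, which is the reason to screen new passwords against breached and common ones instead of relying on length and character rules alone.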

So, what can we do? In Part II of this series, I will take a look at solutions for both individuals and businesses alike.

To learn how to improve your password policies and protect your business credentials, look to IT professionals who understand cyber security and have the tools and know-how to help keep your business secure.