2022-12-13

A recent study on password use and cybersecurity has found the same as many previous studies: that people are still using the likes of “012345678”, “password” or “qwerty123”. The difference between this study and others is not in its conclusions, but in its target audience: this time, the authors of the study limited the sample, instead of users in general, to company executives.

Why would a manager, who is supposed to have a minimum of training and responsibility, use a password so simple that a small child, never mind a criminal, could work it out in a matter of seconds?

The question is important, given that cyber-attacks against businesses are now becoming the norm. Criminals scour lists of companies of all sizes looking for victims, and then tailor the ransom demand based on their turnover. By accessing a username, easily worked out from the name of a manager, and then guessing a password, the criminals are in and can then do what they want.

There are, of course, more sophisticated approaches, but often enough, it’s that easy. Why? Because there are still idiots out there who use “12345678” or “password” or “qwerty123” as their password, and whose sacking would be perfectly justified, the same as an employee who left the lights on, failed to lock up the premises and didn’t set the alarm.

Insurers are increasingly worried about the issue: businesses are demanding more and more protection, even when they are not even taking the most basic steps to protect themselves from cyberattacks.

In response, insurers are raising their rates to try to cover themselves against more frequent and larger claims. But obviously, that’s not the solution.

Soon, we will start to see insurers simply refusing to insure companies that have not passed external penetration tests carried out by companies like HackerOne, which employ hackers from all over the world to try to find vulnerabilities in their clients’ systems.

Sadly, most companies are still in the prehistory of security, and continue to ask their employees to change their password every few years, to choose one that contains all sorts of strange characters, or that is simply different to previous ones.

Do these companies understand what they are asking of their employees? If you tell somebody to create a complex password and to change it every few years, what are they most likely to do?

At best, to look for basic mnemonic rules to remember it. At worst, write it down on a post-it and stick it on the screen… or simply set the easiest password to remember that comes to mind.

Any password we can remember is a bad password; the solution is to use a password manager, ideally with a corporate license.

That way, responsibility for maintaining and changing passwords shifts from employees to the company, and can be handled more professionally (and that need is real: periodically a password turns up in a data dump, and there are services that warn us when it does).

Password managers are very easy to use: when a password needs changing, employees simply request a new one in the app. Gone are the days of having to remember passwords!

Companies that take IT security seriously are retiring passwords and replacing them with a combination of biometrics and dual key authorization. After authenticating on a new device or environment, you receive a code in an authentication app on your smartphone, which you must also enter.

Two-factor authentication apps are so simple and unobtrusive that we should use them for every service that is even minimally critical.

In this day and age, and with cybercriminal groups looking for victims, developing a culture of cybersecurity is more important than ever.

Sadly, many companies still don’t take cybersecurity seriously, and instead hassle their employees with stupid requests that serve no purpose, or that even reduce security. It is time to rethink these practices, and above all, to educate people on the importance of the subject across the entire organization: from the CEO to the most junior employee.

This post was previously published on Enrique Dans' blog.