Why do we have such a hard time with passwords? Here’s the answer

Passwords have been with us in some form or another since the dawn of computing. Yet we’re only marginally better with them today

Memory remains something of a mystery. Neuroscientists everywhere are working to unlock the secrets of human memory, many of which continue to elude us. But one theory posits that we don’t usually remember our original memories – we remember the last time that we remembered them, like copies of copies of copies.

The nature of our digital lives requires us to create ever more complicated, unique combinations of letters, spaces, phrases, upper-case, lower-case, signs and symbols in order to access the services we rely on at home and at work. The number of those services keeps growing: a recent study from LastPass shows 90% of people have as many as 50 online accounts. Given our time-pressed lives, is it any wonder that, even in 2022, the top five most common passwords leaked to the dark web were ‘123456’, ‘12345678’, ‘Qwerty’, ‘Password’, and ‘12345’?

While 90% of internet users are worried about having their credentials stolen, a staggering 83% wouldn’t know if their passwords had been leaked to the dark web. The majority of people reuse passwords across accounts, and 45% don’t change passwords even after a known breach – leaving personal accounts and organisations wide open to attack. In terms of user safety, there’s clearly a mismatch at play here: while users correctly perceive the danger of credentials theft, they’re not doing anything about it.

Today, a single compromised account can easily create a disastrous domino effect in which not only the original target suffers, but so do their contacts, suppliers, and everyone else in their wider network – in fact, recycled passwords are often the initial point of entry for a successful supply-chain attack. Financial and reputational damage can easily spiral out of control, and one stolen credential is all it might take.

In spite of their ubiquity – the password has, after all, been with us since the earliest days of computing – passwords remain a fundamental weak spot. Ultimately, they rely on end-user choice. Security teams can implement some measures, but they are limited in the guidance they can really enforce, or the technical guardrails they can install. Weak or recycled passwords are a case of human fallibility, and that’s unlikely to change provided humans remain fallible. Which we will.

Attackers are all too aware of these vulnerabilities in human psychology and so security teams need to be too. People haven’t evolved to memorise frequently changing generated passwords – it’s just not something that’s been a part of our evolutionary history.

So while it’s true that every user has a role to play in the safety of their organisation, it’s neither possible nor desirable for everyone to become a security-obsessed password expert. It’s up to organisations to implement safeguards, balancing usability and security so that the burden of responsibility doesn’t weigh too heavily on the user.

But the idea that people are a ‘weak link’ in security is perhaps an unfair label. People are people, and systems should be built around their blind spots, patterns and bad habits to help guard against them. That’s why it’s so important to understand the psychology at play.

“As humans, we have finite cognitive resources that we use to navigate our everyday lives,” explains chartered psychologist and professor of psychology at Bournemouth University, John McAlaney. “Workplaces can be very intense, requiring us to pay attention to multiple things at once – we are continually in a state of having to prioritise.”

Picture being on a drive and spotting flashing lights in your rearview mirror. It’s an emergency vehicle, and you reflexively prepare to move aside – a quick, impulsive decision, but the correct one. These intuitive reflexes are often a strength, but they can be a weakness too: “Sometimes making a quick decision based on limited information will result in an incorrect decision,” says McAlaney, “and this could be the case with password safety.”

If an individual is juggling a lot of tasks, they may not prioritise security. This “doesn’t mean they don’t understand its importance or are being lazy,” McAlaney adds, “it’s often just the case people feel they have many other tasks that need to be done with limited resources.”

Bolting the ‘digital doors’

Fortunately, there are both technical and cultural initiatives that organisations can take to make our digital lives a little more secure. In our homes, it only takes an intruder one entry point to pry open access everywhere. In the digital world, the same is true, but at a far larger scale: one set of stolen credentials could leave your whole organisation’s network open to attack.

With good reason, it’s socialised into us to lock the doors and windows when we leave our homes. A single pin tumbler lock is worryingly simple for any would-be intruders to pick, and that’s why most homes reinforce front and back doors with more secure systems like deadbolts. A simple plaintext password is the digital equivalent of that pin tumbler. It’s a deterrent, but easily cracked.

More dangerous still are default passwords. Internet-connected devices on your network, including routers and CCTV systems, often ship with default passwords enabled. Leaving these in place means you’re “basically leaving your keys in the door,” says professor of cyber security at Ulster University, Kevin Curran. “There are search engines like Shodan which crawl the web for connected Internet of Things devices, and hackers will try defaults on all of them.”

The number one rule, then, is to use different passwords – all the time, everywhere. “One should have a reputable password manager which will create complex, strong passwords,” Curran comments. These are then stored in an encrypted vault. “You then only need to remember one master password, and the password manager will automatically take care of logging you into different sites with secure passwords.”

However, password managers only work if individuals fully trust them to generate and safely store passwords – and users need to have them installed on every device they use to access their accounts, points out CIO of Endava, Helena Nimmo. LastPass’s business password manager, for example, protects all endpoints across the organisation, wherever employees work, with full control for IT over deployment and policies. Suggesting and managing unique, strong passwords, the secure manager reduces the number of passwords employees have to remember and, as such, helps mitigate poor password hygiene.

Organisations can improve password security by combining multiple approaches. Encouraging employees not to share passwords across personal and company accounts, and suggesting employees use sentences, for lengthier passwords, is a good start.
“Securing the password management process with multi-factor authentication, which relies on a PIN or biometrics, and making sure that passwords are changed regularly by everyone within the organisation, without exception, are also good practice,” says Nimmo.
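The advice above (never reuse a password, reject the common ones, prefer long sentence-style passwords, and let a manager generate replacements) can be turned into a small audit of an unlocked vault. This is an added illustration, not LastPass code or any part of the original article; the vault contents, the minimum length of 14 and the five common passwords taken from the article are constructed or assumed values, and a real audit would check against a full breach list.

```python
import secrets
import string
from collections import defaultdict

# The five passwords the article names; a real audit would use a full breach list.
COMMON_PASSWORDS = {"123456", "12345678", "qwerty", "password", "12345"}
# Assumed threshold that nudges people towards sentence-length passphrases.
MIN_LENGTH = 14

# Constructed sample vault: account -> plaintext password, as a manager holds it once unlocked.
SAMPLE_VAULT = {
    "work-email": "Password",
    "bank": "correct horse battery staple 42",
    "shop": "Summer2022!",
    "personal-email": "Summer2022!",
}


def audit_vault(vault):
    """Return {account: [findings]} for every account that breaks one of the rules.

    Findings are 'common' (on the well-known list), 'short' (below MIN_LENGTH)
    and 'reused' (the same password appears on more than one account).
    """
    findings = defaultdict(list)
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
        if pw.lower() in COMMON_PASSWORDS:
            findings[account].append("common")
        if len(pw) < MIN_LENGTH:
            findings[account].append("short")
    # Reuse is only visible across accounts, so it needs a second pass.
    for accounts in by_password.values():
        if len(accounts) > 1:
            for account in accounts:
                findings[account].append("reused")
    return dict(findings)


def generate_password(length=20, alphabet=string.ascii_letters + string.digits + string.punctuation):
    """Manager-style random password drawn from the OS CSPRNG (secrets), never random.random()."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def remediate(vault):
    """Return a copy of the vault with every flagged password replaced by a fresh unique one."""
    fixed = dict(vault)
    for account in audit_vault(vault):
        fixed[account] = generate_password()
    return fixed
```

Running `audit_vault(SAMPLE_VAULT)` flags the work e-mail as common and short and both accounts sharing ‘Summer2022!’ as short and reused, while `remediate` leaves the passphrase on the bank account untouched and gives the other three distinct generated passwords.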

Measures like these can fit into a ‘cybersecurity by design’ framework, says Curran, where security staff help to craft a set of pragmatic guidelines so that organisations can more completely consider the full remit of protections and processes that should be in place.
Businesses need to have a holistic understanding of cybersecurity as an organisation-wide risk, along with all their legal and regulatory implications, and password awareness is part of this. Organisations should train staff, identify which risks to avoid, accept, and mitigate, and communicate business-wide policy to senior management.

However, even with training, people often need to make a mistake themselves before they learn. Security teams could consider sending simulated phishing emails with harmless payloads to employees which, when activated, explain the mistake the recipient has just made.

Culturally, employees take their cues from leadership, adds McAlaney, so if they feel senior management are only paying lip service to security, staff are less likely to invest in the topic themselves. Leadership need to practise what they preach as well as training staff.

Increasing knowledge doesn’t necessarily lead to behaviour change, and this is where a lot of education initiatives fall down: merely having employees sit through a seminar or online course is not necessarily going to make anyone behave more securely. Knowledge helps, but it doesn’t definitively translate into action.

“Instead, you need to understand what barriers are preventing the employees from changing their behaviour, such as the conflict between the need for security versus the pressure to be productive,” says McAlaney.

“If an organisation finds half their staff did not change passwords after a breach, then the first step should be to open a genuine, non-judgemental, dialogue with employees to find out what’s stopping them from making these changes – then finding a way forward taking these issues into account.”

For more information, visit lastpass.com

Six tips to guard your ‘digital doors’

There’s no fool-proof way to protect any organisation, but keeping some principles in mind – from culture through to technology, implementation, and ongoing maintenance – can go a long way to help.

1. Embed security in your culture. Create a culture where all levels of the organisation understand and value security, and where staff feel comfortable reporting mistakes. However, accept that raising awareness is not always enough to change behaviour, advises Bournemouth University’s John McAlaney. Businesses can hit a wall if they think security culture ends at training.

2. Be cyber smart. Phishing, smishing (text or SMS), and vishing (voice call) attacks are on the rise. Carefully review any messages you receive by double-checking the sender’s email address. Be on the lookout for poorly written email copy, and don’t blindly accept any MFA requests.

3. Set up your cybersecurity tools. Technology makes securing you and your data a lot easier. Implementing solutions like a password manager and multi-factor authentication (MFA) will secure your data and bolster best practices.

4. Update your software. Cyberattacks often target vulnerabilities in older applications. If you receive an alert from Apple, Microsoft, or Google about an urgent security update, install it right away. The same applies to smart home devices or other Internet of Things (IoT) gadgets.

5. Conduct an audit. Do you know where your data is? Is every piece of information protected? Have you shared any sensitive credentials? Try to map out where your data is, who might have access to your information, and take a digital headcount.

6. Trust your gut. If money or highly sensitive information (like your National Insurance number) is requested – and the sender needs it quickly – take a moment to assess the situation. Don’t be afraid to ask questions and get all the facts before pressing send.

Promoted by LastPass