Why we’ve decided to focus on passwords
We are all familiar with passwords. They are the most common security measure to protect our most crucial systems and accounts. Think of them as the front door to our most important online platforms.
The question remains: if we all use and understand the concept of passwords, why are they such a flawed means of security? According to Verizon's 2022 Data Breach Investigations Report (DBIR), 45% of data breaches involved compromised credentials (usernames, passwords etc.).
Well, for many years we've known the statistics behind data breaches, and how fundamental passwords are to them, but now we've done something we should have done a long time ago: we've carried out the research to see how passwords are actually used in organisations.
Our research - how passwords are actually used in organisations
We had around 20 conversations with organisations about their security and password experiences. The typical profile of the organisations was UK based, small (2-15 employees), purposeful organisations (missions linked to the United Nations Sustainable Development Goals).
Here are some specific examples of passwords being used in organisations:
All company passwords being shared with all team members in a document
Sending passwords to team members via Slack, email and WhatsApp
Lack of clarity on what systems previous team members & freelancers still have access to
An organisation getting locked out of online accounts weekly, as they can't remember which password or email they used
An organisation that tried using a password manager, but couldn't work out how to use it properly
One CEO told us: "I would pay for someone to come in and take care of our password problems"
The productivity angle
Alongside our own conversations, we found password surveys and research carried out by other organisations. Most of these were carried out by password manager companies, surprisingly, meaning they were run with a clear purpose of outlining why people needed to buy their product.
That said, if looked at objectively, the research still helps us understand the problem with passwords.
An interesting angle we kept coming across was passwords leading to a loss of productivity.
According to one study by Yubico, respondents spend an average of 12.6 minutes each week, or 10.9 hours per year, entering and/or resetting passwords. If you love working out the lifetime impact of small numbers, that's 458 hours of our working lives (assuming we work for 42 years), or 19 days. Crazy, hey?
The hacker angle - why it’s a perfect storm
Cyber criminals have known about the flawed password system for many years.
Why would criminals spend time and money inventing new hacking tools when they can just log in to our accounts using already compromised passwords?
Thousands of companies have been breached already. Twitter, Facebook, LinkedIn and Canva are just a handful of the better-known breaches (here is a nice visual representation of the bigger data breaches).
Often, when a data breach occurs, the hackers post the data on the internet for all to see. If that data includes passwords, which it often does, other hackers are able to take the email addresses and passwords and start using them to log into our other accounts. They build programs to do this systematically and automatically, meaning they only have to lift a finger when they get access to a new account using an old, compromised password.
When the first password system was designed in 1960 (yes passwords are that old!) it was never designed for scale. The average person simply can't remember so many long, strong and unique passwords for all the accounts we have. Research varies but most studies suggest we each have between 100 and 150 online accounts.
A common system is for people to remember 3 or 4 main passwords and cycle them around the various accounts they have. This isn’t an entirely flawed system, assuming the passwords are not too easy to guess. The issue is when the next data breach happens which includes your password. Assuming that you have 100 accounts, and use 4 passwords for all of them, complex maths tells us that one password gets hackers into 25 of your accounts.
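The two problems above, reused passwords and passwords already present in a public breach, are exactly what a defender would audit a vault for. The following is an added example (not code from the original article or from any product it mentions) that checks a constructed vault against a constructed breach corpus using the same hashed-prefix (k-anonymity) range-query pattern that Have I Been Pwned's Pwned Passwords service uses, so a client never reveals the full password hash; the vault, the corpus and all counts are invented sample data.

```python
import hashlib
from collections import defaultdict

# Constructed breach corpus (hypothetical). Plaintexts appear here only so the
# hashed index can be built locally; real published corpora are hash-only.
CONSTRUCTED_LEAKED = {"password123": 3021, "letmein": 877, "Summer2019!": 12}

# Constructed example vault for a small organisation: account -> password.
CONSTRUCTED_VAULT = {
    "email": "Summer2019!",
    "payroll": "Summer2019!",
    "bank": "Summer2019!",
    "crm": "Tr0ub4dor&3",
    "website": "Tr0ub4dor&3",
    "social": "xK9#vQ2m!pL8wR4z",
}

def sha1_upper(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(leaked):
    """Index the corpus by the first 5 hex chars of each SHA-1 hash. In the
    k-anonymity pattern a client asks the server for one prefix, receives every
    suffix under it, and does the final match locally."""
    index = defaultdict(dict)
    for pw, count in leaked.items():
        h = sha1_upper(pw)
        index[h[:5]][h[5:]] = count
    return index

def breach_count(password, index):
    """Client side of the range query: only the 5-char prefix is looked up."""
    h = sha1_upper(password)
    return index.get(h[:5], {}).get(h[5:], 0)

def audit_vault(vault, index):
    """Report, per account, which other accounts share its password and how
    many times that password appears in the breach corpus."""
    by_password = defaultdict(list)
    for account, pw in vault.items():
        by_password[pw].append(account)
    report = {}
    for account, pw in vault.items():
        report[account] = {
            "reused_with": sorted(a for a in by_password[pw] if a != account),
            "breach_count": breach_count(pw, index),
        }
    return report

if __name__ == "__main__":
    idx = build_range_index(CONSTRUCTED_LEAKED)
    for account, finding in audit_vault(CONSTRUCTED_VAULT, idx).items():
        print(account, finding)
```

In this sample the email, payroll and bank accounts all fall to one password that is already in the corpus, which is the "one password gets hackers into 25 of your accounts" problem in miniature.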
Passwords are the “front door”
Despite our numerous issues with passwords, that is not to say they are so flawed that we should stop using them. Besides not yet having another reliable alternative, it's not the passwords themselves that are flawed but the way the user creates and manages them.
However, without a proper way to manage the compendium of passwords that any frequent online user will have, you're either bound to forget them or inclined to set an easy-to-remember password, which translates to an easy-to-crack password. It's like leaving your front door unlocked: it's there, but you're not using its full potential.
As we mentioned, passwords are the front door to our most critical systems. Think emails, customer databases, payroll systems, bank accounts, websites, social media accounts. The list goes on.
And it doesn’t matter how small your organisation is. Password attacks are opportunistic and automated, rarely are they targeted.
So what are we doing?
After seeing both sides of the perfect storm, we decided to simplify our services and address what is a fundamental problem - password security. Organisations shouldn’t be spending money or time on complex cyber security practices if the front door, passwords, is unlocked.
Of course, not all organisations have less than ideal password systems in place. But for those who do, our number one recommendation is to sort that out before making any further investments in cyber security.
For those who do want to act, there are two good options:
Read and implement our recommendations on how to properly implement a password management system (an article we are currently working on)
Purchase our Secure Passwords Forever service (a service we just released)
Our secure passwords forever service
We have designed a service for your organisation to secure passwords forever. By implementing a password manager and training your team to use it, we are able to mitigate the common issues with passwords.
Our service will ensure you are equipped with strong, secure and unique passwords to give your accounts and systems crucial protection. Forget about having to remember hundreds of passwords; instead you will be able to use one secure master password. Once you've been through our training service, your passwords won't only be more secure, but the auto-fill process means you'll never have to type or reset another password, saving you a huge proportion of those 458 hours.
If you would like to find out further information about our service, feel free to contact us here.