A few days ago, a news story broke saying that many of the UK’s political leaders have been publicly (and almost proudly) proclaiming their own particularly poor password habits on Twitter.
MP Nadine Dorries admits she regularly shouts the question “What is my password?” across the office, and after she was criticised on Twitter, MP Nick Boles defended her by agreeing with a journalist that password sharing is rife among MPs.
Security experts have been quick to criticise these practices in the media, and most of them are saying exactly the same thing they’ve been saying for years now: Independent IT security expert Graham Cluley said: “The first rule of passwords is that you don’t share them.” Chief scientist at McAfee Raj Samani said: “It is clear that better cyber-education policy is needed in government.” Prominent security blogger Troy Hunt also blamed the lack of education: “This illustrates a fundamental lack of privacy and security education.”
As much as it’s easy to poke holes in politicians’ hapless knowledge of IT security, the truth is that most employees within the business world share passwords too. Previous IS Decisions research found that 49% of employees share passwords — and the percentage increases (to 66%) for younger generations who haven’t been working long enough to face the consequences.
Clearly, nobody is listening to the security experts
But have we stopped for a second to consider that if nobody is taking the advice of the professionals, maybe the advice itself is flawed?
As IT security experts, we try extremely hard to push people down one way of thinking. “Don’t share passwords”, we say. “Don’t re-use passwords across multiple applications”, we add. But what many of us forget is the cost to the user of adhering to each of those pieces of advice.
Let’s analyse the first piece of advice: “Don’t share passwords”. This is now just the world we live in. These days, to most people, the convenience of accessing data quickly is more important than securing data. Yes, there’s an education piece to be done there by security advisors around the dangers of password sharing, but in the hustle and bustle of everyday work, where employees barely feel like they get five minutes to sit and breathe, it’s no wonder they cut corners to get the job done. To them, getting the job done is far more important than considering the minute risk they may pose to their business or their data by cutting the odd corner — especially if they share passwords with just a trusted group of people.
Now let’s analyse the second piece of advice: “Don’t re-use passwords”. What, so we expect people to remember tens of unique passwords, each containing a mix of uppercase characters, lowercase characters, numbers and symbols? Employees manage around 27 unique passwords — that advice is simply not practical.
It’s at this point that most people start to ignore the advice of cybersecurity advisors. They don’t believe the danger is real, and the advice is not practical in the modern digital world anyway. It’s a bit like children ignoring what they see as their overprotective mother who doesn’t understand the real world. And that’s when breaches happen. And we get to say, “we told you so” and “education is key”. And “get down off that stool, it’s dangerous.”
But what about a different way of protecting data?
A way that just accepts that password sharing and re-use happens, but mitigates the threat if passwords fall into the wrong hands? By taking steps to put policy, controls, and monitoring in place, you can minimize – if not completely stop – password sharing, and reduce the risk of a security breach.
And that’s exactly what our flagship product UserLock does. It protects logins and renders access to data virtually impossible except for the genuine owner of the password.
How does UserLock achieve this? UserLock works by analysing contextual information surrounding any login attempt, such as the login time, the geographical location, the device, the IP address and other contextual factors. Based on that information, IT administrators can set rules that restrict logins to only those that don’t look suspicious. For example, if the login details of an employee fall into the hands of an attacker, the system can deny access because the login attempt is happening outside of the agreed context (geography, time, machine or device etc.) — even if the attacker is using the right username and password.
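To make the idea concrete, here is a small, added illustration of context-based login control (it is example code written for this post, not UserLock’s implementation, and every policy value, IP range, device name and login event in it is constructed). A per-login policy checks time, source network, device and country, so that correct credentials alone are not enough; a separate monitoring pass then flags one account used from two devices within a short window, which is the kind of signal that points at a shared password even when every individual login passed the policy.

```python
"""Context-based login policy evaluation plus a simple sharing monitor.

Illustrative code, not UserLock's implementation. Every policy value, IP
range, device name and login event below is constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time, timedelta
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class LoginAttempt:
    user: str
    when: datetime
    source_ip: str
    device: str
    country: str  # assumed to come from a geolocation lookup upstream


@dataclass(frozen=True)
class AccessPolicy:
    """Context a login must satisfy even when the password is correct."""
    work_start: time
    work_end: time
    allowed_networks: tuple[str, ...]
    allowed_devices: frozenset[str]
    allowed_countries: frozenset[str]


def context_violations(attempt: LoginAttempt, policy: AccessPolicy) -> list[str]:
    """Return every contextual rule the attempt breaks (empty list = clean)."""
    reasons = []
    if not policy.work_start <= attempt.when.time() < policy.work_end:
        reasons.append("outside permitted hours")
    ip = ip_address(attempt.source_ip)
    if not any(ip in ip_network(net) for net in policy.allowed_networks):
        reasons.append("source IP not in an approved network")
    if attempt.device not in policy.allowed_devices:
        reasons.append("unregistered device")
    if attempt.country not in policy.allowed_countries:
        reasons.append("login from unexpected country")
    return reasons


def decide(attempt: LoginAttempt, policy: AccessPolicy) -> str:
    """Valid credentials are necessary but not sufficient: any violation denies."""
    return "DENY" if context_violations(attempt, policy) else "ALLOW"


def concurrent_device_logins(attempts, window: timedelta) -> list[tuple[str, str, str]]:
    """Monitoring: flag one account used from two different devices within `window`.

    Each login may pass the per-login policy (both devices approved, both in
    the office network), yet the pair is a strong indicator that the password
    has been handed to a colleague. Output is (user, first_device, second_device).
    """
    by_user: dict[str, list[LoginAttempt]] = {}
    for a in sorted(attempts, key=lambda a: a.when):
        by_user.setdefault(a.user, []).append(a)
    flagged = []
    for user, events in by_user.items():
        for i, first in enumerate(events):
            for second in events[i + 1:]:
                if second.when - first.when > window:
                    break  # events are time-ordered, so later ones are further away
                if second.device != first.device:
                    flagged.append((user, first.device, second.device))
    return flagged


# Constructed policy: office hours, documentation-only IP range, two known devices.
POLICY = AccessPolicy(
    work_start=time(8, 0),
    work_end=time(19, 0),
    allowed_networks=("192.0.2.0/24",),  # TEST-NET-1, standing in for the office LAN
    allowed_devices=frozenset({"ALICE-LAPTOP", "BOB-DESKTOP"}),
    allowed_countries=frozenset({"GB"}),
)

# Constructed login events for one account.
EVENTS = [
    LoginAttempt("alice", datetime(2018, 3, 5, 10, 15), "192.0.2.17", "ALICE-LAPTOP", "GB"),
    LoginAttempt("alice", datetime(2018, 3, 5, 10, 20), "192.0.2.42", "BOB-DESKTOP", "GB"),
    LoginAttempt("alice", datetime(2018, 3, 6, 2, 30), "203.0.113.5", "UNKNOWN-PC", "US"),
]

if __name__ == "__main__":
    for e in EVENTS:
        print(e.when, e.device, decide(e, POLICY), context_violations(e, POLICY))
    print("possible shared password:", concurrent_device_logins(EVENTS, timedelta(minutes=30)))
```

The third event carries the right username and password but breaks all four contextual rules, so it is denied outright; the second event passes every rule on its own and is only caught by the monitoring pass, which is why policy and monitoring are both needed.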
This kind of security is much more convenient than using, say, multi-factor authentication, which halts employees in their tracks whenever they try to access something. It enables employees to access data quickly and conveniently using just their login credentials — and contains password sharing within a controlled environment, all while providing the highest level of security to the business. Now there’s no compromise between convenience and security, which is what the world has been yearning for, for years.
At IS Decisions, we understand the dangers of password sharing and password re-use, but we also accept that employees aren’t going to change their habits in a hurry — no matter how much you try to scare them into doing so. We live in a world where convenience and simplicity are so important, and the advice the industry has been giving doesn’t always support the way workers want to get on with their job. I believe that the reason people behave in this way is down to a failure of the IT security industry to provide a convenient way to authenticate and authorize users, rather than the failure of the users themselves. The industry has been touting the same “education” message for the past 10 years, and quite frankly, if it’s not worked by now, it’s never going to work — especially for politicians.