But timesaving techniques can weaken cybersecurity. Omernik says, “You have people who think they have more knowledge than they do taking steps that they think are making them more efficient or more effective.
“A breach at one storefront where you use the same password that you did to log into your VPN makes it so now your (company’s) VPN is accessible,” Omernik says.
Share a password, share the blame
What you do need is to make the protocol and process a relatively mindless part of the daily routine. “That’s the single best way for people,” Omernik says, “because you remove the human stupidity and human laziness from the equation. Or, to put it another way, instead of stupid and lazy, let’s say it’s the best and the easiest, most efficient way.”
If you have a long or complex password, keying it in wrong and then pulling your hair out trying to correct the mistake is a frustration in itself. The way forward is to achieve the higher purpose of authentication—secure ways to prove to your computer system that you are who you say you are.
Some may be reluctant to make their face or fingerprint part of the cybersecurity solution. The potential of AI and data mining can inspire paranoia.
“Those password safes have a master password. And that’s ideally the situation for you to put in a longer password, maybe a password that you can remember, but it’s much harder to crack—something like ‘To be or not to be, that is the question.’ You have spaces, uppercase, lowercase, you have a period at the end. That’s a decent password because it’s pretty long and pretty easy to remember. Not saying everyone should have that one. But I think you can go far with phrases that are easy to type in and remember.”
Still, humans will be humans
“You should never have shared passwords. And it shouldn’t have the site name in it. Let’s say your dog is named Snickerdoodle, and you use Snickerdoodle in your password on every site. You say, ‘I’m going to make this unique, so I’m going to use snickerdoodle_nike.com, I’m going to use Amazon_snickerdoodle, or uber_snickerdoodle….’ No, no, no. That’s not right. It has to be random and unique.”
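The “Snickerdoodle” pattern above is easy to audit for once you have a vault export. The following checker is an added example, not code from the article or from any password manager; it runs over a constructed sample vault and flags the exact problems Omernik describes: the most common passwords, passwords that embed the site name, exact reuse across sites, and a shared base word dressed up with different site names.

```python
import re
from collections import defaultdict

# Constructed sample vault export as (site, password) pairs: not real credentials.
VAULT = [
    ("nike.com", "snickerdoodle_nike.com"),
    ("amazon.com", "Amazon_snickerdoodle"),
    ("uber.com", "uber_snickerdoodle"),
    ("bank.example", "To be or not to be, that is the question."),
    ("forum.example", "123456"),
    ("shop.example", "123456"),
]

# Small constructed sample of the most commonly used passwords.
COMMON = {"123456", "password", "qwerty", "123456789", "111111"}

def site_label(site):
    """First label of the domain, e.g. 'nike' from 'nike.com'."""
    return site.split(".")[0].lower()

def base_token(site, password):
    """Strip the site name, separators and digits to expose a reused core word."""
    core = password.lower().replace(site.lower(), "").replace(site_label(site), "")
    return re.sub(r"[^a-z]", "", core)

def audit(vault, common=COMMON):
    """Return a dict of finding type -> affected sites (heuristic, not exhaustive)."""
    findings = defaultdict(list)
    by_exact = defaultdict(set)   # password -> sites using it verbatim
    by_core = defaultdict(set)    # stripped core word -> sites built on it
    for site, pw in vault:
        if pw in common:
            findings["common"].append(site)
        if site_label(site) in pw.lower():
            findings["contains_site_name"].append(site)
        by_exact[pw].add(site)
        core = base_token(site, pw)
        if len(core) >= 6:        # ignore short leftovers that collide by chance
            by_core[core].add(site)
    for pw, sites in by_exact.items():
        if len(sites) > 1:
            findings["exact_reuse"].append(sorted(sites))
    for core, sites in by_core.items():
        if len(sites) > 1:
            findings["shared_base"].append((core, sorted(sites)))
    return dict(findings)
```

On the sample vault the three “snickerdoodle” entries are reported as a shared base and as containing the site name, while the two “123456” entries are reported both as common and as exact reuse; the long passphrase raises no finding.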
“Yeah, I can use phishing tests, see if they click on a link and put their password in. But that’s not a systematic way to handle it. Maybe you increase awareness for a small time frame until the next test.
Don’t make a personal password personal. Omernik advises against using words that are part of your identity, like your kids’ names or the name of a pet—things easily found elsewhere, like on Instagram or a Facebook post. Along the same lines, don’t answer those nostalgic questions you see in social media, such as where you were on 9/11, your first car, etc.—they’re information-gathering tools.
It’s a better bet to give employees a policy and procedures they can easily execute. Omernik says, “If your environment is giving them the best way to do their job, the day-to-day stuff that they do to take their paycheck home, and it includes the most secure ways because you’ve built it into what they’re doing, then the idea of incentives or disincentives is off the table. You don’t even need that.”
Keep it simple, stupid, and you can be more confident that everyone is following the rules—not looking for shortcuts.
Omernik says, “If I’m on a corporate network, and you’re on a corporate network, and we both share an account to log into a network—maybe you work sometime in the morning, and I work in the afternoon—we’re doing stuff but there’s no accountability of who took the action on the computer. Maybe I delete a file, and then someone asks, ‘John, why did you delete this file?’ and I say, ‘I didn’t do it; maybe it was Mark. We both share a password.’ There’s no accountability in that situation.
“One of the biggest issues people have is a perception lag. They see their face being used right now, but they don’t see where all of their different passwords at every single website could be compromised by a single person and then used without their knowledge. The risk we can see seems more dangerous than the risk we can’t see. But in a digital space, a lot of the risks are risks we can’t see.”
“I get that,” Omernik says. “But at the end of the day, what’s the alternative? Go back to the passwords and get compromised that way?
“You know, I love humans, we’re awesome, but as I like to tell my kids, human beings can be incredibly dumb and incredibly lazy. Yet we assume we are smarter than we are. People think, ‘I can never be compromised. I’m smart. This will never happen to me.’ But the amount we can know as individuals is very limited.
“We now have all your passwords.”—“Oh! Thank goodness! What are they?” Image: Shepherd’s Bush by Bob May on Flickr.
Use a password manager
Again, reusing passwords increases the risk that one compromised password becomes the key to several other accounts. The solution is simple: Don’t share passwords.
Let’s just leave Fluffy and Fido out of this
Some companies take a fire-drill approach by sending the entire enterprise an email with a spurious link to see how many employees will ignore corporate policy and click on the link. But Omernik sees that as ineffective and short-sighted.
I can attest to that. Though laziness may be a root inspiration, figuring out how to do work more easily is something I prefer to call efficiency.
Dictating difficult procedures to employees will produce predictable results, Omernik says.
That’s where people like Omernik go to work. “The onus is on us to develop systems that achieve authentication in an accurate way,” he says. “That’s the quality component here. We need to do this well. Otherwise, we’re putting everybody at risk.”
“It’s not so much about the risk of the password being cracked, but that that password could be compromised,” Omernik says. Your company might be fine, but if you used the same password elsewhere, and that site was compromised, it could mean big trouble for all your accounts.
Without raising false alarms, it’s fair to say that password insecurity is a problem that lives near you and is worthy of your attention.
How bad can it get? The most commonly used password is “123456.” What could go wrong? It takes less than a second for a hacking tool to crack the most common passwords—that’s what. And it’s not getting better: 65% more passwords were compromised in 2022 than in 2020.
Omernik strongly recommends using a password manager like 1Password or LastPass (and there are several others). He says, “Try to find a password manager where every time you create a password it’s unique to only that website. Those tools actually have buttons where when you set up a new password for, say, Nike.com, you go to Nike.com and the manager generates a completely random password and stores it in a password safe.
Source: https://www.qualitydigest.com/inside/management-article/password-protocol-made-easy-010924.html
LastPass notes that the average employee starts with 20 credentials in their password vault and doubles that total after only three months. Instituting effective password policies and procedures can make workers’ lives easier and your company’s operation more secure.
Omernik says, “In general, people think, ‘I’ll just make it a policy that people have to do X.’ No, if you want people to do X, you have to make it so people want to do it, feel like they need to do it.”
“So, how do you find the right balance? Or do you try to hop off the continuum and say maybe passwords aren’t the right approach, maybe we need biometrics or a different approach for things that we want to have a quality representation of authentication.”
“You can enforce it, even punish the people who make mistakes, but if they don’t have a good password, practice good password hygiene—and they’re compromising your whole network—do you think that policy is going to protect you? Maybe from some legal stuff, but the cost is going to be great to your organization.”