
Stop With the “Change Your Password” Ritual

In the past few months, we heard over and over how big corporations such as Sony and Anthem have been hacked and customer information stolen. It’s not just information for one or two folks but thousands, even millions. And you know what? This happened regardless of what YOUR personal password was! In fact, what I’m going to suggest is that whenever someone with whom you have an account asks to keep changing your password “for security reasons,” you should change it to “Bullshit!”

Hackers are not interested in my password for the Speech Dudes site. They really are not. Any hackers who are going to spend hours and hours trying to break into this account so as to upload a picture of a skull-and-crossbones and say “Yah boo sucks, Dudes, you’ve been hacked” are one card short of a deck; two fries short of a Happy Meal; three sandwiches short of a picnic. Their lights are on but no-one’s home; their elevator doesn’t go to the top floor; and their cheese has slid so far off the cracker that their collective intelligence can only be matched by that of a shed-load of broken garden tools.

Password entry screen

Just last week I wanted to check my recent health insurance bills from United Medical Resources (UMR) only to find that before I could, I have to change my password “for security reasons.” Fair enough – except that this is the third time in a year I’ve had to do it. And what’s more, I can’t use ANY of the past 10 passwords I’ve used, which means I have to invent new ones every time.

This “you cannot use any of your previous 10 passwords” is also an irritation because it (a) forces me to create yet more mindless character strings than I need to remember and (b) tells me that the Grand Keeper of the Passwords at UMR has a list of all my previous ones. “Someone” is tracking my passwords! And if “they” are keeping my passwords, and “they” are hacked, I’ve not just lost my current password to hackers but all my previous ones – which may in turn include ones that I am still using for other accounts.
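The “no previous 10 passwords” rule described above does not actually require a site to keep the passwords themselves; the usual way to implement it is to keep only a salted hash of each of the last N passwords and re-derive the candidate against each one. The following Python is an added example written for this post, not code from the page, from UMR or from any other site named here; the class name, the history depth and the work factor are my own choices. It shows what such a history record contains, so a reader can judge what a breach of it would expose: hashes that still have to be cracked one salt at a time, rather than a plain list of old passwords.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. Kept deliberately low here so the
# example runs quickly; a real deployment uses a much higher count or a
# memory-hard function such as scrypt or Argon2. (Value chosen for this example.)
PBKDF2_ROUNDS = 20_000


def hash_password(password, salt=None):
    """Return (salt, digest). A fresh random salt per record means the same
    password never produces the same stored bytes twice."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS
    )
    return salt, digest


def verify(password, salt, digest):
    """Constant-time comparison of a candidate against one stored record."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Per-account record of the last `depth` password hashes, newest last.
    Only salts and digests are stored; the passwords themselves are not."""

    def __init__(self, depth=10):
        self.depth = depth
        self.records = []  # list of (salt, digest) tuples

    def is_reused(self, password):
        # Every historical entry has its own salt, so the candidate must be
        # re-derived once per entry; that is the price of not storing plaintext.
        return any(verify(password, salt, digest) for salt, digest in self.records)

    def set_password(self, password):
        """Accept the new password unless it matches one still in the window.
        Returns True on success, False if rejected as a reuse."""
        if self.is_reused(password):
            return False
        self.records.append(hash_password(password))
        del self.records[: -self.depth]  # keep only the most recent `depth`
        return True

    def current_matches(self, password):
        """Login check against the newest record."""
        if not self.records:
            return False
        salt, digest = self.records[-1]
        return verify(password, salt, digest)


if __name__ == "__main__":
    # Constructed sample run: the third change is rejected because it reuses
    # a password still inside the history window.
    history = PasswordHistory(depth=10)
    for pw in ["correct horse", "battery staple", "correct horse"]:
        status = "accepted" if history.set_password(pw) else "rejected (in history)"
        print(f"{pw!r}: {status}")
```

Note what the stored `records` list holds: sixteen random salt bytes and a derived digest per entry, nothing that can be read back as a password. Whether a given site does it this way is not something the page can tell us; the point of the example is only that a history check and a plaintext list are not the same thing.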

Some sites have now introduced not just the password but some stupid picture that is supposed to help; by making you now remember both a password AND a picture! And hey, hey, hey, it’s not just pictures: my friend Kara has an account where they also include what they call a “personal security phrase,” which in her case was “devoted corn.” Devoted Corn! I’d love to stuff that devoted corn down the throat of the person who came up with that idea!!! So now she has to remember her password, “devoted corn,” and her “personal image.”

All I can take from this madness is that I bet the sale and use of sticky notes has gone up significantly over the past five years because let’s get real and acknowledge what people actually do with regard to passwords:

They make a list.

Sure, you might have a list that you store in an encrypted format using a piece of software (presumably written by the folks who have developed these password/image/personal-phrase systems) but you’re still making a list. And when folks like UMR and Apple stop you using previous passwords, you can’t even have the option to have just one “open sesame” for all your accounts. Apparently that’s a bad thing. But that didn’t help all the folks who had accounts in 2014 with Sony, Target, Anthem, Neiman Marcus, AT&T, eBay, PF Chang’s…

It’s the hacking of all those big, international corporations that points to where the real danger lies. It’s not from some guy in Russia [1] trying to get MY personal password for Chase Bank, but from some guy in Russia trying to get ALL the passwords for Chase Bank at a corporate level. The personal password might make me feel safe but the evidence is that I’m no safer having the word “password” for all my accounts than someone who has “XX345Xbbg$3iOO” and anagrams thereof for every single account they use. During my recent trip to the ATIA 2015 conference at the Caribe Royale Hotel in Orlando, Florida, I and a number of colleagues had our credit card numbers stolen, with all the evidence pointing to someone with access to the desk at the on-site cafe (the only place where we all used a card). No passwords were involved, just the opportunity for someone to see numbers in a hotel system [2], and opportunist theft is something that can happen to anyone.

The Emperor's New Clothes

“But the Emperor has no clothes!”

The danger I face from having “Captain Danger” as my one and only password for all my accounts is not that some hacker will work it out. The danger is from having an account in the first place with a company whose security system is lacking. If they employ highly paid so-called “security experts” whose answer to breaches is to tell all their customers to change their passwords, I suggest they recognize them for what they are – Naked Emperors. Get them to do their job and make the system secure or sack ’em and employ some East European hacker to bolster up your website and pay them with a subscription to Xbox Live for a year and a free download of Grand Theft Auto 6 – although there’s a good chance they’ll hack a pre-release freebie long before the product is released to paying customers.

Yes, it’s like this... I want three, maybe four, passwords for all my accounts. I want them to last forever. I want to be allowed (yes, it’s my choice, after all) to use whatever characters I want no matter how simple, stupid, or “obvious” some over-hyped security expert thinks it is. And I want my health insurance company (to whom I give lots of cash), my bank (to whom I give lots of cash), and my wireless phone company (to whom I give ever-increasing amounts of cash), to get their acts together and stop trying to blame me for being unable to handle passwords when they seem unable to protect their own systems.

Rant over. Let the flames begin!

Notes
[1] Before any Russian readers decide to hire a hacker to crash this blog because they think I’m being unkind to them, I use the example of Russian hackers because according to a 2013 article from the Gartner Group, it is “fairly well-known by most security professionals that the best hackers on the planet often originate from Russia.” Deutsche Telekom has a fascinating little site that tracks real-time hacks across the world (http://www.sicherheitstacho.eu) and during January 2015, China took first place by a wide margin, with the US taking silver, and Russia slipping down to a mere bronze. Another fascinating “live attack” site comes from the company Norse, and if they were to create a live wallpaper based on their http://map.ipviking.com map, I’d be using it!

[2] I’d be curious to hear if any other fellow attendees experienced card theft. I wrote to the hotel to alert them to the multiple thefts but heard nothing back – which may be expected because no-one wants to admit to having lax security.