Saturday, August 11, 2018

Keys to the Kingdom

To a certain extent, all this focus on cybersecurity is focused in the wrong place. Yes, the perpetrators are numerous and dangerous, and their past activities justify the huge amount of resources expended to thwart their attempts at breaching our public and private systems. But it's not like they are acting alone. It's not just Russia or North Korea or some shady James Bond-esque villainous organization of criminal masterminds who have banded together to bring the world to its knees by disrupting the global iPhone charger cable market (though that would be truly horrifying). 

If they are sneaking up to the front door, we are the ones providing the key. 

That's the conclusion of a study done cooperatively by Dashlane, a password management company, and the Department of Computer Science at Virginia Tech. Dr. Gang Wang, Assistant Professor there, granted Dashlane's Analytics Team access to an anonymized database of 61.5 million publicly available passwords. The results were published in a paper called "The Next Domino to Fall: Empirical Analysis of User Passwords across Online Services," and the results will surprise absolutely no one: we, the users of all these systems, are complicit in our own problems. 

The researchers looked at the data, and found bad security practices made by those who create passwords, or in other words, you and me. There were obvious keyboard patterns, not-so-randomly chosen letters and numbers, popular brands, bands and teams, and expressions that, were you a contestant on "Wheel of Fortune," you could win a million bucks by getting just one letter. 

A high frequency of the sample included "Keyboard Walking." This means using adjacent letters, numbers, and symbols on the keyboard to create a, well, not so random password. Aside from "12345678" it also includes "1q2w3e4r" and "zaq12wsx." If those last two seem pretty random, take a look at a keyboard: each is composed of a key pattern on the left side you can replicate with one finger. It may save you a few seconds in the typing, but it will take a hacker a fraction of that to break it. 

Another large subset was passwords related to love and swearing (though it's not really clear why the researchers conflated these two groups). In the first category, numerous entries were "iloveyou" and "lovelove." On the other side of the emotional ledger (oh, THAT'S the reason they put them together), the flip side of the coin comes up. And so an equally large part of the sample included "f*ckyou," "a**hole" and "bullsh*t." And yes, the last three do contain so-called "special characters," though that hardly makes them more secure.

Favorite brands had a big showing, with frequent entries of names such as "mercedes," "cocacola" and "snickers." Likewise pop culture was well represented with "spiderman," "metallica" and "starwars." (Odds are there has been a recent uptick in "blackpanther.") And you can infer the interests and allegiances of an entire subset whose frequent selections were "liverpool," "chelsea" and "arsenal." 

You might think that you're being clever when choosing one of these combinations, and that some guy named Vladimir or Ei-Bai would never think that you would use that particular key. But forget the image of a guy slaving over a keyboard trying different combinations seeing what will work. As an ethical hacker (one who does this on behalf of a company or agency as part of their security testing) explained to me, they don't actually think about it at all. They take a trove of potential accounts, a listing of the most popular passwords, set up a program to compare one against the other, press "enter" and head out for a pizza. When they get back, before they fire up Grand Theft Auto, they see if they got any hits. So "imbeautiful" is not going to stop anyone. 
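One defensive counterpart to the keyboard-walk and popular-password classes described above, as an added example that is not code from the column or from the Dashlane / Virginia Tech study: a Python screen a registration form could run before accepting a password. The QWERTY layout, the length and walk thresholds, and the block list (seeded only with the passwords the column quotes) are all constructed here as assumed policy values.

```python
# Added example, not code from the column or the Dashlane / Virginia Tech study:
# a registration-time screen for the two weak classes the column describes.
# Layout, thresholds and the block list (seeded with the passwords the column
# quotes) are constructed here as assumed policy values.
QWERTY_ROWS = ["1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm"]
WALK_LEN = 5   # assumed: a run of 5+ physically adjacent keys counts as a walk
MIN_LEN = 12   # assumed minimum length
BLOCKLIST = {"12345678", "1q2w3e4r", "zaq12wsx", "iloveyou", "lovelove",
             "mercedes", "cocacola", "snickers", "spiderman", "metallica",
             "starwars", "liverpool", "chelsea", "arsenal", "imbeautiful"}

def build_adjacency(rows=QWERTY_ROWS):
    """Map each key to its physical neighbours: left/right in the row, plus the
    staggered keys above it (lower[i] sits under upper[i] and upper[i + 1])."""
    adj = {key: set() for row in rows for key in row}
    for row in rows:
        for a, b in zip(row, row[1:]):
            adj[a].add(b)
            adj[b].add(a)
    for upper, lower in zip(rows, rows[1:]):
        for i, key in enumerate(lower):
            for j in (i, i + 1):
                if j < len(upper):
                    adj[key].add(upper[j])
                    adj[upper[j]].add(key)
    return adj

ADJ = build_adjacency()

def longest_keyboard_walk(pw):
    """Longest run of adjacent-key characters; off-layout characters break it."""
    best = run = min(len(pw), 1)
    chars = pw.lower()
    for prev, cur in zip(chars, chars[1:]):
        run = run + 1 if cur in ADJ.get(prev, ()) else 1
        best = max(best, run)
    return best

def check_password(pw):
    """Return the policy violations found; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LEN:
        problems.append("too short")
    # Drop a trailing digit/punctuation suffix so "iloveyou1!" still matches.
    if pw.lower().rstrip("0123456789!@#$%^&*.?") in BLOCKLIST:
        problems.append("common password")
    if longest_keyboard_walk(pw) >= WALK_LEN:
        problems.append("keyboard walk")
    return problems
```

A real deployment would swap the constructed block list for a large breached-password corpus, but the walk detector already catches the "one finger on the left side" patterns the column describes regardless of direction.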

Bank of America CEO Brian Moynihan was asked about cybersecurity and what his company was doing to ensure the safety of their data. He said that that business unit is the only one in the company that doesn't have a budget. He didn't mean that they didn't have to account for the monies they spent. Rather, he meant that there was no set amount that they couldn't exceed if that's what it took to do that job. That said, no matter how massive and sophisticated the lock is, it's easy to open if the key is "iloveme."

-END-

Marc Wollin of Bedford tries to make long and different passwords. His column appears regularly in The Record-Review, The Scarsdale Inquirer and online at http://www.glancingaskance.blogspot.com/, as well as via Facebook, LinkedIn and Twitter.
