A Password Diary is the Perfect Christmas Gift – For a Cybercriminal

I am sure all of us have at some point written down a password and as the festive season is underway many will give and receive password diaries as the ideal way to store and remember the login credentials we rely on every day. The problem with writing down passwords, as the YouTube sensation, Mr Beast, was so close to discovering, is that the perfect gift for someone who has everything might just end up leaving them with nothing.

Mr Beast (not his real name!) told the story of arriving home to find that he had been robbed. He recalled the panic of remembering that the private key for his Bitcoin (a string of letters and numbers similar to a password), was written down on his desk next to his laptop. The story has a happy ending because whilst he lost other items, they didn’t take the laptop or get access to his millions in cryptocurrency. Today he is well on the way to becoming the first YouTube billionaire.

The problem is that passwords are already an inherently weak form of authentication, all too often made worse by poor choices. The password 123456 tops almost every most-popular-password list, and then there is the problem of password sharing and writing them down. The fact that the Authlogics Password Breach Database contains 4.9 billion compromised clear text credentials is astounding, but with so many organisations having no control over how passwords are managed, and with those who use them favouring convenience, it should not be too surprising.

Keeping passwords together in a diary is akin to keeping money under the mattress rather than in a bank account. It may start with using it to keep track of perceived low-value passwords such as those needed to keep track of an order (nothing that includes personal information or transaction data), but quickly it then gets used to jot down passwords for social media, online shopping and banking. Suddenly, the little book is the go-to for logging in, so it gets put in the bag that goes to work, college or university. Now it is being used to note down passwords for access to corporate and mission-critical systems, and as a result, the potential damage has escalated significantly.

Then one day they rummage through the bag, and it is missing. Maybe it was left on the table at the coffee shop, perhaps it was stolen, or it is now in a lost property office. It is at this point that it must be assumed that every account has the potential to be compromised. At best every account will need to be checked and the credential reset. At worst it has fallen into the wrong hands, and it has become the most expensive gift they ever received.

Those charged with protecting organisations from attack can’t stop friends and relatives from buying employees password diaries, nor can they stop them from using them, even if guidance discouraging writing down passwords appears in the password policy that is gathering dust in the corner of the office. However, a Password Management System (PSM) can be a vital safeguard for any organisation using passwords, even one planning to switch to Multi-Factor Authentication in the future to enjoy the benefits of passwordless, secure single sign-on for applications, whether on-premise or in the cloud. These systems ensure that breached passwords are rapidly pinpointed and corrective action is taken to create a new password that adheres to best practices. It is not only a technology but also a way to promote, encourage and enforce good password etiquette.
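To make the two capabilities described above concrete, here is an added example (not Authlogics' code, and not a description of how its product works) of the shape such a check takes: a candidate password is screened against a hashed breach corpus and a few policy rules before it is accepted, and existing accounts are audited so that anyone still on a breached password is pinpointed for a reset. The breach list, the policy rules, the minimum length and the assumption that the directory can export SHA-1 digests of current passwords are all constructed for illustration.

```python
import hashlib
import re

# Constructed sample breach list (a stand-in for a real breach corpus); the
# entries are assumed to have appeared in published leaks.
SAMPLE_BREACHED_PASSWORDS = ["123456", "password", "qwerty", "letmein", "Winter2023!"]

# Keep only SHA-1 digests, as a breach corpus normally would, so the clear
# text is never stored alongside the check itself.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode("utf-8")).hexdigest() for p in SAMPLE_BREACHED_PASSWORDS
}

MIN_LENGTH = 12  # assumed policy minimum, not a value from the article


def sha1_hex(password: str) -> str:
    """Hex SHA-1 of the UTF-8 bytes of a password (the lookup key into the corpus)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def is_breached(password: str) -> bool:
    """True if the password's digest appears in the breach corpus."""
    return sha1_hex(password) in BREACHED_SHA1


def check_password(password: str, username: str = "") -> list[str]:
    """Return the list of policy failures for a candidate password (empty means accepted).

    The rules are assumed for illustration: minimum length, not in the breach
    corpus, does not contain the username, no run of three identical characters.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if is_breached(password):
        failures.append("appears in breach corpus")
    if username and username.lower() in password.lower():
        failures.append("contains the username")
    if re.search(r"(.)\1{2,}", password):
        failures.append("three or more repeated characters in a row")
    return failures


def audit_accounts(account_hashes: dict[str, str]) -> list[str]:
    """Given {username: sha1 hex of the current password}, return the users whose
    current password is in the breach corpus and therefore needs a forced reset.

    Assumes the directory can export SHA-1 digests of current passwords; real
    deployments store passwords differently, so only the shape of the check is shown.
    """
    return sorted(u for u, h in account_hashes.items() if h.lower() in BREACHED_SHA1)


if __name__ == "__main__":
    # Constructed directory export: two users on breached passwords, one clean.
    export = {
        "alice": sha1_hex("123456"),
        "bob": sha1_hex("correct horse battery staple"),
        "carol": sha1_hex("Winter2023!"),
    }
    for user in audit_accounts(export):
        print(f"{user}: current password is in the breach corpus, force a reset")
    print("123456 ->", check_password("123456"))
    print("long phrase ->", check_password("a long unbreached phrase 42"))
```

The audit step is what turns a breach database into the "rapidly pinpointed" outcome the article describes: rather than waiting for a user to change a password voluntarily, the organisation can find every account that already matches a leaked credential and reset it. Comparing digests rather than clear text also means the breach list itself does not become another store of usable passwords.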

Passwords truly are the gift that keeps on giving, so perhaps another pair of socks might be a better present.