
If Passwords Received as Much Attention as PSI We'd All Be More Secure

Security Will Never Enter the Consciousness of the American Public Quite Like Football.

Here we are, a couple of weeks before the kick-off to the 2015 NFL season, and the “Deflategate” scandal is still dominating the headlines. In case you haven’t heard (which would be hard to believe at this point), the Patriots were accused of purposely deflating footballs below the league limit of 12.5 PSI prior to the AFC Championship game against the Colts. As a result, the team was issued a fine and the loss of two draft picks while quarterback Tom Brady has been suspended for the first four games of the 2015 season for being “generally aware” of the practice. He is appealing in federal court as I write this.


Now, full disclaimer: I live and work in the Boston area, where Patriots football reigns supreme and Tom Brady is the golden boy who can do no wrong. Rest assured, this article will not be arguing the merits of the case, as that has been done to death and then some by every other media outlet in the English-speaking world. Its purpose is to shine a light on a continuing security problem that makes a considerable difference in our daily lives, and to use Deflategate as a point of comparison for how quickly and simply we could fix a major security flaw if media and users would simply pay attention.

The country has become obsessed with a couple of pounds per square inch (PSI) in a football, yet seems to have no issue ignoring simple steps that could greatly improve our overall cyber security, specifically around weak passwords. This is a topic security professionals have been talking about for years, imploring their workforces to take it more seriously. In the past six months, football fans, especially in New England, have turned themselves into amateur physicists, spouting about the Ideal Gas Law and waxing poetic about atmospheric conditions and their effect on air pressure. Yet many of them still log in to their networks with such sophisticated constructions as password, password123 or ABC123. With security like this, it's hard to believe we aren't winning the cyber war.

To highlight the disparity between topics that matter and topics that are essentially useless but occupy a great deal of mindshare, one only needs to conduct a quick Google search. A search for news about weak passwords, a legitimate security concern for our critical infrastructure, garnered 9,670 results. Compare that to the 948,000 results for news about Deflategate. While I recognize that a juicy conspiracy story is always a good seller, I would also point out that real conspiracies to steal valuable information and inflict harm play out in the cyber world every day, as opposed to the made-up conspiracy that the NFL and the media have been trying to sell us for the past six months plus (OK, maybe my bias is coming through a little).

It’s clear that Deflategate is winning the popularity contest, but how does it rank when it comes to measuring actual importance? Consider that in the first half of the AFC title game, while the Patriots were supposedly “cheating”, they built a 17 – 7 lead and Brady’s passing statistics were pedestrian by his standards. In the second half, with footballs that were actually verified as properly inflated, the Pats outscored the Colts 28 – 0, while Brady’s accuracy, number of yards and touchdowns actually increased. So it would seem that the inflation of the ball had little impact on the outcome of the game.

How important are weak passwords in the game of cyber security? A recent report from Trustwave found that consumers are still leaving themselves vulnerable to attack through weak passwords. The report, which investigated more than 500 data compromises in 15 countries, found that 28 percent of breaches resulted from weak passwords. Think about that for a moment: nearly one in three of all security breaches is the result of a weak password. Talk about a game changer. The report contains other findings worth sharing with your workforce. "Password1" is nowhere near strong enough, but, perhaps unsurprisingly, it remains the most common password in use.

Other bastions of password strength, "Welcome1," "[email protected]," "Summer1!" and "password," round out the top five. According to Trustwave research, passwords of eight characters or fewer take only one day to crack, while adding just two characters stretches that to 591 days. In other words, requiring every user to add two characters to their password multiplies an attacker's work nearly 600-fold (a 591-times increase, which is far more than 591 percent). The exact figures depend on the hashing algorithm and the attacker's hardware, but the scaling holds, because every added character multiplies the number of candidates that must be tried. That certainly sounds simpler than understanding barometric pressure inside a football stadium.
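To make the "two more characters" arithmetic concrete, here is a small added example (my own code, not the article's or Trustwave's) that computes the brute-force search space for a given character set and length, the resulting multiplier and time-to-exhaust, and applies a minimal policy check against the weak passwords named above. The 95-character printable ASCII set, the one-billion-guesses-per-second rate and the ten-character minimum are assumptions for illustration; the denylist is constructed from the passwords this article names and is far smaller than the breach corpora a real policy would use.

```python
"""Added example: why two extra characters matter, and a minimal policy check.

Assumptions (not from the article): printable ASCII charset of 95 symbols,
an attacker rate of 1e9 guesses/second, and a 10-character minimum length.
"""

# Constructed denylist from the weak passwords the article names, lower-cased
# so the check is case-insensitive. A real deployment would use a large
# breached-password corpus instead of a handful of literals.
COMMON_PASSWORDS = {
    "password", "password1", "password123", "abc123", "welcome1", "summer1!",
}

PRINTABLE_ASCII = 95          # assumption: upper, lower, digits, symbols
GUESSES_PER_SECOND = 1e9      # assumption: one offline-cracking rig
SECONDS_PER_DAY = 86_400


def search_space(charset_size: int, length: int) -> int:
    """Candidates an exhaustive attacker must try for one exact length."""
    return charset_size ** length


def brute_force_factor(charset_size: int, short_len: int, long_len: int) -> int:
    """How many times more work the longer password costs: charset ** (long - short)."""
    return search_space(charset_size, long_len) // search_space(charset_size, short_len)


def time_to_exhaust_days(charset_size: int, length: int,
                         guesses_per_second: float = GUESSES_PER_SECOND) -> float:
    """Days to try every candidate of this length at the given guess rate."""
    return search_space(charset_size, length) / guesses_per_second / SECONDS_PER_DAY


def percent_increase(factor: float) -> float:
    """Express a multiplier as a percentage increase (591x is 59,000 percent)."""
    return (factor - 1) * 100


def check_password(pw: str, min_length: int = 10) -> list:
    """Return the list of policy violations; an empty list means acceptable."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if pw.lower() in COMMON_PASSWORDS:
        reasons.append("appears on the common-password denylist")
    return reasons


if __name__ == "__main__":
    for length in (8, 10, 12):
        days = time_to_exhaust_days(PRINTABLE_ASCII, length)
        print(f"length {length:2d}: {search_space(PRINTABLE_ASCII, length):.3e} "
              f"candidates, {days:.3e} days at {GUESSES_PER_SECOND:.0e} guesses/s")
    factor = brute_force_factor(PRINTABLE_ASCII, 8, 10)
    print(f"8 -> 10 characters multiplies the work by {factor}x "
          f"({percent_increase(factor):,.0f} percent)")
    for candidate in ("Password1", "Summer1!", "correct horse battery"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The multiplier is the point: length adds a factor per character, so quoting it as a percentage understates it by two orders of magnitude. The denylist check matters because a ten-character "Password12" is still guessed first by any attacker working from a wordlist rather than exhaustively.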

In the end, security will never enter the consciousness of the American public quite like football and I understand that. The point of this article is to highlight that we have a serious problem in security that users continue to take way too lightly. As pointed out in the Trustwave report, simple changes can go a long way in making us more secure. So forget about the difference that a little less PSI in the football means to the outcome of a football game and think instead about the huge impact that a couple extra characters added to your password would make to the security of your business.

Mark Hatton is president and CEO of CORE Security. Prior to joining CORE, Hatton was president of North American operations for Sophos. He has held senior roles with companies ranging from venture capital-backed, early-stage software vendors to a Fortune 500 information technology services and distribution organization. Hatton holds an MBA from Boston University, Massachusetts, and a BA in Communication from Westfield State College, Massachusetts.