{"id":237447,"date":"2021-04-28T15:00:01","date_gmt":"2021-04-28T12:00:01","guid":{"rendered":"https:\/\/en.buradabiliyorum.com\/the-problem-with-passwords-is-people-cloudsavvy-it\/"},"modified":"2021-04-28T15:00:01","modified_gmt":"2021-04-28T12:00:01","slug":"the-problem-with-passwords-is-people-cloudsavvy-it","status":"publish","type":"post","link":"https:\/\/buradabiliyorum.com\/en\/the-problem-with-passwords-is-people-cloudsavvy-it\/","title":{"rendered":"#The Problem With Passwords is People \u2013 CloudSavvy IT"},"content":{"rendered":"<div id=\"article-content-area\">\n<figure style=\"width: 700px\" class=\"wp-caption alignnone\"><img loading=\"lazy\" decoding=\"async\" class=\"wp-image-10887 size-full\" data-pagespeed-lazy-src=\"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/04\/0e8109e5.png?width=1200&amp;trim=1,1&amp;bg-color=000&amp;pad=1,1\" alt=\"\" width=\"700\" 
height=\"350\" src=\"https:\/\/www.shutterstock.com\/image-photo\/password-box-internet-browser-1687823164\" data-credittext=\"Shutterstock\/Frame Studio\"\/><figcaption class=\"wp-caption-text\"><span class=\"imagecredit\"><a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.shutterstock.com\/image-photo\/password-box-internet-browser-1687823164\">Shutterstock\/Frame Studio<\/a><\/span><\/figcaption><\/figure>\n<p>Passwords have problems. They can be too weak, reused on multiple systems, deliberately shared with other users, and socially engineered. But that\u2019s not the password\u2019s fault. The problem is the people.<\/p>\n<h2 id=\"passwords-and-human-nature\"><span class=\"ez-toc-section\" id=\"Passwords_and_Human_Nature\"><\/span>Passwords and Human Nature<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Passwords may be children of the flower-power era, but we can\u2019t be dippy-hippy and free-spirited with them. Ever since\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Fernando_J._Corbat%C3%B3\">Fernando J. Corbat\u00f3<\/a>\u00a0invented the password to provide some privacy and security for users of the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/en.wikipedia.org\/wiki\/Compatible_Time-Sharing_System\">Compatible Time-Sharing System<\/a>\u00a0multi-user computer in the early 1960s, people have had problems with picking strong, unique passwords.<\/p>\n<p>Human nature means many people prefer convenience to security. It\u2019s called security friction. 
It\u2019s the push-back you get when a security enhancement requires a change of workflow, an additional step, or some thought and effort on the part of the user.<\/p>\n<p>Having a single password is easier, right? You only need to remember one thing. You can use it everywhere and you can get really fast at typing it. If you\u2019re forced to change your password periodically just change the number or the date you\u2019ve tagged on the end. If a colleague wants to use your account, well why not hand over your credentials?<\/p>\n<p>Some of the blame sits with the password owners, obviously. But perhaps some of the blame sits with those of us who are failing to get through to these users. We need to figure out how to change our message so that its content is embraced and adopted instead of being viewed as an annoyance and ignored.<\/p>\n<p>And we know it is being ignored. A 2021 report by\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com\/?u=https%3A%2F%2Fnordpass.com%2F&amp;key=204a528a336ede4177fff0d84a044482\">NordPass<\/a>\u00a0looked at a database of 275 <em>million<\/em> passwords, and all the usual suspects are still present in the list of most frequently used passwords.<\/p>\n<h2 id=\"the-most-frequently-seen-passwords\"><span class=\"ez-toc-section\" id=\"The_Most_Frequently_Used_Passwords\"><\/span>The Most Frequently Used Passwords<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Whenever there is a data breach the exposed data\u2014sooner or later\u2014turns up on the dark web. It might be for sale or, like the <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.businessinsider.com\/stolen-data-of-533-million-facebook-users-leaked-online-2021-4?r=US&amp;IR=T\">533 million personal records of Facebook users<\/a>, is freely available. Different organizations take copies of the breached databases and extract the email addresses and passwords. 
The most well-known of these is the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/haveibeenpwned.com\/\">Have I Been Pwned<\/a>\u00a0website.<\/p>\n<p>It provides a search facility that lets you check whether your email has been caught in any data breaches. If it has, you\u2019re told which websites or organizations the data came from. You can change your password for those accounts and secure them again. And everywhere else you\u2019ve used that same password.<\/p>\n<p>This is the list of the top ten most popular passwords found in data that was breached in 2020. The numbers in parentheses are the number of times the password was found in the database.<\/p>\n<ol type=\"1\">\n<li><strong>123456<\/strong> (2,543,285)<\/li>\n<li><strong>123456789<\/strong> (961,435)<\/li>\n<li><strong>picture1<\/strong> (371,612)<\/li>\n<li><strong>password<\/strong> (360,467)<\/li>\n<li><strong>12345678<\/strong> (322,187)<\/li>\n<li><strong>111111<\/strong> (230,507)<\/li>\n<li><strong>123123<\/strong> (189,327)<\/li>\n<li><strong>12345<\/strong> (188,268)<\/li>\n<li><strong>1234567890<\/strong> (171,724)<\/li>\n<li><strong>senha<\/strong> (167,728)<\/li>\n<\/ol>\n<p>According to the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.experte.com\/password-check\">Experte Password Checker<\/a>\u00a0all of these can be cracked in less than one second, apart from \u201cpicture1\u201d which would take about one minute.\u00a0But the biggest threat is that these passwords are already in the dark web in databases ready to be used as ammunition in credential stuffing attacks.<\/p>\n<p>Whether the password in the database came from one of your accounts or not, it\u2019ll still work on your account. The top entry \u201c123456\u201d was seen in the breach databases 2.5 million times, but it had been exposed in 23.5 million breaches.<\/p>\n<p>It\u2019s as astonishing as it is depressing that people are still using passwords like this today. 
And the same thing goes for people creating platforms that will allow users to create passwords like this. Bad passwords should be trapped and rejected automatically at the time of their creation. If the users aren\u2019t going to follow guidance under their own cognizance, system designers need to make it impossible for accounts to be created with insecure passwords.<\/p>\n<p><strong>RELATED:<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.cloudsavvyit.com\/5808\/how-to-check-if-staff-emails-are-in-data-breaches\/\"><strong><em>How To Check If Staff Emails Are in Data Breaches<\/em><\/strong><\/a><\/p>\n<h2 id=\"password-managers-and-policies\"><span class=\"ez-toc-section\" id=\"Password_Managers_and_Policies\"><\/span>Password Managers and Policies<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>In the workplace, you can provide a password policy that dictates what is and what isn\u2019t an acceptable password. Tighten up password checking rules on all systems so that robust passwords are enforced. 
Promote the use of pass-phrases that link three or four unrelated words connected by punctuation.<\/p>\n<p>Although it might seem counter-intuitive, consider following the advice of the\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/pages.nist.gov\/800-63-3\/sp800-63b.html#sec5\">National Institute of Standards and Technology<\/a>\u00a0(NIST), the UK\u2019s\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.ncsc.gov.uk\/blog-post\/problems-forcing-regular-password-expiry\">National Cyber Security Centre<\/a>\u00a0(NCSC), and\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com\/?u=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fmicrosoft-365%2Fadmin%2Fmisc%2Fpassword-policy-recommendations%3Fview%3Do365-worldwide&amp;key=204a528a336ede4177fff0d84a044482\">Microsoft<\/a>\u00a0and <em>remove<\/em> requirements for passwords to be changed periodically.<\/p>\n<p>Regular password changes add nothing to security and inadvertently encourage bad password choices. They coerce users into retaining a base password and modifying it each time a change is forced, usually by adding a number or a date to it.<\/p>\n<p>It\u2019s much better for people to pick robust, unique passwords and retain them indefinitely. Passwords should only be changed when the user leaves the organization or there is suspicion that the password has been compromised.<\/p>\n<h2 id=\"password-managers-take-away-a-lot-of-the-pain\"><span class=\"ez-toc-section\" id=\"Password_Managers_Take_Away_a_Lot_of_the_Pain\"><\/span>Password Managers Take Away a Lot of the Pain<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Encourage or downright enforce the use of a company-approved password manager. These will create unique, robust passwords for every account, for every user. 
Extremely strong passwords are automatically created for you, automatically entered for you, and you only have to remember one password\u2014the one for the password manager.<\/p>\n<p>Password managers are multi-device and cross-platform, so you can benefit from them on all of your devices. The passwords are stored using a type of encryption that requires a key from your device to decrypt them. Even if the password manager company suffers a breach, your passwords are not exposed.<\/p>\n<p>Password managers provide other security benefits too. Phishing emails often contain links that send the unwary user to a lookalike website that harvests credentials. The password manager will not enter the user\u2019s credentials because it won\u2019t recognize the bogus URL.<\/p>\n<p><strong>RELATED:<\/strong> <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.howtogeek.com\/141500\/why-you-should-use-a-password-manager-and-how-to-get-started\/\"><strong><em>Why You Should Use a Password Manager, and How to Get Started<\/em><\/strong><\/a><\/p>\n<h2 id=\"two-factor-authentication\"><span class=\"ez-toc-section\" id=\"Two-Factor_Authentication\"><\/span>Two-Factor Authentication<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>Two-factor authentication adds another layer of protection. It requires two things from the user: something they\u00a0<em>know<\/em>, their password, combined with something they\u00a0<em>have<\/em>, such as their smartphone. An app on your smartphone will display a one-off code that must be entered along with your password.<\/p>\n<p>This means that even if a password is exposed in a breach the threat actors won\u2019t have access to that account. Note that SMS-based authentication is no longer considered secure. 
Use systems that require a fob, dedicated device, or smartphone application.<\/p>\n<p>Multi-factor authentication takes it a step further. As well as something you know and something you have, it requires something you\u00a0<em>are<\/em>, such as your unique fingerprint, iris, or voice.<\/p>\n<p>Unfortunately, two-factor authentication isn\u2019t universally available. There are a great many systems\u2014almost certainly the majority of systems\u2014that are still reliant on the time-honoured ID and password pair of credentials. That\u2019s changing slowly, but the ID and password model of authentication is going to be around for a long, long time.<\/p>\n<p><strong>RELATED:<\/strong> <strong><em>What Is Multi-Factor Authentication (MFA), And How Is It Different from 2FA?<\/em><\/strong><\/p>\n<h3 id=\"practical-steps-to-take\"><span class=\"ez-toc-section\" id=\"Practical_Steps_to_Take\"><\/span>Practical Steps to Take<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<ul>\n<li><strong>Policies<\/strong>: You need to capture your requirements for acceptable passwords and the rules for safeguarding them in a policy document. If it isn\u2019t written down, it isn\u2019t a policy. It should cover the strength of passwords and pass-phrases, and give guidance on the protection of passwords: never write them down, never share them, and never use them on more than one system.<\/li>\n<li><strong>Password Managers<\/strong>: Specify which are your company-approved password managers, and encourage or enforce their use. 
There are many to choose from.\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"http:\/\/redirect.viglink.com\/?u=https%3A%2F%2Fnordpass.com%2F&amp;key=204a528a336ede4177fff0d84a044482\">NordPass<\/a>,\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/bitwarden.com\/pricing\/\">Bitwarden<\/a>, and\u00a0<a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/www.anrdoezrs.net\/links\/3607085\/type\/am\/sid\/10819\/https:\/\/1password.com\/\">1Password<\/a>\u00a0are all good products with a free plan or a free trial so that you can see whether they suit your needs.<\/li>\n<li><strong>Two-Factor and Multi-Factor Authentication<\/strong>: Where two-factor or multi-factor authentication is available, use it. And remember that even though you have added another layer of authentication, the quality, protection, and uniqueness of your passwords are just as important as ever.<\/li>\n<li><strong>System Design<\/strong>: If you write software, make sure weak passwords are filtered out and rejected as accounts are created. You can include reject-lists of passwords that can never be used. You can also query online resources such as Have I Been Pwned to check whether a password has been found in previous data breaches. You can <a rel=\"nofollow noopener\" target=\"_blank\" href=\"https:\/\/haveibeenpwned.com\/Passwords\">download the entire database of compromised passwords<\/a> from Have I Been Pwned if you wish to host it locally.<\/li>\n<li><strong>Education<\/strong>: For as long as \u201c123456\u201d crops up in lists of the most commonly used passwords we\u2019ve got to keep trying to drum home the essential basics about passwords.<\/li>\n<\/ul>\n<\/div>\n<p><span style=\"color: black;\"><a style=\"color: #ff9900;\" href=\"https:\/\/www.cloudsavvyit.com\/10819\/the-problem-with-passwords-is-people\/\" target=\"_blank\" rel=\"noopener\">Source<\/a><\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>&#8220;#The Problem With Passwords is People \u2013 CloudSavvy IT&#8221; Shutterstock\/Frame Studio Passwords have problems. They can be too weak, reused on multiple systems, deliberately shared with other users, and socially engineered. But that\u2019s not the password\u2019s fault. The problem is the people. 
Passwords and Human Nature Passwords may be children of the flower-power era, but&#8230;<\/p>\n","protected":false},"author":1,"featured_media":237448,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"fifu_image_url":"https:\/\/www.cloudsavvyit.com\/p\/uploads\/2021\/04\/0e8109e5.png","fifu_image_alt":"","footnotes":""},"categories":[18],"tags":[],"class_list":["post-237447","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology"],"_links":{"self":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/237447","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/comments?post=237447"}],"version-history":[{"count":0,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/posts\/237447\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media\/237448"}],"wp:attachment":[{"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/media?parent=237447"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/categories?post=237447"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/buradabiliyorum.com\/en\/wp-json\/wp\/v2\/tags?post=237447"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}