Why is this still something we dispute???
I have been working with IT Security for many years; I actually worked for the first Swedish company that publicly announced that it had been hacked. Guess how the intruders got in through our modem pool? (drum roll) ----> Username + static password!
This was over 30 years ago!
How come we are still stuck with the same, extremely poor, way to secure our assets?
The sad fact is that most “people” don’t care about their IT Security, they just want to get on with their day.
I’d like to compare IT with the car industry.
When cars were first introduced, there were no rules, no driver’s licenses, no street lights, etc. On top of that you had to make sure you brought spare parts and mechanical knowledge to keep the car going. Plus, of course, not to mention that driving the car was a real danger for both the driver, passengers as well as pedestrians. Who knew if those brakes would function the next time?
Fast forward to now. Take a modern car with all its security features, a sane driver with a driver’s license following the regulations (keep to the speed limit, follow the street signs, stay in your lane, etc). I would argue that it is extremely difficult to get yourself injured or killed under these circumstances.
How many people drive around with a driver’s license, an inspected car, air bags, ABS, etc? I’d say the majority is following the rules or “best practices”. Why is that?
Hmm, maybe because it is illegal to drive without a license?
Maybe you would feel unsafe driving around in a car without functioning headlights?
Whatever it is, there is a certain threshold of security we want to see before driving away in a car and this I would call “common sense”. Ever heard of that?
But, when we talk about security in IT, it seems like we prefer to totally forget about “common sense” and instead just go for the easiest way out. Security is just a hindrance.
But, as the article points out, one of the main entry points for successful attacks is through usernames/passwords, and I cannot understand how we can still argue all day long about how important and vital it is to keep this big vulnerability in our IT systems.
For elderly people (older than myself) the way I have done it is by using common password manager vaults and/or multiple authentication methods. For instance, I have linked both my older relatives' devices as well as one of my own devices to their accounts. That way I can help them log in when needed. And this is a relief for all of us. Just imagine being able to help your father without having to travel every time!
Since we are moving towards password-less solutions, the need to remember passwords (and usernames) is going away. I am a big fan of this technology since it truly makes our life more secure and easier (yes, I hear the arguments against easy, but once you are over the hill, the pastures are green. I made it over that hill years and years ago..)
For myself, I have hundreds of accounts, mixtures of all kinds of logins, but I don’t have to remember any password. If the service I log in to only supports username/password, I keep this in my password vault and for the most part enjoy automated login. For all other logins, I am using an app or a physical security key.
My hope is to one day find that the world has become a safe place!