The big security gap: people

Amongst the hubbub of the recent leak of LinkedIn passwords has come a piece of analysis from security experts about the most popular passwords (you can read a short piece from Forbes here).

Now of course, by definition, the most popular passwords used for any website are going to be obvious ones. That so few even appear to be specific to the site is really worrying: my hunch is that a large proportion of folk use the same password for everything.

For years, IT has tended to put lots of security measures in place to protect corporate systems and data; most of these measures have been both mechanistic and generally unintelligible to the end users. (As an aside, one of my bugbears is the automated timed log-out on some of our internal systems which, because we have single sign-on, merely takes you back to the home page at exactly the point when you need to be somewhere else.)

There are two dangerous outcomes of this: first, overbearing security in a world of commodity, consumer Cloud services will lead to people taking possibly less secure, non-corporately sanctioned routes to get their job done (personal email, file sharing services and so on); and second, we have produced several generations of users who still don’t understand their own personal obligations when it comes to managing information security.

That latter point, I’d argue, is because security has generally been treated as a technical, not a socio-technical, issue. All of the bullshit pseudo-militaristic language and impenetrable talk of key strength has missed the point… If your security depends on someone locking the door at night, it doesn’t matter how big the lock or how strong the door is if you haven’t taught them how to lock the door at night.

Major corporate brands today have primary channels of communication through social networks secured with nothing more than a single password, often shared amongst a number of people, and probably often no more complicated than “1234”. My challenge to the tech security world is not to make that more secure, but rather to face up to the fact that no one following these kinds of insecure practices understands why it might be an issue.
