I remember having a conversation with a friend many, many years ago, back when the world wide web was still in its infancy and most people were just buying their first family computer. Back in the halcyon days.
We were talking about passwords, and my friend volunteered proudly that his password was “appletree”, he thought it was brilliant. He used it everywhere, he never forgot it. If he ever had to update his password and was restricted from using the previous one, he simply used “peartree” instead. Simple.
You might think that in 2024, this is an absurd thing to bring up. We’ve all changed. We’ve got wiser to the dangers of the modern world. Applications and websites no longer let you enter passwords as simple as this anyway. We now use stronger passwords that are harder to guess. And we are all, most definitely, computer literate, even our 80-year-old parents and our teenage sons and daughters. Yes sir. No weak link in this chain.
But really, what is the difference between “appletree” and “poochie726” (one’s adorable poodle, plus said poodle’s D.O.B)? Are you telling me that you have never had (or, dare I say...still have!) a password like this? I just don’t believe you. Taking it a step further, if we generate a strong password, and come up with this: “F_(sLOI:%QI^C]{4” What is the point of using “F_(sLOI:%QI^C]{4” to protect your login, if I know that you are using “F_(sLOI:%QI^C]{4” to protect your login?
It is only strong if it is unknown, and, not easy to guess by brute force. An apartment block would not use a single key to open every door in the building, so what makes you think that “poochie726”, nay “p00ch!3726” for argument's sake, is ok to use for 100 different accounts that span both your personal life and your work life?
Why are we here?
Even when people understand that they need to use strong passwords, it doesn’t change the fact that people are faced with the challenge of remembering passwords daily. It quite simply becomes impossible without a password manager, and so people choose to come up with one or two really good ones, and then they use these everywhere. This leaves them open to a type of cyberattack called Credential Stuffing.
Credential Stuffing is when a hacker has a list of known username/password combinations that they “acquired” (perhaps the result of a previous data breach), and that they then use to try to log in to many other, different website and services. Sometimes they get lucky, hit the jackpot, and find an appletree-kinda person. It might be that you signed up to a very insecure website 10 years ago that you no longer use or care about, and that this website was part of a data breach (pause – please go and check, I’ll wait). But if you are still using the same password as you did back then, then it means that a hacker could very easily gain access to other accounts and data that you rely on in 2024. You might think that this type of attack would never work. But it does, and it is happening a lot. It is a growing trend (with a 45% year-on-year increase), that relies on human nature’s laziness and reliance on convenience.
What can we do about this?
What can we, TeamPassword, do about this? For you? Pretty much nothing, unless you meet us in the middle. Look what happened to Norton LifeLock or Nintendo. Sure, we have security controls in place on our service to protect you from what happened with those other companies, but does each of the 100 services you use have the same controls in place? Does each of these 100 services you use give you the option of MFA? And did you enable that MFA on all 100 services?
The only solution to this problem is for you to take responsibility away from the services you use, and into your own hands. Let go of the apple tree and get into a new habit, that looks like this:
- Use a password manager.
- Generate a random, strong password for every service you use.
- Turn on MFA for every service you use.
- Turn off convenience tools such as the “remember this password” feature of browsers and the “stay signed in for 6 years” checkboxes (ok that one is a joke, but you get the point).
- Spend 10 minutes at the start of each work day signing in securely to everything. Not a big deal. If you follow these steps, you and the company you work for will be safe against Credential Stuffing attacks, and the only stuffing that you will need to worry about will be the turkey on Christmas day.
Conclusion
The important thing to remember about cybersecurity, is that when you read about data breaches and cyberattacks, they are often so avoidable. But more than that, we have to raise the tide, and all become aware of the threats, because there only needs to be one way in for an attacker. You might be following all these precautions, but is everybody in your team, everybody in your family, doing the same?
Oh, and that friend with the “appletree” password. I once asked him how he came up with it. He told me: “Oh, I copied the idea from another friend, they had an apple tree outside their house and told me they used it as their password”. True story.
