I don’t think I’d be going too far out on a limb to say there are hundreds of thousands, if not millions, of people like me who find it increasingly difficult to remember the unique user names and passwords for the plethora of systems we frequently access. It doesn’t matter whether it’s one of my various online personal accounts (banking, credit cards, airlines, hotels, iTunes, Amazon, PayPal) or one of the many corporate systems I use; all of them seem to require a unique user name and password. At last count, I have more than 35 different user IDs and passwords to keep track of.
In January, SplashData, a password management company, announced the 25 worst passwords of 2013 based on data posted online by hackers. The top three were pretty bad: “123456,” “password,” and “12345678.”
Ever since the advent of email, the three basic tenets of password security have been part of our faith in computers: Create user names and passwords that are hard to guess. Change your passwords regularly. Never use the same password twice.
But how many of us actually do that? As we become a people of the web, those traditions are harder to follow. Today, it seems that nearly every web application — from social media to online banking — requires us to create and remember strong passwords of a certain length that contain a combination of numbers, special characters, and uppercase and lowercase letters.
Just consider the collective time investment: with more than 2 billion people regularly using the web, if each user spends just five seconds a day entering a password, more than 1,380 years of human effort is expended, according to Cormac Herley of Microsoft Research. That’s why Herley is calling for a more realistic approach to computer security. He suggests that we spend less time asking people to change their passwords and more time educating them about the safety of the websites they visit. “They should pay more attention to errors and warnings,” Herley writes, “and stop and think more before they click.”
At the same time, Herley says it’s important for IT staff to be honest in their analysis of cyber risk and to provide users with the information they need to be proactive about cyber safety. Too many warnings and reminders can be like the boy who cried wolf. In fact, some would argue that the scare tactics we use are suspect. From an insurance perspective, there’s still a relatively small amount of data on cyber claims and related costs. And according to Herley and his colleague at Microsoft Research, Dinei Florencio, the methodology in numerous cyber-damage surveys is far from sound.
Like most issues in life, developing the right cybersecurity plan is a balancing act. Yes, you should create a unique user name and a strong password that’s harder to guess than your birthday or a loved one’s first name — certainly something better than “password” or “123456.” And you should change it regularly. But at the same time, you should avoid scaring employees too much or sending them too many reminders to change their passwords. The only way to help make the cyber world a safer place is to empower people to make their own decisions about how to protect themselves. And of course, cyber insurance can also make a big difference if you ever become the victim of a cyber attack.
To learn more about cyber risk and cyber-liability insurance, please email me at sdougherty@iso.com. Also, make sure to follow me on Twitter @doughertyshawn.