Mark Burnett
May 5, 2015

The How, the Why, and the Origin of Password Days.

by Mark Burnett

It was February of 2012 and Syrian President Bashar al-Assad was under pressure from other Arab nations to step down and resolve his country’s civil war. But Assad defied this admonition and held fast to his power. Always looking for a cause, Anonymous stepped in and hacked some 78 inboxes of the Syrian Ministry of Presidential Affairs.

Some of those mail accounts had an all-too-familiar password: 12345.

12345 — along with its siblings 1234 and 123456 — is among the most frequently chosen passwords, topped only by the single most common password: password. And this isn’t just some passing trend: these passwords were among the top back in a study I did in 2004 (which doesn’t seem that long ago until you realize Netflix was still sending you DVDs in the mail in 2004).

This horrible password — we use it on our briefcases, bicycle locks, door codes, and voice mailboxes. It doesn’t matter if you are young or old, it does not see race, and it crosses all political boundaries. Chances are you yourself protect something somewhere with that predictable sequence of numbers: 1, 2, 3, 4, and 5.

Some time ago I took my son to visit a friend at an impressive gated community. The large front gate required entering a 5-digit PIN to gain access. As my son called his friend to get the code, I thought I’d try one of my own: 12345. My son told his friend never mind as he watched the gate slowly swing open.

Weak user passwords have been the undoing of many well-planned security infrastructures. At one time we thought it would be a good strategy to force users to follow strict requirements: make them use numbers and symbols in addition to upper- and lower-case letters, force users to change their passwords every sixty days, and never let them use the same password twice.

But it turns out putting too many restrictions on user passwords leads to even weaker passwords that end up as monitor sticky notes across the company.

The Origin of Password Day

Years ago a client of mine struggled with continuous network intrusions and account takeovers yet never seemed able to stop them. Even after they moved to stronger and frequently changed passwords, these attackers kept getting back in. After some analysis we realized the problem was that they would change a few passwords but the attackers would use other passwords to get right back in. Once they were in, they re-acquired the other passwords that had been changed.

We decided the only solution was to change every single password all at once. It took an entire day to change passwords for every user, every router, every server, databases, ISP accounts, and even voice mailboxes (and yes, they did find some 12345's).

Surprisingly, that company-wide password change solved the problem — they never saw evidence that those attackers ever regained access.

Some time later I returned to the company and found they made that global password change an annual company tradition. All other work would stop, the boss bought a stack of pizzas, they cranked the music, and everyone sat down resetting passwords. They called it Password Day — and they looked forward to it.

How to Celebrate Password Day

Since then I have myself started celebrating Password Day. I have way too many passwords to change all at once, but every month I take some time to go change some passwords. While I’m at it, I check privacy settings and enable two-factor authentication if available. My main goal is to never let any important passwords reach their first birthday — and many passwords I never let get older than a few months.

Your organization needs to start celebrating Password Day.

Make it a fun day where employees are happy to participate. Make it consistent and regular, even if you only do it once a year. Take the time to teach your employees techniques for stronger passwords.

Intel Security has taken the initiative to declare May 7th as World Password Day. This is a great opportunity to make May 7 your own company’s password holiday. Yes, the banks will be open, the mail still gets delivered, and the phones will still ring.

But many of us will be celebrating quietly at our desks, diligently changing all our passwords.

Join us and celebrate World Password Day on Thursday, May 7. Click to learn more about celebrating #PasswordDay and simplifying the passwords in your life.

Mark Burnett

IT security analyst and author working in application security, passwords, authentication, and identity. Based in South Weber, Utah https://xato.net