IT security often focuses on software flaws or tight network restrictions, but according to keynote speaker Drew McAdam at the RSA security summit in London, the problem very often lies with the users themselves.
While McAdam is admittedly not an expert in IT security, he has made a name for himself with his method of ‘cold reading’ – using observation and behavioral analysis to read the body language of those he encounters. Using this method, he has proven capable of extracting sensitive information, such as passwords and other valuable credentials, from his subjects, typically without them realizing it. This type of information, warns McAdam, is becoming increasingly easy to find because of the prevalence of social media. Most people choose their passwords based on their own personal history, and more often than not they pick something easy to remember, such as a first pet’s name or the street they grew up on. With this information readily available on social media, hackers today are learning to exploit the users rather than the security system itself. According to Verizon’s 2015 Data Breach Investigations Report, 95% of attacks on web applications involved intruders simply walking in with stolen credentials. McAdam put this simply by quoting Houdini, who once said, “Why pick the lock, when you can get the key?” Again, these keys are becoming easier to find as users publicly share their life stories on social media and fail to follow stricter rules when choosing a password. Jonathan LeBlanc, global head of developer advocacy at PayPal, showcased some eye-opening information about passwords in his presentation entitled ‘Kill All Passwords’. LeBlanc has found that 40% of people have a password that appears on the publicly available list of the top 100 passwords, and 14% of users have a password from the list of the 10 most used.
While people continue to use codes like Password123, hackers today will gladly thank them for easy access to their accounts. While the blame for relaxed security may be pointed at IT professionals, very often the issue originates with the users themselves. McAdam recalled an infamously snarky error code used by long-suffering IT departments: PEBKAC. This code was used to describe issues caused by user incompetence; it stands for ‘Problem Exists Between Keyboard and Chair’. So the next time you create a password for any account, remember to take an active part in defending your personal security, and do not allow yourself to become the problem.
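The two weaknesses described above, passwords drawn from a published most-used list and passwords built from personal details that are easy to find on social media, are exactly what a registration form can screen for before a password is accepted. The following is an added example written for this page; it is not code from McAdam, LeBlanc, PayPal or the RSA summit. The `COMMON_PASSWORDS` set is a small constructed stand-in for a real top-N list, the substitution table and the `personal_terms` parameter are my own assumptions, and the sample passwords and personal details in the demo are constructed.

```python
"""Screen a candidate password for the two failure modes the talks describe:
being a variant of a widely used password, and embedding personal details
(pet name, childhood street, birth year) that an attacker can read off a
social-media profile.  Example code for this article, not a PayPal or RSA tool.
"""
import re

# Constructed stand-in for a published "top 100" list.  A real deployment
# loads the full list (NIST SP 800-63B recommends blocking commonly used
# and previously breached passwords) instead of this handful of entries.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "abc123", "iloveyou",
}

# Keyboard substitutions that password-cracking wordlist rules routinely undo,
# so "P@ssw0rd" is treated as the same word as "password".  Assumed mapping.
_SUBSTITUTIONS = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s", "7": "t",
})


def normalize(password: str) -> str:
    """Lower-case, drop leading/trailing digits and symbols ("Password123!"
    -> "password"), then undo common substitutions ("P@ssw0rd" -> "password")."""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())
    return core.translate(_SUBSTITUTIONS)


def fold(text: str) -> str:
    """Collapse text to lower-case alphanumerics with substitutions undone, so a
    personal detail can be matched regardless of spacing or punctuation."""
    return re.sub(r"[^a-z0-9]", "", text.lower()).translate(_SUBSTITUTIONS)


def check_password(password: str, personal_terms=(), min_length: int = 12) -> list[str]:
    """Return a list of human-readable problems; an empty list means the
    password passed every check.  `personal_terms` are details the user
    supplied on the same form (name, pet, street, birth year) and would
    typically be scraped from social media by an attacker."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("variant of a common password")
    folded = fold(password)
    for term in personal_terms:
        folded_term = fold(term)
        # Ignore very short terms (initials, two-digit numbers) to avoid noise.
        if len(folded_term) >= 3 and folded_term in folded:
            problems.append(f"contains personal detail {term!r}")
    return problems


def is_acceptable(password: str, personal_terms=()) -> bool:
    """Convenience wrapper: True only when check_password finds nothing."""
    return not check_password(password, personal_terms)


if __name__ == "__main__":
    # Constructed profile details of the kind a social-media page exposes.
    details = ["Fluffy", "Elm Street", "1990"]
    for candidate in ["Password123", "P@ssw0rd!!", "Fluffy2009!",
                      "ElmStreet1990", "correct-horse-battery-staple"]:
        verdict = check_password(candidate, details) or ["ok"]
        print(f"{candidate:30} {'; '.join(verdict)}")
```

Run as a script, the demo rejects every password that is a dressed-up dictionary entry or that reuses one of the profile details, and accepts only the long passphrase. In a real system the same `check_password` call would run server-side at registration and password change, with `COMMON_PASSWORDS` replaced by the full published list, and the rejection message shown to the user explains which of the two habits the talks warn about the password exhibits.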