Remote access has opened up a world of possibilities for everyone who uses a computer at home or work. Today, users can access their corporate network from a hotel room in Philadelphia. Network administrators can manage their company’s systems from home, no longer needing to pull their clothes on and groggily drive to the office at 3 A.M. Web-based access systems, Citrix and other thin-client technologies, and Outlook Web Access have made it possible to access many corporate networks from anywhere at any time.
With this convenience, however, comes an enormous amount of risk. Keylogging software, surreptitiously installed at 14 public Internet terminals in the Manhattan area, allowed an attacker to compromise the personal information and network access of dozens of people and organizations. One company based in Silicon Valley endured months of unauthorized access by a competitor before it discovered the breach. Last year, an organized identity theft ring victimized over 300 customers of a well-known financial institution, costing over $3 million.
The cause of all of these exploits—and indeed, the root cause of hundreds of corporate breaches, identity thefts, and millions of dollars lost every year—is the password.
The average computer user has dozens of accounts online and at their job. Access to nearly all of these systems requires a password. Most people can’t memorize different passwords for all their accounts, particularly if they only access certain applications once a month. Here are some ways average users combat their memory problems:
1. They choose one password for everything. Of course, if their password for their personal Web mail is compromised, chances are good that their company network password is compromised as well.
2. They write their passwords down. One online study revealed that over 30% of people surveyed wrote their passwords down and "hid" them: under their keyboards, on their staplers, or in their desk drawers.
3. They choose information they can easily remember. Many people—up to 35%, according to some experts—choose some piece of personal information: a name of a family member or pet, or a birthdate. The problem is, everyone knows your daughter’s name. A potential hacker can make small talk in the lobby with an employee—and come away with dozens of passwords to try.
4. They get clever. In one company’s password audit, 10% of passwords were "stud," "goddess," "cutiepie," or some other vanity password. Even more disturbing, 12% of passwords were "password"—and most of the users who chose it thought that it was a clever choice.
The problem is that hackers know all of this. Before they try personal information to crack a password, the first thing they try is "password." Hackers will also pretend to work at a company, striding confidently through the front doors with a nod of the head to the security desk or the receptionist. Any passwords on monitors or under keyboards are fair game. Once a hacker has cracked a password, they can view confidential documents or e-mails without the organization ever knowing about it.