Happy World Password Day! (Yeah, there really is a day for everything, but I can’t complain about the increasing number of days that highlight better cybersecurity practices.) Much as we dislike them and complain about having so many of them, we really can’t live without passwords, not if we want to have any kind of online presence or conduct business securely. The importance of protecting our passwords has been highlighted today with the announcement of the Google Docs phishing scam making the rounds. As Travis Smith, senior security research engineer at Tripwire, explained in an email comment:
Someone created a malicious app in Google Docs. While it had an official sounding name, it was far from it. Once you click on the link, the application will ask for permissions to your email account. If granted, it will begin to use your account to send out further spam emails. At this time, there does not appear to be anything malicious in the sense of stealing sensitive data; however having your account compromised in this manner can still make you feel violated.
“Asks for permission” also means “wants your password.” And even though Smith said that, as of right now, the Google Docs phishing scam may not be doing anything overly malicious, if we are handing over our password to one account, we are likely handing over an old familiar password that can access multiple accounts. A Telesign study found that 71 percent of accounts are protected by duplicate passwords and 46 percent of us are using passwords that are over five years old. Think about it – what might be in your Google account that could tip off a hacker to other, more lucrative accounts that share the password? How much of your company’s sensitive data may be connected to the Google account and password?
There are plenty of other password problems, of course. As Eran Cohen wrote in a Preempt blog post:
People reuse passwords. They rotate them. Add a digit to them. And even use identical or share passwords with others. . . . The problem is that only about [one percent] of people care and are aware that passwords are based on patterns and these patterns can be tracked or broken.
How do you know if your passwords are good enough? A couple of security companies have released tools to help you better gauge your passwords. KnowBe4 released a free Weak Password Test (WPT) tool that can identify the potential vulnerabilities in your passwords. And McAfee created a game to raise better password awareness.
Good password management isn’t rocket science, but the truth is, we all get lazy about them. Sometimes we need a reminder to take that first step toward one of the security practices we can control.
Sue Marquette Poremba has been writing about network security since 2008. In addition to her coverage of security issues for IT Business Edge, her security articles have been published at various sites such as Forbes, Midsize Insider and Tom's Guide. You can reach Sue via Twitter: @sueporemba