This content is part of the Essential Guide: How to deal with Identity and access management systems

If only security experts could persuade us to change passwords

The inability of most users to grasp the importance of the password is something that Nick Booth thinks needs to be better addressed.

Some say the technology industry is dull. In fact, nothing could be further from the truth. Think how much they have contributed to the excitement of the nation.

Remember how the mobile phone companies pranked us all? They sent ‘smart phones’ to the entire nation without bothering to mention that they weren’t secure. There was a default password that needed changing, they whispered, on a piece of paper tucked away in a box full of millions of other pieces of paper.

As a result of this prank, Britain enjoyed its biggest hacking outbreak ever. Practically the entire country was affected. Even if their personal lives weren’t splashed all over the tabloid newspapers and they weren’t robbed or targeted by blackmailers, they still had to pay for a massive public inquiry.

The banks have pranked us too, forcing us to use systems which aren’t secure. That’s provided many talking points too. Some people have had their lives totally trashed. You have to laugh or you might never stop crying.

Now it’s the turn of the Internet of Things industry to spook us. Taking their lead from the mobile tech firms, they have shipped out billions of devices for use in machine-to-machine networks. These run everything - from transport to defence, to manufacturing and the oil and gas industries. And guess what? Again they’ve been shipped out with default passwords and no firm instructions to change them.

So now all the world’s nasties, from Hezbollah to hackers, have a chance to hijack the Internet of Things and turn it against us.

Now, hang on, a joke’s a joke. I like a laugh as much as the next person, but it’s time to be serious. We don’t need any more mischief, so let’s pay attention to the security people, very few of whom display any sense of humour at all.

John Bambenek, threat intelligence manager at Fidelis Cybersecurity, certainly isn’t about to grab anyone’s attention with observational humour.

“Telecoms companies getting hit by cyber attacks is bad news,” says Bambenek, just in case any of us really thought it was hilarious. “The modern day world is tied together by a web of connectivity and gaining access to this network has the potential to cause serious terror in the wrong hands.”

I daresay people already knew this. Neither was his next statement a revelation: “it’s security vulnerabilities such as this that can allow hackers to gain a foothold within the network.”

The problem is, he says, devices are being shipped with default passwords and open services that are trivial to exploit. Well, duh! However, while this is commendably dull and reassuringly patronising, it’s a pity he hasn’t supplied the one piece of information that would be really useful to everyone. How to stop it!

In the latest hacking outrage, the cause of the problem was that the routers supplied to the companies whose names have been dragged through the headlines over high-profile breaches came with default passwords. And nobody had the wit or the imagination to change the passwords.

Neither did the manufacturers involved make it their mission to ensure they did. Surely a strongly worded warning on the box would have helped. You know the type of thing: “Change this password or die!”. Couldn’t they have included some software routine to remind the managers to change the passwords?

What about offering an incentive, like a random prize to any customer who has demonstrably changed the password to something uncrackable?

IT companies surely must have the wit to be able to do this. They’ve played enough jokes on us in the past.
