Master of Cyber Stupidity.
Collectively, we have cognitive dissonance when it comes to internet security. Part is our personal responsibility but a larger portion is exacerbated by those who provide resources and set the compliance rules.
To quickly example cognitive dissonance:
- We know that smoking tobacco can cause cancer.
- We shouldn’t consume tobacco products.
- But we search for a ‘safe’ cigarette and tobacco alternative
- We know that processed foods can cause obesity and diabetes.
- We should consume more fresh fruits vegetables and eat smaller portions.
- But we continue to purchase processed foods, but look for the label ‘healthy’ and ‘lite’.
- We know we should use strong user name and password.
- We should use: 1.) a cryptic user name, 2.) strong passwords and they should be 3.) different on every site.
- But what we want is a bulletproof and password-free authentication.
The question is this. How much of security is the end user’s doing and how much is forced stupidity via compliance?
Strong complex passwords and passwords being different on every site is a discussion tabled for later posts. Those items are user-centric and this is about ‘compliance required stupidity.’
How many, as a percentage of all,websites require you to use either 1.) your real name, 2.) your online nickname, 3.) your email address or some combination of 1, 2, or 3?
Considering user name as ½ of authentication security it would seem logical that it should be used. To find out lets use Bruce Wayne aka. Batman and do some examples.
Bruce Wayne registers at some website as email@example.com, or some alternative like bruce@… bruce.w@… b.wayen@… (with password) or he logs in as Bruce Wayne (real name) or because he is paranoid and wants to hide his identity and his alter-ego as Batman, he uses the alias identity of SuperFly.
On every site he registers his email is part of the login process, ostensibly for resetting passwords, but it is a clear and present danger.
Any hacker can see Bruce’s activity published as Bruce or SuperFly and draw a direct correlation to ferret out the login name/email. Simply find a site that you know requires an email as a login and bang away with a brute force effort (try every combination of characters and numbers) till you are granted access. This is relatively easy.
Public comments posted by Bruce are shown as comments by ‘Bruce Wayne’ or as ‘SuperFly’. It shouldn’t take but a few minutes for a skilled cybercriminal to figure out.
Someone wanting to access Bruce’s accounts needs only to do enough research to draw a correlation between Bruce, SuperFly and they will have Bruce’s email address. Why? Because email is the common username on many other sites.
½ of the problem of compromising Bruce Wayne’s accounts is solved, the email address. Who is responsible for this stupidity?
Knowing the email address for Bruce, a cyber criminal need only find a site where Bruce is registered that has high tolerance and execute the password attack.
That is frankly stupid. It is pervasive.
Google, Facebook, and your Amazon accounts have lost ½ of the possible security by compliance forced stupidity. Can we blame Bruce for not having a strong password? They do. Isn’t that shifting the blame from the incompetent website or enterprise owner to Bruce. When Bruce is compromised it may not be his fault at all.
We need to eliminate the user name and password! Here’s how.
BPID is on a mission to eliminate the password in 2016. We are seeking partners to assist in making password-free a reality. Our asymmetrical data system makes eliminating the password possible without compromising security or convenience. Stay aware of our progress, please join us by signing up for our news at bpidsecurity.com.