In the day and age of cyberattacks, registering for any online service comes with a cost in time and mental effort. Passwords need to have combinations of upper and lower case letters, numbers, and “special characters” – whatever those are! If they’re easy to use and remember, you’re probably doing it wrong.
This doesn’t stop networks from demanding that passwords be updated regularly, making them less intelligible and harder to recall. Most people dutifully comply with the digital request, but the question remains: Is any of this password policing really protecting us?
Case in point: The latest large-scale cyberattack is a “worm” that moves from one computer to another, shutting down hard drives and demanding a $300 ransom payable in Bitcoin. (Figure that out, technological neophyte!)
The worm exploits a code flaw in Microsoft Windows (what else is new?), so Apple users are safe. In addition, the flaw has been patched in a recent version. So those current on their software updates won’t be affected, either.
Yet it has spread like wildfire through business networks, targeting large-scale oil and gas producers in the United States and Europe. It has been relatively self-contained in the companies it targets.
I WannaCry when I think of how many times I’ve changed my password
Unlike an earlier attack called “WannaCry,” this version doesn’t seem to be running scattershot across the internet as a whole. It also seems to be aimed more at doing damage than getting money. After figuring out what Bitcoin is, if you end up trying to pay the ransom, you’ll quickly discover that the email address to do so isn’t valid. So it’s not a particularly effective fundraising device.
All that being said, if you’re in one of the targeted companies, regularly changing your password isn’t going to help. The virus doesn’t try to attack individual accounts. Instead, it exploits a backdoor weakness that has nothing to do with passwords. Indeed, this appears to be the case with most large-scale viruses.
This is why almost all of the high-profile security breaches making headlines in recent years have very little to do with whether or not your password had a number, an upper-case character, and an asterisk embedded within.
This password hysteria is worse than useless: It’s wasting time and money. A 2014 survey by Centrify found that “passwords are a significant liability for employers: they cost them real money in lost productivity, while also putting their data at risk due to employees’ poor password management practices.”
An average company with 100 employees wastes about $42,000 per year through people trying to recover lost passwords. In addition, they’re actually putting company data at risk with the way they use their passwords. (Think of all the Post-it notes you have used to “remember” every unintelligible new password you’ve been forced to remember.) It’s time to put the paranoia about passwords and cybersecurity in check, and focus on solutions that pass a rational cost-benefit analysis.