World Password Day: Why the Best Password Is No Password at All

The coronavirus pandemic is the perfect storm for hackers and a worst-case scenario for businesses. More remote workers, more connected devices, and more risky connections present a dangerous combination for businesses attempting to weather the public health emergency. Indeed, the very changes brought on by the “new normal” favor an online environment in which hackers, scammers, and spammers thrive.

Every country in the world has seen at least one COVID-19 themed attack with, at times, devastating effect. For example, one of the Czech Republic’s biggest virus testing hubs suffered a ransomware attack in March that disrupted operations and caused surgery postponements. Today, there is a clear and present danger when it comes to cybersecurity – and this is only amplified by the proliferation of cheap connected devices.

Internet of Things devices may be more numerous than ever before, but that does not mean they are safer. In fact, the industry status quo prefers minimal cybersecurity standards that jeopardize sensitive company and customer data. Let’s explore why today, on World Password Day, even the strongest possible passwords do not guarantee that your data will stay out of the wrong hands.

The problem with passwords

One email address with one password is certainly easier for users to remember, but it is also easier for hackers to beat. Simple seven-character passwords can be cracked in a matter of minutes, rendering them almost as ineffective as no password at all. Security for many of today’s connected devices, though, continues to rely on single-factor authentication, and this is a problem in and of itself.

For example, previously compromised email addresses and passwords recently allowed hackers to access Ring devices. The hackers then used the cameras to tease children and hurl racist insults. Arguably more alarming than the taunting of users is the tracking of users. Connected devices have the ability to capture many data points in a personal or professional setting and this makes their hackability all the more worrying.

Further, most companies do not have the ability to determine whether their devices have been hacked. A report on companies that use IoT technology in their workplace found that about half do not have mechanisms in place to detect whether any of their devices have been undermined by bad actors. Thus, most connected devices today rely on user action to bolster security. Inaction, on the other hand, essentially opens the door for hackers to view the cameras and listen to the microphones of devices in the home and the office.

Extra layers, extra security

Both consumers and companies must consider their privacy when using contemporary connected devices. If business owners, for example, want to continue using devices in critical contexts then they must act accordingly to protect themselves. Today, there are plenty of user-friendly ways to do this.

The first, and likely the best, way is to remove passwords altogether. This can be done with Public Key Infrastructure (PKI), which uses asymmetric cryptography to create an initial trust setting between the client and the target device. The generated key is simply installed on the device to replace any “password” and grant authentication. This is another form of single-factor authentication, but one which renders brute force attacks infeasible.
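
The key-based login described above, as an added example that is not part of the original article: a device enrols a client's public key and then authenticates the client with a signed, single-use random challenge. It assumes Ed25519 from Node.js's built-in crypto module and a bare key pair rather than a full certificate hierarchy; the Device class, the "owner" client name and the context label are hypothetical.

```javascript
// Added example: password-less login where the device stores only a public key.
const crypto = require("node:crypto");
const CONTEXT = Buffer.from("device-login-v1:"); // constructed domain-separation label

class Device {
  constructor() {
    this.enrolled = new Map(); // clientId -> public key; nothing secret to steal or guess
    this.pending = new Map();  // clientId -> challenge awaiting a response
  }
  enroll(clientId, publicKey) {
    this.enrolled.set(clientId, publicKey);
  }
  // Step 1: issue a fresh 256-bit random challenge for this login attempt.
  challenge(clientId) {
    const nonce = crypto.randomBytes(32);
    this.pending.set(clientId, nonce);
    return nonce;
  }
  // Step 2: accept only a valid signature over the outstanding challenge.
  verify(clientId, signature) {
    const nonce = this.pending.get(clientId);
    const publicKey = this.enrolled.get(clientId);
    this.pending.delete(clientId); // single use, so a captured response cannot be replayed
    if (!nonce || !publicKey) return false;
    return crypto.verify(null, Buffer.concat([CONTEXT, nonce]), publicKey, signature);
  }
}

// Client side: the private key never leaves the client; only signatures do.
function respond(privateKey, nonce) {
  return crypto.sign(null, Buffer.concat([CONTEXT, nonce]), privateKey);
}

function demo() {
  const owner = crypto.generateKeyPairSync("ed25519");
  const stranger = crypto.generateKeyPairSync("ed25519"); // key that was never enrolled
  const device = new Device();
  device.enroll("owner", owner.publicKey);
  const response = respond(owner.privateKey, device.challenge("owner"));
  const ownerAccepted = device.verify("owner", response);
  const replayWithoutChallenge = device.verify("owner", response);
  device.challenge("owner"); // new attempt, new nonce
  const replayOnNewChallenge = device.verify("owner", response);
  const unenrolled = respond(stranger.privateKey, device.challenge("owner"));
  const strangerAccepted = device.verify("owner", unenrolled);
  return { ownerAccepted, replayWithoutChallenge, replayOnNewChallenge, strangerAccepted };
}
```

Only the enrolled key's first response is accepted; the same response is rejected when replayed, and a signature from a key the device never enrolled is rejected outright.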

The second is to customize default settings. Cybercriminals already know the default passwords that come with many IoT products. Users, if they still want to use passwords, should at least change the key access phrase into something made up of letters, numbers, and symbols.

Better yet, tailor the device connection. Many devices use cloud connections to relay commands. All the data is thereby kept on a third-party server which is susceptible to outside forces. Installing a peer-to-peer connection removes this danger by establishing direct communication between device and receiver.

The future of passwords

The IoT industry is being asked some tough questions. Some critics submit that if you cannot build a secure connected product that is private by design, you should not be building the product at all. The persistent and continual security faults in connected devices, however, are not preventing mass uptake inside the modern workplace and modern home.

Connected devices, when used correctly, deliver business value in the form of competitive advantage, positive digital disruption, and flexibility. Fallible devices, however, can ruin livelihoods. For example, digital incidents cost businesses of all sizes $200,000 on average, with 60% going out of business within six months of being victimized.

It is incumbent on the user to ensure they incorporate strict security protocols with connected devices. Passwords alone are not enough to protect cheap products and users would be foolish to think otherwise. Rather, users would do best to incorporate additional security layers and cryptographic keys to bolster their cybersecurity.

This World Password Day, remember that device security starts with you. This quasi-holiday, which is celebrated on the first Thursday of May, serves as an important reminder that the need for solid passwords and improved cybersecurity is absolutely critical. Perhaps now more than ever, users need to take digital defence into their own hands – before it is too late.