
The 1980’s Just Called…

By Ian Nice - November 13th, 2018 Posted in Advice

They want to tell us about the problems with passwords.

In the summer of 1993 I was in my early teens and I was spending most of my summer holiday playing Ski Free on my Commodore 64, which was my second choice, having broken my third joystick in as many weeks trying to run the 100 meters on Daley Thompson’s Decathlon.

My dad had just got a job with an insurance company based in Surrey, who sent him home with a fancy 3-in-1 thermal fax machine from which the paper used to pile up on the floor when he was out at meetings, and then turn charcoal black in the afternoon sun, making the entire thing unreadable by the time he got home. He was also given an IBM 286 running DOS 5, and WordPerfect. I think it was around the time that I wrote my first batch script using an ASCII art menu, and also when I first used the WordPerfect “classic” keyboard shortcuts, which means I have never found vi difficult to navigate – but this is not what this blog post is about…


So what is this blog post about? It was then, back in 1993, that I first became aware of the problem with passwords. I was old enough to watch the 1983 classic film WarGames, where a young Matthew Broderick’s character uses an acoustic coupler to wardial NORAD. He then used basic open-source intelligence techniques to guess a simple password and then accessed a system used to simulate nuclear attack, thinking it was a game.

If you haven’t seen the movie, after starting the “Global ThermoNuclear War” simulation, NORAD believed they really were under attack from the Russians and started the process of readying their own nuclear arsenal to retaliate. In 1983, passwords were a problem and even Hollywood knew it, and was making films about it.


Ten years after WarGames was released, my dad’s new employer obviously had a forward-thinking IT manager, because he or she was also worried about password security and issued my dad with a two-factor authentication token that looked like a thick credit card and had to be used when he needed to remotely access the company system. I remember clearly watching him with fascination as he logged in, and explained that without the code on the screen that changed every 30 seconds he would be unable to access the system. Password problems were identified and solved by a Surrey-based insurance company in 1993, and a teenager was educated on the problem with passwords and one of the solutions.

It is now 2018, some 35 years after the release of WarGames, and guess what… passwords such as “Joshua” are still a problem (the master backdoor password from the film, if you are wondering). They are being compromised and used by cybercriminals at an astonishing rate, and it really is disturbing to see the volume we see here at Threat Status every day.

Two-factor authentication is still not widely adopted, and I would argue that the adoption of “cloud” technologies and their associated muddle of optional 2FA or social logon solutions has meant password reuse is growing exponentially. Simple passwords that are reused on multiple systems are rife; we know because we help customers find them when they have been leaked. I’m not claiming we are close to accidental ThermoNuclear war, but corporate systems and corporate users are being attacked because of a problem for which we have many solutions.

The 1980’s have called; they want to know why we haven’t sorted this out yet…