January 11, 2018

Why some SMART devices won’t be observing World Password Day

You may have heard that today, May 3, has been dubbed “National Password Day”. So, you’ll probably be seeing lots of tweets and updates in recognition of this special day. Personally, I think it’s a little sad that we need a day to highlight the fact that people should spend a moment thinking about passwords. But that’s not the main point I want to discuss in this issue.

What’s REALLY sad to me is that there are so many SMART devices that have literally been built with weak passwords that you can’t change. This is a very immature and dangerous product design flaw, considering how attackers are now focusing on millions of unprotected devices exposed to the Internet, many of which can never really be secured.

The debate over changing your passwords…

There is currently a debate in the security industry about whether forcing or even recommending that people change their passwords regularly is a smart approach. The reason is that there are some undesirable effects from forcing people to change passwords regularly.

Mostly, it’s due to the fact that people will run out of passwords they can easily remember. So, they will likely start writing them down, or using the same password everywhere, which are probably worse than having unique, strong passwords or pass phrases (extra long passwords with spaces included). Here’s an article that discusses this debate.

But regardless of whether you think today (or any day, in general) is a good day to change passwords, there’s one good reason to change your password. Here it is.

The best reason to change your passwords today…

Change the passwords on any computers or devices that come with “Default” passwords already set. For example, in older computers, when you first started them up, the first account created was probably called “Admin”, and it may have had no password associated with it. This was for the convenience of the person setting up the computer.

Now, most new computers force you to choose an account name and a password. This is better because it’s not nearly as easy for attackers to guess the Admin account password.

In a recent interview with Rebecca Herold, my podcasting co-host Tom Eston covers the risks around devices with default passwords, which are now actively being attacked by nation-states, likely in preparation for something big they have planned in the future. (NOTE: I was also on Rebecca’s VoiceAmerica radio show this week talking about Honey Sticks! Here’s the link to that show.)

So, any device that connects to your network in any way, from light bulbs to refrigerators, to door locks and security cameras, may have an account that you need to log into, in order to configure it. Today, you should make sure you have changed all of the default passwords for any devices that allow it.

Replace all of your devices that have passwords you can’t change

For devices that have “immature” product security architectures, and do not allow you to change their passwords, please replace them ASAP! This is likely the biggest target for anyone from hackers in Russia to nosey neighbors close enough to see your Wi-Fi network, with potentially direct access to the login screen of your devices. If they can access your device using the default password, they can probably take over the device and run amok in your network, stealing data or weaponizing your network to attack others.

So, that’s why I’m saying that some SMART devices won’t be celebrating World Password Day. This is because passwords apparently mean nothing to them.

Security Tips…

Individuals: Check all of your home’s SMART or connected devices, including entertainment systems, security systems, and even kids’ toys. Change the passwords today, or break them into tiny pieces. (If you do this, please send me a video of your children watching. It’s for their own good, of course! Just kidding. But I know a few people who will literally consider doing this.)

Employees: Let your manager know if you think there are smart devices in your office that should have their passwords and account access reviewed. It’s also very important not to try to connect any of your personal SMART devices to your office’s network in any way. Talk to your manager.

Managers: Do a full audit of your network’s connections, and check logs to see what devices are being accessed, or trying to access your network. Identify which ones have admin passwords, and make sure they are all strong, and changed from the default. Any that use weak or unchangeable passwords, or insecure protocols to communicate, should be replaced with something stronger.

If you would like to discuss how I can help your team understand the risks related to passwords, please let me know.

