Seasonal Defective Password Disorder

Image

Another change of the seasons is upon us. An interesting correlation is that these quarterly seasonal changes also follow the password change schedule in use in many organizations. If you work in an office, you probably receive a notice to change your password every 90 days. The odd correlation of requiring a password change every 90 days in a corporate environment is that many folks need to use something that they can easily remember, and since the password change occurs about once in every season for every user in an organization, the name of the season and the current year seems like a delightfully clever choice. A password such as Spring2016 satisfies most of the “complexity requirements” in use in many corporate environments (more than 8 characters, upper and lowercase letters, and numbers). If your company also requires a special character, then the addition of an exclamation point makes your password sufficient and wonderfully optimistic all at the same time – Spring2016! Using the season and the year also satisfies the requirement of using “unique” passwords from now until your retirement party, since each increment of the year satisfies the uniqueness criteria. I hope you are not getting the impression that I am advocating this password creation approach. I refer to it as Seasonal Defective Password Disorder. One reason that this use of seasonal passwords is so problematic is due to a hacker technique known as “password spraying." Instead of using an enormous dictionary of possible passwords to try to break into an organization (or your personal online accounts), an attacker can simply use a small sample of seasonal passwords, including clever Leet-speak permutations (such as 5pr1ng2016!). The attacker runs those small selections across the entire spectrum, and achieves maximum results with minimal effort.With one password, many accounts can be compromised. Most people do not change their passwords unless they are forced to, either by corporate policy or through a breach notification. When was the last time you changed your password for all your online accounts, such as email, social media, and all your shopping sites? There are plenty of excellent articles about some of the worst passwords, and a very well-known cartoon about creating strong passwords. There are many reasons that seasonal passwords do not appear on the annual lists of worst passwords. Those “worst password” lists are not an accurate representation of passwords that actually matter to people. Most of the passwords on those lists are derived from accounts that people anticipate never visiting on more than the one occasion when forced to create an account in order to download some software or some other insignificant activity. I am confident that no one reading this is using ‘password1’ or ‘12345678’ as the password for their online banking. Perhaps the seasonal change is a good reminder to change your passwords, but please do not use the season name and year as your password. The attackers are wise to that.   Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc. _{Title image courtesy of ShutterStock}