
October 2024 marks the 21st Cybersecurity Awareness Month – four weeks of themed activity designed to raise awareness of cybersecurity and the importance of staying safe online. For 21 years, this annual event has exhorted people and businesses to take steps such as setting strong passwords, keeping software updated, recognizing phishing attacks, and other basic measures that underpin cybersecurity. Everyone knows this advice is solid. Yet more than 20 years on, millions of organizations and their employees struggle to adopt it.

And it’s not just passwords and patching: humans have an unerring ability to ignore other technical advice even when they know it’s right. Perhaps if we understood why, we could see our way around the password paradox more clearly.

Tech advice we love to ignore

1. Read the manual.

Research has shown that fewer than 25 percent of people ever read the manual or instruction guide that comes with a new device or application. The same research concluded that people are increasingly impatient and prefer to explore on their own and learn from their mistakes; most gave up on the manual after a few minutes. Other research shows that 95 percent of returned products work fine.

2. Deleting an unwanted app from your phone may not solve all the issues.

Simply deleting an app won’t necessarily delete any personal data it holds, unlink it from any other accounts you connected it to (such as a social media account), or remove annoying adware you installed along with the app. To do all of this you need to visit your app store, locate the application, clear its data and cache, and then uninstall the app.

3. A simple, user-friendly device will be used more than a complex one with loads of functions.

All those new features and buttons on the latest model are terribly tempting – but you may barely use or benefit from them because of something called the “Choice Overload Effect.” This effect is best illustrated using jam.

A famous Columbia University study found that when customers were offered 24 jams to sample, only 3 percent of them bought a jar, while when they were offered 6 jams, 30 percent made a purchase. Too many options lead to choice paralysis.

4. Doing the same thing over and over won’t fix the problem.

We’ve all been there, hitting the refresh, restart, or reload button repeatedly in the hope that the problem will, this time, magically disappear. It won’t. But the more frustrated we get, the more likely we are to continue. We could have spent all that time and energy on finding a proper solution.

5. Set a decent password.

Your passwords are the keys to your online assets and data, and to those of your employer, so why wouldn’t you want a strong, unique, hard-to-guess one? The reality is that simple passwords are easy to remember, so we like them. Complex ones are secure but easy to forget, and then you’re either locked out or must jump through hoops to think of and set a new password that you might just remember this time. All of this is a chore.

A recent report shows that while 91 percent of respondents claim to understand the risks of reusing passwords, 59 percent admitted to doing it anyway. Many people aren’t much better at work: when faced with a forced password reset, nearly half (49 percent) simply added a digit or character to their existing password.
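The "add a digit to the old one" habit is something a service can catch at the moment it happens. At password-change time the user supplies both the old and the new password, so the change handler can compare the two before it hashes and stores the new one. The check below is an added example written for this post, not Barracuda's or any product's code; the function names, the affix limit and the minimum length are my own assumptions, and the sample password pairs are constructed.

```python
import re
from typing import Optional, Tuple

# Added example, not the post's or Barracuda's code. Rejects a proposed new
# password that is only a trivial variation of the previous one, which is the
# behaviour the survey above describes (old password plus a digit or character).

MAX_AFFIX = 3  # assumption: up to this many characters added at either end is "trivial"


def _core(pw: str) -> str:
    """Lower-case the password and strip digits/symbols from both ends, so that
    'Summer2023!' and 'Summer2024!' both reduce to 'summer'."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+", "", s)
    s = re.sub(r"[^a-z]+$", "", s)
    return s


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance with unit cost for insert, delete and substitute."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def trivial_variation_reason(old: str, new: str) -> Optional[str]:
    """Return why `new` is a trivial variation of `old`, or None if it is not."""
    o, n = old.lower(), new.lower()
    if o == n:
        return "identical ignoring case"
    if (n.startswith(o) or n.endswith(o)) and len(n) - len(o) <= MAX_AFFIX:
        return "old password with a few characters added at the start or end"
    if n == o[::-1]:
        return "old password reversed"
    co, cn = _core(old), _core(new)
    if co and co == cn:
        return "same letters, only the leading/trailing digits or symbols changed"
    if _edit_distance(o, n) <= 1:
        return "single-character edit of the old password"
    return None


def check_password_change(old: str, new: str, min_length: int = 12) -> Tuple[bool, str]:
    """Policy decision for a password change: (accepted, human-readable reason).
    The variation check runs first so the user is told about reuse, not just length."""
    reason = trivial_variation_reason(old, new)
    if reason:
        return False, f"rejected: trivial variation of the previous password ({reason})"
    if len(new) < min_length:
        return False, f"rejected: shorter than {min_length} characters"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed sample changes, not real credentials.
    for old, new in [("Password1", "Password12"), ("Summer2023!", "Summer2024!"),
                     ("Password1", "Passw0rd1"), ("Password1", "correct horse battery staple")]:
        print(f"{old!r} -> {new!r}: {check_password_change(old, new)[1]}")
```

This comparison is only possible at change time, while the old password is still in hand in plaintext; stored password history holds salted hashes, which can be checked for exact reuse but not for "old one plus a digit". The fuzzy checks therefore belong in the change handler, and the reason string is worth showing to the user so the next attempt is a genuinely new password rather than another increment.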

What’s wrong with us?

The list above provides a snapshot of human-technology interaction that looks a bit like this: we want things to be seamless, plug-and-play, and intuitive, with enough choice to add value but not so much as to paralyze decision-making, and we want all the tricky stuff and hard work to be handled in the background by something or someone else. The requirement to create and set strong, unique, complex passwords for every account doesn’t really qualify, and a recent survey found that two-thirds (65 percent) don’t trust password managers.

What a poor password attitude means for employers

Compromised passwords are responsible for 77 percent of hacking-related breaches, according to the Verizon Data Breach Investigations Report 2024. What’s more, multifactor authentication (MFA), designed to strengthen access controls, is now being targeted with some success by attackers using techniques such as MFA fatigue.

Let’s pause for a moment. After decades of warnings, people still aren’t routinely implementing strong, unique passwords. Furthermore, password-based authentication is no longer enough to protect identities. Perhaps it’s time to look seriously at an alternative.

“The future of authentication is passwordless,” explains Emre Tezisci, Product Marketing Manager at Barracuda. “Passwordless authentication is a way of verifying someone’s identity using alternative methods such as biometrics – fingerprints or facial recognition – hardware tokens, or one-time passwords (OTP) sent via email or SMS. Many consumer applications and devices already rely on biometrics, including some mobile phones, banking, and payment apps.

“In the business environment the journey towards passwordless may take a little longer – solutions are still emerging and not every organization is ready to adopt this approach. It’s important to continue to offer all options, including traditional logins, while helping companies to migrate towards a future of continuous and conditional access, with centralized permissions, self-service access grants and, ultimately, a secure, user-friendly passwordless experience. At that point, the risk associated with using the name of your goldfish to help authenticate 20 accounts becomes irrelevant.”

Photo: fizkes / Shutterstock


Posted by Tilly Travers

Tilly Travers is Director, PR and Communications, International for Barracuda.
