Welcome to 1987. The big music hits for the year were Bon Jovi’s “Livin’ on a Prayer” and “Faith” by George Michael. Depending on your age, you remember these songs like it was yesterday; you thought the music was too loud and crazy; or you think of these songs as a lesson in music history.
Pluto was still a planet and the United States of America still had a manned space shuttle program. Then there was the attack on Planet Druidia. Lord Dark Helmet was sent by President Skroob to steal the valuable air from Planet Druidia. If I am not bringing back any memories (recent or ancient) you still have not seen Mel Brooks’ “Spaceballs.”
For me, “Spaceballs” was a life lesson. It taught me that only idiots would use 12345 as a combination to secure their luggage. (Quoting Lord Dark Helmet, “So the combination is ... one, two, three, four, five? That’s the stupidest combination I’ve ever heard in my life! The kind of thing an idiot would have on his luggage!”) After all, 12345 was also the combination that unlocked the defense shield protecting one of the most prized assets on Planet Druidia.
But a quick glance at a recent password usage analysis conducted in June 2011 shows that we’re still stuck in 1987. Earlier this year LulzSec obtained and posted password files related to a multitude of Sony consumer platforms.
And guess which password showed up in the top 25 most used password list? You were almost right! The answer: 123456. So since 1987, as a collective society, we have matured to the level of adding one character to the infamous 12345 password. I theorize that we gained that extra character because, a few years ago, most organizations raised their password length requirements to a six-character minimum for non-administrative user accounts.
As a society, we are good. We adapted to the new requirements for password creation immediately and added the next logical character. Done!
I hope that your organization has elected to enforce password complexity and reuse requirements along with minimum length to mitigate the 1987—I mean, 2011—mindset. While it is easier for users to adapt to more stringent password controls using a computer, it may be difficult to adopt these habits on certain mobile devices. So do not just blindly apply your password policies to mobile devices without considering the mobile platform and use case scenarios.
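To illustrate the column's point, here is an added example (mine, not the author's): a minimum-length-only policy accepts 123456, while a policy that also checks character classes, a blocklist of commonly breached passwords and reuse against salted hashes of earlier passwords rejects it. The blocklist entries, the history entry and the choice of PBKDF2 for the history hashes are my own constructed assumptions.

```python
import hashlib
import hmac
import os
import string

# Constructed sample blocklist; a real deployment would load a published breach list.
COMMON_PASSWORDS = {"12345", "123456", "password", "qwerty", "abc123"}


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2 digest used to store password history without the plaintext."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def length_only_policy(password: str, minimum: int = 6) -> list[str]:
    """The 'six characters and nothing else' policy; returns a list of failures."""
    return [] if len(password) >= minimum else [f"shorter than {minimum} characters"]


def complexity_policy(password: str, history: list[tuple[bytes, bytes]],
                      minimum: int = 8) -> list[str]:
    """Length, character-class, blocklist and reuse checks; returns a list of failures."""
    failures = []
    if len(password) < minimum:
        failures.append(f"shorter than {minimum} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if sum(classes) < 3:
        failures.append("fewer than 3 of 4 character classes")
    if password.lower() in COMMON_PASSWORDS:
        failures.append("appears on the common-password blocklist")
    # Constant-time comparison against each stored (salt, digest) pair.
    if any(hmac.compare_digest(hash_password(password, salt), digest)
           for salt, digest in history):
        failures.append("reused from password history")
    return failures


def demo() -> dict[str, list[str]]:
    """Evaluate constructed candidates against both policies."""
    salt = os.urandom(16)
    history = [(salt, hash_password("Summer!2010", salt))]  # constructed prior password
    return {
        "123456 under length-only": length_only_policy("123456"),
        "123456 under complexity": complexity_policy("123456", history),
        "Summer!2010 reuse": complexity_policy("Summer!2010", history),
        "fresh passphrase": complexity_policy("Druidia-Shield#87", history),
    }
```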
On the next rainy weekend, curl up with your iPad or favorite Android tablet and watch Spaceballs. You will enjoy a dose of over-the-top humor and antics, along with a lesson in cybersecurity.
Ben Halpert, CISSP, is the director of information technology risk management and compliance at McKesson Corporation. He is the editor of Auditing Cloud Computing: A Security and Privacy Guide and the founder of the nonprofit Savvy Cyber Kids, teaching our youngest learners appropriate bullying responses along with safe and appropriate use of technology before they go online. Comments, questions, and requests can be sent to him at firstname.lastname@example.org; please include SECURITY in the subject line.