
Does our behaviour jeopardise our corporate security?

Nowadays, the core asset of a business is its information (documentation on intellectual
property, client lists, price matrices, manufacturing processes, organisational charts). A loss
of confidentiality or integrity of that information, or its unavailability, can destroy the trust
that shareholders and stakeholders have placed in the business, which may ultimately go
bankrupt. It is therefore crucial to protect access to this information properly.
Although most companies are now aware of this and enforce policies and procedures to
achieve an adequate level of security, individual behaviour can also have a significant
impact on the corporate environment.
This article focuses only on the access control part.
When browsing the web, we are lured by most websites, and especially those of banks, into
believing that maximum security is in place merely because a small padlock symbol appears
in our favourite browser. The padlock only attests to an encrypted connection to the site. The
problem lies not so much in the confidentiality of that connection as in the authentication of
the user, which is the keystone for accessing our profiles and data.
I personally have a list of about a hundred websites (for private use only) where credentials
are needed for different purposes. The task quickly becomes complicated: how can I manage
this amount of data that I am supposed to remember?
Access to those websites is, however, made easy: none of them has a regular password
change policy in place and most do not even have a proper minimum password policy
(i.e. a mandatory minimum length with a mix of upper- and lower-case letters, digits and
special characters).
The management of this information reveals three distinct behaviours:
The innocent: those who use the same password for all websites. This has the merit of being
simple, easy to remember and very convenient. The major problem, of course, is that if one
website is vulnerable and this single password is revealed, every website where it was reused
is compromised as well. The weakest link principle applies very well here: one site's breach
becomes everyone's breach, and the probability of compromise is multiplied.
The logical: those who use a different password for each website, but generated by a system
that lets them remember all of them easily. The problem arises when one or two passwords
have been compromised: the rule used to create them can be deduced to find the others or,
at least, to significantly reduce the number of combinations to try for a particular website.
The paranoid: those who use a different password for each website, with no system from
which one can be deduced from the others. This solution, advocated by every security
professional, is very difficult to implement because of the memorisation effort it entails.
There are software programmes (password managers) that store those passwords, but this
solution greatly reduces one's mobility (e.g. using the same application across different
platforms such as laptops, tablets, smartphones, etc.).
Another dimension, the regular change of passwords, should not be overlooked either. Of the
hundred or so websites where I have an account, I do not remember any having implemented
a password expiration policy, which is just as important as complexity. Indeed, any
password, however complex, will eventually be revealed by successive attempts covering all
possible choices until one succeeds. An expiration policy limits this type of problem, but
only if the password is changed before the attacker has worked through the search space:
against a leaked password hash attacked offline at millions of guesses per second, rotation
merely shortens the period during which a cracked password remains useful.

Nevertheless, if those hundred websites forced me to change my password every three
months, for example, it would take me approximately 500 minutes (8h 20min) each time,
assuming five minutes per site, and this four times a year, regardless of which of the three
behaviours above I follow.
So we may ask ourselves whether any of us actually change these passwords, especially
since, on most of these websites, we do not hold critical data.
It can be argued that all this is obviously the responsibility of each of us and affects no
one but the person concerned. However, we cannot separate the behaviour of individuals in
their private and professional lives. Hence, despite sophisticated password policies in the
corporate world, the innocent and logical behaviours seem most likely to prevail.
In that case, the combination of our behaviour and our private accounts outside the
company weakens the corporate password policy, no matter how it is implemented.
At work, however, there are mitigating mechanisms such as locking or temporarily
suspending an account after a certain number of failed attempts, but not all services have
this feature.
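The following is an added illustration, not code from the article's author, of the two
mechanisms discussed above: the account lockout after repeated failures, and the
arithmetic that relates a lockout policy and a password expiry interval to the size of the
password search space that "successive attempts" must cover. The policy values (five
failures, 15-minute lockout, 90-day expiry), the user names and the candidate list are
assumptions chosen for the demo.

```python
"""Account lockout against online password guessing, plus the arithmetic that
relates a lockout policy and a password expiry interval to the password
search space.

Added illustration for this article, not the author's code. Policy values,
user names and the candidate list are assumptions chosen for the demo."""

import hashlib
import hmac
import os
import time

PBKDF2_ITERATIONS = 50_000  # assumption: demo setting, raise it in production


def _derive(password, salt):
    """Salted, deliberately slow hash so a leaked store is not cheap to crack."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


class Authenticator:
    """In-memory credential store that locks an account after consecutive failures.

    `clock` is injectable so lockout expiry can be exercised without sleeping."""

    def __init__(self, clock=time.time, max_failures=5, lockout_seconds=900):
        self.clock = clock
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self._users = {}         # username -> (salt, hash)
        self._failures = {}      # username -> consecutive failures
        self._locked_until = {}  # username -> time at which the lock ends
        # Dummy credential: unknown usernames cost the same time as real ones.
        dummy_salt = os.urandom(16)
        self._dummy = (dummy_salt, _derive(os.urandom(8).hex(), dummy_salt))

    def register(self, username, password):
        salt = os.urandom(16)
        self._users[username] = (salt, _derive(password, salt))

    def login(self, username, password):
        """Return 'ok', 'denied' or 'locked'. A locked account is rejected before
        the password is evaluated, so the guess yields no information."""
        now = self.clock()
        if self._locked_until.get(username, 0.0) > now:
            return "locked"
        salt, stored = self._users.get(username, self._dummy)
        ok = hmac.compare_digest(_derive(password, salt), stored)
        if ok and username in self._users:
            self._failures[username] = 0
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= self.max_failures:
            # This guess was evaluated (hence 'denied'); the following ones are not.
            self._locked_until[username] = now + self.lockout_seconds
            failures = 0
        self._failures[username] = failures
        return "denied"


def keyspace(alphabet_size, length):
    """Number of candidates an exhaustive search must cover."""
    return alphabet_size ** length


def guesses_before_expiry(expiry_seconds, max_failures, lockout_seconds):
    """Upper bound on online guesses at one account before its password expires,
    when every lockout is enforced: one batch of guesses per lockout period."""
    return max_failures * (expiry_seconds // lockout_seconds + 1)


def guesses_without_lockout(expiry_seconds, guesses_per_second):
    """Same bound when the service never locks and only the network limits the rate."""
    return expiry_seconds * guesses_per_second


class FakeClock:
    """Deterministic clock for the demo and tests."""

    def __init__(self, start=0.0):
        self.now = start

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


# Constructed candidate list; the real password sits after the lockout threshold.
DEMO_CANDIDATES = ["123456", "password", "qwerty", "letmein", "welcome1",
                   "Summer2011", "correct horse", "P@ssw0rd"]


def simulate_online_attack(auth, username, candidates, clock, seconds_per_guess=1.0):
    """Try each candidate once; returns (found, evaluated, rejected_unevaluated)."""
    evaluated = blocked = 0
    for guess in candidates:
        result = auth.login(username, guess)
        clock.advance(seconds_per_guess)
        if result == "locked":
            blocked += 1
            continue
        evaluated += 1
        if result == "ok":
            return True, evaluated, blocked
    return False, evaluated, blocked


if __name__ == "__main__":
    ninety_days = 90 * 24 * 3600
    print("62^8 keyspace:", keyspace(62, 8))
    print("online guesses in 90 days with 5/15min lockout:", guesses_before_expiry(ninety_days, 5, 900))
    print("online guesses in 90 days at 100/s, no lockout:", guesses_without_lockout(ninety_days, 100))
    clock = FakeClock()
    auth = Authenticator(clock=clock)
    auth.register("bob", "correct horse")
    print("attack result (found, evaluated, blocked):", simulate_online_attack(auth, "bob", DEMO_CANDIDATES, clock))
```

The numbers make the trade-off concrete: with a five-failure, 15-minute lockout, an attacker
gets at most about 43,000 online guesses at one account in 90 days, far below even a
six-letter lower-case keyspace, so the expiry interval is never reached by exhaustive search.
Without lockout, at a modest 100 guesses per second, the same 90 days allow over 700 million
guesses, which does exhaust that six-letter keyspace; expiry alone does not save a weak
password. Failure counters are kept per username even for unknown accounts, so a real
service would also need to bound that table and rate-limit by source address.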
Therefore it seems that, in the short term, the developers of private websites should be
made aware of the risk they pose to their customers and users, and be encouraged to
implement a more rigorous policy or alternative authentication technologies in place of the
traditional password. But what would be the return on investment for websites that provide
free services, such as social networks and free webmail?
In addition, do our businesses also need to invest, again in the short term, in alternative
solutions to prevent behaviours that weaken access to their data from being carried over into
the working environment?

Bruno Halopeau
05/10/2011
