Post-it passwords

For many, creating a password starts with something easy: a pet’s name, a birthday, or, for some, simply “password.” The truth is, any easy-to-remember password is likely easy to guess. And if you ever share it with a co-worker or a third-party vendor, it becomes even less secure. [Note: we would like to encourage you to never do this.] Whatever the case, passwords are often written down as a way to give someone else access to an account or to remind yourself of a new or recently changed password. Thus begins the paper trail. An insecure password posted on the wall is bad enough; what if you’re being interviewed for TV and your password is in view of the camera? Good news! You have just granted access to that account to anyone who viewed that video.

For organizations that deal with third-party vendors in particular, making sure passwords are unique and not shared is vital to the success and security of both the enterprise and its vendors. Unauthorized individuals look for the easiest way onto a network, and frequently that is a vendor’s access to a larger organization, exposed by a weak password. That isn’t always the case, though, since many well-known companies have leaked passwords that were simply in the background of an interview or picture. Remember, your password is only as secure as the sticky note (index card, monitor, or whiteboard) that it’s written on.

Lights, Camera, Hack-tion

At a French TV station called TV5Monde, the journalist David Delos was being interviewed about his frustrations with the attack on the French news program. The news station was reporting on a cyberattack that had happened the day prior. During the interview, login information and passwords for Twitter, Instagram, and other sites could be seen in the background, scribbled onto sticky notes. One of the passwords was deciphered as “lemotdepassedeyoutube,” which translates to “the password of YouTube.” Meanwhile, in the U.K., another password found its way onto the airwaves. Simon Parker, an emergency planner, was being interviewed by Sky News about heavy flooding and strong winds. Instead of a sticky note or index card to remember his password, a whiteboard in the background of his interview showed both a username and password for the world to see. For the viewers of the news, it was a weather emergency; for Simon Parker, it was a security emergency.

Post-It Passwords: Sports Edition

Sports fans and non-fans alike gather around their TVs to watch and celebrate the Super Bowl and the World Cup. For the 2014 Super Bowl and World Cup Tournament, Wi-Fi usernames and passwords were easily seen by viewers watching the coverage of both events. For the Super Bowl, the stadium’s internal Wi-Fi login credentials were mistakenly broadcast on national TV during a pregame overview. Meanwhile, when promoting the security of the World Cup Final, Luiz Cravo Dorea, the head of International Cooperation at Brazil’s Federal Police, posed in front of a large whiteboard that contained the Wi-Fi login and username. Ironically, Dorea was inside the multi-million dollar security center used to monitor cameras for the World Cup.

Post-it Passwords

In January 2018, a false alert warning of an inbound missile was broadcast throughout the state of Hawaii, sending much of the world into an unnecessary panic. After an investigation into the situation, it was reported that the alert was sent because “an employee pushed the wrong button.” This was hard for many to believe, because a picture of Jeffrey Wong, the Hawaii Emergency Management Agency’s operations officer, taken and used for a news article in July 2017, showed a sticky note password in the background. This sticky note password made people think that the unnecessary missile alert happened because someone had seen the picture, obtained the credentials, and hacked into the system. To make the situation that much worse, another screen in the background reminded users to “SIGN OUT” of the computer.

Protect Your Passwords

Sure, passwords are easy to change, but the fact that password leaks continue to happen shows that many organizations are not taking their cybersecurity plans very seriously. Or, even worse, they don’t have a cybersecurity plan in place. Beyond the organizational issue of not protecting passwords properly, the passwords themselves from these stories are weak in more ways than one. First, they have been posted in a very public manner: beyond the obvious fact that each of these passwords was broadcast for the masses to see, they are still posted where any passerby can see them. Along the same lines, the passwords are weak because they lack special characters, numbers, and uppercase letters. These examples may seem extreme, but they highlight just how frequently passwords are shared with unauthorized individuals.

Moving Forward

One of the biggest issues that plagues many organizations is that people don’t take their password security all that seriously, as the number of password leak examples demonstrates. Organizations must continue to fight password sharing, both internal and external. One of the best ways to do this is to implement multi-factor authentication, since it requires more than just a Post-It password.