It’s Saturday morning in sunny California, but it’s raining; and, because it is raining, the Internet is down. Since today, in my house, the lack of Internet access has become the top of Maslow’s hierarchy of human needs, I drive quickly to the local cable company store to patiently wait and get a new modem. I have never done this before, and I have strict instructions from my son to not mess around with the Internet, but to follow the instructions and get it up and running: the Clone Wars on Netflix needs to be watched!
So, with a newfound purpose and strict directions to “follow instructions,” I end up getting the Internet working, but I end up being very discouraged too. Let me explain why:
Firstly, the #1 leading point of attack is compromised identity, and as security professionals we all know we need stronger passwords, especially ones backed by multi-factor authentication. But here I am connecting up my modem, following the instructions that 99% of consumers would follow, intrigued to see whether we are taking password management seriously and making the right attempts to educate consumers.
I open the box carefully, open up the great getting started booklet and think to myself, “Will it be on page one?”
But it isn’t, and it is not on page two, either, since both only contain, “What’s inside the kit” and “Plug-in and power up.”
On page three, I am told to “find the sticker” showing the default SSID and password on the modem. There is nothing about remembering to change the default password.
With page four, I am still hoping it will be in the booklet… I open up a browser on my computer, and… I’m activated.
My house is now calm and the subject of food is now the priority.
This is amazing: 99% of consumers probably get on with their lives and let the default password remain. What consumers do not realize is that attackers can find out the default password, or they will already know the algorithm the cable company used to create it from details the modem broadcasts anyway. With all the news in the market about identity theft, here we are with a default password. I turn some more pages, and here’s what I find:
Okay… don’t get me wrong, there are lots of things that go wrong here; that’s why the cable man exists. But how many consumers are going to change their default passwords? Surely we could have done a better job. When I received this box from the cable company, it could have been configured with a personalized SSID and password during the provisioning process, or, more simply, there could be a massive “DO NOT CONTINUE” sign to remind the consumer to perform the additional step. But, no, none of these things happened.
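To make the point about derivable defaults concrete, here is an added example, not from the original post and not any vendor’s real scheme. It uses a constructed, hypothetical factory-default rule in which the Wi-Fi key is a truncated hash of the modem’s MAC address (the BSSID), which any device in radio range can read from the access point’s beacons. The BSSID, the `derive_default_key` rule and the `provision_unique_passphrase` routine are all assumptions made for illustration; the contrast they show is the one the paragraph above argues for: a default that can be recomputed from public information versus a per-device secret generated at provisioning time.

```python
import hashlib
import secrets
import string

# Constructed, hypothetical factory-default scheme (matches no real vendor):
# the printed key is the first 10 hex digits of SHA-256 over the Wi-Fi MAC.
# The MAC (BSSID) is broadcast in every beacon frame, so anyone nearby has
# the only input the scheme needs.
def derive_default_key(bssid: str) -> str:
    mac = bssid.replace(":", "").replace("-", "").upper()
    digest = hashlib.sha256(mac.encode("ascii")).hexdigest()
    return digest[:10].upper()


# The attacker never sees the sticker. They read the BSSID off the air and,
# knowing the (public or reverse-engineered) scheme, recompute the same key
# the factory printed.
def attacker_recovers_key(observed_bssid: str) -> str:
    return derive_default_key(observed_bssid)


# The check a practitioner would run on a home router: is the configured key
# still the one the default scheme would produce for this BSSID?
def is_factory_default(bssid: str, current_key: str) -> bool:
    return secrets.compare_digest(current_key, derive_default_key(bssid))


# What provisioning should do instead (assumed design, not the ISP's process):
# draw a per-device passphrase from the OS CSPRNG, with no relationship to the
# MAC, SSID, serial number or anything else an outsider can observe.
# WPA2 passphrases must be 8 to 63 printable ASCII characters.
_ALPHABET = string.ascii_letters + string.digits


def provision_unique_passphrase(length: int = 20) -> str:
    if not 8 <= length <= 63:
        raise ValueError("WPA2 passphrase must be 8-63 characters")
    return "".join(secrets.choice(_ALPHABET) for _ in range(length))


if __name__ == "__main__":
    bssid = "00:11:22:33:44:55"  # constructed sample BSSID
    sticker_key = derive_default_key(bssid)
    print("key printed on sticker :", sticker_key)
    print("key attacker computes  :", attacker_recovers_key(bssid))
    print("still factory default? :", is_factory_default(bssid, sticker_key))

    provisioned = provision_unique_passphrase()
    print("provisioned passphrase :", provisioned)
    print("still factory default? :", is_factory_default(bssid, provisioned))
```

The first half of the run shows the attacker and the sticker agreeing on the same key without the attacker ever touching the modem; the second half shows a key that nothing broadcast over the air can be used to recover, which is the property a provisioning process should deliver by default.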
This is a lesson for all of us. We talk security and we know the #1 point of attack is compromised identities, yet our major access point in the home is left totally vulnerable. It is no different from enterprises that put themselves in a high-risk situation through weak passwords, shared passwords, no SSO, no MFA and too much privilege.
We need to do better, both for consumers and the enterprise.