It is time to stop accepting weak passwords

This May 2 is World Password Day. In the United Kingdom, a law now prohibits shipping connected devices with overly weak default passwords such as "admin / password". An example worth following.

Like every year, May 2 is World Password Day. And like every year, advice is pouring in asking Internet users to make an effort for their online security: for example, not changing a password without reason, or not reusing the same password across services.


This advice does not come out of nowhere. In computing, we like to say that the problem lies between the chair and the keyboard (PEBCAK, "Problem Exists Between Chair And Keyboard"). In other words, the origin of a problem is more often found in an individual's mistake, for example clicking in the wrong place.

It is the same in computer security. If security were represented by a chain made up of many links, the weakest of them would also sit between the chair and the keyboard. And the strength of a chain is that of its weakest link: the weaker it is, the more likely the chain is to break, however robust the other links may be.

Of course, the Internet user is not always at fault, but it must be admitted that a good part of the threats are aimed at them. They are the ones fooled by scams, who click on malicious links, who reuse the same passwords, or who have not enabled two-factor authentication. The list of dangers is long.

For once, this World Password Day will not be an occasion to re-emphasize the responsibility of the Internet user, even if it is obviously preferable that they use strong, unique passwords for each online service and consider a password manager to store them.


"admin / password" is no longer acceptable

Instead, this World Password Day should serve as a reminder to the tech industry: you too are part of the IT security chain. It is therefore high time to stop shipping default passwords that are far too weak, and that are replicated identically across every product and service sold.

To put it another way, we must put an end to combinations like "admin / password" or anything built on overly basic sequences. Think of "123456", "azerty", and other horrors of the same ilk. To this we can add another rule: passwords under ten characters should also be rejected.

This is not to say that the entire tech industry is lax in this area: companies in the sector have already taken steps to avoid generating overly basic default passwords when products are shipped to customers. The same goes for registering for an online service: some passwords that are too weak are refused outright.
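To make the rules in the two paragraphs above concrete, here is an added example of a default-credential policy check (written for this edit, not code from Numerama or from any manufacturer). It rejects blocklisted pairs such as "admin / password", keyboard and numeric sequences such as "azerty" and "123456", anything under ten characters, and generates a unique random default per device instead of one value replicated across a product line. The blocklist and keyboard rows are a deliberately small constructed set; the `must_change_on_first_boot` gate and the `admin` username are assumptions chosen for illustration.

```python
"""Default-credential policy check (added example, not the article's or any vendor's code)."""
import secrets
import string

MIN_LENGTH = 10  # the article's rule: anything shorter is rejected

# Constructed blocklist: the pairs named in the article plus a few classic IoT defaults.
# A real deployment would load a much larger list of breached/default passwords.
WEAK_PASSWORDS = {"password", "admin", "pass", "root", "123456", "12345", "azerty", "qwerty"}

# Keyboard rows (AZERTY and QWERTY) and the digit row, used to spot "walks" like "azerty".
KEYBOARD_ROWS = (
    "azertyuiop", "qsdfghjklm", "wxcvbn",      # AZERTY layout
    "qwertyuiop", "asdfghjkl", "zxcvbnm",      # QWERTY layout
    "0123456789",
)


def _contains_sequence(password, run=4):
    """True if `password` contains `run` consecutive characters taken from a
    keyboard row, the digit row, or the alphabet, in either direction."""
    s = password.lower()
    for row in KEYBOARD_ROWS + (string.ascii_lowercase,):
        for i in range(len(row) - run + 1):
            fragment = row[i:i + run]
            if fragment in s or fragment[::-1] in s:
                return True
    return False


def check_default_password(username, password):
    """Return a list of policy violations; an empty list means the password is acceptable."""
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in WEAK_PASSWORDS:
        problems.append("on weak-password blocklist")
    if lowered == username.lower():
        problems.append("identical to username")
    if _contains_sequence(password):
        problems.append("contains a keyboard or numeric sequence")
    if len(set(lowered)) < 4:
        problems.append("too few distinct characters")
    return problems


def generate_device_password(length=16):
    """Generate a per-device random default that itself passes the policy,
    so no two units leave the factory with the same credential."""
    alphabet = string.ascii_letters + string.digits
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_default_password("admin", candidate):  # "admin" username is an assumption
            return candidate


def must_change_on_first_boot(stored_password, is_factory_default):
    """Assumed first-boot gate: a device still carrying a factory default, or any
    password that fails the policy, must force a change before exposing its services."""
    return is_factory_default or bool(check_default_password("admin", stored_password))


if __name__ == "__main__":
    for user, pw in (("admin", "password"), ("admin", "123456"), ("admin", "azertyuiop123"),
                     ("admin", "correct-horse-battery")):
        print(f"{user} / {pw!r}: {check_default_password(user, pw) or 'OK'}")
    print("per-device default:", generate_device_password())
```

The sequence detector is intentionally strict: it flags a 13-character password like "azertyuiop123" that would pass a length-only rule, which is exactly the kind of "basic sequence" the article wants refused.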

Passwords on a computer. // Source: Léa Hamadi for Numerama.
We have to stop now. // Source: Léa Hamadi for Numerama.

One source of inspiration is a very recent legislative initiative in the United Kingdom. Since April 29, the country has applied a new law intended to strengthen the protection of Internet users against hacking and cyberattacks. In its sights: connected devices, for which it sets minimum security standards.

"The new regime prohibits manufacturers from using weak, easy-to-guess default passwords, such as 'admin' or '12345', and if there is a common password, the user will be encouraged to change it at start-up," explained the British government, in a clear desire to eliminate passwords that are too simple to guess.

To illustrate what is at stake, the British government cited the Mirai malware, which caused a great deal of damage in 2016. At the time, the attack also took advantage of insufficient security in certain connected products, with username and password pairs like "admin / pass" or "root / root".

Thus, London recalled, 300,000 smart products were compromised during the Mirai attack because of weak security measures. They were then used to attack major online platforms and services, knocking out Internet access across much of the US east coast. All because of a weak combination.

The new text, which requires manufacturers to raise their level of security, is according to the United Kingdom a world first for a country, even if there have been earlier, more local initiatives, notably in California. On the other side of the Channel, the project had been in the works for several years.
