Let me tell you of an IT company. It had started off small so the director had chosen a favourite password ‘D0neit01‘
This was some time ago, so the fact that it had numbers in made it really secure. It wasn’t particularly long, but it was memorable. Much better than other familiar passwords, like ‘Password01’ or ‘letmein’.
There were five of them working for this company and they were all really good friends. Three directors and two minions. They were working with cleaning companies and whoever would take them on. They realised that their level of service was a cut above everyone else’s, so they realised they could aim higher.
With one of those flashes of inspiration that sometimes hits small companies they realised that they could start working with the finance industry. They already had some contacts in that area of business and, well, those clients had money. It was a sure-fire hit!
Success Breeds Success
A few years later and they had an impressive portfolio of clients. Around a hundred in the bespoke finance industry. Hedge-fund managers, bespoke bankers, investment companies. Their clients loved their high level of service. In part this was because an engineer visiting site knew what the top admin password would be. You’ve guessed it.
By this point about a hundred of their clients were investing more than $1B each. (Yes, 100 x $1,000,000,000 = $0.1T). Which starts to look like a significant part of the UK’s GDP.
Some of the companies demanded ’secure passwords’ with funny characters in. For those companies the password became ‘D0nit01!’. Engineers knew that if the ‘low security’ password didn’t work you could use the high security one. Simples!
One of the managers was tasked with looking for a password manager. This would be able to hold all types of password. It would be able to fill in passwords automatically. You could give different members of the company different levels of access.
It came back with a price-tag of £10,000.
That was a lot of money.
The directors were not convinced that it was necessary.
An Innocent Mistake
One day, one of the directors was logging into a client, let’s call them ‘securefinance’. Their website was ‘securefinance.com’. The director had not noticed that in their speed they had typed ‘securefinance.co’. The website looked EXACTLY like securefinance.com so why would they notice?
Over the coming months they started to notice that some of their clients were failing. In one bad incident a client lost $0.1B in a week! That client immediately started the process of winding down. It was sad – they were a difficult client, but they had been a good payer.
You are probably going to guess what had happened. That fake website had grabbed the entered username and password and was now beginning to use it on lots of websites. They were getting lucky. They were also trying password variations automatically. So they were picking off both the ‘low’ and ‘high’ security clients.
Bad Guys Collaborate
They had also submitted the successful usernames and passwords to a database that is maintained by hackers. (Yes, this really does exist.) So lots of other people were trying these passwords… but they were not using them themselves. They were getting computers infected with ‘malware’ to try them. That IS the job of a lot of malware. If the malware successfully logged in then they would update the database. If the password failed then the bad guys were untraceable. Either way the bad guys win.
By now, clients were getting picked off at an increasing rate.
It was looking very bad.
Several consequencies could have happened, including a significant impact on the UK economy, jail terms and collapse of the IT company. This is based on a true story. The directors were potentially negligent, so could have lost the shirts off their backs.
The Good News
A good password manager is available for FREE. It has greater capabilities than that old software costing more than £10,000.
There is an Enterprise version which has all the granular controls you require for a little bit more.
With a password manager, doesn’t that mean that I am committing all my passwords to a database protected with ONE password? Surely that is a really BAD idea? Yes, it would be UNLESS you set up 2 factor identification. This means that you have a code to type in that is sent to you or generated on an app on your phone in addition to the password. As a hacker will not have both access to your password AND your phone your database is safe. It is also highly encrypted and if you lose your phone or your admin dies there are very secure ways to recover the database.
Here is the manager we use: Lastpass It is not the only one out there, but it is very good. We manage more than 1,500 passwords with it. All our client’s passwords are unique, long and very complicated.
You might not be managing billions of dollars, but you wouldn’t want to lose what you have.