“What Was Your Password?” — The Rampant Victim Blaming in Cyber Security
In April 2018, I was a victim of hacking.
As you can see in the image, the perpetrator made it a point to taunt me about the fact that they used their “know-how” to crack my password and take over my Gmail account.
In addition to the stress of cancelling and re-establishing all of my financial and non-financial accounts, I felt violated, angry, afraid and helpless, because the perpetrator was not someone I could identify and I did not know where to go for help.
When I shared this incident with a friend who worked in cybersecurity, the first response I got was, “How strong was your password?”…which was less than helpful.
Of course, I blamed myself…at first.
View the video, “Victim of hacker “terrified” by identity theft”
Victim Blaming
The term “victim blaming” is widely defined as “…a devaluing act that occurs when the victim(s) of a crime or an accident is held responsible — in whole or in part — for the crimes that have been committed against them”.
Above is the image of a UK government poster that ran in 2006 and sparked outrage for ‘shifting the blame’ onto rape victims who had been drinking.
The black-and-white alcohol awareness poster features the image of a rape victim crying on the ground, with the slogan: ‘One in three reported rapes happens when the victim has been drinking.’
As you can see, someone took the liberty of correcting the original poster.
I’m not going to get into correlation vs. causation, but I will say that mistaking correlation for causation has created a plethora of false arguments, from the benign arguments (e.g., people who eat ice cream are more likely to be attacked by sharks) to the potentially life-threatening (e.g., vaccines cause autism).
And we can add to that list of false arguments:
“A weak password is the cause of a cyber attack.”
Are Passwords Really Weak?
“Weak” passwords are here to stay for two primary reasons:
- The continuous evolution of password cracking technology, &
- Human nature.
Evolved Password Cracking Technology
A very interesting conversation on Stack Exchange suggested that Hashcat, a free open-source tool available on Windows, macOS and Linux, is the best password cracking tool out there. In fact, the Cyberarms website states:
Think your 12 character passwords are still strong enough? One of the top password cracking programs can now crack passwords up to 256 characters! The 4.x release of Hashcat blows through the previous 32 character password cracking limit and can now crack up to 256 character passwords.
One caveat is worth adding here: the 256-character figure is the longest candidate the tool will attempt, not a claim that a 256-character password falls quickly. Whether a long password is recovered still depends on how predictable it is and on how expensive each guess is.
Also, in a 2019 article titled Think You Have A Strong Password? Hackers Crack 16-character Passwords in Less Than an Hour, the author writes:
A team of hackers has managed to crack more than 14,800 supposedly random passwords — from a list of 16,449 — as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including ‘qeadzcwrsfxv1331’.
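The two quotes above talk about cracking as if it were a matter of password length. The Python below, added here as an editor's example and not code from the original post or from hashcat, separates the two numbers that actually decide an offline attack: how many guesses the password's structure leaves open (the user's side) and how much each guess costs under the hash the site chose (the operator's side). By inspection, the 16-character ‘qeadzcwrsfxv1331’ is two pairs of QWERTY key columns interleaved (qaz/edc, then wsx/rfv) followed by four digits, so the example enumerates that family instead of the full 36^16 keyspace and recovers the password from its unsalted MD5 hash (the experiment quoted above also worked on unsalted MD5 hashes); it then measures how much more one PBKDF2 guess costs than one MD5 guess. The guess rate ASSUMED_GUESSES_PER_SECOND, the QWERTY column list and the PBKDF2 iteration count are assumptions chosen for illustration, not measurements of any real rig.

```python
"""Offline-cracking arithmetic: what the user controls vs. what the site controls.

Once a password database has leaked, two numbers decide how long cracking
takes: how many guesses are needed (password structure, the user's side)
and what each guess costs (the hash the operator chose, the site's side).
ASSUMED_GUESSES_PER_SECOND is an illustrative assumption, not a measurement.
"""
import hashlib
import itertools
import os
import time

ASSUMED_GUESSES_PER_SECOND = 1e10   # assumed rate for an unsalted fast hash on a GPU rig

# --- 1. How many guesses? (the user's side) ---------------------------------

def brute_force_keyspace(length: int, alphabet_size: int) -> int:
    """Candidates for an attacker who assumes nothing about structure."""
    return alphabet_size ** length

def seconds_to_exhaust(candidates: int, guesses_per_second: float) -> float:
    return candidates / guesses_per_second

# QWERTY key columns (assumed list, first seven columns only).  By inspection,
# 'qeadzcwrsfxv' from the quoted experiment is two such columns interleaved,
# twice: (qaz,edc) -> qeadzc, (wsx,rfv) -> wrsfxv.
QWERTY_COLUMNS = ["qaz", "wsx", "edc", "rfv", "tgb", "yhn", "ujm"]

def interleaved_pairs(columns):
    """Every 6-letter string made by interleaving two distinct key columns."""
    return ["".join(x + y for x, y in zip(a, b))
            for a, b in itertools.permutations(columns, 2)]

def column_walk_candidates():
    """'walk + walk + 4 digits': the candidate family a hybrid rule would enumerate."""
    chunks = interleaved_pairs(QWERTY_COLUMNS)
    for first in chunks:
        for second in chunks:
            for n in range(10_000):
                yield f"{first}{second}{n:04d}"

def pattern_keyspace() -> int:
    n = len(interleaved_pairs(QWERTY_COLUMNS))   # 7 * 6 = 42 interleavings
    return n * n * 10_000                        # 17.64 million candidates

def md5_hex(password: str) -> str:
    return hashlib.md5(password.encode()).hexdigest()

def crack_md5(target_hex: str, candidates):
    """Unsalted fast hash: one MD5 per guess, stop at the first match."""
    for pw in candidates:
        if md5_hex(pw) == target_hex:
            return pw
    return None

# --- 2. What does each guess cost? (the operator's decision) ----------------

def pbkdf2_digest(password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """A deliberately slow, salted password hash (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations)

def per_guess_cost_ratio(fast_trials: int = 20_000, slow_trials: int = 5) -> float:
    """Measured on this CPU: how many times one PBKDF2 guess costs more than one MD5 guess."""
    pw, salt = b"qeadzcwrsfxv1331", os.urandom(16)
    t0 = time.perf_counter()
    for _ in range(fast_trials):
        hashlib.md5(pw).digest()
    fast = (time.perf_counter() - t0) / fast_trials
    t0 = time.perf_counter()
    for _ in range(slow_trials):
        pbkdf2_digest(pw, salt)
    slow = (time.perf_counter() - t0) / slow_trials
    return slow / fast

if __name__ == "__main__":
    target = md5_hex("qeadzcwrsfxv1331")             # the 16-char password from the quote
    full = brute_force_keyspace(16, 36)               # lowercase + digits, no structure assumed
    rate = ASSUMED_GUESSES_PER_SECOND
    print(f"brute force, 36^16 candidates : {seconds_to_exhaust(full, rate) / 3.15e7:.1e} years")
    print(f"keyboard-walk family, MD5     : {seconds_to_exhaust(pattern_keyspace(), rate):.4f} s")
    print("recovered from MD5 hash       :", crack_md5(target, column_walk_candidates()))
    ratio = per_guess_cost_ratio()
    # The measured CPU ratio is applied to the assumed rate purely for illustration.
    print(f"PBKDF2 vs MD5 cost per guess  : {ratio:.0f}x")
    print(f"keyboard-walk family, PBKDF2  : {seconds_to_exhaust(pattern_keyspace(), rate / ratio):.0f} s")
```

The user decided the first number (a keyboard pattern plus digits leaves only about 17.6 million candidates, against roughly 8e24 for an unstructured 16-character string). The site decided the second: the same attacker, with the same candidate list, pays orders of magnitude more per guess when the stored hash is a slow, salted KDF rather than unsalted MD5, and the site also decides whether there is a salt, a lockout and a second factor at all.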
Human Nature
In the article 5 Reasons Relying on Passwords is a Recipe for Disaster, the author states, “…in today’s environment — with cybercrime rising and hackers beginning to use machine learning — passwords just don’t provide enough protection…”. Here are five reasons why:
- Employees reuse the same passwords
- Employees use easy-to-hack passwords
- People don’t keep their passwords safe
- Weak or stolen passwords are the top entry point for hackers
- Even your most privileged users (e.g., administrator accounts) aren’t being password-smart
It seems that relying so heavily on passwords to protect ANYTHING is a poor security and business decision.
A password used as the only control is a single point of failure. Period.
Lucky for us, the problem is NOT weak passwords; it is the design that lets one guessable secret decide everything, not the person who chose it.
Solve the Problem Where It Is
In order for a hurricane to form, at least 4 conditions must come together:
- Warm water
- Warm, moist air
- A continuous pattern of evaporation and condensation, and
- Circulating winds
ALL of these conditions must be present for a storm to form.
The same is true for an online crime. A weak password ALONE does not produce a cyber crime. Several conditions must be present and there is a wealth of accountability and responsibility to go around…beginning with the criminal hacker!
To be clear, I 100% buy into the idea that security is everyone’s responsibility. “Everyone” includes:
- the individual who decides to use their “know-how” to penetrate a system without permission,
- the company that owns the server,
- the decision-makers who own the data,
- the cyber professionals hired to protect the data,
- the law enforcement officials who do very little when information is stolen,
- and many others.
The United Nations Office on Drugs and Crime has created an amazing module that states the following:
The burden to secure data is often placed on the individuals whose data is stolen. These individuals are informed to minimize their “digital footprint” by updating security settings on apps, websites, social media, and other online platforms, and removing and/or reducing the amount of data about themselves that they make available to others.
This victim-centred approach puts the onus of protection on the victims of cybercrime, and not the offenders and the companies whose systems were breached.
The reality is that victims cannot protect their personal data when it is “stored in and stolen from third party databases far removed from… [their] control”.
I no longer blame myself for being “digitally violated”. We all have a locus of control when it comes to how safe and secure we are in every situation…on and off line.
I now have a better understanding of where I have control and I exercise that control by making different cyber security decisions about my digital footprint.
The problem of malicious hacking involves a combination of multiple people, processes and technologies.
Finding where we are accountable in those processes is a first step in sharing the wealth of responsibility and in strengthening our overall freedom to be secure in cyberspace.
Subscribe to my YouTube channel Person-Centered Cyber for more…