What Were You Wearing? The Rampant Victim Blaming in Cybersecurity

 

In April 2018, I was a victim of hacking. 

As you can see in the image, the perpetrator made it a point to make fun of the fact that he/she used their "know-how" to crack my password. 

In addition to the stress of cancelling and re-establishing all of my accounts, I felt violated, angry, afraid and alone because the perpetrator was not someone I could identify, and I did not know where to go for help. 

Of course, when I shared this incident with a friend who worked in cybersecurity, the first response I got was, "How strong was your password?" My friend may as well have asked, "What were you wearing?"

Of course, I blamed myself...at first.  

View this video to hear from another victim of hacking.

Victim Blaming

The term "victim blaming" is widely defined as "...a devaluing act that occurs when the victim(s) of a crime or an accident is held responsible -- in whole or in part -- for the crimes that have been committed against them".

This is the image of a UK government poster that ran in 2006 and sparked outrage after 'shifting the blame' onto rape victims if they have been drinking. 

The black-and-white alcohol awareness poster features the image of a rape victim crying on the ground, with the slogan: 'One in three reported rapes happens when the victim has been drinking.' 

As you can see, someone took the liberty of correcting the original poster. 

I'm not going to get into correlation vs. causation, but I will say that mistaking correlation for causation has created a plethora of false arguments, from the benign (people who eat ice cream are more likely to be attacked by sharks) to the life-threatening (vaccines cause autism). 

And we can add to that list of false arguments, "A weak password is the cause of cyber attacks."

Are Passwords Really Weak?

"Weak" passwords are here to stay for two primary reasons: 
  1. human nature and 
  2. the continuous evolution of password cracking technology.  

Technology

A very interesting conversation on Stack Exchange suggests that Hashcat, a free open-source tool available on Windows, macOS and Linux, is the best password cracking tool out there. In fact, the Cyberarms website states:

"Think your 12 character passwords are still strong enough? One of the top password cracking programs can now crack password up to 256 characters! The 4.x release of Hashcat blows through the previous 32 character password cracking limit and can now crack up to 256 character passwords."
 


A team of hackers has managed to crack more than 14,800 supposedly random passwords – from a list of 16,449 – as part of a hacking experiment for a technology website. The success rate for each hacker ranged from 62% to 90%, and the hacker who cracked 90% of hashed passwords did so in less than an hour using a computer cluster. The hackers also managed to crack 16-character passwords including ‘qeadzcwrsfxv1331’.

Humans

In the article 5 Reasons Relying on Passwords is a Recipe for Disaster, the author states, "...in today’s environment—with cybercrime rising and hackers beginning to use machine learning—passwords just don’t provide enough protection for businesses. Here are five reasons why:"

  1. Employees reuse the same passwords
  2. Employees use easy-to-hack passwords
  3. People don't keep their passwords safe
  4. Weak or stolen passwords are the top entry point for hackers
  5. Even your most privileged users (e.g., administrator accounts) aren't being password-smart

It seems that relying so heavily on passwords to protect ANYTHING is a foolish security and business decision. 

Passwords are a vulnerability. Period.

Luckily the problem is not passwords. 

Solve the Problem Where It Is


To be clear, I 100% buy into the idea that security is everyone's responsibility. "Everyone" includes the individual who decides to use their "know-how" to penetrate a system without permission. 


We all have a locus of control when it comes to how safe and secure we are in every situation. The problem of malicious hacking involves a combination of multiple processes. 

Finding where we are accountable in those processes is a first step in sharing the wealth of responsibility.

For more cybersecurity stories, information, and fun conversation, subscribe to my YouTube channel, Person-Centered Cyber.

If you create cybersecurity training, want better business outcomes, and better performance at work, subscribe to my Everyone Deserves an Ypifany (pronounced "epiphany") YouTube channel.
