Passwords and email: will they never die?

Matt Tett

Matt Tett is the Managing Director of Enex TestLab, an independent testing laboratory with over 22 years of history and a heritage stemming from RMIT University. Matt holds the following security certifications in good standing: CISSP, CISM, CSEPS and CISA. He is a long-standing committee member of the Australian Information Security Association (AISA), Melbourne branch, and is also a member of the Information Systems Audit and Control Association (ISACA). Enex TestLab can be found on Twitter as @enextestlab.

The short answer to this problem is no. Humans are simple creatures of predictable habit.

The long answer is that many individuals and organisations simply do not know about, or care about, the risks of using passwords and plain email as opposed to multi-factor authentication and encrypted messaging systems.

Anything electronic, and I mean ANYTHING, can be intercepted.

Most people like to think that their lives, their day-to-day email and the applications they use are simply too boring to interest anyone with nefarious intent, or they have their heads in the sand, trusting in security through obscurity: being hidden among the billions of other people who also use passwords and email. Indeed, many are not even aware that the sand is there to put their heads into, blissfully unaware that their "private" communications may be open to perusal by anyone with a modicum of intent.

Unfortunately for organisations, most employees could not particularly care about information security unless it impedes them in getting their job done, at which point it becomes a problem. What incentive do they really have to care, and how will it affect them personally if the corporate applications are breached? Most individuals care far more about the security of their personal smartphone, social media or banking than about their workplace systems.

Two bodies of work have recently been published in CSO that give some insight into these common areas of human weakness.

Email: now sit back for a moment and think about whom you email and what those emails contain (and also who emails you, and what they send). Now assume that the sender and recipient are not the only two people receiving that information, but that it is being posted to a publicly accessible website for the world to peruse. Would your behaviour (and your content) change? (See the commentary by George Fong.)

Passwords: likewise those non-human-friendly password policies: no fewer than 8 characters, at least one uppercase letter, one number and one symbol. Don't forget to use a different password for each of the many applications that require one. Change your passwords regularly (and never reuse the same password). The point of all this is that when a hacker hoovers up the next batch of usernames and passwords from a site, and tries them against every other site, you are only slightly affected rather than totally compromised. Phew! Do you do all of the above on your own, without the assistance of a password management application? (See the recent review by Ashton Mills.)
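To make the trade-off concrete, here is an added example (not code from the column or from Enex TestLab) that checks the "8 characters, one uppercase, one digit, one symbol" policy, estimates how long an offline attacker needs to recover a policy-compliant password that follows the usual human template versus one a password manager generates, and simulates what happens when a leaked password is reused on a second site. The symbol set, the template keyspace sizes (10,000 words, up to four digits, eight symbols), the guess rate of 1e10/s, and the breach and site records are all assumptions constructed for the demonstration.

```python
import hashlib
import hmac
import math
import re
import secrets
import string

# The policy as the column states it: 8+ characters, one uppercase letter,
# one digit, one symbol. SYMBOLS is an assumed set; real policies vary.
MIN_LEN = 8
SYMBOLS = "!@#$%^&*()-_=+[]{};:,.<>?/"
ALPHABET = string.ascii_letters + string.digits + SYMBOLS  # 88 characters


def meets_policy(pw: str) -> bool:
    return (len(pw) >= MIN_LEN
            and any(c.isupper() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in SYMBOLS for c in pw))


# The template most people reach for to satisfy that policy: a capitalised
# word, a few digits, one trailing symbol. Cracking rule sets target exactly this.
TEMPLATE = re.compile(r"[A-Z][a-z]{2,}\d{1,4}[!@#$%^&*]")


def looks_templated(pw: str) -> bool:
    return TEMPLATE.fullmatch(pw) is not None


def template_entropy_bits(words=10_000, suffixes=10_000, symbols=8) -> float:
    """Effective keyspace of the template (assumed sizes: a 10k-word
    dictionary, up to four digits, eight common symbols)."""
    return math.log2(words * suffixes * symbols)


def random_entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Keyspace of a uniformly random password, as a manager generates it."""
    return length * math.log2(alphabet_size)


def crack_seconds(bits: float, guesses_per_second: float = 1e10) -> float:
    """Expected offline crack time: half the keyspace at the given rate.
    1e10/s is an assumed figure for a fast unsalted hash on GPU hardware."""
    return 2 ** (bits - 1) / guesses_per_second


def generate_password(length: int = 16) -> str:
    """What a password manager does: CSPRNG-chosen and policy-compliant."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if meets_policy(pw):
            return pw


# Reuse: a leaked (user, password) list from one site tried against another
# site's credential store. The store uses salted SHA-256 only for brevity;
# a real store should use a slow KDF such as scrypt or bcrypt.
def store(pw: str, salt: bytes) -> str:
    return hashlib.sha256(salt + pw.encode()).hexdigest()


def credential_stuffing(breach: dict, site_db: dict) -> list:
    """Return users of site_db whose password is the one leaked in breach.
    site_db maps user -> (salt, hex digest)."""
    hits = []
    for user, leaked_pw in breach.items():
        if user in site_db:
            salt, digest = site_db[user]
            if hmac.compare_digest(store(leaked_pw, salt), digest):
                hits.append(user)
    return hits


# Constructed sample data: a breach dump and a second site's store.
BREACH = {"alice": "Summer2014!", "bob": "Qwerty123!", "carol": "Welcome1!"}
SITE_DB = {
    "alice": (b"salt-a", store("Summer2014!", b"salt-a")),   # reused
    "bob":   (b"salt-b", store("unrelated-pw-here", b"salt-b")),
    "carol": (b"salt-c", store("Welcome1!", b"salt-c")),     # reused
}

if __name__ == "__main__":
    print("Password1! meets policy:", meets_policy("Password1!"),
          "templated:", looks_templated("Password1!"))
    print("templated crack time (s):", crack_seconds(template_entropy_bits()))
    print("random 16-char crack time (s):", crack_seconds(random_entropy_bits(16)))
    print("generated:", generate_password())
    print("accounts exposed by reuse:", credential_stuffing(BREACH, SITE_DB))
```

The policy is satisfied by "Password1!" and by a random 16-character string alike, but the templated password falls to an offline guesser in a fraction of a second while the random one does not, and any account that reused the leaked password on the second site is taken over without the second site ever being breached. Both problems disappear when a manager generates and stores a distinct random password per site.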

It is ironic that the people jumping on the anti-metadata-collection bandwagon are the same people who rely on email in its current form (i.e. without any form of encryption), and who, being human rather than robots, physically cannot comply with regularly changing a different complex password for every application they use. If someone really wants your stuff, they will get it eventually, whoever that someone is.

Some circular security questions arise from chasing our tails: how does one build security systems that are both secure and usable? Encryption is required for message transmission. Additional authentication factors are required for application access beyond the something-you-know password, because computers are far faster than we are at guessing our puny passwords; a second factor (something you have, such as a one-time code from a token or phone app) turns a stolen or cracked password into a partial failure rather than a complete one.
