During a session at Compliance Week Europe 2017 in Amsterdam today, Mark Johnson, CEO of The Risk Management Group, ran an interesting exercise to show just how easy it is to commit cyber-fraud. He produced an iPhone 7 and passed it around to members of the audience, encouraging them to activate Siri and then ask it a few basic questions, such as "Who am I?", "Who did I call last?" and "E-mail my wife." From simple questions like these alone, one could learn a few kernels of information about Mark that, once supplemented by a few adroit Google searches, soon revealed Mark's full name, his phone number, his home address, a picture of his house, the name of his wife, the birth date of his daughter, and other details. All from a few Google searches. To a dedicated fraudster, it would have taken all of five minutes to capitalize on a lost iPhone.
Johnson then explained how passwords really work. When we use a password and submit it to a site, the site doesn't actually get the password. The password is encrypted by one of any number of commonly used encryption algorithms that turns your password into a string of random-looking characters. That string is called a "hash." Since most people use "password" as their password, however, you can reverse engineer hashes back into their source password and, since password data gets compromised all the time, large lists of hashes can be easily obtained online (again through Google), thus showing that even when we think we have strong passwords, we really don't. Companies can add an additional hash to your hash (known as a "salt"), but even that isn't foolproof, because those salts often can be compromised or accidentally exposed to the public. The bottom line is that passwords are essentially worthless, no matter what they are. "Mixlplyk1492!" is basically the same as "Password" once the hash is obtained and reverse engineered.
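The lookup attack Johnson describes, and the salting defence he mentions, in working form. This is an added example, not code from the talk or from Compliance Week; the five-entry "common passwords" list is a constructed stand-in for the leaked wordlists the text refers to, and the check worth noting is that a precomputed table can only hand back a password that was in the list it was built from.

```python
import hashlib
import hmac
import os

# Constructed stand-in for the large leaked wordlists the article mentions.
COMMON_PASSWORDS = ["password", "Password", "123456", "qwerty", "letmein"]

def unsalted_hash(password: str) -> str:
    """One unkeyed SHA-256 per password: the same password always yields the same hash."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def build_lookup_table(wordlist) -> dict:
    """Precompute hash -> password once; a leaked unsalted hash is then 'reversed' by a dict lookup."""
    return {unsalted_hash(p): p for p in wordlist}

def crack_unsalted(hash_hex: str, table: dict):
    """Return the source password if its hash was precomputed, else None."""
    return table.get(hash_hex)

def new_salt() -> bytes:
    """Fresh random per-user salt; stored next to the hash, it need not be secret to do its job."""
    return os.urandom(16)

def salted_hash(password: str, salt: bytes, iterations: int = 100_000) -> str:
    """PBKDF2-HMAC-SHA256: the salt makes every user's hash unique, iterations slow each guess down."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()

def verify_salted(password: str, salt: bytes, stored_hex: str) -> bool:
    """Constant-time comparison so the check itself leaks nothing via timing."""
    return hmac.compare_digest(salted_hash(password, salt), stored_hex)

if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("unsalted 'password' ->", crack_unsalted(unsalted_hash("password"), table))
    salt = new_salt()
    stored = salted_hash("password", salt)
    print("salted 'password' in table? ", stored in table)
    print("verify correct password:", verify_salted("password", salt, stored))
```

Even with the salt exposed alongside the hash, as the article warns can happen, the precomputed table is useless because it was built without that salt; the attacker is pushed back to guessing per user at PBKDF2 cost rather than looking up a ready answer.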

