“Use the Password on the Bulletin Board”

Letters from the Front Blog

Emerson once told us, “A foolish consistency is the hobgoblin of little minds,” and yet we just can’t help ourselves.

Surely, no one needs more evidence to convince them that passwords have long since outlived their usefulness. While we all hold the same opinion, we still shore up our precarious and uneasy alliance to passwords with myriad password vaults and ultimately hate ourselves for doing it.

Work in cybersecurity long enough, and one begins to collect any number of stories of, shall we say, “unique” solutions? We all have colleagues with great password stories. Here is one of mine:

Early in my career, I traveled North America to install networks, systems, and servers for banks and credit unions.  At that time, the IBM iSeries (more commonly known as an AS400) reigned as the undisputed monarch of the financial core system. And while it seems like a stereotype, more than a few of the AS400 admins really did wear glasses, a long beard, and suspenders. On the other hand, all the traveling teams from our vendor, mine own included, were smack in the middle of our twenties.

We didn’t touch the big metal if we could help it, as our company employed our own beard-and-suspender army for that. Instead, we just made sure that the IBM Client Access software worked in the new environment. That usually provided more than enough fun for a week-long install.

At one bank in a sizable city, I found myself standing up servers behind a large, plate-glass window to the lobby! The management of that institution felt such pride in their technology investment, they decided to put the entire server room on display for all to see. Red velvet ropes purposefully guided everyone stepping in from the street past that floor-to-ceiling observation portal. In the middle verifying settings across their half-dozen terminal servers, the feeling of being watched would suddenly strike me. I would turn to find the faces of teens pressed against the glass or the unabashed stares of toddlers caught mid-nosepick unconcerned.

Delightful.

Halfway through the week, I discovered that the 400 network configuration denied access to our new terminal servers. No problem, this happened on about half the installs. One quick change, and we’re back in business – only that level of modification required the most powerful AS400 account on the system.  It needed QSECOFR.

As team lead, I went to my contact for the info. No problem. We returned to my open console in the server room, logged in, and then logged on (IYKYK).

“Okay,” I said, “Here’s the setting, it’s going to ask for your QSECOFR password.”

“Oh, we don’t use that one very much,” replied the person in charge of the bank’s information security. “I think Becky knows where that is.”

“That’s fine. Can we get Becky?” I said, not quite yet grasping the situation.

“She may be on break, hang on.”

I waited for a few minutes until my contact returned with Becky, one of the people whom I had seen working behind the teller line only minutes before. Becky didn’t mince words but, with a look of barely concealed derision, walked across the server to a cork bulletin board and retrieved a 3x5 card thumbtacked there.  The dogeared card had yellowed with age, but plainly visible writ large upon the front were the words QSECOFR and a short, eight-character, simple password.

I remember standing there, looking comically from the notecard in my hands to the window and then to the bulletin board across the room, in plain view of the city's entire population.

No wonder Becky looked disgusted.

Now, it’s true that bad security happens to good people. Don’t let it happen to you. Multi-factor Authentication (MFA) exists for a reason: to mitigate one of the most widely regarded security vulnerabilities in broad usage today. Even now, some bad actor is asking a Generative AI to craft a better phishing email with an even greater likelihood of harvesting credentials.

The worlds of Operation Technology (OT) and the Internet of Things (IoT) usually fare far worse in the password game. Many times, devices manufactured decades ago have no ability to change passwords or no way to enforce complexity. Perhaps the one person who knew anything about that system retired after thirty-five years of faithful service. Maybe the vendor who created that critical item either disappeared or has been acquired so many times since that the website no longer even hosts a manual for that device.

When the NERC CIP Standards were released over a dozen years ago, many IT Security organizations ridiculed their comparatively “weak” security requirements. The IT admins knew they could enforce password complexity with a few clicks of the mouse. The OT admins, however, felt immediately ill at their stomachs to think of the immense scope of password changes for thousands of small, weird, odd-ball, and potentially unsupported OT devices strewn hither-and-yon in hard-to-reach places and uncertain distances.

So, why not eliminate the password completely?

BlastWave provides Secure Remote Access (SRA) with passwordless multifactor authentication. We securely control interactive sessions from anywhere in the world, and in conjunction with our innovative network cloaking and micro-segmentation, your OT (and even IT) systems will be fundamentally more secure. 

And Becky can go back to doing her job in peace.

Have your own cybersecurity stories? We’d love to hear them! Send them to me via frontlinetales@blastwave.com