So simple, even the CEO can do it
Once upon a time, I used to be able to do useful things. As a CEO I have now forgotten how to do anything useful, except asking other people who still know how to do useful things, to do them.
I was recently reminded that I used to know a bit about hacking. So, when I discovered that a password of mine that I thought was reasonably secure (10 characters, with uppercase, lowercase and special characters) had been breached super quickly, I decided I needed to take myself back to school. I learnt password cracking about 15 years ago and the highlight of that experience was cracking the common local admin password of a big defence contractor. It took nearly two weeks and used an embarrassingly large amount of electricity. There are better ways of heating your house, though few that are so satisfying.
When I broke that first password it was done by ‘brute-force’, a process where you essentially try every possible password to see if it works. Computers are pretty good at this. In 2005 my PC could try about 5,000,000 password combinations a second. Seems like a lot, but a 10 character complex password like my recently broken one could have approximately 60,000,000,000,000,000,000 combinations.
In the last 15 years things have changed. PCs have got much more powerful and you don’t use your CPU to crack passwords any more, but rather a graphics card which is much, much faster. I can now get 840,000,000 tries a second using not very special hardware. But even at that speed, with so many combinations, it’s long hard work to try every combination. And this is where my eureka moment came. You don’t have to try every possibility, because like almost every human being, I am flawed and utterly useless at remembering random passwords. Any reasonably short and memorable password has probably already been cracked and the result published. You can just look it up! Try to make it more difficult with an initial capital letter? So does everyone else. Add some numbers at the end? Yes, everyone else does that too. Going to add a special character? Don’t use a _ or a – because they are the most common.
If you can remember it, it’s probably useless. A few days ago I sat down with a list of 1 billion of the most common passwords that I found on the internet. Then I took half a million encrypted passwords from LinkedIn (that were leaked in 2016) and asked my computer to try the combinations from my passwords list against the encrypted passwords. It took about 10 minutes. Not to break one of them, but to break all of them. This isn’t really a surprise because passwords from a breach as big and well-known as LinkedIn are likely to already be in the public domain and thus on my list of common passwords.
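The arithmetic and the lookup described above, as an added example that is not part of the original post: a defender-side screening check that estimates exhaustive-search time at the quoted 840,000,000 tries a second and rejects any candidate that collapses to a common word once the habits listed earlier are stripped. The five-entry word list is a constructed stand-in for a real published list, the 95-character alphabet and one-year threshold are assumptions, and all function names are hypothetical.

```python
import re

# Constructed sample: a tiny stand-in for a published common-password list.
COMMON_BASES = {"password", "letmein", "dragon", "sunshine", "123456"}

GPU_RATE = 840_000_000    # tries per second, the figure quoted in the post
PRINTABLE = 95            # printable ASCII characters (assumption)
MIN_YEARS = 1.0           # hypothetical policy threshold
SECONDS_PER_YEAR = 365 * 24 * 3600


def brute_force_years(length, alphabet=PRINTABLE, rate=GPU_RATE):
    """Years needed to try every password of exactly `length` characters."""
    return alphabet ** length / rate / SECONDS_PER_YEAR


def reduce_to_base(password):
    """Undo the habits the post lists: an initial capital letter, numbers
    at the end, and a special character tacked on."""
    base = password.lower()
    base = re.sub(r"[^a-z0-9]+$", "", base)    # trailing special characters
    base = re.sub(r"\d+$", "", base) or base   # trailing digits (keep all-digit words)
    base = re.sub(r"[^a-z0-9]+$", "", base)    # separator left before the digits
    return base


def screen(password):
    """Return (verdict, reason) for a candidate password."""
    base = reduce_to_base(password)
    if base in COMMON_BASES:
        # Search time is irrelevant here: the answer can simply be looked up.
        return ("reject", f"reduces to common word '{base}'")
    years = brute_force_years(len(password))
    if years < MIN_YEARS:
        return ("reject", f"exhausted in about {years * 365:.0f} days")
    return ("accept", f"about {years:,.0f} years to exhaust")


if __name__ == "__main__":
    print(f"10-character keyspace: {PRINTABLE ** 10:,}")
    for candidate in ["123456", "Password_2019!", "Sunshine1!",
                      "kT9$wq!L", "kT9$wq!Lm2"]:
        verdict, reason = screen(candidate)
        print(f"{candidate:16} {verdict:7} {reason}")
```

A 14-character password that reduces to a listed word is rejected while a random 10-character one is accepted, which is the post's point: length and complexity only matter when the password is not already on somebody's list.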
Passwords suck, but people suck more. In 2018 the most commonly used password was 123456. In 2013 it was 123456. We don’t learn. 4% of all passwords are still 123456 where complexity or length aren’t enforced.
What if you have a great, complex, long and frankly amazing password? It’s only any good if you don’t share it. A 2015 study by Intel found that only 65% of people could identify malicious ‘phishing’ emails designed to capture their personal data. Only 3% of people in the study identified all 10 of the test emails. That great, complex, long and frankly amazing password you had – you just gave it away. And now it’s on the internet for everyone to see. Just like mine.
We don’t need to invent a better password; we need to invent a better human.
Giles Letheren – Chief Executive Officer
I am not a morning person, so the alarm going off at 5am was properly unpleasant. Within the hour I was on my way out to sea with 3 other civilians and a couple of dozen professional sailors. As signatories of the Armed Forces Covenant, Delt have long supported both former military personnel and reservists and we’d been invited to join HMS Albion for the day. As part of Flag Officer Sea Training, the crew of Albion had spent the previous four weeks training, not just for everything that could go wrong but for when it all goes wrong at once. Today was exam day where all the practice was going to be tested.
Arriving on board to hear a warning of mines would have been truly alarming if it hadn’t all been pretend. It didn’t feel much like pretend though. The crew had been up for hours at ‘action stations’ and were all wearing anti-flash gear and looking serious. Albion was surrounded by a number of smaller ships, apparently protecting us from a marauding submarine. On a fairly regular basis throughout the day, bad things happened. The warning of ‘brace, brace, brace’ results in everyone grabbing hold of something. I caught myself hanging onto a desk despite knowing there wasn’t actually going to be an impact. There were fires, there were floods, there was the constant threat of incoming missiles (which were fast jets pretending to be missiles). Helicopters came and went. Everyone stayed calm. At one point the Bridge was on fire, and evacuated. Everyone seemed to know what to do. It was astonishing to watch a team who all knew their role, whatever was thrown at them. The only degree of stress I noticed all day was a sailor swearing (rather quietly) when he found the route to his destination blocked yet again by fire. ‘Running out of routes…’ he added as we watched and then stepped through the door he had avoided. Fire apparently doesn’t prevent VIPs from getting to lunch. However, passageways were full of fake smoke, which is disconcerting. More so when all the lights go out. That makes it difficult to see the ‘injured’ sat on the floor in corridors. They always apologised nicely if we stepped on them.
Rather than a silver service lunch in the wardroom we joined the rest of the crew in ‘Action Messing’, which is how you feed the whole crew when in the midst of battle. 25% of the crew are fed at any one time, you have seven minutes to collect your food, eat and clean up and then it’s back to work. We were done in just over six minutes. In eating at least, we could keep up with the best of them.
After lunch things got properly serious. We watched from a location that manages damage control. There was a big display showing all the decks of the ship. Anything in red was on fire. Anything in blue was filling up with water. Almost constantly, alarms were going off identifying some other problem. The display got more red and more blue. Everyone was calm. The lights went off again.
To cut a long story short, we didn’t sink or stay on fire. I didn’t fall into an open hatchway or get wet whilst testing my non-existent night vision by stepping off the side of the ship whilst boarding a landing craft, in the pitch black. The ship achieved its mission and dispatched Royal Marines by landing craft and helicopter. It was a genuinely impressive display of people working together and I was left thinking about what lessons the corporate world could learn from the way we train our military. The thing that surprised me most was that throughout the day I never saw anyone ask anyone else what they should do or if it was ok to do it. They simply informed others what they were going to do. Lots of information was communicated and constantly filtered. If it didn’t impact the mission the Captain didn’t need to know.
This level of confidence and trust is something I haven’t seen in business. We could learn from this. In my world you often find that everyone wants to know everything, but in the midst of battle, this crew were only concerned about what they needed to know to do their own job. The absolute focus on mission, which is perhaps more common in the corporate world, was as elegant as I’ve ever seen. Many corporate management teams would benefit from seeing this sort of real teamwork.
It was both an honour and a privilege to spend a day at Sea with the Royal Navy and I’d commend it to anyone who gets the opportunity. I’ve tried to lead my life in a way that results in people shooting at me on a very irregular basis but I do know that if I ever find myself in a sticky spot and in need of rescue – of anyone in the world I’d want the British Armed Forces to be the ones to come get me.
Giles Letheren – Chief Executive Officer
Over the last couple of days I have been thinking about truth, lies and the Delt value of ‘Transparency’. The only way to be truly transparent as an individual would be for everyone to be inside my head. Trust me, that would be a disappointment. Corporate transparency is not that different. Unless you sit at every Board meeting, every meeting of my leadership team, every conversation about any opportunity, change, decision or process then there is always part of what is going on that will be opaque. What we see is filtered and in more ways than we think.
I understand the human eye captures about 10 million bits a second, roughly 10 Mb/s – or twice the speed of my Cornish superfast broadband. The average human brain can process roughly 50 bits per second. That’s some serious filtering/compression going on. Just for our brain to work, we filter out the vast majority of what we see. Add to that what we feel, taste, smell and the compression gets even more impressive.
If you apply this sort of maths to humans doing anything complicated it’s both fascinating and alarming. How about something complicated but common, like driving? If you are a Tesla Model S, this requires a GPU capable of processing 36 trillion bits per second. And a second GPU, just in case the first one fails. It’s no wonder I am so bad at driving.
My point is that everything is always filtered. Nothing is ever truly transparent. In the corporate world, transparency is just as impossible. There is just too much information. We make decisions all the time about what we think matters and should be shared vs what doesn’t and isn’t. I love our value of transparency but it’s aspirational rather than ever truly reachable.
‘Not lying or effectively lying through omission’ is probably a more deliverable value but it’s just not as catchy. So, we will continue to try to be transparent and always be honest. Given the vast array of untruths we are presented with daily, which some call marketing, political messaging or even just alternate facts, we are already surrounded by lies. I and Delt don’t need to add to that. We have to filter but we should never have to lie. To quote from the fantastic Sky Drama ‘Chernobyl’:
We’re on dangerous ground right now, because of our secrets and our lies. They are practically what define us. When the truth offends, we lie and lie until we can no longer remember it is even there, but it is still there. Every lie we tell incurs a debt to the truth. Sooner or later, that debt is paid.
Giles Letheren – Chief Executive Officer