BreachExchange mailing list archives

Do weak passwords keep you awake at night?


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Tue, 22 Dec 2015 18:45:30 -0700

http://www.itproportal.com/2015/12/20/do-weak-passwords-keep-you-awake-at-night/

In September – as you probably read – a group of hobbyist hackers announced
they had cracked 11.2 million user passwords from the troubled dating
website Ashley Madison. Adding insult to injury, the group, called Cynosure
Prime, went on to publish the top 100 passwords.

Revealing their owners to be technologically inept, as well as morally
questionable, the passwords included “123456” in the top spot, followed by
“12345” and “password.” I don’t think that even more obscure ones such as
“secret” and “affair” would give your average hacker sleepless nights.

It was the same story a few years ago, when anti-hacking software company
Imperva analysed 32 million passwords that had been stolen by an unknown
hacker from RockYou, a company that makes social media software. They found
that over one per cent of the 32 million people had used “123456” – others
in the top 20 included “12345,” “abc123,” and “qwerty.” Despite knowing
about the dangers – cyber crime is one of the fastest growing crimes
globally – I think people are still pretty blasé about their security.

People use passwords that are easy to remember. And they will use that
password over and over again, for personal and work use. And it is this
that causes you – the employer, the IT manager – a massive security
headache. When an employee hands out a business card with their email
address, they are effectively giving away their user name. A hacker with
time on his hands might start with a “dictionary attack” – literally
sitting down and guessing what the password might be. Such attacks often
succeed because people tend to use short passwords that are commonly used.

Brute-force attacks are another commonly used tactic. You might have heard
that a computer cluster has recently been unveiled that can process as many
as 350 billion guesses a second – it can try every possible Windows
password in the typical enterprise in under six hours.
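The following is an added example, not code from the article: a policy-side checker that rejects the common passwords the article names and works through why, at the quoted rate of 350 billion guesses a second, an eight-character password falls within the six-hour window while a twelve-character one does not. The blocklist and rate come from the text; the minimum length, character-class sizes and function names are assumptions.

```python
# Added example (not from the article). Rate and blocklist entries are taken
# from the text; the alphabet sizes and 12-character minimum are assumptions.
GUESSES_PER_SECOND = 350e9  # cluster rate quoted in the article

# Constructed blocklist from the passwords the article names; a real policy
# would load a much larger list of breached and commonly used passwords.
COMMON_PASSWORDS = {"123456", "12345", "password", "secret", "affair",
                    "abc123", "qwerty"}


def exhaust_seconds(length: int, symbols: int,
                    rate: float = GUESSES_PER_SECOND) -> float:
    """Seconds needed to try every password of exactly `length` characters
    drawn from `symbols` distinct characters at `rate` guesses per second."""
    return symbols ** length / rate


def alphabet_size(password: str) -> int:
    """Approximate size of the character set an exhaustive search must cover,
    judged from the character classes the password actually uses
    (26 lower, 26 upper, 10 digits, 33 printable punctuation = 95 total)."""
    size = 0
    if any(c.islower() for c in password):
        size += 26
    if any(c.isupper() for c in password):
        size += 26
    if any(c.isdigit() for c in password):
        size += 10
    if any(not c.isalnum() for c in password):
        size += 33
    return size


def check_password(password: str, min_length: int = 12) -> tuple:
    """Policy check: reject blocklisted passwords first, then short ones,
    reporting how quickly the short one would be exhausted at the quoted rate."""
    if password.lower() in COMMON_PASSWORDS:
        return False, "in common-password blocklist"
    if len(password) < min_length:
        hours = exhaust_seconds(len(password), alphabet_size(password)) / 3600
        return False, f"too short: exhaustive search in about {hours:.1f} h"
    return True, "ok"
```

For a full 95-symbol alphabet, eight characters exhaust in roughly 5.3 hours, which matches the article's "under six hours"; twelve characters take tens of thousands of years at the same rate.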

More than 75 per cent of hacks involve weak or stolen passwords. In a 2014
security report, it was discovered that five out of six large enterprises
had been targeted by advanced attackers, a 40 per cent uplift on the year
before. It’s not just big companies – 31 per cent of total attacks were
directed at SMEs. So if you haven’t been hacked yet, it might just be a
matter of time.

Although you might well protect your organisation’s systems with more than
just a password (companies often use two-factor authentication tokens which
can also be hacked) many still do rely solely on user-generated passwords
to secure company systems. So for many organisations, the fact that you are
only as secure as your users’ weakest password is painfully true.

Helping to secure logins, particularly for remote workers, can be the
first step in trying to make company boundaries impenetrable. And software
like multi-factor authentication is a no-brainer, particularly if there is
a remote working policy in place. It uses a number of variables to validate
a user’s identity, like their connection, their geographic location or time
of day. Each time a user logs in, a one-time passcode is generated in real
time and sent to their mobile, making it nigh on impossible for hackers to
circumvent.

In a world where passwords can be as pathetically weak as “12345” and
hacking strategies are becoming increasingly sophisticated, organisations
need to be doing as much as possible to deter cyber threats.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss