BreachExchange mailing list archives

Why we need a reality check on passwords


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 22 Jan 2016 14:23:57 -0700

http://www.net-security.org/article.php?id=2445

Given all the recent and historical news on data breaches of personal
e-mail accounts, social media accounts and even phone account passwords, it
is a wonder that we are still using passwords that are incredibly easy to
guess.

Most users reuse a single, easy-to-remember password for almost all the
sites they access. Such passwords are dangerous on two counts: a breach of
any one site exposes every other account that shares the password, and the
common choices are the first candidates tried by attackers' brute-force
tools.

The challenge is that cyber criminals are well aware that many of their
targets still fail to employ a strong password policy, and so they
"pre-load" their dictionary attacks with lists of the most common and
previously leaked passwords; this means almost instant access to a
substantial number of users' personal data. If an attacker can compromise
even a single password from a user, it can mean "carte blanche" for access
to other sites and systems where that password was reused (so-called
credential stuffing).

It's clear that the strongest security controls rely on good password
strength and on regular changes; followed well, these cut off the
continued access that attackers depend on.

The reality we face in today's threat minefield is that human error is the
largest contributing factor to why threats exist and why attackers succeed
in exploiting their targets. Bad actors (hackers) are well aware that we
are only as strong as our weakest link; this is why they have increasingly
turned their focus to the tried and tested method of social engineering,
alongside brute-force attacks against systems and servers protected by weak
passwords (or, in far too many cases, default ones printed in user
manuals).

Unless you are in a position to keep all your personal data off
internet and cloud based services (which these days is practically
impossible, given the information held about individuals for banking,
government and e-communication purposes), your approach to better security
should start with better education on what you can do to limit your
exposure to threats and data breaches, and with ensuring that your most
sensitive data is stored offline rather than on publicly hosted or cloud
networks.

Unfortunately, even with complex passwords we are almost fighting a losing
battle; cyber criminals can rent botnets to crack encrypted files or
password-protected data (by attacking the password hash, or by direct
brute force), or make use of underground GPU-based "cracking rigs" that can
quite literally attempt billions of guesses per second. At that rate an
average 8-character password (the minimum mandated by many online systems
today) can be exhausted in days if it is protected by a fast, unsalted
hash such as MD5 or NTLM. A deliberately slow password hash (bcrypt, scrypt
or Argon2) cuts the guess rate by several orders of magnitude, but the
user rarely controls which hash a site uses, so length remains the one
defence in the user's hands.

A great deal of research has gone into the recommended minimum password
length; all users should be choosing passwords of at least 12 characters
(letters, digits and special characters) that are completely random, which
would challenge even the most sophisticated cracking rigs for hire on the
cyber criminal underground.
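The arithmetic behind the two paragraphs above, as an added example that is not part of the original article: it estimates the search space of a password from its length and character classes, converts that into worst-case cracking time at an assumed guess rate, flags the "pre-loaded" dictionary hits the article warns about, and generates a uniformly random 12-character password with the operating system CSPRNG. The guess rates, the short common-password list and the test passwords are constructed assumptions for illustration, not figures from the article.

```python
import math
import secrets
import string

# Constructed stand-in for the "pre-loaded" wordlists attackers use; real
# lists hold millions of previously leaked passwords.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789",
    "letmein", "football", "iloveyou", "admin", "welcome",
}

# Character classes used to size the search space (94 printable ASCII in "full").
CHARSETS = {
    "digits": string.digits,
    "lower": string.ascii_lowercase,
    "alnum": string.ascii_letters + string.digits,
    "full": string.ascii_letters + string.digits + string.punctuation,
}

# Assumed guess rates (illustrative, not measured): a GPU rig against a fast
# unsalted hash such as MD5/NTLM, versus a slow password hash (bcrypt, scrypt,
# Argon2) tuned to tens of milliseconds per guess on the attacker's hardware.
FAST_HASH_GUESSES_PER_SEC = 1e10
SLOW_KDF_GUESSES_PER_SEC = 1e4


def keyspace_bits(length: int, charset: str) -> float:
    """Entropy in bits of a uniformly random password of `length` over `charset`."""
    return length * math.log2(len(charset))


def seconds_to_exhaust(bits: float, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate; the expected time is half of this."""
    return 2.0 ** bits / guesses_per_sec


def human_duration(seconds: float) -> str:
    """Render seconds as the largest convenient unit (years, days, hours, ...)."""
    for name, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    return f"{seconds:.1f} seconds"


def generate_password(length: int = 12, charset: str = CHARSETS["full"]) -> str:
    """Uniformly random password from the OS CSPRNG (secrets), never random.random."""
    return "".join(secrets.choice(charset) for _ in range(length))


def assess(password: str) -> dict:
    """Flag the weaknesses the article describes and estimate cracking effort.

    The bit estimate assumes the password is random over the classes it uses;
    for a human-chosen password it is an upper bound, which is why the
    dictionary check comes first.
    """
    problems = []
    if password.lower() in COMMON_PASSWORDS:
        problems.append("in common-password list: falls to a dictionary attack instantly")
    if len(password) < 12:
        problems.append("shorter than 12 characters")
    classes = 0
    if any(c.islower() for c in password):
        classes += 26
    if any(c.isupper() for c in password):
        classes += 26
    if any(c.isdigit() for c in password):
        classes += 10
    if any(c in string.punctuation for c in password):
        classes += len(string.punctuation)
    bits = len(password) * math.log2(classes) if classes else 0.0
    return {
        "bits": bits,
        "fast_hash": human_duration(seconds_to_exhaust(bits, FAST_HASH_GUESSES_PER_SEC)),
        "slow_kdf": human_duration(seconds_to_exhaust(bits, SLOW_KDF_GUESSES_PER_SEC)),
        "problems": problems,
    }


if __name__ == "__main__":
    # Constructed test passwords: a dictionary word, a short "complex" one,
    # and two random ones of the lengths the article contrasts.
    for pw in ["password", "Tr0ub4d0r", generate_password(8), generate_password(12)]:
        report = assess(pw)
        print(f"{pw!r}: {report['bits']:.1f} bits, fast hash {report['fast_hash']}, "
              f"slow KDF {report['slow_kdf']}, problems={report['problems']}")
```

Running the script reproduces the article's two figures: a random 8-character password over all 94 printable characters has about 52 bits of entropy and is exhausted in roughly a week at ten billion guesses per second, whereas 12 random characters (about 79 bits) takes over a million years at the same rate. The slow-KDF column shows why the hash a site chooses matters as much as the password: the same 8-character password takes thousands of years at ten thousand guesses per second.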

Regardless of the level of technology implemented to protect networks,
systems and applications, if users share information they shouldn't
(passwords, account details, corporate data or personally identifiable
information) or click on links that redirect them to sites serving malware,
it becomes a great deal more difficult (albeit not impossible) to
adequately protect ourselves in this insatiably online world.

Keeping local security applications up to date, and using tools that check
the links embedded in e-mails or social media messages against known
malicious sources, is a good step towards identifying potentially harmful
communications; beyond that, a "keep it simple" approach to all online
security will always provide a high level of personal protection against
the latest scams.

Overall there are two approaches to protecting your data: first, guard
access to data stores (e-mail, social media, online file sharing) with
passwords of at least 12 characters; second, encrypt key data files with
strong cipher algorithms. In the end, you want the cost of accessing that
data to far outweigh its value, or at least to have assurance that by the
time it could theoretically be accessed it is no longer useful to whoever
exfiltrated it. Even if you do none of this, don't make the cyber
criminals' job any easier by choosing easy passwords or phrases.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 
