Security // Compliance
News
4/27/2012
10:14 AM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

How To Hack The Password Problem

Though they are often the weakest link, passwords aren't going anywhere anytime soon. Here's how to shore up and manage your organization's passwords

The security industry has been predicting the death of the password for at least a decade. In 2004, even Bill Gates said we would rely less and less on passwords over time. But now it's 2012, and even though Google offers two-factor authentication and World of Warcraft fans can use the Blizzard Authenticator, the majority of the world still relies on a single password to protect their email, banking sites, and computers.

The unfortunate fact is passwords are going to be around for a long time. They are the basic authentication mechanism built into everything from home wireless routers to enterprise mainframes. To really get beyond the traditional password, we would need a new technology that can provide true seamless and secure authentication (and authorization) without requiring the memorization of complex, difficult-to-remember sequences of letters, numbers, and symbols.

We've definitely seen plenty of technologies, such as hardware tokens and biometrics, that have helped with the latter area (memorization), but nothing with the former. We haven't seen any solutions that have been low-cost enough to become pervasive and eliminate the need for passwords. Simply put, we're stuck with passwords because they are easy to use, easy to implement, and cost nothing--except for the inherent risks that come with using something so easy to steal.

In my personal experiences performing penetration tests and responding to security breaches, I see a clear pattern of common password pitfalls that people fall into: password reuse, password sharing, poor password selection, and bad password storage practices.

What's surprising is it doesn't seem to matter whether the users of the passwords are technically savvy. The same mistakes occur among secretaries, network administrators, and even members of the security team.

The most common--and, typically, most damaging--issue is password reuse. Because of the sheer number of business-related and personal passwords that users are required to remember, users regularly use the same passwords on their personal email accounts as they use to log in to their computers at work. Sometimes users will create a small set that they use based on their general purpose, such as "March!82006" for all of their business accounts and "JustinBisCute!" for their personal accounts. The concern is that a compromise of one account puts all of the others at risk as well.

Read the rest of this article on Dark Reading.

When picking endpoint protection software, step one is to ask users what they think. Also in the new, all-digital Security Software: Listen Up! issue of InformationWeek: CIO Chad Fulgham gives us an exclusive look at the agency's new case management system, Sentinel; and a look at how LTE changes mobility. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
GR8Day
50%
50%
GR8Day,
User Rank: Apprentice
5/22/2012 | 4:46:18 PM
re: How To Hack The Password Problem
What makes a good password is having some to back it up like some form of 2FA (two-factor authentication) where you can telesign into your account. It's very important that the leading companies in their respective verticals are giving users the appropriate additional layer of authentication and security for access to accounts and transaction verification without unreasonable complexity.
Bprince
50%
50%
Bprince,
User Rank: Apprentice
4/27/2012 | 11:36:08 PM
re: How To Hack The Password Problem
I use unique passwords for all the important stuff (personal email accounts, Facebook, etc), but the downside is that recently when I changed them, I immediately forgot them (or misspelled the words I used) and was therefore locked out of two of my accounts for 24 hours. :)
Brian Prince, InformationWeek/Dark Reading Comment Moderator
Register for InformationWeek Newsletters
White Papers
Current Issue
InformationWeek Government, May 2014
NIST's cyber-security framework gives critical-infrastructure operators a new tool to assess readiness. But will operators put this voluntary framework to work?
Video
Slideshows
Twitter Feed
Audio Interviews
Archived Audio Interviews
GE is a leader in combining connected devices and advanced analytics in pursuit of practical goals like less downtime, lower operating costs, and higher throughput. At GIO Power & Water, CIO Jim Fowler is part of the team exploring how to apply these techniques to some of the world's essential infrastructure, from power plants to water treatment systems. Join us, and bring your questions, as we talk about what's ahead.