Passwords are never enough!
It’s all in the news again. A couple of weeks ago it was Adobe: first, illegal access to source code, then 2.9 million account details lost, a figure that quickly rose to 38 million user accounts compromised; the latest number is 150 million, although this supposedly includes expired accounts.
Then last week Cupid, an online dating service (doesn’t anyone go out anymore to meet their true love?), announced 42 million accounts lost, with the passwords stored in plain text.
Cupid — 42 million passwords stolen
Other than having your online dating persona hijacked by a socially insecure teenager in a plastic mask, the problem is that many people re-use passwords at work and on personal web sites, so even the expired accounts can provide useful information to cyber criminals! Even scarier is the possibility that your network system administrator does not have much of an imagination and reuses their personal passwords on your network. Just like what happened at MongoDB (TOTW passim).
Stealing account databases is not the only way someone’s account can be compromised since, unbelievably, most people use weak passwords. Analysis of the data stolen from Adobe shows that the most common passwords were ‘123456’ and ‘password’. Weak passwords are one of the most common methods for turning a successful network compromise, possibly via an Advanced Persistent Threat (APT), into profitable or destructive cyber-crime.
ITC recommend the following best practices for organisations taking password control seriously in order to manage risk:
- Educate your users about strong passwords using a number of techniques such as pass phrases, for instance: MyAnn1v3rsary1s1Apr1lD0n’tF0rg3t instead of 1Apr1l, with the added benefit that you might remember your anniversary!
- Users should have different pass phrases for each account or at least for each type of account. Do not use the same password you bank with on Facebook.
- Store your pass phrases in a password vault. Individuals should have their own password vault (they run on smart phones these days), and companies should implement an enterprise password vault. System administration privileged accounts should have passwords that the sys admin staff can’t remember without looking them up. Passwords should be a minimum of 15 characters long. The mighty Bruce Schneier, BT ubersecurity hyperbeing, has been heard to say that if you’re not using a password vault your passwords aren’t effective or safe.
- Two factor authentication (we recommend SafeNet) along with a strong pass phrase will increase security and provide protection when passwords are stolen. The old rule: something you have and something you know.
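The recommendations above translate into a checkable password policy: a minimum length of 15 characters, no requirement for a mix of character classes (so long pass phrases are accepted), and rejection of the trivially guessable passwords that topped the Adobe data. The checker below is an added illustration, not ITC’s or any vendor’s code. Its blocklist is constructed for the example and contains only the two passwords named on the page plus a few well-known guesses; a real deployment would load a large breached-password corpus. The leet-speak normalisation (undoing 0→o, @→a and so on before the lookup) is an assumption about how such a check is usually hardened, so that ‘P@ssw0rd2013!’ is recognised as ‘password’.

```python
"""Password policy checker implementing the recommendations above.

Constructed example: blocklist and substitution map are illustrative.
"""
import re

MIN_LENGTH = 15  # minimum length recommended in the text

# Constructed blocklist: the two most common Adobe passwords named on the
# page plus a handful of other well-known weak choices.
BLOCKLIST = {"123456", "password", "12345678", "qwerty", "letmein", "iloveyou"}

# Substitutions people apply to "strengthen" a dictionary word (p@ssw0rd).
# Undoing them before the blocklist lookup catches these variants.
LEET_MAP = str.maketrans(
    {"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
     "@": "a", "$": "s", "!": "i"}
)


def normalise(password: str) -> str:
    """Lower-case, drop trailing digits/punctuation, undo leet substitutions.

    'P@ssw0rd2013!' -> 'p@ssw0rd' -> 'password'
    """
    core = re.sub(r"[^a-z]+$", "", password.lower())
    return core.translate(LEET_MAP)


def check_password(password: str) -> list:
    """Return a list of policy failures; an empty list means the password passes.

    Deliberately no character-class rule: a long pass phrase with spaces
    is exactly what the policy wants to encourage.
    """
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in BLOCKLIST or normalise(password) in BLOCKLIST:
        failures.append("appears in the common-password blocklist")
    if len(set(password.lower())) < 5:
        failures.append("too few distinct characters")
    return failures


if __name__ == "__main__":
    for candidate in ["123456", "P@ssw0rd2013!", "aaaaaaaaaaaaaaaa",
                      "MyAnn1v3rsary1s1Apr1lD0n'tF0rg3t",
                      "correct horse battery staple"]:
        result = check_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The check runs entirely against an in-memory list, so it can be used at password-set time without sending the candidate anywhere; the important property of the blocklist comparison is that it is performed on a normalised form, otherwise users simply append a year or swap a letter for a digit and the weak word slips through.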
ITC Secure Networking can help with our NetSure360⁰ Managed Security Services. We have:
- Over 15 years’ experience delivering managed network and security solutions
- Integrated best of breed technology solutions including two factor authentication, password vaults and much other goodness
- Certified, knowledgeable and experienced security staff
Contact ITC at [email protected] to discuss how we provide this solution in our NetSure360⁰ Security, Performance and Network Management platform.