Weak passwords still subvert IT security
Despite years of warnings, analysts say enterprises continue to be plagued by 'the curse of the reusable password.'
Computerworld - A recent data breach that exposed the Social Security numbers of more than 280,000 people served as yet another reminder of the well-recognized, but often discounted, risks associated with using weak and default passwords.
In the breach of the Medicaid server at the Utah Department of Health late last month, the hackers -- believed to be from Eastern Europe -- exploited a configuration error at the authentication layer of the server hosting the compromised data, according to Utah IT officials.
Many security analysts see that formal explanation as a somewhat euphemistic admission that the breached server was using a default administrative password or an easily guessable one, thereby allowing the attackers to bypass the perimeter-, network- and application-level security controls built to protect the agency's systems.
While such mistakes are easy to avoid, they're surprisingly common despite years of warnings about the dangers of using passwords that hackers can easily guess.
For example, the U.S. Department of Energy said a security audit at the Bonneville Power Administration, an agency that provides some 30% of the wholesale power to utilities in the Pacific Northwest, identified 11 servers configured with easily guessable passwords.
Four of those servers allowed remote users to access and modify shared files. Another server, which hosted an administrator account, was protected only with a default password, according to the report released late last month.
Meanwhile, Gartner analysts believe that hackers exploited weak authentication mechanisms earlier this month in a breach at payment processing company Global Payments that exposed credit- and debit-card data of about 1.5 million people. And it's believed that compromised administrator accounts were the target of hackers who perpetrated attacks on the U.S. Chamber of Commerce and open-source WineHQ databases last year.
Moreover, Verizon's latest annual report on worldwide data breaches concluded that attacks exploiting weak passwords are still especially endemic in the retail and hospitality industries. The Verizon report said learning the passwords used to access such sites requires "little in-depth knowledge or creativity."
Gartner analyst John Pescatore said the Anonymous hacking collective takes advantage of the very human tendency to use the same password for multiple accounts.
"A lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems," Pescatore said. That is "the curse of the reusable password," he added.
"The truth is, anyone trying to protect nontrivial assets should be using multifactor authentication and/or complementary controls to protect themselves," said Peter Lindstrom, an analyst with Spire Security. "The password has too many weaknesses, including the obvious human ones."
Most password schemes that aren't protected by another form of authentication or lockout controls are susceptible to brute-force attacks, in which automated tools are used to guess passwords, said Lindstrom.
"At this stage of the IT game," he added, "there is really no excuse for using default passwords."
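The two controls Lindstrom points to, lockout against brute-force guessing and rejection of default passwords, as an added illustration (not code from the article or from any of the organizations it names); the denylist, the account-store structure and the thresholds are assumptions:

```python
"""Added example, not from the Computerworld article: a small authentication layer that
rejects default or trivially guessable passwords at provisioning and locks an account after
repeated failed logins. The denylist, names and thresholds are assumptions."""
import hashlib
import hmac
import os
import time
# Constructed denylist of vendor-default / trivial passwords (illustrative only).
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "root", "123456", "default"}
MAX_FAILURES = 5        # assumption: lock after five consecutive bad guesses
LOCKOUT_SECONDS = 900   # assumption: 15-minute lockout window

def is_weak(password):
    """True if the password is a known default or too short to resist guessing."""
    return password.lower() in DEFAULT_PASSWORDS or len(password) < 12

def hash_password(password, salt=None):
    """Salted PBKDF2 so a stolen credential store cannot be reused directly."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

class AccountStore:
    def __init__(self, now=time.monotonic):
        self._now = now          # injectable clock so tests need not sleep
        self._accounts = {}      # username -> salt, digest, failures, locked_until

    def create(self, username, password):
        if is_weak(password):
            raise ValueError("default or trivially guessable password rejected")
        salt, digest = hash_password(password)
        self._accounts[username] = {"salt": salt, "digest": digest,
                                    "failures": 0, "locked_until": 0.0}

    def login(self, username, password):
        """Return 'ok', 'locked' or 'denied'; the lockout check runs before the compare."""
        acct = self._accounts.get(username)
        if acct is None:
            return "denied"
        now = self._now()
        if now < acct["locked_until"]:
            return "locked"          # even a correct password is refused while locked
        _, digest = hash_password(password, acct["salt"])
        if hmac.compare_digest(digest, acct["digest"]):
            acct["failures"] = 0
            return "ok"
        acct["failures"] += 1
        if acct["failures"] >= MAX_FAILURES:
            acct["locked_until"] = now + LOCKOUT_SECONDS
            acct["failures"] = 0
        return "denied"
```

Without the lockout branch, the `login` loop is exactly the unbounded guessing surface the article describes; with it, an automated tool gets `MAX_FAILURES` tries per window and the failures are a visible signal to monitor.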
John Ribeiro of the IDG News Service contributed to this story.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.