Weak passwords still subvert IT security
Despite years of warnings, analysts say enterprises continue to be plagued by 'the curse of the reusable password.'
Computerworld - A recent data breach that exposed the Social Security numbers of more than 280,000 people served as yet another reminder of the well-recognized, but often discounted, risks associated with using weak and default passwords.
In the breach of the Medicaid server at the Utah Department of Health late last month, the hackers -- believed to be from Eastern Europe -- exploited a configuration error at the authentication layer of the server hosting the compromised data, according to Utah IT officials.
Many security analysts see that formal explanation as a somewhat euphemistic admission that the breached server was using a default administrative password or an easily guessable one, thereby allowing the attackers to bypass the perimeter-, network- and application-level security controls built to protect the agency's systems.
While such mistakes are easy to avoid, they're surprisingly common despite years of warnings about the dangers of using passwords that hackers can easily guess.
For example, the U.S. Department of Energy said a security audit at the Bonneville Power Administration, an agency that provides some 30% of the wholesale power to utilities in the Pacific Northwest, identified 11 servers configured with easily guessable passwords.
Four of those servers allowed remote users to access and modify shared files. Another server, which hosted an administrator account, was protected only with a default password, according to the report released late last month.
Meanwhile, Gartner analysts believe that hackers exploited weak authentication mechanisms earlier this month in a breach at payment processing company Global Payments that exposed credit- and debit-card data of about 1.5 million people. And it's believed that compromised administrator accounts were the target of hackers who perpetrated attacks on the U.S. Chamber of Commerce and open-source WineHQ databases last year.
Moreover, Verizon's latest annual report on worldwide data breaches concluded that attacks exploiting weak passwords are still especially endemic in the retail and hospitality industries. The Verizon report said learning the passwords used to access such sites requires "little in-depth knowledge or creativity."
Gartner analyst John Pescatore said the Anonymous hacking collective takes advantage of the very human tendency to use the same password for multiple accounts.
"A lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems," Pescatore said. That is "the curse of the reusable password," he added.
"The truth is, anyone trying to protect nontrivial assets should be using multifactor authentication and/or complementary controls to protect themselves," said Peter Lindstrom, an analyst with Spire Security. "The password has too many weaknesses, including the obvious human ones."
Most password schemes that aren't protected by another form of authentication or lockout controls are susceptible to brute-force attacks, in which automated tools are used to guess passwords, said Lindstrom.
"At this stage of the IT game," he added, "there is really no excuse for using default passwords."
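The two mechanisms the article keeps returning to, default or guessable passwords on servers and automated guessing against accounts that have no lockout control, are easy to make concrete. The following is an added, self-contained Python illustration written for this page; it is not code from Computerworld, Gartner, Spire Security or any agency named above. It assumes a constructed account inventory and a constructed guess list, and uses the standard library's PBKDF2 only for brevity (a deployed system would prefer a memory-hard KDF). The `audit_default_passwords` check models the kind of finding the DOE audit reported, and the simulation at the end shows why Lindstrom's point about lockout controls matters: with the same fifty guesses, the unprotected account falls on attempt 31, while the account that locks after five failures never yields.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample of vendor-default / trivially guessable values that an
# audit should flag (illustrative only, not an exhaustive list).
COMMON_DEFAULTS = frozenset({"admin", "password", "changeme", "123456", ""})


def audit_default_passwords(inventory: Dict[str, str]) -> List[str]:
    """Return the accounts whose configured password is a known default or empty.

    `inventory` maps "host/account" -> configured password, as pulled from a
    configuration export during an audit (constructed here).
    """
    return sorted(name for name, pw in inventory.items()
                  if pw.lower() in COMMON_DEFAULTS)


def _derive(password: str, salt: bytes) -> bytes:
    # PBKDF2-HMAC-SHA256 from the standard library; iteration count kept low
    # so the simulation below runs quickly. Production: Argon2id or scrypt.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 20_000)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    failures: int = 0
    locked_until: float = 0.0  # timestamp; 0.0 means not locked


@dataclass
class LoginGuard:
    """Password check with a per-account failure counter and temporary lockout.

    max_failures=0 disables lockout entirely, i.e. the unprotected scheme the
    quoted analyst describes as open to automated guessing.
    """
    max_failures: int = 5
    lockout_seconds: float = 900.0
    accounts: Dict[str, Account] = field(default_factory=dict)

    def register(self, user: str, password: str) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt=salt, digest=_derive(password, salt))

    def login(self, user: str, password: str, now: float) -> str:
        """Return 'ok', 'denied' or 'locked'. `now` is injected for determinism."""
        acct = self.accounts.get(user)
        if acct is None:
            # Spend the same KDF cost for unknown users so response timing
            # does not reveal which account names exist.
            _derive(password, b"\x00" * 16)
            return "denied"
        if acct.locked_until > now:
            return "locked"
        if hmac.compare_digest(_derive(password, acct.salt), acct.digest):
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if self.max_failures and acct.failures >= self.max_failures:
            acct.locked_until = now + self.lockout_seconds
            acct.failures = 0
        return "denied"


def run_guessing_simulation(guard: LoginGuard, user: str, guesses: List[str]) -> dict:
    """Replay a guess list at one attempt per second and summarise the outcome.

    Reports how many guesses were actually checked against the stored hash,
    whether any succeeded, and the attempt index at which the account locked
    (None if it never did).
    """
    result = {"evaluated": 0, "succeeded": False, "locked_at": None}
    for i, guess in enumerate(guesses):
        outcome = guard.login(user, guess, now=float(i))
        if outcome == "locked":
            if result["locked_at"] is None:
                result["locked_at"] = i
            continue
        result["evaluated"] += 1
        if outcome == "ok":
            result["succeeded"] = True
            break
    return result


def demo() -> dict:
    """Same guess list against an unprotected account and a lockout-protected one."""
    # Constructed guess list; the real password sits at position 30.
    guesses = [f"guess{i}" for i in range(50)]
    guesses[30] = "correct-horse-battery"
    results = {}
    for label, max_failures in (("no_lockout", 0), ("lockout_after_5", 5)):
        guard = LoginGuard(max_failures=max_failures, lockout_seconds=900.0)
        guard.register("svc-admin", "correct-horse-battery")
        results[label] = run_guessing_simulation(guard, "svc-admin", guesses)
    return results


if __name__ == "__main__":
    print(audit_default_passwords({"hostA/admin": "admin",
                                   "hostB/root": "Tr0ub4dor&3",
                                   "hostC/backup": "changeme"}))
    print(demo())
```

The lockout here is deliberately simple: a fixed threshold and a fixed cooldown per account. Real deployments usually combine it with per-source rate limiting and alerting on the lock events themselves, since a burst of lockouts across many accounts is exactly the signal that a guessing campaign like those described above is under way.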
John Ribeiro of the IDG News Service contributed to this story.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.