Weak passwords still subvert IT security
Despite years of warnings, analysts say enterprises continue to be plagued by 'the curse of the reusable password.'
Computerworld - A recent data breach that exposed the Social Security numbers of more than 280,000 people served as yet another reminder of the well-recognized, but often discounted, risks associated with using weak and default passwords.
In the breach of the Medicaid server at the Utah Department of Health late last month, the hackers -- believed to be from Eastern Europe -- exploited a configuration error at the authentication layer of the server hosting the compromised data, according to Utah IT officials.
Many security analysts see that formal explanation as a somewhat euphemistic admission that the breached server was using a default administrative password or an easily guessable one, thereby allowing the attackers to bypass the perimeter-, network- and application-level security controls built to protect the agency's systems.
While such mistakes are easy to avoid, they're surprisingly common despite years of warnings about the dangers of using passwords that hackers can easily guess.
For example, the U.S. Department of Energy said a security audit at the Bonneville Power Administration, an agency that provides some 30% of the wholesale power to utilities in the Pacific Northwest, identified 11 servers configured with easily guessable passwords.
Four of those servers allowed remote users to access and modify shared files. Another server, which hosted an administrator account, was protected only with a default password, according to the report released late last month.
Meanwhile, Gartner analysts believe that hackers exploited weak authentication mechanisms earlier this month in a breach at payment processing company Global Payments that exposed credit- and debit-card data of about 1.5 million people. And it's believed that compromised administrator accounts were the target of hackers who perpetrated attacks on the U.S. Chamber of Commerce and open-source WineHQ databases last year.
Moreover, Verizon's latest annual report on worldwide data breaches concluded that attacks exploiting weak passwords are still especially endemic in the retail and hospitality industries. The Verizon report said learning the passwords used to access such sites requires "little in-depth knowledge or creativity."
Gartner analyst John Pescatore said the Anonymous hacking collective takes advantage of the very human tendency to use the same password for multiple accounts.
"A lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems," Pescatore said. That is "the curse of the reusable password," he added.
"The truth is, anyone trying to protect nontrivial assets should be using multifactor authentication and/or complementary controls to protect themselves," said Peter Lindstrom, an analyst with Spire Security. "The password has too many weaknesses, including the obvious human ones."
Most password schemes that aren't protected by another form of authentication or lockout controls are susceptible to brute-force attacks, in which automated tools are used to guess passwords, said Lindstrom.
"At this stage of the IT game," he added, "there is really no excuse for using default passwords."
John Ribeiro of the IDG News Service contributed to this story.
This version of this story was originally published in Computerworld's print edition. It was adapted from an article that appeared earlier on Computerworld.com.