Users still make hacking easy with weak passwords

Analysis of 32 million breached passwords shows majority are still very simple to crack

Page 2 of 2

Last November, for instance, the FBI's Internet Crime Complaint Center noted that cybercrooks had attempted to steal approximately $100 million from U.S. banks using stolen log-in credentials. On average, the FBI is seeing several new cases opened each week, the complaint center said. In most instances, the crooks used sophisticated keystroke-logging Trojan horse programs to steal log-in credentials from company employees authorized to initiate fund transfers on behalf of the business, the FBI noted.

Such attacks are highlighting the need for stronger access control and user authentication measures. For IT administrators, the main takeaway is the need to enforce a strong password policy over applications that they own, Shulman said. "If you let the user choose at their convenience, they will choose weak passwords," he said.

Companies should also consider implementing controls for slowing down brute-force attacks, in which attackers attempt to break into an account by guessing the password with an automated tool. Putting obstacles such as CAPTCHAs (Completely Automated Public Turing Test to Tell Computers and Humans Apart) in the way of a brute-force attacker is a good way to slow them down, the Imperva report noted.
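One way to put such an obstacle in front of a login form, shown as an added example that is not taken from the article or the Imperva report: after repeated failures for an account, the next attempt must wait out a growing delay and then pass a CAPTCHA. The class name, thresholds and return values are assumptions chosen for illustration.

```python
import time

# Assumed policy values for illustration; tune them for the application.
CAPTCHA_AFTER = 3       # failures within the window before a CAPTCHA is demanded
WINDOW_SECONDS = 900    # failures older than this are forgotten
BASE_DELAY = 1.0        # seconds; doubles with each failure past the threshold
MAX_DELAY = 300.0       # cap, so guessing cannot lock the real owner out for long


class LoginThrottle:
    """Tracks failed logins per key (for example the account name)."""

    def __init__(self, clock=time.monotonic):
        self._clock = clock
        self._failures = {}  # key -> timestamps of recent failed attempts

    def _recent(self, key):
        # Drop failures that have aged out of the window; free empty entries.
        cutoff = self._clock() - WINDOW_SECONDS
        recent = [t for t in self._failures.get(key, []) if t > cutoff]
        if recent:
            self._failures[key] = recent
        else:
            self._failures.pop(key, None)
        return recent

    def check(self, key):
        """Return (decision, seconds_to_wait) for the next attempt.

        'allow'   -> process the password normally
        'wait'    -> reject without checking the password; retry later
        'captcha' -> check the password only after a solved CAPTCHA
        """
        recent = self._recent(key)
        if len(recent) < CAPTCHA_AFTER:
            return ("allow", 0.0)
        extra = len(recent) - CAPTCHA_AFTER
        delay = min(BASE_DELAY * (2 ** extra), MAX_DELAY)
        remaining = recent[-1] + delay - self._clock()
        if remaining > 0:
            return ("wait", remaining)
        return ("captcha", 0.0)

    def record(self, key, success):
        # A successful login clears the history; a failure is timestamped.
        if success:
            self._failures.pop(key, None)
        else:
            self._failures.setdefault(key, []).append(self._clock())
```

Keying on the account name alone slows guessing against one account; keeping a second counter keyed on the source address also catches one password tried across many accounts.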

Administrators also need to enforce a policy of periodic password changes and encourage users to create harder-to-crack passphrases instead of passwords, the report said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan, send e-mail to jvijayan@computerworld.com or subscribe to Jaikumar's RSS feed.

Copyright © 2010 IDG Communications, Inc.
