This interesting article (from a Sophos study) noted that, regarding Internet website passwords:
Almost half [of survey respondents] admitted to using a few different passwords, and 33 percent fessed up to using the same password all the time.
Only 19% claimed to use a different password for each website. My guess is that a more widespread or scientifically conducted study would actually show a higher percentage of users in the same-password-for-all-sites category.
I am not surprised. Just like everyone else, I am tired of trying to come up with new, strong passwords and then remember them. This is especially tricky given the large numbers of sites that we typically register for but rarely visit.
There is, of course, some risk here for the web users and the website owners. But there is an even deeper risk here for corporate security. I suspect that many folks are equally lazy with their corporate network and application passwords. Am I making too big a leap here? I don't think so.
When I first started getting into security and reading up on how hackers and crackers break into systems and networks, I expected to see all kinds of really clever exploits. And, to be sure, there are some very clever exploits out there. But I was struck by how the simplest, most common, and often most effective methods of security breaches are password hacks. Brute-force and/or dictionary-based attacks on weak passwords still manage to get the job done.
So what do security architects and officers have to do to address this age-old issue? It should be no surprise that good policies are a great place to start. But making password complexity rules too hard or setting very short expiration periods can be counter-productive (witness the user with passwords on sticky notes all over his monitor).
Smart cards and similar devices are a good step. Education and training must be a part of the process as well. As a netForensics employee, I'd also be remiss if I didn't point out the importance of monitoring and correlating your security events for signs of exploitation on accounts with weak passwords.
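As an added illustration of the monitoring and correlation point above (this is example code written for this post, not netForensics' product or any code from the original article), the script below runs two simple correlations over a handful of constructed, syslog-style authentication log lines: it flags an account where a burst of failed logins from one source is followed by a success from that same source (the signature of a brute-force or dictionary attack that succeeded against a weak password), and it flags sources that fail against many different accounts (one password tried across the user base). The log format, hostnames, usernames, addresses and thresholds are all assumptions for the example.

```python
"""Correlate failed-login events to spot brute-force successes and
password spraying. Added example; log lines below are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log, loosely modelled on sshd syslog lines. Users,
# process ids and addresses are invented for this example.
SAMPLE_LOG = """\
2008-03-10T09:00:01 sshd[101]: Failed password for bob from 203.0.113.7
2008-03-10T09:00:03 sshd[101]: Failed password for bob from 203.0.113.7
2008-03-10T09:00:05 sshd[101]: Failed password for bob from 203.0.113.7
2008-03-10T09:00:07 sshd[101]: Failed password for bob from 203.0.113.7
2008-03-10T09:00:09 sshd[101]: Failed password for bob from 203.0.113.7
2008-03-10T09:00:11 sshd[101]: Accepted password for bob from 203.0.113.7
2008-03-10T09:01:00 sshd[102]: Failed password for alice from 198.51.100.4
2008-03-10T09:01:05 sshd[102]: Accepted password for alice from 198.51.100.4
2008-03-10T09:02:00 sshd[103]: Failed password for carol from 192.0.2.9
2008-03-10T09:02:01 sshd[103]: Failed password for dave from 192.0.2.9
2008-03-10T09:02:02 sshd[103]: Failed password for erin from 192.0.2.9
2008-03-10T09:02:03 sshd[103]: pam_unix(sshd:session): session opened for user alice
"""

# Assumed line shape: "<iso-timestamp> <process>: <Failed|Accepted> password for <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<src>\S+)$"
)


def parse(lines):
    """Turn matching log lines into event dicts; lines of other shapes are skipped."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m.group("ts")),
            "result": m.group("result"),
            "user": m.group("user"),
            "src": m.group("src"),
        })
    return events


def find_bruteforce_successes(events, threshold=5, window=timedelta(minutes=10)):
    """Return (user, src) pairs where at least `threshold` failures inside `window`
    were followed by an accepted login from the same source. Failure history for
    a pair is cleared after each success so one burst is reported once."""
    failures = defaultdict(list)
    hits = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["user"], ev["src"])
        if ev["result"] == "Failed":
            failures[key].append(ev["ts"])
            continue
        recent = [t for t in failures[key] if ev["ts"] - t <= window]
        if len(recent) >= threshold:
            hits.append({"user": ev["user"], "src": ev["src"], "failures": len(recent)})
        failures[key].clear()
    return hits


def find_spraying_sources(events, min_accounts=3):
    """Sources whose failed attempts touched at least `min_accounts` distinct users:
    a few tries per account across many accounts evades per-account lockout."""
    users_by_src = defaultdict(set)
    for ev in events:
        if ev["result"] == "Failed":
            users_by_src[ev["src"]].add(ev["user"])
    return {src: sorted(users) for src, users in users_by_src.items()
            if len(users) >= min_accounts}


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG.splitlines())
    for hit in find_bruteforce_successes(evs):
        print(f"likely guessed password: user={hit['user']} src={hit['src']} "
              f"after {hit['failures']} failures")
    for src, users in find_spraying_sources(evs).items():
        print(f"spraying source {src} tried accounts: {', '.join(users)}")
```

On the sample data the first correlation reports bob (five failures from 203.0.113.7, then a success from the same address, the account to go reset and investigate), ignores alice (one typo then a success), and the second reports 192.0.2.9 for trying carol, dave and erin. The thresholds are deliberately low for a dozen lines; in a real SIEM rule they would be tuned against the site's own baseline so that ordinary mistyped passwords do not page anyone.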
None of this is new or shocking, but it is still relevant and important.