The recently published Trustwave 2012 Global Security Report details the current threats to user data and identifies the vulnerabilities that persist within organizations. The statistics were generated from Trustwave's investigation of about 300 breaches across 18 countries. They also analyzed the usage and weakness trends of more than 2 million real-world passwords used within corporate information systems. The verdict? After an initial foothold in a system (via malware and other threat vectors), 80% of security incidents involved the use of weak administrative passwords for further compromise.
Yes, that's correct: 80 percent. From weak passwords.
"The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation," the report comments. "This is true for both large and small organizations, and largely due to poor administration."
They found that writing down passwords is still prevalent in the workplace, particularly in organizations that enforce complexity requirements, password expiration cycles, and password histories to prevent reuse of old passwords. While these policies are meant to improve password management, the reality is that increasing password complexity directly corresponds with a decrease in memorability, hence the insecure practice of writing passwords down. The report found that in 15% of the security tests performed, written passwords were found on or around user workstations.
What's even more astonishing is that rather than find a tool that can help with the password problem, users are getting creative in overriding the policies meant to enforce the use of strong passwords. They exploit loopholes such as:
- Setting usernames as the password when complexity requirements aren't forced
- Adding simple variations to fit complexity requirements, such as capitalizing a letter and adding an exclamation point to the end
- Using dictionary words or applying simple modifications
In another alarming example, the report highlights Active Directory's password complexity policy, which requires a minimum of eight characters drawn from at least three of five character types (lower case, upper case, numbers, special, Unicode). Guess what meets those requirements? "Password1", "Password2", and "Password3", the first being the most widely used across the pool of two million passwords studied in the report.
The top 10 passwords identified by the study were:
- Password1
- welcome
- password
- Welcome1
- welcome1
- Password2
- 123456
- Password01
- Password3
- P@ssw0rd
Other keywords included:
In some ways, we're impressed by the creative effort people put into avoiding strong passwords while still operating within the "complexity requirements" imposed on them.
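To see how little the complexity rule alone buys, here is an added example (not from the report or from LastPass) that implements the Active Directory check described above and then applies the kinds of checks an administrator would actually want: the report's top-10 list, the "username as password" loophole, and dictionary words dressed up with a trailing digit or a symbol swap. The small dictionary and the sample usernames are constructed for illustration.

```python
import re

# Constructed from the post: the ten most common passwords in the study.
TOP_10 = {"Password1", "welcome", "password", "Welcome1", "welcome1",
          "Password2", "123456", "Password01", "Password3", "P@ssw0rd"}
# Constructed, illustrative dictionary; a real deployment would load a large wordlist.
DICTIONARY = {"password", "welcome", "summer", "monkey", "letmein"}
# Symbol-for-letter swaps commonly used to satisfy the "special" or "number" category.
LEET = str.maketrans("@$0135", "asoles")


def meets_ad_complexity(pw: str) -> bool:
    """The Active Directory rule quoted in the post: eight or more characters
    drawn from at least three of five categories."""
    if len(pw) < 8:
        return False
    categories = (
        any(c.islower() for c in pw),                 # lower case
        any(c.isupper() for c in pw),                 # upper case
        any(c.isdigit() for c in pw),                 # numbers
        any(not c.isalnum() for c in pw),             # special (punctuation, space)
        any(c.isalpha() and not c.islower() and not c.isupper() for c in pw),  # other Unicode letters
    )
    return sum(categories) >= 3


def normalize(pw: str) -> str:
    """Undo the 'simple variations' listed in the post: drop a trailing run of
    digits/punctuation (Password1, Welcome1!), reverse symbol swaps (P@ssw0rd), lowercase."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.translate(LEET).lower()


def audit(pw: str, username: str, wordlist=DICTIONARY) -> list:
    """Return the weakness codes that apply; an empty list means none were found."""
    findings = []
    if not meets_ad_complexity(pw):
        findings.append("complexity")      # the AD policy itself would reject this
    if pw in TOP_10:
        findings.append("top10")           # appears in the report's top-10 list
    base = normalize(pw)
    if base == username.lower():
        findings.append("username")        # username used as the password
    if base in wordlist:
        findings.append("dictionary")      # dictionary word plus a simple modification
    return findings


if __name__ == "__main__":
    for candidate in ("Password1", "Jsmith1!", "welcome", "xK7#mq2Lp9vB"):
        print(f"{candidate:16} -> {audit(candidate, 'jsmith') or 'no findings'}")
```

"Password1" and "Jsmith1!" both sail through the complexity rule; only the list, username and dictionary checks flag them.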
However, moving forward into 2012 and beyond, it's clear there are steps both end users and businesses should be taking to change their password habits, prioritizing:
- Education of employees on basic security practices
- Tracking of company data and pinning it to an individual every time
- Standardizing implementation across all platforms and devices
- The implementation of a password management tool that makes it easy to maintain high security standards.
Best,
The LastPass Team