2013 has been a year of massive password database breaches, including LivingSocial, Evernote, Adobe and Cupid Media. Whilst each breach is concerning for the service and the users affected, what's more worrying is what post-breach analysis of the dumps reveals, and the effect a breach at one service has on every other service its users share credentials with.
After the Adobe breach, affecting upwards of 150 million users, many IT security pros started to analyse the data set for interesting information. Not to dwell on the findings too much, but it turns out humans are rather bad at:
- Creating good passwords, the most popular being 123456 in the case of Adobe’s huge database, and
- Using individual passwords for the myriad of internet services we all now use
Passwords have become the weakest link in security, exacerbated by the house-of-cards effect of the same credentials being reused across services.
One major area of concern for IT professionals trying to keep businesses safe is the use of corporate email addresses on third-party systems. I, like many other users, use my user@corporate email address to sign in to many different systems.
If one of those services gets hacked, my email address and password might be disclosed, and could be used in further attacks directed at the business that very kindly provides me with email. Being a good security type, I use different passwords for different services, but do all of your users?
So what can we do to address this issue? Let's look at a few options. From the tactical perspective, there are well-known steps IT security pros should be taking now.
- Enforce strong passwords through your security policy (bearing in mind that mandated frequent changes tend to produce predictable variations of the old password), or better yet, deploy two-factor authentication.
- Educate users about this issue and suggest methods to keep them safe on the internet, such as using a password manager like 1Password to generate a random password for each site they use.
- Discourage the use of user@corporate email addresses for third-party systems. Users need to understand the impact that this could have on the overall security of your business.
- Proactively research breached databases for your @corporate domain. Services are starting to emerge to make this easier, including http://haveibeenpwned.com/.
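The last two steps are the ones most often skipped, so here is an added example (not code from the original post or from any of the services it mentions) of what "research the breached databases for your domain" can look like in practice. It parses a constructed `email:password` dump, pulls out the accounts on an assumed corporate domain (`example.com`), and then checks each leaked password against a constructed stand-in for the corporate directory, stored as salted PBKDF2 verifiers rather than plaintexts, to find the users who reused their corporate password on the breached site. Every account, password and hash below is made up for the demonstration.

```python
"""Scan a breached-credential dump for a corporate domain and flag users whose
leaked third-party password also verifies as their corporate password.

Added example. The dump, the directory and the domain are constructed for the
demonstration; swap in your own exports to use it for real.
"""
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass
from typing import Iterable, Iterator

CORPORATE_DOMAIN = "example.com"  # assumption: replace with your mail domain
PBKDF2_ITERATIONS = 20_000        # kept low so the demo runs quickly

# Constructed sample in the email:password form common in pastes. Real dumps
# vary in layout and frequently contain hashes rather than plaintexts.
SAMPLE_DUMP = """\
alice@example.com:Summer2013!
bob@gmail.com:123456
carol@example.com:123456
dave@EXAMPLE.COM:correct:horse:battery
eve@example.com:P@ssw0rd
this line has no separator and is skipped
"""


@dataclass(frozen=True)
class DirectoryEntry:
    """Salted PBKDF2-HMAC-SHA256 verifier, the shape you would export from an
    identity store. Plaintext passwords never leave the directory."""
    salt: bytes
    digest: bytes


def derive(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def build_directory(plaintexts: dict[str, str]) -> dict[str, DirectoryEntry]:
    """Constructed stand-in for the corporate directory (demo only)."""
    directory: dict[str, DirectoryEntry] = {}
    for email, password in plaintexts.items():
        salt = os.urandom(16)
        directory[email.lower()] = DirectoryEntry(salt, derive(password, salt))
    return directory


def parse_dump(text: str) -> Iterator[tuple[str, str]]:
    """Yield (email, password) pairs. Split on the first ':' only, because
    passwords may themselves contain ':'; skip lines that are not records."""
    for line in text.splitlines():
        email, sep, password = line.partition(":")
        if not sep or "@" not in email:
            continue
        yield email.strip().lower(), password


def corporate_accounts(records: Iterable[tuple[str, str]], domain: str) -> list[tuple[str, str]]:
    """Keep only the records whose address is on our domain (case-insensitive)."""
    suffix = "@" + domain.lower()
    return [(email, pw) for email, pw in records if email.endswith(suffix)]


def reused_passwords(records: Iterable[tuple[str, str]],
                     directory: dict[str, DirectoryEntry]) -> list[str]:
    """Users whose leaked third-party password verifies against their corporate
    credential. compare_digest keeps the comparison constant-time."""
    hits = []
    for email, leaked in records:
        entry = directory.get(email)
        if entry and hmac.compare_digest(derive(leaked, entry.salt), entry.digest):
            hits.append(email)
    return sorted(hits)


def scan(dump: str, directory: dict[str, DirectoryEntry],
         domain: str = CORPORATE_DOMAIN) -> dict[str, list[str]]:
    corp = corporate_accounts(parse_dump(dump), domain)
    return {
        "corporate_accounts": sorted(email for email, _ in corp),
        "reused": reused_passwords(corp, directory),
    }


# Constructed directory: alice and dave reuse their corporate password on the
# breached site; carol and eve use something different there.
DEMO_DIRECTORY = build_directory({
    "alice@example.com": "Summer2013!",
    "carol@example.com": "Different-Pass-99",
    "dave@example.com": "correct:horse:battery",
    "eve@example.com": "Unique-per-site-7",
})

if __name__ == "__main__":
    result = scan(SAMPLE_DUMP, DEMO_DIRECTORY)
    print("Corporate accounts in dump:", result["corporate_accounts"])
    print("Reused corporate passwords:", result["reused"])
```

Two design points worth noting. Matching leaked plaintexts against your own verifiers is the only way to answer "did this user reuse their corporate password?", and it works because the leaked side is plaintext; if the dump carries only hashes you can still do the domain match, but not the reuse check. Lowercasing addresses matters: the same user appears as `dave@EXAMPLE.COM` in the dump and `dave@example.com` in the directory, and a naive string comparison would miss the reuse.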
When it comes to fixing this issue more widely, vendors are starting to come together to address the fundamental flaw of passwords: their reliance on layer 8, the human, to create and manage them.
The FIDO Alliance (http://fidoalliance.org/), launched earlier this year, aims to bring internet services and device vendors together around a standardised, interoperable approach to authentication. Key members include Google, PayPal and, more recently, Microsoft on the service-provider side, and a plethora of technology partners on the device side.
It's an interesting alliance that could lead to simpler, stronger authentication for the betterment of us all.
Hey, What’s Your Password?