Thursday, May 10, 2012

Passwords Still the Weak Link in the Chain

Networks are only secure as their weakest part, and time and time again, the weakest part of any network system is the user. Weak passwords are by far the easiest aspect of network security to hack, and despite repeated calls by security experts for people to tighten up their password habits, password vulnerability is as bad as it has ever been.

Gaining access to people’s passwords can be extremely simple, primarily because people just don’t listen to advice. Because so many people use weak or recycled passwords, a hacker only needs to determine one person’s login to gain access to an entire network and the great bounty of data therein. Virtually every high profile hack is down to a single user having a weak password; from online retailer Zappo, who earlier this year had the personal details of 24 million users stolen, to global intelligence firm Stratfor that really should have known better, but recently lost 860,000 user names and email addresses to hackers.

Password security can be extremely difficult for a big network to manage, primarily because it requires policing everybody with access, from the website designers and administrators, to the marketers who are in charge of PPC management and Adsense campaigns, and it only takes one person not to take security seriously for the whole network to become vulnerable.

Seven deadly password sins

People are creatures of habit and nearly a fifth of people still commit one of the seven most common sins for generating passwords:
They use the name of their partner, child or pet, perhaps followed by a digit to adhere to the alpha/numerical construction (usually a 1 or 0). These days with everybody having their life laid bare on social networking sites, it doesn’t take long to learn the name of a family pet, child or spouse.
The same is true of people’s date of birth, either the user or their partner/child/pet.
People often use the last four digits of their social security or employee roll number. These details are perhaps more difficult to get hold of, but not impossible.
Amazingly 123, 1234 or abcd1234 are still common password combinations used by people.
Likewise, “password” or “pa55word” (to get that alpha/numerical combination) is another commonly used combination.
Again, Facebook grants easy access to a user’s favorite sports team, which is another common password sin.
Then there are the generic one-word passwords of “god” “love” “money” “access” etc, which are all common strings.

Repetition

Even if somebody follows the protocol for creating a strong password and uses upper and lower case, number and letters, and keeps the string as random as possible, there is a chance that after going through all that effort, they are probably going to use this same password for a whole host of other web activities. While gaining access to a work VPN or bank account is going to take a lot of effort, some sites, such as forums or online retailers, won’t have such strict security. If a hacker gains access to these websites and figures out a user has quite a strong password, then chances are they are using the same string to gain access to their work network, bank or other secure site.

Hear no evil

Despite the repeated high profile attacks, the loss of millions of people’s personal data each year, and the persistent mantra of the importance of strong passwords from network bosses, people just aren’t listening. It isn’t even as if the internet is a new thing. People have been relying on usernames and passwords for decades, but it seems they just won’t listen. There are probably a couple of reasons for this, and they both boil down to human nature.

Firstly, people think it will never happen to them. Hacking is like being mugged, both in the material loss that can result and in the fact that people think it only happens to others. It isn’t until somebody actually gets hacked that they start to take passwords seriously, but of course, by then it is too late. Secondly, people are inherently lazy. Generating new passwords all the time and having to remember them is not fun, and most people have better things to do, which is why so many choose weak and easy to remember passwords or recycle older ones.

Until people start realizing the importance of good password protocol, high profile hacks will continue unabated. Perhaps there will come a time when virtually everybody has suffered some form of hacking attack at least once, by which time, password security may at last become as important a security concept to people as protecting their wallet or locking their front doors at night. Until then, weak passwords are by far the easiest way in to a network for any hacker.

The Hacka Man