Friday, March 9, 2012

How Secure is Your password, Password1, Password01?

The Trustwave security consulting firm just released a report summarizing the results of 2 million network vulnerability scans and 300 security breach investigations.  It turns out that most hacking incidents occur because of weak passwords, not sophisticated hacker tools. In their research they found that 5% of passwords contain some variation of the word "password."

This report illustrates a basic problem with username/password based security: its vulnerability to the limitations of the end user.  Most users choose passwords that are too weak and easily guessable.  To combat this, user management tools usually require users to include in their password at least one capital letter and a mix of letters and numbers.  Naturally, users create words they can remember, like Password1.  Hackers are able to run brute-force attacks by running a program that attempts logins with variations of words from a dictionary (called a dictionary attack).  The tool will try password, Password, Password1, Password2, and so on.  With the massive amount of processing power in most PCs these days, hackers can run millions of password-guessing permutations in minutes.  The more secure alternative is to use a system-generated strong password that is less vulnerable to a dictionary attack, but these are often complex and hard to remember, prompting users to write them down and store them where they can be stolen.
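As an added illustration (not from the original post or the Trustwave report), the check below shows why a naive complexity rule accepts Password1 or Password01 while a dictionary-variant check rejects them. The word list and the leet-substitution map are constructed assumptions; a real deployment would use a large breached-password list.

```python
import re

# Constructed stub of a common-password list (assumption; a real check
# would load thousands of entries from a breached-password corpus).
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "admin"}

# Constructed map undoing the usual letter-for-symbol swaps (assumption).
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def meets_naive_policy(pw: str) -> bool:
    """The complexity rule the post describes: at least one capital letter
    and a mix of letters and digits (plus a minimum length of 8)."""
    return (len(pw) >= 8
            and any(c.isupper() for c in pw)
            and any(c.isalpha() for c in pw)
            and any(c.isdigit() for c in pw))


def base_word(pw: str) -> str:
    """Reduce a password to the dictionary word a cracker would start from:
    lowercase it, strip leading/trailing digits or symbols, undo leet swaps."""
    s = pw.lower()
    s = re.sub(r"^[^a-z]+|[^a-z]+$", "", s)   # drop padding like "01" or "!"
    return s.translate(LEET_MAP)               # p@ssw0rd -> password


def is_dictionary_variant(pw: str, words=COMMON_WORDS) -> bool:
    """True when the password is just a mutated dictionary word."""
    return base_word(pw) in words


def assess(pw: str) -> dict:
    """Compare the two checks side by side for one candidate password."""
    return {"policy_ok": meets_naive_policy(pw),
            "dictionary_variant": is_dictionary_variant(pw)}


if __name__ == "__main__":
    for candidate in ["Password1", "Password01", "P@ssw0rd1", "xK9#vL2$pQ"]:
        print(candidate, assess(candidate))
```

Password1, Password01 and P@ssw0rd1 all pass the naive policy but are flagged as dictionary variants; only the random string passes both checks.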

The digital universe is rapidly getting to the point where relying solely on username/password security is inadequate.  Either new technology methods will have to be developed or systems and providers will have to embrace multi-factor authentication (MFA).  MFA users must validate themselves with more than one authentication method.  These modes are defined as something you know (password), something you have (digital access card/token), or something you are (finger/handprint, retina scan).  While it is hard to imagine widespread adoption of MFA, it is also shocking to imagine that more places haven't required these security enhancements, given the weaknesses of user-generated passwords.  This article should be a call to action: let's see who responds to it.

Read the article.
