    Password Security Remains the Weakest Link Even After Big Data Breaches

    By Fahmida Y. Rashid - June 19, 2011

      Despite repeated reminders to select strong passwords and not to reuse them across Websites and services, online users continue to be frighteningly lax in their password security, according to a recent analysis of leaked passwords.

      Security experts recommend taking a multilayered approach to security. Instead of relying on a single point of failure, organizations should be implementing several mechanisms to make it harder for cyber-attackers to steal sensitive, confidential data, Mike Yaffe, government security strategist at Core Security, told eWEEK.

      Considering how easy it has become to steal passwords, using phishing emails or by installing keyloggers on a target computer, relying solely on passwords to protect data is very risky, Yaffe said.

      Organizations are often leery of putting up any security measures that may affect the user experience and interrupt workflow because they are worried users will get annoyed and go elsewhere. But some tolerance for inconvenience is necessary, since it will result in a “significant boost” in security, Yaffe said. Many banks are rolling out additional protections such as image verification and hardware tokens, which may feel a little tedious, but Yaffe said he’s willing to put up with them because he would rather be overprotected than underprotected.

      Other protections include multiple security questions, forcing users to change passwords regularly, and checking to ensure the passwords aren’t dictionary words or being reused.

      Attackers should have to get past multiple gatekeepers before they even get to the database, Josh Shaul, CTO of Application Security, told eWEEK. Organizations should be combining all the security layers that will help trap attackers, or at least slow them down enough by raising enough flags for the IT department to notice something is wrong, according to Shaul.

      There’s no such thing as “security nirvana,” but organizations can try to foil attackers by making their environments harder to breach than the payoff may be worth, Yaffe said. Motivated attackers will always find a way, but there’s no need to make it easy.

      That applies equally to users. Angry users blame the vendor for not taking proper security measures after a data breach, but the fact remains that users must share the blame. While Gawker and Sony were both criticized for running obsolete software and not protecting password data stored in the database, a recent analysis of passwords stolen from those two companies reveals a significant degree of overlap.

      Software architect and security researcher Troy Hunt analyzed the torrent of files released by LulzSec shortly after the group hacked Sony Pictures and Sony BMG Music and the password lists that another hacker group, Gnosis, leaked in December after hacking Gawker’s commenting database. According to Hunt’s analysis, 88 people were in both data sets with the same email address, and 67 percent of them used the same password.

      Admittedly, 88 people is a very small number, considering there were 37,608 accounts in the Sony files and more than 188,000 accounts from Gawker. However, the two sites are pretty independent in terms of the kinds of users they attract, Hunt noted. For skeptics who may not consider this significant, Hunt identified “well over” 2,000 users who had accounts with both Sony Pictures and Sony BMG using the same email address. Hunt found 92 percent of the users had the same password across both accounts.

      Based on these findings, it’s reasonable to assume many of these user-name (or email address) and password combinations could turn out to be the “key” to other Gmail, eBay and Facebook accounts. “There’s a statistically good chance that the majority of them will work with other Websites,” Hunt said.
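The overlap measurement Hunt describes, matching two leaked account lists by email address and counting how many shared accounts carry the same password, is the same check a defender can run to find which of its own users are exposed to credential stuffing after a third-party breach. The following is an added example, not Hunt’s tooling or code from the article; the two account lists are constructed stand-ins, and the plain password strings stand in for the hashed values a real comparison would use.

```python
from typing import Dict, Iterable, List, Tuple

# Constructed sample dumps standing in for two unrelated sites' leaked account
# lists (made-up addresses and passwords, not real breach data). Real analyses
# compare password hashes rather than plaintext; plain strings are used here
# only to keep the example self-contained.
SITE_A: List[Tuple[str, str]] = [
    ("alice@example.com", "hunter2"),
    ("Bob@Example.com", "correct horse"),
    ("carol@example.com", "qwerty"),
    ("dave@example.com", "s3cret!"),
    ("erin@example.com", "letmein"),
    ("alice@example.com", "hunter2-old"),   # duplicate row, ignored below
]
SITE_B: List[Tuple[str, str]] = [
    ("alice@example.com", "hunter2"),
    ("bob@example.com", "correct horse"),
    ("carol@example.com", "qwerty123"),
    (" Erin@Example.com ", "letmein"),      # same account, sloppy formatting
    ("frank@example.com", "password"),
]


def normalize_email(email: str) -> str:
    """Lower-case and trim so 'Bob@Example.com' and ' bob@example.com ' match."""
    return email.strip().lower()


def index_by_email(records: Iterable[Tuple[str, str]]) -> Dict[str, str]:
    """Map normalized email -> password, keeping the first row for an address."""
    index: Dict[str, str] = {}
    for email, password in records:
        index.setdefault(normalize_email(email), password)
    return index


def cross_site_reuse(site_a: Iterable[Tuple[str, str]],
                     site_b: Iterable[Tuple[str, str]]) -> dict:
    """Accounts present in both dumps, and how many reuse the same password."""
    idx_a, idx_b = index_by_email(site_a), index_by_email(site_b)
    shared = sorted(set(idx_a) & set(idx_b))
    reused = [email for email in shared if idx_a[email] == idx_b[email]]
    return {
        "shared_accounts": len(shared),
        "same_password": len(reused),
        "reuse_rate": len(reused) / len(shared) if shared else 0.0,
        "reused_emails": reused,   # the users a defender would force to reset
    }


if __name__ == "__main__":
    result = cross_site_reuse(SITE_A, SITE_B)
    print(f"{result['shared_accounts']} shared accounts, "
          f"{result['same_password']} with the same password "
          f"({result['reuse_rate']:.0%})")
    for email in result["reused_emails"]:
        print("  reuse:", email)
```

The `reused_emails` list is the actionable output: those are the accounts to force through a password reset and, where available, a second factor, rather than waiting for a login from an unfamiliar location.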

      Attackers are already doing just that, testing leaked passwords against other Web services. LulzSec recently breached the Website of Infragard, a partnership between the FBI and private security firms, and obtained the email database. It turned out one of its members, Karim Hijazi, was using the same password for his personal Gmail and work email accounts. Hijazi also happened to be the CEO of white-hat hacking organization Unveillance. Password reuse also helped hacktivist collective Anonymous when it went after HBGary Federal in February.

      Security that depends on users having strong, unique passwords is not enough, not when modern-day malware can easily intercept that information. Security experts often say user authentication should be a combination of what the user knows, such as a password, and what the user has, such as a hardware token that randomly generates a new passcode every 30 seconds. Some major Websites, including Google and Facebook, have implemented two-factor authentication based on user phones to access their services.

      For Google’s Gmail, users who have opted into two-factor authentication enter their user name and password as usual, and then are directed to a “verification” page where they enter a six-digit code that is generated by an application on the smartphone or sent via Short Message Service.

      Some banks turn to the cloud to handle two-factor authentication, Ken Hunt, Vasco Data Security CEO, told eWEEK. Vasco customers issue hardware tokens, similar to the SecurID tokens from RSA Security, which randomly generate passcodes that users enter on online banking sites. The DIGIPASS cloud service authenticates users before allowing them to access applications, Hunt said.

      Ray Wizbowski, global director of marketing and communications in the security business unit at Gemalto, takes that a step further for cloud-based applications. Wizbowski suggests that authentication should be a combination of the physical device, something the user knows, and “something we are.” Identity-based information would provide a “stronger verification” that the user is really the one supposed to be accessing the cloud data, Wizbowski said.
