ElcomSoft has conducted a survey on its customers, and discovered a major security hole in the choice of passwords among respondents.
According to the survey, as many as 77% of respondents use or have used the same passwords for different applications, documents and websites. This fact per se does not help an outside attacker to quickly unlock a single document protected with a strong password and an adequate encryption algorithm. However, if one gets access to the entire hard drive, extracting passwords protecting certain types of information (e.g. email accounts, Web forms, instant messenger accounts and so on) is near instant.
By using passwords extracted from the weaker link, it becomes possible to unlock other types of information protected with much stronger encryption algorithms if the same or similar passwords are used.
While using the same password on multiple types of information is usually against corporate security policies, other research suggests that such users can avoid automatic enforcement of a security policy by adding numbers or suffixes to such passwords. Password recovery tools with advanced dictionary attacks that permute dictionary words can easily handle these slight differences in password prefixes and suffixes.
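As an added example (not ElcomSoft's code and not part of the survey), a password-change check that catches the number-and-suffix variations described above by reducing both passwords to the dictionary-like stem a permutation attack would recover; the decoration patterns and the leet map are assumptions chosen for illustration.

```python
import re
import unicodedata
from typing import Optional

# Decorations users bolt onto an old password to satisfy a "must differ" rule.
# Both patterns and the leet map are assumptions for this example; extend them
# with whatever your own password audits show.
_LEADING = re.compile(r"^[\d!@#$%^&*?._\-]+")
_TRAILING = re.compile(r"[\d!@#$%^&*?._\-]+$")
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def stem(password: str) -> str:
    """Reduce a password to the core a permutation-based dictionary attack would
    recover: lowercase, strip leading/trailing digits and symbols, undo leet."""
    p = unicodedata.normalize("NFKC", password).lower()
    p = _TRAILING.sub("", _LEADING.sub("", p))
    return p.translate(_LEET)


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, so 'summer' vs 'summers' still counts as a variant."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_trivial_variant(old: str, new: str, max_distance: int = 1) -> bool:
    """True when `new` differs from `old` only by a prefix/suffix, case, leet
    spelling or a one-character tweak, i.e. what a permuting dictionary attack handles."""
    s_old, s_new = stem(old), stem(new)
    if not s_old or not s_new:  # all-digit/symbol passwords: nothing to stem, compare raw
        s_old, s_new = old.lower(), new.lower()
    if edit_distance(s_old, s_new) <= max_distance:
        return True
    shorter, longer = sorted((s_old, s_new), key=len)
    return len(shorter) >= 4 and shorter in longer  # old core embedded in the new one


def check_password_change(old: str, new: str) -> Optional[str]:
    """Password-change policy hook. At change time both passwords are typed in
    plaintext, so no stems or plaintexts need to be stored. Returns a rejection
    reason, or None when the change is acceptable."""
    if new == old:
        return "new password is identical to the old one"
    if is_trivial_variant(old, new):
        return "new password is a trivial variant (prefix/suffix/case/leet) of the old one"
    return None
```

Because the check only compares the typed old and new passwords, it does not require keeping a history of stems, which would otherwise weaken the stored hashes.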
“People tend to re-use passwords among different accounts, and to protect different types of information”, says ElcomSoft CEO Vladimir Katalov. “We just haven’t realized how large the extent of the issue is.” Sharing passwords among different accounts and types of information gives those equipped with appropriate password recovery tools a good chance to gain access to everything protected with said password in almost no time.
The “Password Usage Behavior” survey was conducted online from June 3, 2009 through September 1, 2009. ElcomSoft invited its clients – CIOs, IT administrators, security experts from governmental and military sectors as well as ordinary users – from around the globe. The results of this survey are based on responses from more than 1000 security and IT professionals from more than 70 countries. Thirty-nine percent of respondents were from Europe, followed by North America (36%), Asia (12%), the Middle East (6%), Australia (4%), and South America and Africa (3%).
According to the poll findings, 50 percent of respondents use more than 10 different passwords. While 29 percent have from 4 to 10 passwords, 11 percent claimed to use only 1 to 3 passwords to access websites and applications. This is disturbing, as 3 passwords used everywhere cannot guarantee proper security, especially when these passwords are used to access both personal and work accounts. 77% of respondents use or have used the same passwords for different applications, documents and websites.