Why we need a reality check on passwords

Richard Cassidy, Technical Directory EMEA at Alert Logic

Given all the recent and historical news on data breaches of personal e-mail accounts, social media accounts and even phone account passwords, it is every wonder therefore that we are still using password combinations that are incredibly easy to guess.

Typically most users will maintain a single password for almost all sites they access. Passwords such as these are dangerous because they are the first attempted combinations in the arsenal of attackers brute-force access tools.

The challenge is that cyber criminals are well aware that many of their targets still fail to employ a strong password policy and as such will “pre-load” their dictionary attacks for brute-force access with the combinations listed; which in turn means almost instant access to a substantial number of users personal data. If an attacker can compromise even a single password from a user, it can mean “carte-blanche” for access to other sites and systems thereafter.

It’s clear that the strongest security controls rely on good password strength and regular changes; which if followed well, can often be the Achilles heel in attackers continued access to systems.

The reality we face in today’s threat minefield is that human error is the highest contributing factor as to why threats both exist and attackers succeed in exploiting their targets. Bad actors (hackers) are well aware that we are only as strong as our weakest link; this is why they have increasingly turned their focus to the tried and tested method of social engineering, including brute force attacks against systems and servers protected by weak passwords (or in far too many cases default ones defined in user manuals).

Unless you are in a position whereby you can store all your personal data offline of internet/cloud based services (which these days is practically impossible, given information held about individuals for banking, government and e-communication purposes), then your approach to better security should start by better education on what you can do to limit your exposure to threats or data-breaches and working to ensure that your most sensitive data is stored offline and not available on public hosted/cloud networks.

Unfortunately however, even with complex passwords we are almost fighting a loosing battle; this is because cyber criminals can access botnet ecosystems to crack encrypted files or password protected data (through hashes of the password, or direct brute force attack) or make use of underground “cracking rigs” that use GPU’s Processors in rigs that can quite literally attempt billions of combinations per second. This means your average 8 character password (mandated by many online systems today) can be cracked in days.

A great deal of research has gone into the minimum password length recommended; all users should be choosing passwords of at least 12 characters (alphanumeric with special characters) that are completely random and that would challenge even the most sophisticated decryption rigs for service out there on the cyber criminal underground.

Regardless of the level of technology implemented to protect networks, systems and applications, if users share information they shouldn’t (passwords, account details, corporate data or personal identifiable information) or click on links that re-direct them to malicious malware then it makes things a great deal more difficult (albeit not impossible) to adequately protect ourselves in this insatiably online world.

Keeping local security applications up-to-date and implementing programs that can inspect the links embedded in e-mails or social media messages for known malicious sources in a good step in assisting us with identification of potential harmful communications; however the “keep it simple” methodology in all online security endeavours will always provide a high level of personal protection against the latest scams.

Overall there are two approaches to protecting your data; first is access to data stores (e-mail, social media, online file sharing) with a minimum of 12 character passwords and second, encrypted key data files with strong cipher algorithms. In the end, you want to make the cost of accessing that data far outweigh the value of it, or at least provide a level of assurance that by the time it could be theoretically accessed, it is no longer useful to the source that exfiltrated it. However even if you fail to do any of this, don’t make cyber criminals job any easier by choosing easy password phrases.