Darren Siegel is a cyber security expert at Specops Software. He works as a lead IT engineer, helping organizations solve complex challenges within IT security. In this interview with Help Net Security he discusses the challenges related to password security.
Every year, attackers get access to billions of passwords. What are the main reasons that these leaks keep happening?
There is clearly no shortage of ways for a bad actor to access privileged data on computer systems. We see systems compromised by anything from default/easily guessed administrative passwords to sophisticated social engineering attacks to known but unpatched vulnerabilities like the one that led to Fortinet SSL VPN credentials being leaked late last year. Zero-day exploits like Log4J are also bound to happen from time to time, leaving even the most tightly guarded environments potentially exposed to attackers.
Despite available solutions, leaks show that organizations still haven’t solved the problems of weak passwords and password reuse. Why?
The biggest barrier to stronger passwords is end user behavior and expectations. Users want passwords that are quick to type and easy to remember, and this naturally leads them to choose passwords that are also quite easy to guess.
The same can be said for password reuse – it is far easier for an end user to remember one good password than to keep track of multiple different passwords for different accounts. Organizations need to leverage tools that make it easier for end users to choose good, memorable passwords.
What advice would you give to a CISO searching for a way to strengthen security and prevent a password breach?
CISOs have a uniquely challenging role – just one bad password or one unpatched system can lead to their organization appearing in the news. And unfortunately, we cannot rely on human behavior from end users or even IT administrators alone to keep systems in check.
My advice would be to implement solutions that will enforce and audit good password practices so you can know with confidence that there are no password-related vulnerabilities on your network.
Specops Software has effective password security solutions. Can you highlight some of the most interesting features?
I would highlight Specops Password Policy with Breached Password Protection. This solution enables IT admins to enforce the use of good password practices by preventing users from setting passwords that contain common words, words common to their unique organization, and over 2 billion passwords that have appeared in public data breaches.
We can also regularly check users’ current passwords against those breach password lists to ensure we continue to protect against the next data breach, whenever that inevitably happens. Arguably the best part about this solution is the ease-of-use for end users, making adoption into the program seamless—after all how good is a software if you can’t get people to use it?