All the latest UK technology news, reviews and analysis
|
|
|
21 Jan 2010
A recent data breach study has turned up damning evidence on the lack of security awareness with user-selected passwords.
Research firm Imperva conducted the Consumer Password Worst Practices study (PDF) following a major data breach at social networking site RockYou which made more than 32 million user passwords public.
An analysis of the leaked data showed that users are still selecting passwords that are easily guessed.
The study found that roughly a fifth of users had selected passwords that were among the 50,000 most common on the web. Among these were basic numerical sequences.
Nearly 300,000 of the compromised accounts used '123456' as a password, while an additional 79,078 selected '12345' and 76,790 users used '123456789'. Other commonly used passwords were 'password', 'iloveyou' and 'princess'.
By selecting such widely used passwords, users are leaving their accounts easily accessible to data harvesting, said Imperva. The report suggested that by using an automated 'brute force' tool based on the 50,000 common passwords list, an attacker could have harvested more than 1,000 account credentials in under 17 minutes.
"This means that the users, if allowed to, will choose very weak passwords even for sites that hold their most private data," said Imperva.
"Worse, as hackers continue to rapidly adopt smarter brute force password cracking software, consumers and companies will be at greater risk."
The report was quickly picked up by authentication vendors such as VeriSign to show the need for additional account protection such as randomly generated codes.
"The shortcomings of weak passwords and the need for stronger authentication solutions are becoming more and more evident," a company spokesperson told V3.co.uk.
"One-time passwords via two-factor authentication provide a critical layer of security to counter such threats."
Others in the security community suggested stepping up the enforcement of best practices. Gartner vice president and research fellow John Pescatore suggested in a blog post that administrators should prod users to strengthen their login details.
"The passwords users create are the equivalent of them choosing front door locks that open with skeleton keys," wrote Pescatore.
"We will be stuck with passwords for a long time and, since users will complain no matter what we do to enforce password discipline, this little exercise points out that we should focus on annoying users by requiring strong passwords versus frequently changed passwords."
Latest stories from Security
Related articles
Related jobs
Poll
Are you confident that the UK's IT infrastructure is secure from attack in the wake of the Flame malware revelations?
Orange and Intel talk us through the ins and outs of their San Diego smartphone
Connect with V3.co.uk
The wrong printers, for the wrong tasks on the wrong contracts
Who leads the BI pack and who should we be watching out for?
Our highly successful client urgently requires Senior...
Our highly successful client urgently requires Senior...
Our highly successful client urgently requires Senior...
Our client, a highly successful and currently market...
Keep up to date with the latest products, services and technologies from the world's leading IT companies. IThound.com brings you over 2,000 white papers, case studies and analyst reports.
Do you agree?
Best practice to avoid weak passwords
This rockyou.com breach and the subsequent analysis of the leaked login data underlines the importance of differentiating the passwords you use between web sites, applications and devices. It also underlines the necessity to use passwords that are not obvious or simplistic, or follow obvious keyboard patterns. Using the same, easy username and password across everything is far from being a sensible practice, but we understand why people do it when faced with remembering and using a multitude of different usernames and passwords on a daily basis. Yet taking such a serious risk with IT security is not necessary. Technology is readily available, including Courion?s PasswordCourier, to automate and manage password creation, password changing and password reminders, so that legitimate individuals who forget a challenging password for a particular web site can get a reminder or new credentials without creating more work for the IT department. These automated solutions also help enforce best practice in creating and using strong passwords. As a bare minimum, individuals should follow these three steps, at work as well as at home, to ensure access remains secure and data remains safe: ? Set sensible passwords that pose a challenge ? Use different passwords for different sites and services ? Regularly change your passwords By following these steps, you can not only improve your personal and company data security by making it harder for opportunistic individuals to access your accounts, but also ensure that your exposure to the knock-on effects of a data breach is minimised.
Posted by: Stuart Hodkinson, UK general manager, Courion 25 Jan 2010