Social networks, email, online shopping, cloud storage, both in the corporate and private world, there are many services used daily that request logins and passwords for access, and in most cases, users opt for the convenience of using the same data. Data breaches are often the result of a poor password policy. Therefore, it's important to create a solid password policy for your organization.
In recent years, we have seen many cases of cyberattacks on big companies like LinkedIn, Last.fm, Ashley Madison, Sony and (recently) Dropbox, in order to get valuable user data and passwords. These data leaks and security breaches are increasingly common, businesses and users should be aware of the risks they are taking, especially the bad habit of using corporate email on public websites and the same passwords for different registrations. With a public data leak, someone may have access to confidential company data.
The logic is simple; hackers know about the bad habit of sharing passwords and email addresses and may attempt to gain access to company systems or other user services testing emails and passwords leaked by a public site.
A recent study by Ponemon Institute (https://www.ponemon.org/) with about 3000 employees working in organizations in the United States and Europe, reveals that employee behavior is the biggest factor for exposing information in companies. Only 39% of surveyed employees said they take all the necessary steps to protect corporate information.
Most of the time, people downplay the consequences of what could happen or have no idea of the value of the data they hold. As incredible as it may seem, sequential passwords like "123456" are always among the most used, reinforcing the idea that people don't care about security. Consider the following: the value of the safe is directly proportional to what's kept inside it. Therefore, it is common to use secure or complex passwords in places that we consider storing something valuable, such as banks. The biggest problem may be the fact that people are not aware of the value (monetary or sentimental) that their information has, until it is lost.
What is a good password policy?
Passwords are still composed of elements that the user can remember. Using one for each location is very difficult to memorize thus, unfortunately, some situations condone the use of public information. For example, when someone asks you a 4-digit password, the first thing that comes to mind is the end of a phone number, the numerical sequence of a license plate or a date (day/month or year).
A password is as safe or strong as the time it takes to "find it". The first step of a hacker is to attempt sequences of numbers or letters that are related with the person's life, such as significant dates (for the person or close ones), known names, places, football teams, etc. Thus, the "attacker" begins studying the "attacked", creating a list of words and numbers, which is called dictionary attack. If it doesn't work, then the brute force attack starts, where all combinations of letters and numbers are systematically attempted (e.g. aaa, aab, aac, aad...).
To get an idea of the complexity of this process, using the 26 letters of the alphabet and counting only lowercase letters, we would have two hundred and eight billion (208,827,064,576) combinations for a password with eight characters (268). If we could test one password per second, it would take 2,416,979 days to test all passwords, approximately 6,621 continuous years.
On the other hand, computers can test thousands or millions of passwords per second. Within companies, probably systems are configured to block a user after three or five attempts using the wrong password, to avoid dictionary attacks or brute force attacks. However, when there is a leak of a database, attackers can test as many passwords as they wish, as attackers control their own environment and are not subject to the restrictions of a corporate environment (offline attack).
- So, be sure to follow some valuable tips:
- Never use passwords that contain sequences;
- Use upper and lower case letters;
- Don't write them down, memorize them;
- Add special characters;
- Don't use the same password for different services.
Although security is related to the quality of the password used, data encryption can be a great way to help CSOs (Chief Security Officer) keep data safe. If the problem is memorizing passwords, speak to experts to find out the ideal tools to centralize administration, these solutions store passwords using databases with advanced encryption and a master password that will provide access to all.
As there are no laws related to the responsibility of leaked passwords, we rarely know what was leaked, then the entrepreneur is still not really aware of this problem. What is missing is a preventative and effective culture regarding the behavior for use and access to information, as technologies to combat information leaks and threats are sophisticated and meet the main protection demands.
Fernando Amatte is as Cyber security Specialist at CIPHER