05.5.2016

insecure passwords

People use “bad” passwords — no, these passwords aren’t swear words — for two reasons: They’re easy to come up with and easy to remember. Bad, or weak, passwords are passwords hackers find hilariously simple to crack. Examples of laughingstock passwords are:

  • 123456
  • Password
  • Letmein — seriously?
  • Qwerty — or mnbvcx
  • Your initials followed by your age
  • Telephone numbers
  • Pet or kid names
  • Repeating dictionary words, like appleapple or dogdog
  • Passwords that have remained the same since 1998. We not only use bad passwords like we don’t have a care in the world, but we also have a ghastly habit of never, ever changing them.

For professional password hackers, cracking bad passwords is similar to a savvy auto thief stealing a car using a shaved key and an opening device. Since they’ve already got the tools and know-how, the deed takes little skill and no time at all. Even if your password contains an uppercase letter, a number, a hieroglyphic, a smiley face and an equation needed to operate the Hadron Collider, some evil genius hacker will figure out what it is and gain access to your bank account, PayPal account or business account.
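As an added example (not code from the original post or from Optimal IdM), the screening function below turns the list of laughingstock patterns above into a check an application can run at password-set time: a small blocklist, keyboard walks such as qwerty and mnbvcx, phone-number-like strings, repeated dictionary words like appleapple, and personal terms such as initials or a pet name. The blocklist and the sample inputs are constructed for illustration; a real deployment would load a large breached-password corpus instead.

```python
import re

# Constructed, deliberately tiny blocklist; production code should load a
# real breached-password corpus (millions of entries) rather than this sample.
COMMON_PASSWORDS = {"123456", "password", "letmein", "qwerty", "mnbvcx", "welcome", "admin"}

# Physical keyboard rows; walks along them (forwards or backwards) are weak.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

# Minimum length applied here; an assumption chosen for this example.
MIN_LENGTH = 12


def is_keyboard_walk(pw: str, min_len: int = 4) -> bool:
    """True if pw contains a run of min_len adjacent keys from one keyboard row."""
    p = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in p:
                    return True
    return False


def is_repeated_word(pw: str) -> bool:
    """True if pw is some shorter chunk repeated two or more times (appleapple, dogdog)."""
    n = len(pw)
    for size in range(1, n // 2 + 1):
        if n % size == 0 and pw[:size] * (n // size) == pw:
            return True
    return False


def looks_like_phone_number(pw: str) -> bool:
    """True if pw is made only of digits and phone punctuation, seven or more characters."""
    return re.fullmatch(r"[\d\s()+-]{7,}", pw) is not None


def weak_password_reasons(pw: str, personal_terms=()) -> list:
    """Return a list of reasons the password is weak; an empty list means no check fired.

    personal_terms: strings the caller knows about the user (initials, pet or kid
    names, birth year) that must not appear inside the password.
    """
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append("too short")
    if low in COMMON_PASSWORDS:
        reasons.append("on common-password blocklist")
    if looks_like_phone_number(pw):
        reasons.append("looks like a phone number")
    if is_keyboard_walk(pw):
        reasons.append("contains a keyboard walk")
    if is_repeated_word(low):
        reasons.append("repeated word or pattern")
    for term in personal_terms:
        if term and term.lower() in low:
            reasons.append(f"contains personal term '{term}'")
    return reasons


if __name__ == "__main__":
    # Constructed sample inputs covering each pattern from the list above.
    samples = [
        ("123456", ()),
        ("appleapple", ()),
        ("5551234567", ()),
        ("jd42", ("jd",)),
        ("correct horse battery staple!", ()),
    ]
    for candidate, terms in samples:
        print(f"{candidate!r}: {weak_password_reasons(candidate, terms) or 'no weakness detected'}")
```

The function reports every reason rather than stopping at the first, which lets the user interface explain what to change; the checks are independent so each can be tuned (for example a larger blocklist or a longer minimum) without touching the others.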

Offline Password Cracking

Offline password crackers break into large computer systems and eavesdrop on encrypted exchanges sent over the Internet and/or steal encrypted password files. This gives them free rein to decrypt as many passwords as they wish with nothing to stop them. Offline password cracking techniques allow hackers to execute millions of guesses in seconds. Cracking one short, weak password of five or six characters will take an evil genius hacker less than 10 to 15 seconds. And then it’s on to the next one — and the next one…

Keyloggers May Be Lurking in Your Company Computers

Another way passwords are hacked is with keylogger software. Keyloggers record keystrokes made by whoever is using the keyboard. Keystroke activity is then saved to an encrypted log file to be viewed by hackers using a log viewer. Keylogging programs can be installed manually on unattended computers or remotely by more sophisticated hackers. Although keyloggers are helpful for tracking unauthorized computer use or maintaining backups of typed data, they are also one of a hacker’s favorite tools, if the hacker can manage to get one installed on a targeted computer. Keyloggers are especially destructive to business integrity since they log all websites visited, periodically take webcam images and record audio with a built-in microphone.

Don’t Ride This Trojan Horse

The ancient Greeks may have won a war with their Trojan horse, but computer Trojan horses won’t win you any wars. Instead, Trojan malware, typically disguised as recognized software, is what hackers use to get into your system. Once activated by user actions, Trojan horses and the cybercriminals riding them take over infected computers, steal passwords and easily access all kinds of sensitive information. In addition, hackers opening the backdoor to your computers with Trojan malware can delete, block, copy and modify data, severely disrupting computer network performance.

What’s a High-Security Alternative to Passwords?

According to the Verizon 2014 Data Breach Investigations Report, “the use of stolen and/or misused credentials (user name/passwords) continues to be the number one way hackers gain access to information. Two out of three breaches exploit weak or stolen passwords, making a case for strong two-factor authentication.”

One of the biggest password security breaches in recent years lacerated Wall Street banking giant JP Morgan Chase when an employee’s password and username were hacked and used to infiltrate accounts belonging to over 75 million JP Morgan account holders and seven million businesses. More specifically, cybercriminals exploited this employee’s ability to access a web-development server by cracking their username/password combination.

Other companies affected by password-sniffing hackers taking advantage of weak passwords and Swiss-cheese-like security systems include:

  • Yahoo: In 2014, 80 million Yahoo email customers suffered compromised passwords via a third-party application.
  • LastPass: An online business that allows users to store all their passwords online so they can get to them with one master password, LastPass felt the sting of busy-bee hackers when cyber evil geniuses stole encoded versions of customer passwords in 2015. Consequently, hackers gained access to email addresses and even password reminders.
  • Target: 110 million customers found their personal data breached by a 2014 email phishing scheme that allowed hackers to access the department store’s corporate network via a subcontractor’s cracked password and other authentication details.

Cramp the Style of Evil Geniuses — Secure Your Business With Single Sign-On and Multi-Factor Authentication

An authentication process called SSO, or single sign-on, lets you access several different applications using one login credential. Many enterprises implement SSO to make it easier for clients to access multiple resources linked to a local area network (LAN). SSO not only reduces phishing risks and password compromise, but it also:

  • Provides a secure means of access
  • Improves productivity by eliminating help desk requests and credential re-authentication
  • Enhances compliance for healthcare facilities via centralized databases
  • Streamlines desktop workflow and remote/local application access
  • Significantly decreases the number of passwords clients must remember to help reduce instances of password recovery assistance
  • Improves the ability of administrators to manage user configurations affecting all connected systems
  • Supports timely and effective disabling of computer/network accounts linked to terminated users

Multi-Factor Authentication

Multi-factor authentication (MFA) involves combining two or more different credentials — password, security token and biometric verification, for example — for access to a database or network. MFA makes it extremely difficult for hackers to compromise the security of computer networks because they must infiltrate multiple layers of defense, instead of just decoding one password. If hackers do succeed in guessing a password, they must still breach additional authentication types before they can reach their target.

Standard MFA methods include entering one-time passwords on websites with authentication servers, or swiping an ID card and then entering a PIN, answering security questions or scanning fingerprints. One of the biggest benefits of using an MFA process is the long-term security it provides by ensuring only individual account owners can access their login credentials. MFA also improves data access management by allowing immediate lock-out of terminated employees.
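The one-time passwords mentioned above are usually time-based codes (TOTP, RFC 6238, built on HOTP, RFC 4226) that an authenticator app computes from a shared secret and the current time, and that the authentication server recomputes and compares. The following is an added example, not code from the original post or from Optimal IdM, of the server side of that check. It uses the standard 20-byte test secret from the RFCs and constructed timestamps; the clock-skew window of one step and the replay guard (a code, once accepted, cannot be accepted again, which is what makes the password "one-time") are design choices assumed for this example.

```python
import base64
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps share secrets as unpadded base32; restore padding and decode."""
    cleaned = text.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


class TotpVerifier:
    """Server-side verifier with a skew window and a replay guard (assumed design)."""

    def __init__(self, secret: bytes, step: int = 30, digits: int = 6, window: int = 1):
        self.secret = secret
        self.step = step
        self.digits = digits
        self.window = window
        self.last_counter = -1  # highest counter already consumed by a successful login

    def verify(self, submitted: str, at_time: int) -> bool:
        """Accept the code if it matches any counter within +/- window steps
        of the current one, and that counter has not been used before."""
        counter = int(at_time) // self.step
        for c in range(counter - self.window, counter + self.window + 1):
            if c <= self.last_counter:
                continue  # already consumed: reject replay of an old code
            expected = hotp(self.secret, c, self.digits)
            # Constant-time comparison; avoids leaking how many digits matched.
            if hmac.compare_digest(expected, submitted):
                self.last_counter = c
                return True
        return False


# RFC 4226 / RFC 6238 reference secret (ASCII "12345678901234567890"), used here as a
# constructed sample; its base32 form is what an enrollment QR code would carry.
SAMPLE_SECRET = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")


if __name__ == "__main__":
    verifier = TotpVerifier(SAMPLE_SECRET)
    code = totp(SAMPLE_SECRET, 59)  # constructed time: 59 seconds after the epoch
    print("code at t=59:", code)
    print("first submission accepted:", verifier.verify(code, 59))
    print("replayed submission accepted:", verifier.verify(code, 59))
```

The skew window tolerates a phone clock that is up to one step off, while `last_counter` closes the gap that window would otherwise open: without it, an attacker who captured a code by keylogging or phishing could reuse it for up to 90 seconds. Anything stronger than this (rate limiting of guesses, lockout after repeated failures) belongs in the surrounding login flow.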

Yahoo and Target’s reputations — and stocks — sank to new lows following their infamous security breaches. Don’t let that happen to your company. Beat the evil genius hackers at their own game by securing your company with single sign-on and multi-factor authentication provided by Optimal IdM. Contact us today to find out how you can have the last laugh when hackers discover your network is invulnerable to their tricks.
