Wednesday, July 27, 2016

Passwords: Robust or Not

The single area that continues to contribute to breaches and other system incidents (e.g. ransomware) is the users. The easier attack along this avenue has been phishing. The general format is an email from the employee's "friend" or from someone in "management", on various topics, asking the person to click on a cat picture or a link.
Another form of attack involves passwords. These are intended to protect and secure access to the application. To make a potential breach more difficult to achieve, one method is to have the users make their passwords more robust. Although this is a grand plan, the policy is not always followed. Lists are published annually showing the most commonly used passwords, and these show the feeble passwords presently in use. Recently there have been many high-profile instances of this. Most of these have resulted in significant losses to the entity and to confidence in it. A less detrimental issue was Facebook CEO Mark Zuckerberg's social media accounts being breached due to a weak password (dadada). Of all people, this was substantially surprising. Other breaches with vast liability attached to the users' password failures are by far more common. For instance, the latest two large breaches would be the Anthem breach, arising from several employees' credentials being stolen, and the infamous Office of Personnel Management (OPM) breach, from a contractor's credentials. Earlier notable breaches are the Evernote issue with 50M credentials and Adobe's with over 38M credentials being compromised.
Passwords need to be robust and deliberately crafted. This includes a length of at least 12 characters, a varied composition, and the avoidance of patterns that could be easily recognized after looking at the password briefly (e.g. a person walking by and glancing at the screen should not be able to recognize it as a password).
Users need training or a meeting to internalize a better appreciation of the process and of what could happen with a poorly constructed password.
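The policy described above (at least 12 characters, varied composition, no easily recognized patterns, nothing from the published common-password lists) can be turned into an automated check at account-creation or password-change time. The following is an added example, not code from the original post or from Miel, LLC; the short common-password list, the keyboard rows and the pattern heuristics are all constructed here for illustration, and a real deployment would load a full published list rather than this excerpt.

```python
import re
import string

# Constructed excerpt standing in for the annually published
# "most commonly used passwords" lists the post refers to. A real
# deployment would load a complete published list instead.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "123456789", "12345",
    "1234", "111111", "1234567", "dragon", "123123", "baseball", "abc123",
    "football", "monkey", "letmein", "dadada",
}

# Keyboard rows used to catch sequences such as "qwerty" or "asdfgh".
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

MIN_LENGTH = 12   # the post's stated minimum length
MIN_CLASSES = 3   # how many of lower/upper/digit/symbol must appear (our choice)


def char_classes(pw: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ])


def repeated_unit(pw: str) -> bool:
    """True if the password is one short unit repeated, e.g. 'dadada' or 'abcabcabc'."""
    n = len(pw)
    for unit_len in range(1, n // 2 + 1):
        if n % unit_len == 0 and pw[:unit_len] * (n // unit_len) == pw:
            return True
    return False


def keyboard_run(pw: str, run_len: int = 4) -> bool:
    """True if the password contains run_len adjacent keys from one keyboard row,
    in either direction (e.g. 'qwer' or 'rewq')."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run_len + 1):
            seq = row[i:i + run_len]
            if seq in low or seq[::-1] in low:
                return True
    return False


def evaluate_password(pw: str) -> list[str]:
    """Return the list of policy findings; an empty list means the password passes."""
    findings = []
    if len(pw) < MIN_LENGTH:
        findings.append(f"too short: {len(pw)} < {MIN_LENGTH} characters")
    if char_classes(pw) < MIN_CLASSES:
        findings.append(f"too uniform: uses {char_classes(pw)} of 4 character classes")
    if pw.lower() in COMMON_PASSWORDS:
        findings.append("appears on the common-password list")
    if repeated_unit(pw):
        findings.append("is a short pattern repeated")
    if keyboard_run(pw):
        findings.append("contains a keyboard sequence")
    if re.search(r"(.)\1{2,}", pw):
        findings.append("contains three or more identical characters in a row")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates, including the weak example from the post.
    for candidate in ("dadada", "Qwerty123456", "Tr0ub4dor&3", "correct-horse-battery-99X"):
        result = evaluate_password(candidate)
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

Returning every finding rather than a single pass/fail lets the enrollment form tell the user exactly which rule was broken, which is the feedback that makes a policy followed rather than merely published. A check like this belongs alongside, not instead of, a lookup against a large breached-password corpus.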

Miel, LLC Infosec Managed Services & Consulting


810-701-5511

charlesparkerii@gmail.com

It is not about winning or losing, but reorienting yourself to the real problem: managing the risk across the enterprise.

