Passwords an Overlooked Security Strategy
Despite spending major amounts of money to secure data and applications, organizations that rely on electronic media are missing the boat when it comes to the most important aspect of network security. Poor use and choice of password is one of the chief headaches for the IT sector. Password hacking is a growing industry.
In some countries, like Russia and China, hacking passwords is a business. Hackers get through the defenses of businesses that collect and store critical personal information. They gain access to bank accounts, credit cards, and other sensitive personal information and exploit it either personally or sell it to someone else.
"In 2011, one of the most notable trends was the targeting of customer records; 89% of attacks were focused on obtaining personally identifiable information, credit card data and other customer data," states the Trustwave 2012 Global Security Report.
But part of the problem inherent in network security is the sheer number of access codes the average person needs to keep up with. Randy Nash writes at Net Security, "As our society becomes increasingly wired we need to remember an increasingly large number of accounts, PINs, and passwords. I have at least 7 different email accounts, multiple network account/password pairs, building access codes, and bank PINs. Then there are my many various web access accounts."
Most users base their login on easy-to-remember information, which cuts down on the number of sign-on codes a person has to keep track of. Setting a personal access code to be a pet's name, spouse, or a combination of name and birthday or other important anniversary is very common too. It's just easier to remember.
Unfortunately, easy to remember also means easy to hack. The information that such access codes are based on is easy to find on the Internet these days, thanks to websites like Zabasearch.com. Furthermore, with more people sharing intimate details on social media websites, obtaining personal access codes based on personal information merely requires a little time and patience.
Some commonly used code words are not based on personal information; but because they are common, hacking them is still easy. In a report on sign-on hacking, ZDNet reveals just how easy this can be: "[I]n many cases, thanks to lax or well-known default passwords, companies made it relatively easy for hackers and attackers to break in, and they didn't even need to use sophisticated methods of attack." In fact, the secret code most widely used across the sites studied by Trustwave was "Password1."
It doesn't matter how secure the firewall is or how locked down the systems are if the code to access everything is "123456789." If that's your personal access code, or some variation of it, you are not alone.
This post was written as part of the IBM for Midsize Business program, which provides midsize businesses with the tools, expertise and solutions they need to become engines of a smarter planet. Become a fan of the program on Facebook. Follow us on Twitter.