Looking at the list of 2016’s most common passwords, we couldn’t stop shaking our heads. Nearly 17 percent of people are safeguarding their accounts with “123456.” What really perplexed us is that so many website operators are not enforcing password security best practices.
Using external, public data sources we scoured 10 million passwords from data breaches that happened in 2016. A few things jumped out:
The list of most-frequently used passwords has changed little over the past few years.. That means that user education has limits. While it’s important for users to be aware of risks, a sizable minority are never going to take the time or effort to protect themselves. IT administrators and website operators must do the job for them.
Four of the top 10 passwords on the list – and seven of the top 15 – are six characters or shorter. This is stunning in light of the fact that,as we’ve reported, today’s brute-force cracking software and hardware can unscramble those passwords in seconds. Website operators that permit such flimsy protection are either reckless or lazy.
The presence of passwords like “1q2w3e4r” and “123qwe” indicates that some users attempt to use unpredictable patterns to secure passwords, but their efforts are weak at best. Dictionary-based password crackers know to look for sequential key variations. At best, it sets them back only a few seconds.
Email providers don’t appear to be working all that hard to prevent the use of their services for spam. Security expert Graham Cluleybelieves that the presence of seemingly random passwords such as “18atcskd2w” and “3rjs1la7qe” on the list indicates that bots use these codes over and over when they set up dummy accounts on public email services for spam and phishing attacks. Email providers could do everyone a favor by flagging this kind of repetition and reporting the guilty parties.
We can criticize all we want about the chronic failure of users to employ strong passwords. After all, it’s in the user’s best interests to do so. But the bigger responsibility lies with website owners who fail to enforce the most basic password complexity policies. It isn’t hard to do, but the list makes it clear that many still don’t bother.
Here are the results and additional analysis of the study:
Methodology and other notes:
This study included 10M passwords across a variety of data breaches that occurred in 2016 (Breaches that were announced in 2016, but actually occurred prior to 2016 were not considered for this study)
Outliers (passwords that only appeared in 1 breach) were not considered for this study
The password “mynoob” only occurred in two breaches, which were gaming-related sites
The speed of a successful brute force attack depends on processing power
Keeper is zero-knowledge and has no access to user data (therefore Keeper data was not used in this study)
The new year is the time for resolutions, and what better way to enhance your peace of mind than to resolve to improve security? Here are some life hacks – or strategies to manage your life more efficiently – that you can adopt to improve online security, safeguard your home and protect your personal information. All are free or cost only a nominal amount.
Adopt two-factor authentication
If you read this blog regularly, you know about the benefits of using two-factor authentication (2FA). Adding a second layer of protection via a challenge question, hardware device or code sent to your mobile phone improves security by orders of magnitude.
The number of online services that use 2FA is still abysmally low, but it’s growing. The crowdsourced Two Factor Auth list tells you which websites support 2FA and what tools they use. For those that are still stuck on simple password protection, there are links to Facebook, Twitter and email accounts you can use to encourage them to get on the ball. The transportation industry still has a lot of work to do.
See if you’ve been compromised
With online credential theft now nearly an everyday occurrence, you can never afford to be complacent. These four sites help you learn if you’re a victim.
Have I Been Pwned? is a database of nearly two billion credentials from more than 165 hacked websites and password files. Plug in your email address and find out if your username and password may be in play. The site won’t fix the problem, but at least you’ll know where you may be vulnerable.
BreachAlarm is a similar service that includes a subscription component to notify you immediately if your name shows up on a compromised list.
Sucuri is great if you own one or more websites. Plug in the URL and it’ll scan your site for malware and also check you against blacklists.
The Internet of Things Scanner checks your internet-connected devices against the Shodan IoT database. If your devices are there, they’re accessible to the public – and to criminals.
Change of habit
Do you use public Wi-Fi in a coffee shop or library? If so, there’s a good chance the connection isn’t secure and someone sharing the network can steal your keystrokes. At the very least, make sure you use the “public network” option when connecting, turn off sharing and enable your firewall. Here’s an excellent tutorial on how to stay safe on public Wi-Fi.
What would you do if your wallet and all your credit cards were lost or stolen? It takes hours to track down all those account numbers and call all those customer service numbers. Save yourself the hassle by scanning the front and back of each credit card and emailing the scans to yourself. Use the subject line to identify the credit card and you will never have a problem looking up the account or 800-number.
A Redditor suggests that you change the way you think about security challenge questions. It’s so easy these days for attackers to find out information about you that details like your mother’s maiden name or your high school mascot are no longer very effective. Instead, treat them as a second password by adding
numbers or gibberish letters that make your answers impossible to guess. Or choose a response that makes no sense as answer to the question. Was your first pet really named Hong Kong?
Create an email address on a public service like Gmail or Hotmail that you use just for filling out forms on sites you never want to hear from again. You can then create an email filter that sends all communication to that address directly to the a seperate folder or the trash. Or if you really never want to hear from the site again, use 10 Minute Mail to create a temporary, self-destructing email address.
Never store credit card numbers on e-commerce sites. The minor convenience you gain is more than offset by the risk of having the customer database hacked.
Protect your privacy
When was the last time you reviewed your privacy settings on social networks? Cybercriminals love social profiles because they serve up all kinds of information that can be used to hack online accounts and even tip off burglars when you’re not home. AdjustYourPrivacy.com has links to the privacy pages of most of the major social networks. It also shows you what the world sees when it looks at your public Facebook page. And it has a cool list of search engines that will show you what’s out there about about yourself.
Here’s a great idea from Reddit for how to find out who’s selling your information. When you fill out a web form, use the name of the website as your first or middle name. That way you’ll immediately know who’s responsible for spam or unwanted promotions.
How much do you love tele- and robotic marketers? We thought so. Ban them forever by signing up at Nomorobo. The service keeps a massive list of known telemarketing sources and automatically sends their calls to a voice message telling them to get lost. A single land-line is free.
Physical Security
If you’re going away on vacation for two weeks, don’t brag about it in public on Facebook. If you just can’t resist, at least review the post privacy settings to limit visibility to your close friends.
While you’re away, make sure your house looks lived in. Have your mail held and lawn mowed. Leave on a couple of lights and a TV or radio. Ask a neighbor to park a car in your driveway. Ex-burglars say that’s one of the most effective deterrents you can use.
If you want to really get fancy, trace the outline of a body on a large piece of cardboard. Cut it out and lean it against a chair or window. Close the blinds and it’ll look like you’ve got your own personal security guard.
Even if you don’t have a home security system, you should put up signs and stickers saying that you do (you can easily buy them online). You’ll make burglars think twice. Throw in a couple of “Beware of dog” signs while you’re at it.
If you visit Troy Hunt’s website –Have I Been Pwned.com – and read the often-voluminous posts on hisblog, you might think he has time for little else. But the sites are just a sideline for Hunt, an Australia-based Microsoft Regional Director and MVP whose primary business is training security professionals.
Have I Been Pwned is a free resource that people can use to find out if they have been put at risk due to a data breach. As of this writing, it includes authentication data from 166 compromised websites and nearly two million accounts. Type in your email address or username and find out if you’ve been a victim (the site stores no passwords).
Hunt launched the site after 153 million Adobe accounts were breached in late 2013. He noticed that the same accounts – and passwords – were showing up across multiple incidents. He began acquiring usernames of accounts that had been compromised so people could easily learn if they’d been victimized.
Have I Been Pwned gets tens of thousands of visitors each week, and Hunt’s mailing list is approaching one million names. He uses the insight he gains from the constant back-and-forth with visitors and contributors to improve his coursework and build his profile as a security expert. It’s working; Hunt has been quoted dozens of times in global media outlets, and his blog is a must-read for people who care about cyber attacks.
We caught up with him via Skype.
This site would appear to require a huge time commitment on your part. How do you fit it in with your day job?
It’s complementary to my main business of security training. Companies tell me their goal is not to end up on the website! The time commitment can be as much as a day each week, but I also get a lot of useful information. Recently, I got 75 notifications of new breaches in one day.
For example, I learned about abig data leak at the Red Cross Blood Service in Australia that was caused when someone inadvertently published information from a database on a public web server. The same week there was another incident with a major international brand having data exposed on a website because of a partner screw-up. This is the type of thing that comes in multiple times a day.
Why do people share this information with you?
They have all kinds of motivations. I get answers varying from exploiting the company to getting a leg up on a competitor to wanting to sell the data. Very often, no one thinks there’s anything wrong with what they’re doing. I want to tell them that they should go to their room and think about it a bit. They’ve got their hands on deeply personal information and they have no idea what that means.
Where do you get your source material?
It’s almost always someone sending me data. Some people send me dozens of files or a link to a folder with huge amounts of compromised data. Often that data is fake, so I troll through and try to verify it. Other times I get data that’s broadly redistributed – like theAshley Madison database.
Are you surprised by the reactions from companies that have been breached?
The most positive reaction I’ve seen was from the Australian Red Cross. I got an appreciative call from the CEO. That’s what I like to see: ethical disclosure.
Then there are folks like Nissan, which had a vulnerability in their API that let attackers take control of their vehicles. At first, Nissan didn’t want to hear about it. They only came around reluctantly.
What response do you get from people who use the site to see if they’ve been pwned?
It’s 99.99% positive. I’m careful about what data I expose. You can’t search the Ashley Madison list, for example. I’m also careful not to reveal email addresses or passwords.
What has running the site taught you about the state of password security?
That some woeful practices are the norm rather than the exception. People defer to the lowest common denominator of password strength. There’s a prevalence of the “123” passwords.
Also, surprisingly few companies use multi-step verification, even though it’s a great protection against credential theft.
What is your opinion of the various alternatives to password security?
Nothing is without trade-offs. There’s password-less login via email, but emails can be delayed. QR codes can be used for authentication, but that’s asking people to do something they’re unfamiliar with. Whenever we ask people to learn an entirely new method, it’s a problem.
I love biometrics, picture logins and PINs on Windows 10. All are great, but none of them remove the underlying weakness of the password.
What do you think are the most effective steps organizations can take right now to improve security?
Better training, particularly for software developers. While I obviously have a vested interest in saying that, systems are nearly always compromised by a flaw in a process. If you give developers the knowledge to write secure programs, they’ll use it for the rest of their careers. So why pay a penetration testing company $20,000 if developers are just going to make the same mistakes again?
If you address problems when the software is being written, you get a massive benefit across the lifecycle. We understand how SQL injection and cross-site scripting works, but we still create so much stuff that’s vulnerable. The problem is education.
What has been the most rewarding aspect of running this site?
A big one has been the messages I get from people who say they wouldn’t have known about their exposure without it. I’ve also learned an awful lot about how breaches happen and about scaling a service to tens of thousands of users. One of my objectives has been to run the whole thing for less than what I spend on coffee. Using Microsoft Azure, I’ve been able to build something at scale and do it cost-effectively.
What have been the biggest surprises?
That I’ve never had any legal threats [laughs]. I suppose that’s because I’m transparent. I jump on the phone with anyone who’s concerned. The volume of interest has been a surprise. I now have about 830,000 verified subscribers, and I expect that to be one million by Christmas.
The amount of interest from enterprises and commercial vendors has been surprising, such as security companies wanting to make the API part of a commercial service. I’ve done some of these deals to build leverage.
What has HaveIBeenPwned.com done to your visibility in the security community?
After a large incident, I often get up to a dozen press calls. I get a lot of offers to speak, many of which I have to decline. That said, I’ve had five international trips this year that involved speaking.
How do you manage to blog so prolifically?
I get up very early. I often blog when I have an itch to scratch, such as when I took my iPhone in for service and they wanted me to unlock it so they could work on it. Or it’s something that I just find fascinating. I’ve found that when I write about something, I understand it better. It’s part of my learning experience as well.
2016 will go down as yet another banner year – unfortunately – for hackers and data thieves globally. This article looks at some of the successful attacks while probing for patterns and trends in cybercrime.
Big target on the IoT: The Dyn DDoS attack. Our blog on cybercrimepredictions for 2017 forecasted increasing efforts of hackers exploiting fundamental weaknesses in the fast-growing Internet of Things (IoT) environment. For the first time in a major attack, hackers in the Dyn DDoS attack didn’t go directly at the servers of their target. Instead, they compromised some 100,000 IoT devices possessing weak default passwords, creating an enormous botnet, which then slammed the real target.Some evidence suggests the attackers were just firing a warning shot with this attack, as they could have compromised 500,000 devices just as easily. The obvious lesson here: Use the same password best practices on IoT devices as you would for any other digital device or endpoint. That means changing the default password to a strong, complex password.
Passwords, get your stolen passwords right here! Literally millions of stolen passwords went up for sale on thedark web this year, some of which were stolen in previous years. In May more than 400 million passwordsstolen previously from MySpace went up for sale to the highest bidder. What’s more, the same hacker who listed the MySpace passwords put another 100 million passwords up for sale that were previously stolen from LinkedIn. There is every reason to expect that stolen information will increasingly be put up for sale. These incidents highlight the great importance of frequently changing passwords and not reusing the same passwords for various accounts. Warnings to do so are coming fromall over the globe. As onemajor cybercrime study showed in 2016, 63% of successful data breaches involved weak, default or stolen passwords.
Life of the Party: The DNC hack. Considerable questions remain as to exactly who was behind the epic successful attack on the servers belonging to the Democratic National Committee. What is not in question is the damage done to the Democratic Party and to the reputations of a lot of political higher-ups. It is entirely possible the success of this attack and the apparent ease with which it was pulled off will only encourage more such geopolitical cybercrime. In fact, a couple of months after the DNC break-in, the FBIalerted officials in two states that hackers were targeting their election systems. The hackers were into the DNC computers for an entire year before they were discovered. Sophisticated phishing techniques were likely used to pry open the doors. The rest is history.
Simply shocking! Electrical grids in hackers’ crosshairs. As devastating as theattack on the Ukrainian power grid was, it may have been just the canary in the coal mine in terms of what is to come. The simple fact is that power grids around the world are extraordinarily ripe for cyber assaults, such as those in most all of Southeast Asia, where much of the computerized instrument control infrastructure is extremely vulnerable. The attack in the Ukraine was as sophisticated as it was brilliantly planned and executed. But a not-so-sophisticated phishing campaign using infected Word documents was all it took to put the whole mess in motion.
Yahoo times 500 million. The devastating attack on Yahoo happened two years ago, but the extent of the damage and actual revelation of the attack didn’t happen until 2016. It isn’t that Yahoo wasn’t aware that more than500 million records were compromised in the attack. The company just chose not to tell anyone about it, despite having been for sale for the last year. The important takeaway here is that it is likely governments in general and regulators too are going to double down on requirements of just what must be disclosed when a breach is detected, and when. Shareholders, consumers, suppliers and others feel they need protection when some of their data may have been compromised in a breach. The year ahead may well bring them some much-needed relief in this regard.
Hospitals: Pay up or else. Starting early in 2016 and continuing throughout the year, hackers conducted a series of successful ransomware attacks on hospitals throughout the world. The attacks typically began on a single server but then quickly infected the entire network, eventually affecting multiple systems. Demands at times were modest, as low as $1,600 for system restoration. Hospitals are relatively easy targets, often lacking layered security-centric protocols,according to some experts. Expect regulators to take a hard look at hospital security practices.
Threatpost breaks with the conventional wisdom that an information service funded by a technology company is inherently biased. The independent news site is owned by Kaspersky Labs, but its reputation as an authoritative, independent source of cyber security news has been endorsed by such leading news outlets as The New York Times, The Wall Street Journal, MSNBC, USA Today and National Public Radio. Hundreds of thousands security professionals regularly visit Threatpost for the latest breaking news.
Editor-in-Chief Mike Mimoso leads a small team of reporters who collectively turn out a huge volume of information. A veteran journalist with more than a decade of IT security news reporting, he was previously Editorial Director of the Security Media Group at TechTarget and Editor of Information Security magazine where he won numerous national and regional awards.
In this interview, Mimoso talks about Threatpost’s mission and the changes he’s seeing in the security landscape.
Who’s the target Threatpost reader?
Threatpost’s audience is pretty technical. We reach a lot of white-hat researchers, people working for vendors or independently, who spend their days looking for vulnerabilities in products and hopefully disclosing them so that issues can get fixed in a timely manner. IT and security managers read us, as do an increasing number of people focused on privacy.
What are the most important changes you’ve seen in the cyber security landscape over the last couple of years?
The rapid acceptance and understanding of the need to encrypt data and keep communication between businesses and individuals secure, even secret. The last few years have opened my eyes to the fact that encryption is about far more than keeping Amazon or PayPal or banking transactions safe. A lot of people around the world rely on encryption to communicate in locations where freedom is scarce. It’s encouraging to see how many of them have gravitated toward using encrypted technologies, particularly secure messaging apps.
Would you say we’re gaining or losing the battle against cyber attackers, and why?
I don’t think defenders will ever catch up to those people on the offensive side of security; they’re just in too reactive of a position. Hackers aren’t hamstrung by regulations, laws and oversight. They run freely because the law is woefully behind. International cooperation between law enforcement agencies has improved, but still has a long way to go.
What recent story alarmed you the most and why?
That would have to be the recent distributed denial of service (DDoS) attacks that were carried out using unsecured IoT devices. Who would have thought a DVR or closed-circuit camera connected to the Internet could be used to impact Internet service on the East Coast? But that’s exactly what happened, and I’m not sure how that situation is going to be addressed. Many of these IoT devices are out there with no authentication—or very weak authentication—and it’s child’s play for hackers to use them in this way.
What recent story gave you the most cause for hope?
A year ago, there was a lot of worry about theWassenaar Arrangement among researchers who look for bugs in products. The rules were about to be implemented in the U.S., and they would severely impact how vulnerability information was shared and whether bugs would get fixed at all. Many “nerdy” researchers stood up and turned into advocates to let people in charge know what a bad idea this was. And it worked. The rules have been up for revisions for months. It’s good to see people stand up and make a positive change.
What makes the computer security field different from other IT disciplines?
It’s such a moving target. Every day there is a new risk – from ransomware to gaping holes in long-standing open source software – and it’s difficult to prioritize investments and manage risk.
From a computer security standpoint, how do organizations most often shoot themselves in the foot?
By failing to keep up with the basics, like keeping operating system and third-party software patches up to date. We write about so many so-called “sophisticated” attacks, but the vast majority of successful hacks are against unpatched software that’s running across platforms.
What’s one big misperception people have about cyber security that you’d like to set straight?
The biggest misconception is that security is a hindrance to business. That attitude is starting to shift, I think, but there are plenty of places where security is a differentiator that actually makes a company more desirable to do business with
Threatpost is a top source of security news, but you must get your tips and ideas from somewhere. What are your best sources?
Security people have gravitated to Twitter, for better or worse. If you follow the right people on Twitter, you get a pretty accurate feel for what’s happening. There are a few good sub-Reddits that also share decent technical information.
What’s one big story or package of stories of which you’re most proud?
We did a lot of solid reporting earlier this year on the controversy about Apple and the FBI over the dead terrorist’s phone. There were a lot of implications to that story beyond the technical issues of accessing the device that we touched on while a lot of other outlets didn’t. Of late, ourcoverage of the IoT botnet DDoS attacks was pretty solid too.
The three people on your staff produce an enormous amount of news. How do you keep things straight between you?
We each have our strengths and complement each other well. Threatpost has been around since 2009 and it’s always had great internal support. Kaspersky has been smart enough to hire competent, well-regarded security journalists to keep the quality of content high.
Complete this sentence: I know it’s been a good day when…
We can post three or four well-reported stories that aren’t just a rehash of what’s been reported elsewhere. A lot of traffic helps too
It’s the holiday season, and at Keeper that means our thoughts turn to security. Actually they turn to security every other time of the year, too, but now is when we think about what we could give that’s a little different. If you’re a Keeper customer, you already have password security covered. Here are some items that can enhance your digital and physical well-being in other ways.
Think your credit cards are secure and your phone is safe just because you carry both around in your pocket? Cyber thieves laugh at your confidence. They long ago figured out how to read the magnetic stripes on your credit card while it’s still in your wallet. They can read the new chip-enabled cards now, too, with about $350 worth of electronics.
Many accessories are available to protect yourself, but we chose Silent Pockets because they’re available in a variety of sizes to protect credit cards, mobile devices and tablets from wireless, cellular, GPS, WiFi, Bluetooth, RFID, and NFC hackers. They’re kinda stylish, too. $12.99 – $219.99
Shredders are expensive, noisy and messy. Plus, why would you want to shred a whole file of documents just to protect the Social Security number on page 3? These rubber stamps let you blot out sensitive information instead of shredding. They use a specially crafted pattern that makes it impossible to see the information printed underneath. They’re cheap, portable and kinda mesmerizing when you stare too long at the pattern. $12.99
Satisfy your inner Hulk and keep your data safe at the same time. The Sledgehammer applies a “staggering 6,000 pounds of force to a conical punch causing catastrophic trauma to the hard drive chassis while destroying the internal platter.” We get the shivers just thinking about it. You can also use the Sledgehammer to remove inner metal hubs and springs on backup tapes prior to feeding them into a tape disintegrator, which is an item we’re definitely putting on our shopping list for next year. $1,038.00
Carrying credit cards in a wallet shoved into your back pocket is both dangerous for your personal privacy and potentially bad for your health (seriously, it’s called Piriformis Syndrome). So two guys used an overfunded Kickstarter campaign to develop this idea, which that we think is flat-out brilliant. Seriously, any idiot can lift a wallet out of your back pocket, but stealing from your belt buckle? That involves familiarity. Plus big belt buckles make you look like a bad-ass. The buckles use a tapered design that can hold up to five cards without risk of falling out, the company says Dozens of designs are available ranging in price from $39.95 to $94.95.
The developers of this innovative wearable raised £640,000 on a £20,000 ask, so we figure they’ve gotta be doing something right. And from looking at the feature list, we have to say they are. The design of this backpack cleverly hides the zippers against the wearer’s back, making it impossible for a thief even to find them, much less open them. It features a cut-proof, water-resistant material that also repels stains and spills. Three hidden pockets provide quick access to small items like credit cards and transit passes. Inside, the storage area is designed to accommodate a variety of high-tech gadgets. There’s even an external USB port for charging your smartphone on the go. The company says the design distributes weight optimally to make the backpack feel 20% lighter than conventional backpacks. $95
Okay, okay, the last thing the world needs is another flash drive, right? Especially a paltry little 16GB one. But the Cryptex is so cool looking that you might want to shell out the 48 bucks just to show off your inner steampunk. Inspired by Leonardo da Vinci designs, The Cryptex packs a pretty good security punch, too. It comes with a five-digit combination preset to a number that the user can’t change. With its leather strap, it’s a stylish, if somewhat 15th-century, fashion accessory. $47.95
If you’ve ever tried to use your smartphone or tablet while wearing gloves you know it’s, well, impossible. That’s because touchscreens use capacitive sensing, which requires the use of a conductive input mechanism. Skin is a conductor; wool is not. There are lots of gloves that you can use with your smart phone, but we like the Glider Gloves because of their excellent warmth and stylish look. The fingers are woven with a blend of nylon, acrylic, spandex and copper wire to give you excellent phone performance without the risk of frostbite. The company is based in Toronto, so they should know what they’re doing. $29.99
The problem with most home alarm systems is that they only tell you that your house is being burglarized after the burglar is inside. This gives you time to hide under the bed while your unwanted guest takes all your jewelry. How about an antitheft system that’s a little more…offensive? That’s the Burglar Blaster. Powered by eight C-cell batteries, it responds to an unwanted intruder by first sounding an alarm and then releasing four ounces of pepper spray at face level. The thief will then either flee the scene retching and screaming or come looking for the jerk who did this to him. Those are the risks you take. $595
Tech support people are notoriously shy, so here’s a way they can express themselves with the media they favor – cotton. This t-shirt is the perfect holiday gift for the frontline security technician who’s had enough bozos for one week. $7.99
Billed as the finest luxury safe in the world, The Fortress carries a VdS/EN V security rating, which is said to be the highest standard offered by Europe’s VdS Schadenverhütung GmbH certification agency. It can be connected to a burglar alarm and comes with $1 million in insurance coverage. Only 10 are made for each security class. It’s controlled by eight watch winders, providing an infinitely adjustable number of rotations. And if that isn’t enough, you can set the direction of the rotation to left, right or oscillating. What really got our attention, though, is the integrated humidor drawer. $128,800
With a new year just over the horizon, we asked six security experts for their views and opinions on what events and trends will unfold in 2017 in the cyber security space. These are people that have spent a great deal of time and energy on the front lines of the contemporary threat environment.
1) Cyber attacks and data breaches within small and medium-sized businesses (SMBs) will dramatically increase in 2017. SMBs need to invest in strong security defenses or risk going out of business. A study sponsored by Keeper Security and conducted by the Ponemon Institute titled, “2016 State of Cybersecurity in Small and Medium-Sized Businesses,” found that 55% of SMBs have experienced a cyber attack in the past 12 months. According to the U.S. National Cyber Security Alliance, 60% of small companies were unable to sustain their businesses more than six months following a cyber attack. A cyber attack costs a company $4 million, on average. With 71% of all cyber attacks targeting small businesses with fewer than 100 employees, it’s imperative that SMBs strengthen their defenses or risk going out of business.
-Darren Guccione is the CEO at Keeper Security, the leading secure password manager and digital vault for businesses and individuals
2) The death of passwords will once again be greatly exaggerated. I have always been fascinated by predictions of the year ahead and of the future. So my only prediction is that everyone who predicts the death of passwords next year will be wrong again, just like the past 10-15 years or so! One tip I have for next year is to write password policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it.
-Per Thorsheim is one of the world’s leading password consultants and founder of thePasswordCon twice-annual conference.
3) IoT has a big target on its back – watch for highly targeted attacks. As shown clearly by the bigDyn attack, the Internet of Things will fast become a major security concern in the year ahead. Many of these interconnected devices come with poor security, and attacks on them will result in new loss scenarios. The big loss issue of course is privacy. But with the IoT and all its home devices, medical devices, even home appliances, the different loss scenarios will include bodily injury and property damage. Liability lawyers will go after everyone associated with these breaches. This will include the manufacturer, and possibly even the person who is using the IoT device. Router makers could face exposure they never imagined.
The chief concerns regarding cybersecurity in the past several years have centered on privacy and ID theft. Going forward there will be greater probabilities of targeted attacks around network interruption and specific company systems because everything is so greatly interconnected. Think of a targeted attack on a key element of a global supply chain in a just-in-time manufacturing scenario, where all links in the supply chain are highly interdependent on one another. These attacks will be motivated by those seeking ransomware, as well as those just seeking to do a lot of damage – possibly working for competitors. We could see more environmentalist groups attacking oil and gas operations, possibly even the electrical grid. Imagine an animal rights group hacking into a commercial farming operation, compromising the security system, and turning all the pigs loose.
-Steve Bridges is SVP at the Cyber/E&O Practice atJLT, the world’s largest specialty insurance broker with a specific focus on cyber errors and omissions management liability
4) Exploiting workers via social engineering through their personal social media accounts at work. Social media seems harmless enough especially when your employees stick to using it for personal reasons. But it can indirectly be responsible for critical security breaches. With some social engineering and patience, an attacker can use persona social media profile information to gain access to your corporate network. The attack is completely outside of your control and uses a combination of social engineering and phishing techniques. It is fairly easy, asthis blog shows.
The best advice is to educate users on the dangers of social media and phishing emails. You can install software on our email servers that check attachments for malicious content. And some email administrators simply block all executable attachments.
-Terry Kurzynski is a security consultant atHalock, a U.S.-based information security consultancy.
5) We’ll see FIDO come front and center. The Fast IDentity Online Alliance (FIDO) is a non-profit organization formed four years ago to address the lack of interoperability among strong authentication devices as well as password problems users face. In 2017 we’ll see the beginning of theFIDO impact. This will include protocol improvements, as well as support across multiple platforms and devices. And this accordingly will challenge enterprises, governments, and end-users to explain why they aren’t adopting FIDO authentication or similar technology to replace or modify failing access controls.
-John Fontana is an Identity Evangelist atYubico, the creator of the YubiKey, a small USB and NFC hardware two-factor authentication device.
6) Is a full-scale cyberwar looming? My primary prediction for 2017 is the escalation of skirmishes like theinfamous hack of the Democratic National Committee to gradually escalate to an overt, international incident. While the term cyberwar is thrown around a lot, we’re seeing all the major signs and lead-ins to what will be the first major cyber clash between two or more world powers.
-Ben Caudill is founder and CEO of Seattle-basedRhino Security Labs, where he still does penetration testing as well as application security assessments.
Per Thorsheim, 45, has a self-described “insane” interest in passwords. As one of the world’s foremost security consultants focused solely on passwords, Thorsheim is the founder of PasswordsCon, the respected academic conference where international password security experts gather twice per year in Las Vegas and Europe. He spoke with us from his home in Bergen, Norway. What ignited this enthusiasm and passion you have for password technology? In 2001 I was working for PwC doing penetration testing on an office of a Fortune 100 company. We gained building access by wearing black suits and saying we were auditors. By 8:30 a.m. we got into the company system via a simple RJ45 Ethernet wall port. We quickly identified a list of all user account names in their entire domain and began trying to gain access to their accounts with two dummy passwords: the company name and ‘password’. One user of the ‘password’ password was a member of domain administration root in their Windows domain. Just like that, we had access to the entire company, a Fortune 100 company no less. That haunted me. The rest with me is history. With everything we know about the dangers of poor password practices, why is there so much bad password ‘hygiene’ today? It really is not difficult to get to a secure level of password practice, but there are real challenges getting there. Several years ago I was helping my mother, a retired nurse, with a computer problem on her work laptop. She told me her password and I was shocked as it was one of the easiest to hack. I asked her why she uses it and she said, “Because our system and the IT people at work accept it.” That is, it met their minimum standards. So when people blame end users for bad password practices, that is just wrong for the most part. Organizations need to look at their own policies and rules. So end users do what is easiest for them? Of course. They want to get their job done, right? Imagine if they have to change passwords every month and create multiple passwords that no one could possibly remember. Research in Sweden and Norway puts the number of passwords needed to access all different systems for people over 18 years old at 20-25 passwords! So password practices come down to a matter of usability. If it gets in the way of people getting their work done, of course they will default to the easiest practices available. Such as using the same password for multiple systems? Yes, but don’t necessarily believe all the statistics and research you read about that. I have done both anecdotal and online research into this matter. What I found is that users often think they are using the same password, say Wednesday1. But in fact use a variant to get into different systems, such as wednesday1 or WeDnEsDaY1. Would you say it is wrong to use the same password across multiple systems? No, not necessarily. I do it. But, I have also undertaken a risk analysis, which is really important for individuals and businesses to do. For example I have several systems here at home in Bergen. They are not interconnected and can only be hacked if someone actually comes to my house and takes them. However I know what is on them, and it isn’t worth taking, like a Linux test system I use. So you need to apply some intelligent risk analysis before you go off crying wolf about all passwords needing to be impossibly long and complicated and unique. That is stupidity and paranoia. On the other hand, with your passwords you have to pay close attention to any compliance or regulations that mandate certain password policies. Some of the things these regulations make you do might seem crazy and over the top. But if you go to court because you haven’t complied, that craziness is irrelevant. All that matters is that you didn’t do what you were told. Do you have general recommendations or a ‘wish list’ for password best practices? Many organizations have different password policies for different systems, with different password length requirements, different password change timeframes, and so on. I see no logical reason for this in most cases. Usability takes a hit as productivity drops and users make call after call to the helpdesk for password support. Implement one password policy across all systems and you’ll get a large productivity gain. Again, it isn’t the end users that are the problem here. It’s bad internal policies. The helpdesk is not the security department. To avoid repeated calls from users who forgot passwords, what will the helpdesk do? They’ll give them easy-to-remember passwords that happen to comply with the policy! Easy to remember means easy to hack. Anything else? Write policies that you can actually enforce and which are auditable. Otherwise, they are useless if a breach happens and you need to defend what you have in place. You cannot do that if you cannot audit it. So you have a policy that says ‘don’t use the same password on multiple systems.” Great. But can you enforce that? Can you measure its effectiveness? No!** Think things through. Planning and common sense will go a long way.
**Footnote from Keeper: Keeper Business provides auditing capabilities to see which employees are using the same password across multiple systems.
What do the words and advice of a former, highly successful CEO of IBM have in common with sound password management? The answer is surprising.
Lou Gerstner, who propelled IBM to nearly 10 years of non-stop growth and prosperity, hasa poignant message for top executives at all companies. When it comes to establishing corporate culture, look at what your actions tell your employees.
As Gerstner says, “People do not do what you expect, but what you inspect.” In other words, senior execs have to walk the walk and talk the talk to get others to follow.
That is certainly the case when it comes to password management. One high-level security consultant tells a story of a recent engagement with a company on which he performed a security audit. The audit uncovered several major security flaws, including poor password management. The consultant was to present the findings to the senior staff, not one day after its CEO had delivered a presentation at a local security conference. All senior staff were present – except for the CEO, who gave no reason for his absence.
“So what’s the message here to the rest of the company execs,” the consultant asks? “It wasn’t a message you’d want the rest of the employees to embrace regarding security!”
Brian Sprang is CIO at Quest Federal Credit Union, where employees have registered a 97% adoption rate for their comprehensive password management solution. Speaking of Quest’s senior managers, Sprang says, “They are proponents of the use of good password security and the tools we’ve provided. All of our executives have been vocal in the use of the tool and understand the vital importance of password security to our daily duties to protect our assets and member personally identifiable financial information.”
So just what should be the role of the top executives with respect to password management? It should be something like this.
Be the chief torchbearer of the message that password security is not an IT problem.
A broad belief that IT will ‘take care of all security’ flies in the face of overwhelming evidence that people, not technology, are the front line of defense against cyber attacks. Whether it is through memos, live at company meetings, via Webcasting or other means, top executives must articulate that password security is the responsibility of each individual. That is the kind of message that conveys both responsibility as well as accountability.
Actively practice what you preach.
As a senior executive, demonstrate your ‘street cred’ when it comes to password security by articulating the steps you have taken to ensure your password isn’t compromised. The simpler the message the better, because password management today isn’t complicated. Let it be known you don’t use the same password for multiple accounts, and that you leverage a password management solution to routinely change passwords.
Stress the value of continuing education about password protection.
As with all cyber security measures, executives should personally issue calls to action encouraging continuing education and training about password security. While these sessions can be led by IT, they don’t have to be. In fact the impact of a training Webcast led by the senior executive can be very effective in elevating employee awareness of the need for password protection. As Sprang notes of the efforts of Quest’s executive team to continuously promote better password management, “I’ve relayed the reports and findings to staff members in my training documents and all staff meeting notes and highlighted the issues regarding weak password and poor password security habits.”
Arm yourself with statistics and knowledge of the cyber security environment.
These training sessions above are great places to talk about recent cyber attacks and their corresponding negative impact on the organization. Most individuals read about the headlines of major attacks against mega-organizations. But with the help of research, such asthis excellent report specifically about the cyber security challenge in the SMB, crime statistics and the impact of cybercrime become a lot more personal. As you will see, this unique report details that passwords are widely held to be an essential piece of the security puzzle. But at the same time, the report shows that 60% of SMB employees use the same password for everything! Snippets such as these doled out by senior executives can be very compelling. At Quest, Sprang says, “I have stressed the use of unique, non-repeating, highly randomized, and maximum length passwords as vital to our security and our member data security.”
If cyber security is mission critical – and it is – then creating a culture of information security is among the most important roles executives can fulfill. And there is no substitution for leading by clear, unambiguous example.
Dr. Michael Pound’s current research focuses on image analysis for phenotyping crops, but you don’t have to be an expert in agriculture – or even computer science – to be frightened by thisComputerphile video in which Pound demonstrates a deep-learning server called Beast at the University of Nottingham. Beast uses four parallel graphics processing units to test 10 billion hashes per second in a brute-force password crack using thehashcat password recovery utility.
In the first 15 minutes, Dr. Pound cracks nearly 30 percent of the entries in a 6,000-password list. He then uses a dictionary attack to reveal nearly half of the passwords in another file. And a computer like Beast costs about as much to build as a standard business server.
We contacted Dr. Pound, who is a computer science researcher and professor at the University of Nottingham, to get his insights on password vulnerability and what security administrators can do to better shore up their defenses. He was generous with his advice.
How did you get interested in this topic in the first place? It seems somewhat tangential to your principal areas of focus.
Like many computer scientists, I find security inherently interesting. In this case, I was asked to teach the core security module at the university, which meant I had to thoroughly explore the area first. I’m continuing to teach this course, so I continue to keep up with modern security concerns as much as possible.
What are the most important messages you hope viewers will take away from the video?
My hope is that people who have assumed that an attack won’t happen to them might take some notice after seeing just how easy password cracking is. I’m not necessarily an expert in password cracking tools, and yet I was able to break half of the passwords in the file within a few minutes. This tells us something about the kind of passwords people use, and about how much work we need to do to educate people on this issue.
The machine you used is powerful, but hardly supercomputer capacity. How much faster could password cracking computers theoretically be?
The only limit is your finances. I think a small cluster of computers could operate perhaps 10 times faster than our server. Then nine characters may no longer be enough. Luckily for us, it’s unlikely that the criminals would bother with this kind of expenditure. There are so many ways to crack passwords even with slow machines that their time is better spent with the most vulnerable passwords, rather than trying to crack that last 25%.
Having looked at thousands of passwords in your research, what do you see as some of the most common mistakes people make?
People make the same mistakes over and over. Aside from the obvious ones, like using your own name or common words, the ways people usually attempt to make a password more secure often offers little improvement. If they add a number, it’s usually a couple of digits at the end. Or they perform a common substitution, like replacing “I” with “1.” The same is true of symbols. Common substitutions like “@” for “a” and “$” for “s” are easily broken, yet people do that because it’s easy to remember.
You called the Rockyou list a “game-changer.” Why do you believe that’s the case?
Prior to Rockyou, attackers had intuition about the kinds of passwords people used, but still had to generate the lists themselves. Usually they’d use common dictionary words with a few rules applied. Rockyou’s list had millions of actual passwords, which can be adapted into millions more through rules changes. The number of possible password guesses that can be generated from this list is massive, and as some of the Rockyou passwords are complex, they lead to the cracking of previously “unbreakable” passwords.
The Yahoo hack is reported to have encompassed nearly half a billion passwords. Do you anticipate any fallout when that list makes it onto the Dark Web?
That would be very worrying. Rockyou may prove to have been more of an incremental change, but a half billion new passwords will allow hackers to break almost anything that doesn’t follow strict security guidelines about length and derivation. The onus will be on users to secure passwords better than ever, and on organizations to apply the best hashing algorithms.
You were pointed in your remarks about the weaknesses of the MD5 hash algorithm. What do you believe is an alternative that provides a baseline of good security?
Most modern hashing algorithms produce hashes of sufficient length to avoid naturally occurring collisions. However, as we saw in the video, we’re not waiting for these collisions to happen naturally; rather, we’re making educated guesses. An important aspect of a modern hashing function is the speed at which we can use it.PBKDF2 will perform multiple rounds of hashing using a hash function likeSHA-256, so as long as the number of rounds is high enough, cracking becomes much more impractical. Other algorithms, likebcrypt, are specifically designed to be a pain to exploit on the GPU, slowing them further. The best advice I can give is to pick a hash function of suitable length and difficulty, then repeat it as many times as possible.
What do you believe is the current minimum safe length for a secure password made up of random characters? Given what you know about the rate of advance in computer technology, what do you think the minimum safe length will be five years from now?
If your password is completely random, and includes symbols, nine characters is probably a safe position to start. Dictionary attacks aren’t effective against random passwords. A brute-force attack might get lucky at nine characters, but it’s not likely. Luckily for us, the difficulty of brute-forcing a password increases exponentially, so while nine characters might be feasible to crack in five years, 10 definitely won’t be. The vast majority of my random passwords are 12 and 16 characters long, and I use a password manager to make sure I keep track of them.
Why are dictionary cracks more effective than brute force cracks?
Since people often don’t use truly random passwords, dictionary attacks can be brutally effective. While a brute-force attack becomes challenging at eight characters – and impossible at 10 – no such restriction affects dictionary attacks. If your password comprises smaller parts, each of which happens to appear in the dictionary, it could be cracked even at 20 characters or more. As always, avoiding common words and digit combinations can help a lot here.
It’s been said that quantum computers will be able to crack 512-bit encryption algorithms in seconds. Once those machines are commercially available, will passwords even be viable anymore?
Luckily for us, and perhaps counter-intuitively, many hashing algorithms can stand up to quantum attacks. Quantum computers aren’t simply computers that run very fast; they have a unique architecture. While they are capable of quickly solving problems like integer factorization, which lies at the heart of RSA encryption, they can’t cycle through bcrypt hashes much faster than a modern machine can.
This is good news, but your system is only as secure as its weakest link. If your key exchange and encryption algorithms are compromised, then the security of your password in transit is lost. Researchers are focusing their efforts on “post-quantum” cryptography, in an attempt to move towards algorithms that resist this new technology.
Any other advice for security administrators?
I would advise administrators to begin moving away from the old security models that force users into large character sets and frequent password changes. A better approach is to educate users in the use of random and unique passwords, and provide them with access to password management software to help them. If a company enforced the use of password management software for all employees, I’d guess that we’d find the instances of weak and forgotten passwords would decrease significantly.
