Every day we read about an incredible number of successful attacks and data breaches that exploited weaknesses in authentication mechanisms, in practically every sector. Often critical control systems are exposed online protected only by a weak password, in many cases the factory default. Poor behaviour on the part of users and the absence of input validation make many applications vulnerable to external attacks.
Today I want to focus attention on a report published by the consulting firm Deloitte titled “Technology, Media & Telecommunications Predictions 2013”, which provides a series of technology predictions, including the outlook for subscription TV services and enterprise social networks. The document rightly expresses great concern about the improper use of passwords, which will continue to cause many problems in 2013; it must be considered that the value of the information protected by passwords continues to grow, attracting ill-intentioned actors.
The report stresses the need to reconsider password management processes in the light of the technological context we will face. Duncan Stewart, Director of TMT Research, declared: “Passwords containing at least eight characters, one number, mixed-case letters and non-alphanumeric symbols were once believed to be robust. But these can be easily cracked with the emergence of advanced hardware and software.”
“Moving to longer passwords or to truly random passwords is unlikely to work, since people just won't use them,” Stewart said.
“An eight character password chosen from all 94 characters available on a standard keyboard is one of 6.1 quadrillion (6,095,689,385,410,816) possible combinations. It would take about a year for a relatively fast 2011 desktop computer to try every variation. Even gaining access to a credit card would not be worth the computing time. However, a number of factors, related to human behavior and changes in technology, have combined to render the ‘strong’ password vulnerable.”
Using a brute force attack against an 8‑character password, a dedicated password‑cracking machine employing readily available virtualization software and high‑powered graphics processing units can discover the password in only 5.5 hours. The cost of such a machine is about $30,000 today, but as the report explains, hackers could obtain the same computational capability from a large botnet.
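To make the report's arithmetic concrete, here is an added example (my own code, not part of the Deloitte report or this article) that computes the keyspace of a password policy, its entropy in bits, and how long an exhaustive search takes at a given guess rate. It goes a step beyond the report by deriving the guess rate its 5.5-hour figure implies and the minimum length that would push exhaustion back to a year at that rate. The 94-symbol alphabet and the 5.5-hour figure come from the page; the guess rates and the 365.25-day year are assumptions of the example.

```python
import math

KEYBOARD_SYMBOLS = 94  # printable characters on a standard keyboard, as the report states


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` symbols from an alphabet of `alphabet_size`."""
    return alphabet_size ** length


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Bits of entropy of a uniformly random password of this shape (log2 of the keyspace)."""
    return length * math.log2(alphabet_size)


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case seconds needed to try every candidate at a fixed guess rate."""
    return space / guesses_per_second


def implied_rate(space: int, seconds: float) -> float:
    """Guess rate a cracker must sustain to exhaust `space` within `seconds`."""
    return space / seconds


def min_length_for(alphabet_size: int, guesses_per_second: float, years: float) -> int:
    """Smallest password length whose full keyspace takes at least `years` to exhaust."""
    target_seconds = years * 365.25 * 24 * 3600  # assumption: a 365.25-day year
    length = 1
    while seconds_to_exhaust(keyspace(alphabet_size, length), guesses_per_second) < target_seconds:
        length += 1
    return length


def human_duration(seconds: float) -> str:
    """Render seconds in the largest convenient unit, for printing only."""
    for unit, size in (("years", 365.25 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:.1f} {unit}"
    return f"{seconds:.1f} seconds"


if __name__ == "__main__":
    space = keyspace(KEYBOARD_SYMBOLS, 8)
    print(f"8 chars from {KEYBOARD_SYMBOLS} symbols: {space:,} candidates, "
          f"{entropy_bits(KEYBOARD_SYMBOLS, 8):.1f} bits of entropy")
    # The report's 5.5-hour figure for a dedicated GPU machine implies this guess rate:
    rate = implied_rate(space, 5.5 * 3600)
    print(f"Exhausting that in 5.5 h implies about {rate:.2e} guesses/s")
    for length in (8, 10, 12):
        t = seconds_to_exhaust(keyspace(KEYBOARD_SYMBOLS, length), rate)
        print(f"length {length}: {human_duration(t)} at that rate")
    print("Length needed so that exhaustion takes at least 1 year at that rate:",
          min_length_for(KEYBOARD_SYMBOLS, rate, 1))
```

The numbers show why the report treats length as the main lever: each extra character multiplies the attacker's work by 94, so at the rate implied by the 5.5-hour figure a ten-character password from the same alphabet already takes over a year to exhaust.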
Password length is not the researchers' only concern: the human factor can also expose the password management process to serious risks. People do not remember long and complex credentials, so they tend to adopt passwords that are easy to remember and related to their life experience, and in many cases the same password is re-used over time across different services, from online movie stores to bank accounts. The average user has 26 password‑protected accounts but only five different passwords across those accounts. According to a recent study of six million actual user-generated passwords, the 10,000 most common passwords would have accessed 98.1 percent of all accounts, a figure that gives an idea of how vulnerable the password management process is.
“Once a hacker has a password, he or she can potentially have the keys to the cyber kingdom based on most consumers’ behavior.”
Deloitte predicts that in 2013 more than 90% of user-generated passwords, even those considered strong by IT departments, will be vulnerable to hacking, with serious consequences: the company in fact predicts billions of dollars of losses, declining confidence in Internet transactions and significant damage to the reputations of the companies that fall victim to attacks.
The report states:
“How do passwords get hacked? The problem is not that a hacker
discovers a username, goes to a login page and attempts to guess the
password. That wouldn’t work: most web sites freeze an account after a
limited number of unsuccessful attempts, not nearly enough to guess even
the weakest password. Most organizations keep usernames and passwords
in a master file. That file is hashed: a piece of software encrypts both
the username and password together. Nobody in the organization can see a
password in its unencrypted form. When there is an attempt to log in,
the web site hashes the login attempt in real time and determines if the
hashed result matches the one stored in the database for that username.
So far, so secure. However, master files are often stolen or leaked. A
hashed file is not immediately useful to a hacker, but various kinds of
software and hardware, discussed in this Prediction, can decrypt the
master file and at least some of the usernames and passwords. Decrypted
files are then sold, shared or exploited by hackers.”
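The report's description of a hashed "master file" is the key point, so here is an added example (my own code, not the report's or the article's) showing the two ways such a file is commonly built and why a leak of one is far worse than a leak of the other: a single unsalted, fast hash per password beside a per-user random salt with a deliberately slow PBKDF2-HMAC. It uses only the Python standard library; the iteration count and the record format are assumptions of the example.

```python
import hashlib
import hmac
import os


# --- Weak scheme: one unsalted, fast hash per password ------------------------
def weak_store(password: str) -> str:
    """SHA-256 of the bare password. Fast and unsalted: equal passwords share a hash,
    so one precomputed table matches every user in a leaked file at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(weak_store(password), stored)


# --- Hardened scheme: per-user random salt + slow PBKDF2-HMAC-SHA256 ---------
PBKDF2_ITERATIONS = 600_000  # assumption: a current OWASP-style work factor for PBKDF2-SHA256


def strong_store(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Returns a self-describing record: pbkdf2_sha256$<iterations>$<salt hex>$<hash hex>."""
    salt = os.urandom(16)  # fresh random salt per user, stored next to the hash
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def strong_verify(password: str, stored: str) -> bool:
    """Recomputes the hash with the salt and work factor recorded in the stored value."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != "pbkdf2_sha256":
        return False
    _, iterations, salt_hex, hash_hex = parts
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), hash_hex)  # constant-time comparison


# --- A tiny "master file" and the login check the report describes -----------
class MasterFile:
    """username -> stored credential; only the hashed form is ever kept."""

    def __init__(self, store, verify):
        self._store, self._verify, self._records = store, verify, {}

    def register(self, username: str, password: str) -> None:
        self._records[username] = self._store(password)

    def login(self, username: str, password: str) -> bool:
        record = self._records.get(username)
        return record is not None and self._verify(password, record)

    def leaked_records(self) -> dict:
        """What an attacker holds once the master file is stolen or leaked."""
        return dict(self._records)


def shared_hash_count(records: dict) -> int:
    """Number of users whose stored value is identical to another user's.
    Collisions like this are only possible when there is no per-user salt."""
    seen = {}
    for rec in records.values():
        seen[rec] = seen.get(rec, 0) + 1
    return sum(n for n in seen.values() if n > 1)


if __name__ == "__main__":
    # Constructed demo: two users pick the same (worst-of-the-year) password.
    for name, store, verify in (("unsalted sha256", weak_store, weak_verify),
                                ("salted pbkdf2", strong_store, strong_verify)):
        mf = MasterFile(store, verify)
        mf.register("alice", "password")
        mf.register("bob", "password")
        print(f"{name}: login ok={mf.login('alice', 'password')}, "
              f"users with a duplicated record={shared_hash_count(mf.leaked_records())}")
```

With the unsalted scheme both users end up with the same stored value, so whoever cracks one has cracked both and can reuse the same table against every other leaked file; with a salt and a high work factor each record has to be attacked separately and each guess costs hundreds of thousands of hash operations, which is what turns the "year per password" of the report's arithmetic back in the defender's favour.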
As described, another problem is related to the use of passwords on different platforms: consider that the average user takes 4-5 seconds to type a strong ten-character password on a PC keyboard, a time that increases to 7-10 seconds on a mobile device with a keyboard and to 7-30 seconds on a touchscreen device. As a consequence, a quarter of the people surveyed admitted to using less secure passwords on mobile devices to save time.
SplashData, which develops password management applications, has released its annual “25 Worst Passwords of the Year” list, enumerating the most common passwords chosen by users. The three worst passwords have not changed from the previous year; they are “password”, “123456” and “12345678”, and new entries such as “welcome”, “jesus” and “ninja” have appeared in the top list. The top ten are:
- password (unchanged)
- 123456 (unchanged)
- 12345678 (unchanged)
- abc123 (up 1)
- qwerty (down 1)
- monkey (unchanged)
- letmein (up 1)
- dragon (up 2)
- 111111 (up 3)
- baseball (up 1)
Have you ever used one of the most popular passwords of 2012 for your own personal accounts? Change it. What could improve password management? SSO systems represent a good solution, for example by allowing the use of long or random passwords in the simplest way while respecting the elementary best practices for password management; of course, such a system must itself be protected from hacking attacks.
The implementation of token-based multifactor authentication processes (both software and hardware) represents the best compromise between cost and security, and it is also the direction in which IT security will travel in the future.