No Password Is Too Complex For Hackers

Uploaded on 2016-12-21 in TECHNOLOGY--Hackers, NEWS-News Analysis, FREE TO VIEW

Another huge data breach and another reason that the current password security system for business applications and websites is flawed. 

This time it was 412 million reasons, this being the number of accounts and user credentials that were exposed following the breach of FriendFinder Networks

According to LeakedSource, which acquired a copy of the leaked data set of the FriendFinder Networks breach, a million of the accounts have the password “123456” and more than 100,000 have the password, “password”. Despite people being continuously urged to be more diligent when it comes to password management, the issue is still being ignored and, in turn, breaches continue to happen.

Inconveniency of passwords

This is the latest in a long line of breaches that demonstrates the risks and consequences of using passwords as a means of authentication. Complex passwords are inconvenient, meaning users often avoid them in the first place or even store them or write them down elsewhere, offering more opportunity for them to be stolen. 

As a result, the password usability problem has worsened in recent years, so in order to maintain the stringent control necessary over the data that flows through organisation, IT leaders need to be adopting tools that address the major security issues at hand instead of continuing to operate under a system of increasing password adoption.   

It is shocking to see the number of people in the recent FriendFinder data breach that used the two most common passwords, ‘123456’ and ‘password’. 

Considering the number of data-breaches we have seen this year alone and the millions of people that have been affected (7 per cent of the global population reportedly affected in the Yahoo hack), even though a complex password is not going to stop the issue, picking the two most common and easily guessable passwords is absurd.    

However, it doesn’t matter what the password is, IT and security experts continue to advise on the importance of changing passwords, how often the password needs to be changed, and finally what constitutes a complex password. 

The common occurrence in all of the above solutions is that, the password. It doesn’t matter how many times a person changes or alters their password they still remain the issue. What’s needed is a change in mind-set towards security and to completely revise the entire concept of the password.  

Mass market for stolen data

Aggravating the issue even further is the fact that passwords sell for good money, meaning criminals have plenty of incentive to steal or crack them. 

Society has transitioned into digital and this has created a massive market for stolen data, subsequently sending security experts scrambling to put out fires, all the while pleading with users to make their passwords more secure, and never quite truly extinguishing the flames. 

Complex and hard to guess passwords alone are not enough as they still present risks, as it’s easier and less expensive than ever for cyber criminals to crack them. Even a standard desktop PC can try billions of password combinations every second, and password lists and password-cracking software is widely available.   

Passwords are fundamentally flawed, not only because they are often easy to guess and are easily hackable, but they are also expensive to maintain with between 20 and 50 per cent of help desk calls being for password resets according to Gartner. 

The New EU Data Protection Regulation comes into force in 2018, data breaches could lead to fines as high as €20m or up to 4 per cent – whichever is greater, of a company’s global turnover if there is a breach. 

The GDPR is a heavyweight piece of legislation that will require organisations across the board to put a stricter focus on the way they handle data. 

In light of this, the introduction of the GDPR should act as a wake-up call for organisations to take full control of their data and revaluate security systems that are no longer suitable, which, considering the number of data breaches we keep seeing, has to mean a upheaval of the traditional system.    

Passwords, in one form or another, have existed as a means of security for millennia. And for most of their history, they’ve worked as advertised. But as with all technology, it needs a refresh and this refresh is long overdue if you compare it to the speed of which everything else in this industry changes.

More secure pastures needed

In order to overcome the issues associated with passwords, organisations should look to other more secure pastures. Stop wasting time and money changing passwords, making them more complex and then suffering the inevitable embarrassment and potential huge fines after suffering a data breach. It’s time to disrupt the traditional concept of passwords as a means of authentication. We are all unique but a password is never unique. 

What’s needed is an approach that involves no passwords at all. By way of example, combining unhackable security tokens with the latest technologies means that no passwords are ever created, stored or transmitted.

ITProPortal:          Yahoo Hack Affects 1 Billion Accounts:
 

« What Happened To The Blockchain Revolution?
Online Con Tricks Senior Executives Out of Millions »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

ON-DEMAND WEBINAR: What Is A Next-Generation Firewall And Why Does It Matter

See how to use next-generation firewalls (NGFWs) and how they boost your security posture.

Jooble

Jooble

Jooble is a job search aggregator operating in 71 countries worldwide. We simplify the job search process by displaying active job ads from major job boards and career sites across the internet.

MIRACL

MIRACL

MIRACL provides the world’s only single step Multi-Factor Authentication (MFA) which can replace passwords on 100% of mobiles, desktops or even Smart TVs.

ManageEngine

ManageEngine

As the IT management division of Zoho Corporation, ManageEngine prioritizes flexible solutions that work for all businesses, regardless of size or budget.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

BruCON

BruCON

Brucon is Belgiums premium security and hacking conference.

CyberESI

CyberESI

CyberESI is a Managed Security Service Provider providing 24x7 remote security monitoring and management of your mission-critical networks.

CyberInt

CyberInt

CyberInt’s Managed Detection and Response services span globally and include some of the top finance, retail and telecommunication organizations.

Virsec Systems

Virsec Systems

Virsec detects and remediates previously “indefensible” advanced memory-based attacks on critical applications and server endpoints.

e-Crime Bureau

e-Crime Bureau

e-Crime Bureau is a specialized company offering cyber/computer forensics, cyber security consulting services, forensic audit and investigations services and training to clients across Africa.

Miratech

Miratech

Miratech is a global IT services and consulting organization offering a full range of IT infrastructure solutions and services including cyber security.

Keepnet Labs

Keepnet Labs

Keepnet Labs is a phishing defence platform that provides a holistic approach to people, processes and technology to reduce breaches and data loss and presents anti-phishing solutions.

PeckShield

PeckShield

PeckShield is a blockchain security company which aims to elevate the security, privacy, and usability of entire blockchain ecosystem by offering top-notch, industry-leading services and products.

Concentric

Concentric

Concentric Data Risk Monitoring and Protection. Deep Learning to discover, monitor and remediate risks to sensitive data on-premises and in the cloud.

InGuardians

InGuardians

InGuardians is an independent information security consulting firm specializing in penetration testing, threat hunting, and hardware hacking.

Beauceron Security

Beauceron Security

Beauceron's cloud-based platform gives employees a powerful personal cyber-risk coach empowering them to improve their cybersecurity practices and behaviours.

CyberCyte

CyberCyte

CyberCyte provides a disruptive built-in integrated physical, network and perimeter security solution framework.

R3I Ventures - House of DeepTech

R3I Ventures - House of DeepTech

The House of DeepTech is an incubator for deeptech entrepreneurs that are transforming global industries. Areas of interest include cybersecurity.

Catalogic Software

Catalogic Software

Catalogic helps clients backup, recover, manage, and protect their data across their enterprise and cloud environments with Smart Data Protection solutions.

OxCyber

OxCyber

OxCyber's mission is to ignite and encourage cybersecurity and technology growth in the Thames Valley through meetings, webinars, in person events, workshops and mentorship programs.

Systems Engineering

Systems Engineering

Systems Engineering is a SOC 2, Type 2-certified IT strategy and managed technology services provider.