We’ve all heard the warnings about password
security. Never share your password. Never use the vendor default
password (like Netgear1). Never use an easy-to-guess password (like Password123
or Mike1982). No matter what industry you work in, chances are, you’re
hearing more about these password “rules” at your job. Recent high-profile
security breach scandals, like the Target credit card information breach and
the Adobe hack, have more business owners and companies taking steps to ensure
that their network, and the sensitive information stored on it, is safe and
secure.
But while most people do their best to adhere
to their employers’ password security guidelines, many are still unsure of why
these password protocols are even effective. I recently worked with a large
online retailer to help them get up to speed on security protocols. One of the
questions asked in our initial meeting helped to give me some perspective on
how password security is still viewed by many people.
“I work in billing. I get that I shouldn’t
leave my passwords just lying around my desk, because a co-worker could use my
login. But I don’t understand how using a longer, more complicated password
(with a capital letter, numbers, etc.) would make any difference. No one could
guess my password. It seems like a waste of time.”
I dried a tear and explained that hackers are
always trying to get their hands on sensitive financial information; it’s what
they do. Understanding how they do it is key to understanding why complicated
passwords and more advanced security techniques like multi-factor
authentication are so important.
So, how do hackers go about stealing passwords
in order to infiltrate a network and gain access to sensitive information like
a client database, credit card information, and more? Today, there are three
common methods used to break into a password-protected system:
1. Brute Force Attack
A hacker uses a computer program or script to try to log in with possible password combinations, usually starting with the easiest-to-guess passwords. (So just think: if a hacker has a company staff list, he or she can easily guess usernames. If even one of those users has a password like “Password123”, the hacker will quickly be able to get in.)
2. Dictionary Attack
A hacker uses a program or script to try to log in by cycling through combinations of common words. From Wikipedia (http://en.wikipedia.org/wiki/Dictionary_attack):
“In contrast with a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words, for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit.”
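To make the billing employee's question concrete, here is an added password-policy check (example code, not from the original post) that estimates how the two guessing attacks above fare against a candidate password: it flags dictionary words with simple variations and sizes the search space a brute force would have to cover. The word list and the guessing rate are constructed assumptions for illustration.

```python
import string

# Constructed stand-in for a real dictionary (assumption); real checkers use
# word lists with millions of entries plus previously breached passwords.
COMMON_WORDS = {"password", "welcome", "netgear", "summer", "mike", "admin"}
# Assumed offline guessing rate against a fast hash; the exact figure varies
# with hardware and hash algorithm, but the ratio between lengths does not.
GUESSES_PER_SECOND = 1e9
SECONDS_PER_YEAR = 365 * 24 * 3600


def charset_size(pw: str) -> int:
    """Size of the smallest set of standard character classes covering pw."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def dictionary_hit(pw: str):
    """Return the dictionary word pw is built from when pw is just that word
    with case changes or trailing digits/symbols (e.g. 'Password123')."""
    base = pw.lower().rstrip(string.digits + string.punctuation)
    return base if base in COMMON_WORDS else None


def assess(pw: str) -> dict:
    """Estimate how a dictionary attack and a brute force attack fare against pw."""
    keyspace = charset_size(pw) ** len(pw)  # strings a brute force must try
    return {
        "dictionary_word": dictionary_hit(pw),  # non-None: found almost instantly
        "charset": charset_size(pw),
        "keyspace": keyspace,
        "years_to_exhaust": keyspace / GUESSES_PER_SECOND / SECONDS_PER_YEAR,
    }


if __name__ == "__main__":
    # Constructed sample passwords: the first two mirror the examples in the post.
    for pw in ("Password123", "Mike1982", "abcdefgh", "Tq7#mLp2!xR9vB4w"):
        r = assess(pw)
        print(f"{pw:18} dict={r['dictionary_word']!s:10} charset={r['charset']:3} "
              f"years_to_exhaust={r['years_to_exhaust']:.3g}")
```

The output shows why length matters more than any single "special character" rule: eight lowercase letters fall in minutes at the assumed rate, while a 16-character mixed password would take longer than the age of the universe to exhaust.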
3. Key Logger Attack
A hacker uses a program to track all of a user’s keystrokes. So at the end of the day, everything the user has typed—including their login IDs and passwords—has been recorded. A key logger attack differs from a brute force or dictionary attack in several ways. Most importantly, the key logging program is malware (or a full-blown virus) that must first make it onto the user’s device (often the user is tricked into downloading it by clicking on a link in an email). Key logger attacks also differ in that stronger passwords don’t provide much protection against them, which is one reason that multi-factor authentication (MFA) is becoming a must-have for all businesses and organizations.
With multi-factor authentication (also called two-factor authentication, 2FA, and advanced authentication), a user is required to not only provide a password to gain access to the system, but also another security “factor,” like a unique one-time access code generated from a token device or secure mobile app on their smartphone. A network protected by MFA is nearly impenetrable to an outside attack; even if a hacker is able to obtain a system password, he won’t be able to provide the needed second security factor.
The use of MFA is growing rapidly. Facebook, Google, and PayPal all now offer MFA options. The security guidelines for many agencies and industries (including HIPAA, PCI, and the FBI) require MFA for anyone trying to log in off site.
If you’re looking for an MFA solution for your
organization, find out the answers to your questions in “12 Questions You Need
To Ask Your Multi-Factor Authentication Vendor.”