Security of user passwords

How do users get access to company IT resources? The most common way is a unique "digital ID" consisting of a login and a password. With these credentials the user logs in to his workstation, works with corporate documents and carries on business correspondence by e-mail. Ideally nobody except the user, the company's employee, should be able to work with corporate resources. The real situation, however, is different.

Unfortunately, even in top corporations IT specialists treat the security of user credentials irresponsibly by setting a password policy that is not strong enough. Competent IT specialists are aware that the password policy largely defines the basic security level of access to IT-infrastructure resources. A password policy includes the following parameters: minimum and maximum password length, complexity, maximum age, and the number of previous passwords to be remembered (so that they cannot be reused). The design of the password policy using these parameters should be performed at the stage of Unified Underlying IT-infrastructure implementation. What happens when the password policy is not defined or is set incorrectly?

Short and simple passwords

One of the easiest ways for hackers to gain access to company IT resources is to obtain a user's password. How can they do that? The most popular way is a brute-force attack using a dictionary composed in advance, or using special hardware. Contemporary graphics accelerators made by AMD and nVidia are able to perform brute force at a rate of dozens or even hundreds of thousands of passwords per second! Therefore if your users use short passwords, matching such a password is very easy. Brute force is simplified further when password patterns are used instead of random character sets. Password patterns are names of family members, phone numbers, dates of birth, etc.

A TrustWave investigation in particular shows that the average user password length is 7-8 characters; in 20 per cent of cases children's names are used as passwords, and in 17 per cent of cases users type their pets' names as passwords. Taking into account the mathematical limit on the number of such words, it is obvious that exhaustively brute-forcing them takes very little time. It would seem that to enhance password security passwords should be more complicated, i.e. contain uppercase and lowercase letters, numbers and special symbols. However, in this case 38 per cent of users manage to bypass the password policy using simple and obvious words such as Password1 and Welcome1. In terms of IT security, a hacker who has matched the password is equivalent to an ordinary user of the company. This is the main difficulty in identifying such a user during an IT-security audit.
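The policy parameters listed above (length, complexity, age, history) and the "Password1"/"Welcome1" bypass can be put together in a small checker. This is an added example, not code from the original article; the policy values and the short list of obvious base words are constructed assumptions, and a real deployment would load a far larger denylist and keep history as salted, slow hashes.

```python
import hashlib
import re
from dataclasses import dataclass

# Constructed denylist of "obvious" base words. Stripping digits and symbols
# before the lookup is what catches Password1, Welcome1!, Welcome2024 etc.,
# which otherwise satisfy a naive complexity rule.
OBVIOUS_WORDS = frozenset({"password", "welcome", "qwerty", "letmein"})


@dataclass(frozen=True)
class PasswordPolicy:
    min_length: int = 12
    max_length: int = 128
    min_classes: int = 3      # classes required out of lower/upper/digit/special
    max_age_days: int = 90
    history_size: int = 10    # previous passwords that may not be reused


def char_classes(pw: str) -> int:
    """Count the character classes present in the password."""
    return sum([any(c.islower() for c in pw), any(c.isupper() for c in pw),
                any(c.isdigit() for c in pw), any(not c.isalnum() for c in pw)])


def fingerprint(pw: str) -> str:
    # Illustration only: a real password history stores salted, slow hashes
    # (bcrypt/scrypt/Argon2), never plain SHA-256.
    return hashlib.sha256(pw.encode()).hexdigest()


def check_password(pw: str, policy: PasswordPolicy, history: tuple = ()) -> list:
    """Return the policy violations for a candidate password (empty list = OK)."""
    problems = []
    if len(pw) < policy.min_length:
        problems.append("too short")
    if len(pw) > policy.max_length:
        problems.append("too long")
    if char_classes(pw) < policy.min_classes:
        problems.append("not enough character classes")
    base = re.sub(r"[^a-z]", "", pw.lower())   # "Welcome1!" -> "welcome"
    if base in OBVIOUS_WORDS:
        problems.append("obvious base word")
    if fingerprint(pw) in history[-policy.history_size:]:
        problems.append("reused from history")
    return problems


def needs_rotation(age_days: int, policy: PasswordPolicy) -> bool:
    """True when the password is older than the policy's maximum age."""
    return age_days > policy.max_age_days
```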

Passwords that are not updated

Top analytic companies (PasswordResearch, CSID, etc.) regularly carry out investigations that allow estimating how often users change their password throughout a year. The obtained data is unfavorable: 44 per cent of users change their password only once a year and 8 per cent never change it. Thus in 44 per cent of cases, if hackers have managed to get the password of even one workstation by means of special software or social engineering methods, then for a whole year they can access critical business data, email messages, documents and files of the company, and even use the computers of the company network to carry out cyber-attacks.

The human factor

The human factor must be considered too. Even when a company uses a strong password policy, the security of credentials is broken down by the carelessness of the company's employees. They write down passwords on casual sheets of paper and leave them on the desk or stick them to their monitors. Some employees tell passwords to their co-workers by phone or send them as text in SMS. Hackers can easily intercept these passwords. This situation is illustrated by a high-profile story that took place in 2011: owing to the fault of the Megafon and Yandex companies, thousands of user accounts and passwords became public and available to anyone. In such a case any outsider with this password can access important corporate information and use it thereafter for his own interest, which may be dishonorable.

You can strengthen IT-infrastructure security, and put an end to the problem of "insecure" passwords, by using an access control and confidential data leak prevention system.