Monday, June 2, 2008

Passwords (part I ... The Problem)

How can you prove yourself?

Well, everyone wants to prove himself by working hard and so on, but I didn’t mean that here. I meant: how can you prove yourself literally? How can we be sure that you are yourself?! If somebody tells me “I’m Mr. John Doe”, I probably want him to prove it, maybe by showing me his national identification card or something similar. But what about computers?

For a long time, passwords have been the most popular way of authenticating and proving identity. Some new biometric techniques have evolved recently and have proven great accuracy and security. However, they are not used except in very sensitive places due to their high cost. According to a survey made by RSA Security and Nokia of 505 different large enterprises, 66% of them relied on passwords to authenticate remote users. This survey underlines the importance of passwords and pushes security engineers to come up with password policies to ensure that passwords are kept secure and uncompromised. On the other hand, this seems to be a very attractive target for black hats. A single compromised password could mean a lot of money. And even worse, once some hackers find a flaw in the system, they can get in and cause chaos everywhere. Deleting files won’t be the worst nightmare. Sending false emails with inappropriate content to the company’s clients is another form of fatal damage that could be caused. There's a great white paper I read recently in the reading room of sans.org named "Espionage – Utilizing Web 2.0, SSH Tunneling and a Trusted Insider" by A. Abdel-Aziz. It illustrates clearly that script kiddies are no longer the prevalent hackers.

Despite the obvious importance of keeping passwords secure and, of course, setting a password on everything private, a lot of people ignore this, claiming: “keep life simple”. Symantec recently published research on modern security threats. It indicated that more than 50% of households that have routers keep their default passwords unchanged! This allows black hats to wander around freely, doing whatever they want and usually using your unsecured routers for their own benefit (consider pharming).

On the business side, companies started to figure out the importance of having a password policy. A password policy is often part of an organization's official regulations and may be taught as part of security awareness training. These security policies are enforced by IT departments on the organizations’ employees to help keep the company’s data safe. In a random sample of 6,807 companies (from a survey in England), 49.7% of them enforced passwords longer than 6 characters and 36.7% longer than 8 characters. Also, 51.2% of these companies require both letters and special characters in the password (e.g. $4&@T).

These security awareness steps that companies started to take towards more data security are faced with human nature. Non-IT employees still consider passwords of minor importance. Sticky notes, what a wonderful non-sophisticated non-electronic invention!! A lot of employees tend to write down their passwords on sticky notes and stick them on their screens, because the passwords themselves are hard to remember, especially if they are alphanumeric characters with no meaning. Another very bad habit is sharing passwords with co-workers. In London, 66% of employees give their passwords to co-workers. However, the employees are somewhat excused. The following pie chart shows the number of passwords that each employee has to memorize as part of his work.



We can see that this is not a small number on average. Also, a good security practice is to change the password every now and then, which adds more burden on employees to re-memorize new passwords whenever they are changed. Another survey asked IT administrators: “How often do you require users to change their passwords?”

The answers (for a sample of 529 administrators) were:

• 17% Every month (or more frequently)
• 18% Every two months
• 36% Every three months (or longer)
• 29% We do not require users to change their passwords at a specific interval

So administrators are in a very tight situation here. The easier they make passwords, the easier they are to break. Black hat hackers use various techniques to crack passwords. Brute force password attacks are very common; however, they rarely work. Dictionary attacks work very often. They can be avoided by using non-meaningful passwords, but, as we said before, those are hard to remember.
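As an added illustration of this trade-off (example code written for this post, not part of the original or of any surveyed product): a check that applies the kind of policy the surveyed companies enforce (minimum length, letters plus special characters) and additionally rejects a dictionary word padded with the usual mutations, which is exactly what a dictionary attack tries first. The word list is a constructed stand-in; a real deployment would load a large cracking wordlist from disk.

```python
import math
import string

# Constructed tiny word list standing in for a real dictionary-attack wordlist.
COMMON_WORDS = {"password", "welcome", "letmein", "qwerty", "summer", "monkey"}

# Substitutions a dictionary attack tries automatically ("l33t" spellings).
SUBSTITUTIONS = (("0", "o"), ("1", "i"), ("3", "e"), ("4", "a"),
                 ("5", "s"), ("@", "a"), ("$", "s"))

def meets_policy(password, min_length=8, require_symbol=True):
    """Policy of the surveyed companies: a minimum length (6 or 8) and a mix of
    letters and special characters. Returns (ok, reason)."""
    if len(password) < min_length:
        return False, "shorter than %d characters" % min_length
    if not any(c.isalpha() for c in password):
        return False, "no letters"
    if require_symbol and not any(c in string.punctuation for c in password):
        return False, "no special characters"
    return True, "ok"

def is_dictionary_based(password, words=COMMON_WORDS):
    """Undo the mutations people use to squeeze a meaningful word past the
    policy (appended digits/symbols, l33t spelling) and look the core up."""
    core = password.lower().rstrip(string.digits + string.punctuation)
    for src, dst in SUBSTITUTIONS:
        core = core.replace(src, dst)
    return core in words

def brute_force_keyspace(password):
    """Number of candidates a brute-force attacker must cover, given only the
    character classes actually present in the password."""
    alphabet = 0
    if any(c.islower() for c in password): alphabet += 26
    if any(c.isupper() for c in password): alphabet += 26
    if any(c.isdigit() for c in password): alphabet += 10
    if any(c in string.punctuation for c in password): alphabet += len(string.punctuation)
    return alphabet ** len(password)

def check_password(password):
    """Run the policy and the dictionary check; report the brute-force cost."""
    ok, reason = meets_policy(password)
    if not ok:
        return "rejected: " + reason
    if is_dictionary_based(password):
        return "rejected: dictionary word with common mutations"
    bits = round(math.log2(brute_force_keyspace(password)))
    return "accepted (brute-force space about 2^%d)" % bits

if __name__ == "__main__":
    for pw in ("abc123", "P@ssw0rd1!", "Summer2008!", "correct-horse-battery"):
        print(pw, "->", check_password(pw))
```

Note that "P@ssw0rd1!" satisfies the length and character-class rules yet is rejected, because a dictionary attack reaches it through the same handful of substitutions the check undoes.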

So WHAT ARE WE GONNA DO!!

to be continued ...

References that you might want to check:
Password Usage Survey, a study by SafeNet/Rainbow Technologies.
Information Security Survey, a study by Infosecurity Europe.
Password Practices Survey, a study by TechRepublic NetAdmin.
