Attacks/Breaches
3/18/2016
04:00 PM
50%
50%

Passwords Are Failing, Security Pros Say

New study shows half of IT security pros say passwords can't stand up to today's threats.

Passwords remain pervasive as an authentication method for many businesses and organizations, but poor password practices can backfire on security.

In a new report, 77% of security professionals believe passwords are becoming ineffective in securing their IT environments, and 53% say passwords within their organizations are vulnerable to modern hacking tools. The findings come from a survey of nearly 200 IT security professionals conducted by Lieberman Software last month during the RSA Conference 2016 held in San Francisco. 

The use of default passwords and sharing of the same password among team members are some of the factors leading to security breaches, the study says. More than one-third (36%) of respondents say their IT staff share passwords. 

“If the vast majority of respondents think passwords are failing, then it’s time to rethink how we’re using them. Attackers use automated methods to brute force credentials and gain privileged access to enterprise networks - often in a matter of minutes. Once they’re inside, they can nest there anonymously, biding their time until it’s opportune to strike," said Philip Lieberman, president and CEO of Lieberman Software.

Many organizations spend most of their security budget on conventional security tools, but these tools work effectively only against identified cyberthreats, and are not able to defend against new and advanced threats and attacks, the report says. Some 45% of IT security professionals think their organizations are not well-prepared for a cyberattack, and 55% have their end users change their passwords more regularly than IT changes its own administrative credentials.

See more detailed survey findings here

          

Dark Reading's Quick Hits delivers a brief synopsis and summary of the significance of breaking news events. For more information from the original source of the news item, please follow the link provided in this article. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
StuartM947
50%
50%
StuartM947,
User Rank: Apprentice
3/23/2016 | 1:05:33 PM
Re: ask the FBI
Passwords encrypted correctly is the ultimate solution. After 10 years in biometrics we realized thru testing that they are dangerous and always hackable. Fingerprints, iris, voice are all easily obtained and repeatable. A password is a true secret if protected properly. There will be a technology shortly that will prevent passwords from being stolen. True 2F authentication with encryption. We know perimter defenses don't solve the problem.
Whoopty
100%
0%
Whoopty,
User Rank: Ninja
3/21/2016 | 9:17:04 AM
Re: ask the FBI
I agree and that's also why the FBI vs Apple case is so important. Passwords are not great security for the most part, but as you say, if well implemented they do work quite well. However if security that makes brute forcing difficult is removed to aid an investigation, passwords may as well be redundant. 
macker490
100%
0%
macker490,
User Rank: Ninja
3/19/2016 | 7:30:46 AM
ask the FBI
if passwords are such a failure why is the FBI having trouble with that iPhone ?

the answer is: where passwords are properly administered: they are effective.

biometrics have a serious problem: once compromised: you can't change your id.

George Orwell taught us "The Great enemy of Clear Language, -- is insincerity" . and this applies in spades to the attack on passwords: the real objective is to destroy anonymity

 
Joe Stanganelli
100%
0%
Joe Stanganelli,
User Rank: Ninja
3/19/2016 | 6:53:55 AM
password policy
Rather than reinvent the wheel, we need to rethink password policy.

It's much more difficult for a dictionary attack to successfully brute force, say, "WhetherTisNoblerInTheMindToSufferTheSlingsAndArrows" than it is to brute force, say, "sHake$pear3_" (and also the first one is far more memorable) -- and yet most organizations discourage the former password and encourage the latter password.

There are also tricks you can use to keep your password memorable but still keep it less hackable (after all, hackers like low-hanging fruit).  It goes to training.

Multi-factor authentication isn't bad either -- but keyword = "MULTI."  Replacing passwords wholesale with something else (like biometrics) will just lead to problems.
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Five Emerging Security Threats - And What You Can Learn From Them
At Black Hat USA, researchers unveiled some nasty vulnerabilities. Is your organization ready?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
Cybercrime has become a well-organized business, complete with job specialization, funding, and online customer service. Dark Reading editors speak to cybercrime experts on the evolution of the cybercrime economy and the nature of today's attackers.