Some security professionals apparently find it tough to maintain safe password practices outside of work, with 53% acknowledging that they either haven't changed their social network passwords in more than a year - or have never changed them at all, according to a report released today by security firm Thycotic.
According to the survey of nearly 300 security professionals conducted at the RSA Conference in San Francisco in February, 33% of security pros say they have not changed their social network passwords in more than one year, and 20% have never changed them. On top of that, nearly 30% of survey participants rely on birthdays, addresses, pet names, and children's names for their social network passwords, the survey found.
These practices run counter to the industry's often-touted mantra that passwords must be changed frequently and made as complex as possible. Needless to say, failing to follow these practices can potentially lead to cybercriminals not only infiltrating the social networks of security pros but also social-engineering or phishing their way into their work accounts.
Although 45% of survey respondents believe that at least half of company-related cyberattacks involve privileged passwords, Joseph Carson, Thycotic's chief security scientist, tells Dark Reading he personally believes the figure is closer to 63% based on his digital forensics research and ethical hacking.
Of that estimated 63% of breaches involving privileged passwords, Carson estimates 30% come from IT administrators' passwords and 10% from someone with some responsibility for security.
"Although 10% may not seem like a high figure, the biggest cost to a company financially will be from this 10% because of the privileges they hold," Carson says. "The difference between a security breach and a security catastrophe comes down to the level of authorization that the person had."
Do What I Say, Not as I Do
Understanding why security professionals don't always practice what they preach when it comes to protecting passwords outside of work requires some insight into the particular challenges they face.
Typically, security pros are aware of the potential dangers of single sign-on passwords and will have a separate password for each account they hold, both work-related and personal. In Carson's case, he has over 400 personal and work-related accounts, each with its own password.
To help him manage the hundreds of passwords, Carson says he uses password management tools such as password vaults. But the vast majority of his fellow IT security professionals do not use such tools. He noted that in a benchmark survey of more than 1,000 security professionals taken over a year ago, only 10% to 20% of participants indicated they used a password vault or other password management tools.
As a result, in some ways it may not be so surprising that security professionals find it hard to maintain the same level of vigilance with their personal accounts as they do with work-related accounts, he says.
"There are many known cases of data breaches from compromised credentials and passwords from security professionals resulting from malware and phishing scams delivered via social networks," Carson says.
Morey Haber, vice president of technology at security firm BeyondTrust, says he is not surprised by the findings in Thycotic's RSA survey.
"Most social media accounts require best practices for password complexity but falter when it comes to other security disciplines. For example, they fail to expire passwords after 90 days, require a reset, and allow browsers to ‘Remember Me’ for cached authentications for an infinite duration," Haber says. "Since these additional security controls are what most people rely on to reset passwords on a periodic basis, I can only assume the transparent approach makes even the best security professionals lax for social media account password changes. I can only hope they follow at least best practices for password reuse, and each social media account has a different password in case one is compromised."
He says that while it’s rare for a breach of a security professional's account to be identified as the primary attack vector, the likelihood of their account being compromised through Pass-the-Hash or other hacking techniques is higher if they log into a compromised system, access it from an unsecured remote location, or have legacy accounts whose passwords have never been changed. "The longer a password goes stale, the more likely it will be compromised," Haber says.
Ironically, 25% of the Thycotic survey respondents say they will change their password at work only when the system alerts them. Such an attitude may contribute to the more than 3 billion user credentials and passwords that were stolen in 2016, according to the Thycotic and Cybersecurity Ventures' Password report.
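As an added example (not code from Thycotic, BeyondTrust, or Dark Reading), the following Python script audits a password inventory for the three habits the article singles out: the same password reused on more than one account, passwords left unchanged for more than a year, and passwords built from personal details such as birthdays, pet names, addresses, or children's names. The inventory, its field names, the list of personal details, and the audit date are all constructed assumptions for the demonstration; a real audit would run against a vault export.

```python
"""Password-hygiene audit for a personal account inventory (added example)."""
from collections import defaultdict
from datetime import date

# Constructed sample inventory; "site", "password" and "last_changed" are
# assumed field names standing in for a password-vault export.
SAMPLE_INVENTORY = [
    {"site": "social-a.example", "password": "Fluffy2009!", "last_changed": date(2015, 1, 10)},
    {"site": "social-b.example", "password": "Fluffy2009!", "last_changed": date(2016, 11, 3)},
    {"site": "bank.example", "password": "r7!Kq#pZ2vLw", "last_changed": date(2017, 1, 15)},
]

# Constructed personal details of the kind the survey says people build
# passwords from: a pet name, a child's birth year, an address, a child's name.
PERSONAL_DETAILS = ["Fluffy", "2009", "Maple Street", "Emma"]

# Assumed audit date (the survey was taken at RSA in February).
ASSUMED_AUDIT_DATE = date(2017, 2, 15)


def find_reused(inventory):
    """Map each password that appears on more than one site to those sites."""
    sites_by_password = defaultdict(list)
    for entry in inventory:
        sites_by_password[entry["password"]].append(entry["site"])
    return {pw: sites for pw, sites in sites_by_password.items() if len(sites) > 1}


def find_stale(inventory, today, max_age_days=365):
    """Sites whose password is older than max_age_days as of `today`."""
    return [e["site"] for e in inventory
            if (today - e["last_changed"]).days > max_age_days]


def find_personal(inventory, details):
    """(site, detail) pairs where a personal detail occurs inside the password,
    compared case-insensitively and with spaces removed."""
    hits = []
    for e in inventory:
        pw = e["password"].lower().replace(" ", "")
        for d in details:
            if d.lower().replace(" ", "") in pw:
                hits.append((e["site"], d))
    return hits


def audit(inventory, details, today, max_age_days=365):
    """Run all three checks and return the findings plus the set of flagged sites."""
    reused = find_reused(inventory)
    stale = find_stale(inventory, today, max_age_days)
    personal = find_personal(inventory, details)
    flagged = set()
    for sites in reused.values():
        flagged.update(sites)
    flagged.update(stale)
    flagged.update(site for site, _ in personal)
    return {"reused": reused, "stale": stale, "personal": personal,
            "flagged_sites": sorted(flagged)}


if __name__ == "__main__":
    report = audit(SAMPLE_INVENTORY, PERSONAL_DETAILS, ASSUMED_AUDIT_DATE)
    # Never print the passwords themselves; report only which sites share one.
    for sites in report["reused"].values():
        print("reused password on:", ", ".join(sites))
    print("stale (>365 days):", report["stale"])
    print("contains personal detail:", report["personal"])
    print("accounts needing attention:", report["flagged_sites"])
```

Running the script flags both social accounts: they share one password, that password embeds the pet name and a birth year, and one of them has not been changed in over two years. The bank account passes all three checks. The reuse check compares plaintext because it runs over the vault's own export; the output deliberately lists sites, not passwords.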