Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Operations //

Identity & Access Management

11/7/2018
02:00 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Why Password Management and Security Strategies Fall Short

Researchers say companies need to rethink their password training and take a more holistic approach to security.

Industry researchers have grown concerned that security pros are making it too easy for hackers to prey on people.

One says that companies need to make password management easier, while the other emphasizes a defense-in-depth approach that includes both technology and training, thereby putting less of a burden on humans.

David Jacoby, a senior security researcher at Kaspersky Lab, found in his firm's study that for less than $50, a criminal can buy a person's full digital identity. This includes personal data stolen from social media and bank accounts, gaming websites, and streaming media accounts.

Most of the data thefts are executed via spear-phishing or by exploiting security vulnerabilities in a Web application, Jacoby says. After a successful attack, the criminal will obtain a password dump, which contains a combination of email addresses and passwords for the hacked service. Because so many people use the same password for multiple accounts, attackers can also use this information to access accounts on other platforms.

"One of the big problems is that people tend to reuse passwords," Jacoby says. "I think we've not done a good job training users how to develop their passwords."

The industry, he says, stresses a technical solution, such as password managers, but the tools aren't always easy for people to use. While Jacoby does recommend using a password manager and better security software for those who can manage them, for most people the best passwords are phrases unique to them, followed by a punctuation mark, then a unique identifier, he says.

So multiple passwords could look something like this:

  • Facebook: Ilikecars!friends
  • Netflix: Ilikecars!movies
  • PayPal: Ilikecars!money

By making their passwords unique and related to specific services, most people should be able to remember them, Jacoby says. He also recommends that people search a resource such as haveIbeenpwned.com to check whether sites they have accounts with have been compromised.

"If you do a search and find that one of your accounts has been hacked, don't panic,” Jacoby advises. "All you can do is move forward. Start by changing your passwords on the compromised sites, and slowly shift to either a password manager or the system I've recommended based on unique identifiers.”

Dylan Tweney, head of the research program at Valimail, adds that while more effective password management makes sense, too often security pros blame users for all their problems.

Tweney points to recent Valimail research, which found that when it came to detecting fraudulent emails, there was virtually no difference between the scores of those who received anti-phishing training compared with those who didn't. Out of 11 emails, those who received the training identified 4.98 and those who didn't spotted 4.97.

Valimail recommends a more balanced approach that includes training, email authentication, deploying secure email gateways, and making sure spam filters are current.

"The idea is to not make humans the front line of defense," Tweney explains. "By taking on a more defense-in-depth approach, the burden on the humans is less, so there's a better chance that when emails do get through, the users will be able to detect them because they won't be overwhelmed."

Related Content:

 

Black Hat Europe returns to London Dec 3-6 2018  with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
hucklesinthedark
50%
50%
hucklesinthedark,
User Rank: Author
11/8/2018 | 10:21:44 PM
Technical Failures
I like to say that if a user is able to violate an information security policy, be it accidentally or purposefully, then there was a technical control that either failed or was missing entirely. Users shouldn't technically be capable of violating policy. Granted, I say this in partial jest sometimes, but there is also some seriousness to it. Relying on fallible humans will inevitably result in failures. So when you say that the idea is to NOT make humans the front line of defense, I whole-heartedly support that.
Why Cyber-Risk Is a C-Suite Issue
Marc Wilczek, Digital Strategist & CIO Advisor,  11/12/2019
Black Hat Q&A: Hacking a '90s Sports Car
Black Hat Staff, ,  11/7/2019
The Cold Truth about Cyber Insurance
Chris Kennedy, CISO & VP Customer Success, AttackIQ,  11/7/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
New Best Practices for Secure App Development
New Best Practices for Secure App Development
The transition from DevOps to SecDevOps is combining with the move toward cloud computing to create new challenges - and new opportunities - for the information security team. Download this report, to learn about the new best practices for secure application development.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-16863
PUBLISHED: 2019-11-14
STMicroelectronics ST33TPHF2ESPI TPM devices before 2019-09-12 allow attackers to extract the ECDSA private key via a side-channel timing attack because ECDSA scalar multiplication is mishandled, aka TPM-FAIL.
CVE-2019-18949
PUBLISHED: 2019-11-14
SnowHaze before 2.6.6 is sometimes too late to honor a per-site JavaScript blocking setting, which leads to unintended JavaScript execution via a chain of webpage redirections targeted to the user's browser configuration.
CVE-2011-1930
PUBLISHED: 2019-11-14
In klibc 1.5.20 and 1.5.21, the DHCP options written by ipconfig to /tmp/net-$DEVICE.conf are not properly escaped. This may allow a remote attacker to send a specially crafted DHCP reply which could execute arbitrary code with the privileges of any process which sources DHCP options.
CVE-2011-1145
PUBLISHED: 2019-11-14
The SQLDriverConnect() function in unixODBC before 2.2.14p2 have a possible buffer overflow condition when specifying a large value for SAVEFILE parameter in the connection string.
CVE-2011-1488
PUBLISHED: 2019-11-14
A memory leak in rsyslog before 5.7.6 was found in the way deamon processed log messages are logged when $RepeatedMsgReduction was enabled. A local attacker could use this flaw to cause a denial of the rsyslogd daemon service by crashing the service via a sequence of repeated log messages sent withi...