Why Password Management and Security Strategies Fall ShortResearchers say companies need to rethink their password training and take a more holistic approach to security.
Industry researchers have grown concerned that security pros are making it too easy for hackers to prey on people.
One says that companies need to make password management easier, while the other emphasizes a defense-in-depth approach that includes both technology and training, thereby putting less of a burden on humans.
David Jacoby, a senior security researcher at Kaspersky Lab, found in his firm's study that for less than $50, a criminal can buy a person's full digital identity. This includes personal data stolen from social media and bank accounts, gaming websites, and streaming media accounts.
Most of the data thefts are executed via spear-phishing or by exploiting security vulnerabilities in a Web application, Jacoby says. After a successful attack, the criminal will obtain a password dump, which contains a combination of email addresses and passwords for the hacked service. Because so many people use the same password for multiple accounts, attackers can also use this information to access accounts on other platforms.
"One of the big problems is that people tend to reuse passwords," Jacoby says. "I think we've not done a good job training users how to develop their passwords."
The industry, he says, stresses a technical solution, such as password managers, but the tools aren't always easy for people to use. While Jacoby does recommend using a password manager and better security software for those who can manage them, for most people the best passwords are phrases unique to them, followed by a punctuation mark, then a unique identifier, he says.
So multiple passwords could look something like this:
- Facebook: Ilikecars!friends
- Netflix: Ilikecars!movies
- PayPal: Ilikecars!money
By making their passwords unique and related to specific services, most people should be able to remember them, Jacoby says. He also recommends that people search a resource such as haveIbeenpwned.com to check whether sites they have accounts with have been compromised.
"If you do a search and find that one of your accounts has been hacked, don't panic,” Jacoby advises. "All you can do is move forward. Start by changing your passwords on the compromised sites, and slowly shift to either a password manager or the system I've recommended based on unique identifiers.”
Dylan Tweney, head of the research program at Valimail, adds that while more effective password management makes sense, too often security pros blame users for all their problems.
Tweney points to recent Valimail research, which found that when it came to detecting fraudulent emails, there was virtually no difference between the scores of those who received anti-phishing training compared with those who didn't. Out of 11 emails, those who received the training identified 4.98 and those who didn't spotted 4.97.
Valimail recommends a more balanced approach that includes training, email authentication, deploying secure email gateways, and making sure spam filters are current.
"The idea is to not make humans the front line of defense," Tweney explains. "By taking on a more defense-in-depth approach, the burden on the humans is less, so there's a better chance that when emails do get through, the users will be able to detect them because they won't be overwhelmed."
Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.
Steve Zurier has more than 30 years of journalism and publishing experience, most of the last 24 of which were spent covering networking and security technology. Steve is based in Columbia, Md. View Full Bio