Password Security: How To Protect Your Company From Hackers

In the light of recent privacy scandals surrounding PRISM and government snooping, how safe is your company’s data? Jack Bedell-Pearce, managing director at 4D Data Centres, reviews the issues and explains how password best practice can be your own worst enemy.

House burglaries tend to fall into one of two categories: those that are planned because the victim has something of value, and those that are opportunistic, perhaps because the victim left their backdoor open.

Companies that find themselves hacked are likely to have fallen into one of these two categories as well. What many don’t understand is that sometimes, even though they may not hold the personal details of millions of clients or store code to the latest blockbuster videogame, their company and its IT resources may be more valuable to criminals than they realise.

But here we’ll tackle opportunistic hackers, their motivations and methods.

Unfortunately, a typical hacker’s reasons for breaching a company’s security have less to do with a fixed goal and more to do with either prestige or boredom. For the same reason most people will probably pick up and read a document left on the train marked ‘Government – Top Secret’, some hackers can’t resist the temptation of companies that effectively leave the backdoor to their IT system wide open.

Beware overused passwords
The reuse of one password across many sites is one such ‘open door’ that is regularly exploited. The premise is simple: a hacker either creates or compromises a website (maybe a forum) which at some point requires the user to register to gain access to information or post a comment. Our hapless victim, who for the purpose of this example is called Andrew and works for Andy-Corp, registers with the honeypot website. Dutifully, he gives his full name, work email address (andrew@andy-corp.com) and the password he always uses, ‘p@55word1’. Armed with this information, the hacker now tries his luck at accessing Andrew’s work email.

Google does most of the hard work initially: the hacker searches for “Andy-Corp OWA” (Outlook Web Access) and it brings back the URL for the online version of Andy-Corp’s Exchange email.

Finally, having accessed Andrew’s work email (thanks to the fact Andrew uses p@55word1 for everything) the hacker does a quick search for “how to log on to the VPN” which returns a very helpful step-by-step guide email from Andy-Corp’s IT department.

In fairness, this is one of the least sophisticated ways of hacking a company’s network, but it demonstrates one of the key flaws with passwords in general. Most ‘good’ passwords are actually difficult for people to remember, which is why they tend to use either the same password or very similar variations across multiple platforms. Andrew may be clever enough to slightly vary his personal and work passwords, but if the difference between the two is ‘p@55word1’ and ‘p@55word9’ respectively, it’s going to take the hacker in question all of nine goes before he hits the proverbial jackpot.

Is best practice best?
Ironically, a company with stringent password policies can run into other issues, especially if it forces users to change their passwords too often, or to adopt strange combinations of numbers, capital letters and special characters. This was illustrated by the webcomic ‘xkcd’, which compares two passwords: ‘Tr0ub4dour&3’ and ‘correcthorsebatterystaple’. Intuitively, the latter looks much easier to crack, but in reality, if you were employing a computer to ‘brute force’ a password (i.e. guess it by trying combinations of characters), the former would take 3 days to crack while the latter would take 550 years!

Aside from the 4.7% of users who still use ‘password’ as their password, most people either use dictionary words, sequences (654321), spatial patterns (qweasd), repeats (aaaaaaaa) or a combination of the above.

Tech-savvy users will throw in capitalisation (usually the first letter), a number (usually a 1 at the end) or swap a letter for a symbol, otherwise known as l33t speak (0 for o, 3 for e, etc.).

But as xkcd correctly observed, these passwords are often easy for powerful PCs to crack and hard for humans to remember. And because people are creatures of habit, their one ultra-strong password (such as ‘s3cuReP@55w0rd’) is probably used for their work VPN, PayPal account and Gmail account alike.

Despite all these complicated hacking methods, there is a much easier way to get someone’s master password. Just ask for it. Commonly known as ‘social engineering’, calling up your place of work and claiming to be the IT department, or just looking over the shoulder of someone typing in their password is still the most effective method for accessing a secure network. Post-it notes on monitors and underlined passwords in the backs of notebooks are also popular.

The solutions
So how do you combat this problem? Simple: use a completely unique, random, 20-character password for every site you register with. Luckily, there are password managers such as 1Password, KeePass and LastPass that not only manage the passwords for you, but also allow you to log on to sites in a single click.
And if you’re worried that someone could still steal your password manager’s master password (which should be something memorable but long, such as ‘correcthorsebatterystaple’), then you can always use multi-factor authentication, where you need to meet certain other criteria in order to log on, such as connecting from the correct IP address, a fingerprint reader, a USB key (YubiKey) or a smartphone app (Google Authenticator).

My password advice for small business owners is:

  • If you run Active Directory or any internal network which requires a secure login, set up security policies and force users to change their passwords regularly
  • If employees want to BYOD (Bring Your Own Device) to work, make sure those devices have secure logins and that this is checked semi-annually
  • Introduce a password manager and ensure unique, random passwords are used for all business-critical logins
  • Educate your company on the dangers of social engineering (e.g. do not give out personal information or passwords, do not plug in random USB drives)

Finally, here’s an interesting test, which is the stronger of these two passwords?

  • G0d.....................
  • RyGyu.N(n2k57#L£eVrAfp9

Answer: The first one (G Zero d plus 21 dots) is 95 times harder to crack than the second one because it’s one character longer!
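The arithmetic behind the xkcd comparison, the ‘one character longer’ quiz answer and the ‘nine goes’ variant problem can all be checked with a short script. The example below is added here and is not from the article or from xkcd; it models a blind brute-force attacker who must assume every character class present in the password (95 printable ASCII characters when all four classes appear), and it reuses xkcd’s own estimates of about 28 bits and 44 bits for its two passwords at 1,000 guesses per second, which are where the 3 days and 550 years come from. The word list, the password samples and the `is_trivial_variant` rule are constructed for illustration; a real policy check would use a breach corpus.

```python
"""Password keyspace estimates and simple policy checks (added example, not article code)."""
import math
import secrets
import string

SYMBOL_CLASS = 95 - 26 - 26 - 10      # printable-ASCII symbols: 33 of them
ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 chars
# Common l33t substitutions (0 for o, 3 for e, ...) mapped back to letters.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s"})
# Constructed stand-in for a real dictionary or breached-password list.
WORDLIST = {"password", "troubadour", "secure", "god", "monkey", "letmein"}


def charset_size(pw: str) -> int:
    """Alphabet a blind brute-force attacker must search, from the classes present."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(not c.isalnum() for c in pw):   # '£' and other non-ASCII count as symbols
        size += SYMBOL_CLASS
    return size


def keyspace(pw: str) -> int:
    """Number of candidates of this length over the detected alphabet (exact integer)."""
    return charset_size(pw) ** len(pw)


def brute_force_bits(pw: str) -> float:
    return math.log2(keyspace(pw))


def seconds_to_exhaust(bits: float, guesses_per_second: float = 1000.0) -> float:
    """Time to try the whole space of 2**bits candidates at the given rate."""
    return 2 ** bits / guesses_per_second


def to_days(seconds: float) -> float:
    return seconds / 86400


def to_years(seconds: float) -> float:
    return seconds / (365.25 * 86400)


def is_single_word_with_substitutions(pw: str) -> bool:
    """Flag the 'dictionary word + l33t + trailing digit/symbol' pattern (the Tr0ub4dour&3 case)."""
    core = pw.rstrip(string.digits + string.punctuation)
    return core.translate(LEET).lower() in WORDLIST


def is_trivial_variant(candidate: str, known: str) -> bool:
    """True when candidate differs from a known password in at most one position (p@55word1 vs p@55word9)."""
    a, b = candidate.lower(), known.lower()
    return len(a) == len(b) and sum(x != y for x, y in zip(a, b)) <= 1


def generate_password(length: int = 20) -> str:
    """Random password of the kind a password manager stores, from the OS CSPRNG."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def report(pw: str, guesses_per_second: float = 1000.0) -> dict:
    bits = brute_force_bits(pw)
    return {"length": len(pw), "charset": charset_size(pw), "bits": round(bits, 1),
            "years_blind": to_years(seconds_to_exhaust(bits, guesses_per_second)),
            "single_word": is_single_word_with_substitutions(pw)}


if __name__ == "__main__":
    quiz_a = "G0d" + "." * 21                 # 24 characters
    quiz_b = "RyGyu.N(n2k57#L£eVrAfp9"        # 23 characters
    for pw in ("Tr0ub4dour&3", "correcthorsebatterystaple", quiz_a, quiz_b, generate_password()):
        print(f"{pw!r:32} {report(pw)}")
    print("keyspace ratio quiz_a / quiz_b:", keyspace(quiz_a) // keyspace(quiz_b))
    # xkcd's entropy estimates for its two passwords, at 1000 guesses/second
    print("28 bits ->", round(to_days(seconds_to_exhaust(28)), 1), "days")
    print("44 bits ->", round(to_years(seconds_to_exhaust(44))), "years")
    print("p@55word9 is a trivial variant of p@55word1:", is_trivial_variant("p@55word9", "p@55word1"))
```

Two things the script makes visible that the prose does not: the 95x ratio holds only against a blind search, because `is_single_word_with_substitutions` strips the padding from the first quiz password and finds ‘god’ underneath, and the naive charset model credits ‘Tr0ub4dour&3’ with far more than 28 bits, which is exactly why xkcd scores by how the password was built rather than by which characters it contains. The `is_trivial_variant` check is the kind of rule a password-change policy can apply against the user’s previous password.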

If you have any advice or queries, I’d love to read your comments below.

Source: businesszone.co.uk