Are weak passwords to blame for your data breach?

Since there has been a lot of ranting (not that it didn't need to be said), many write-ups, and plenty of Twitter traffic in the last few days over the relevance of weak passwords to the big data breaches, I thought about it some and decided to over-simplify and over-generalize. What resulted is this flow-chart, which I think sums up the role weak passwords actually played in some of the more prolific hacks of recent memory: in most cases they were not the way in, they were something the attacker found once already inside.


[Flowchart: BadPassword_Flowchart.jpg]

Comments
Eric Cowperthwaite (anon) | 01-04-2012 12:04 PM

Weak technical controls, poor log capabilities, systems with vulnerabilities that have been overlooked AND MOST IMPORTANTLY easily deceived employees do contribute greatly to all the major breaches that have occurred lately.

chort (anon) | 01-04-2012 12:28 PM

Are weak passwords responsible for the breaches? No, of course not.

 

Are passwords irrelevant? Absolutely not! If users of a breached website had weak passwords, those password hashes can be cracked. Since most users register for many sites with the same password (possibly even their bank!), this is a huge risk. If we're talking about a corporate network, the same idea applies. If an attacker can break password hashes due to weak passwords, they can easily reuse those credentials all over the network to perform lateral moves and evade detection/eradication.

 

You're correct to say that weak passwords didn't cause the breaches, but it's very dangerous to claim passwords are irrelevant.
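The attack chort describes, as an added worked example rather than anything from the post or its comments: an offline dictionary attack against a dump of unsalted hashes, followed by re-hashing each recovered plaintext with a second site's algorithm to see whose password works there too. The two "dumps", the wordlist and the mangling rules are constructed inline so the script runs offline; nothing in it comes from a real breach.

```python
import hashlib


def hexdigest(algo, plaintext):
    """Unsalted hash, as a site that stores bare hashes would compute it."""
    return hashlib.new(algo, plaintext.encode()).hexdigest()


# Constructed sample data (not a real breach). Site A stored unsalted SHA-1,
# site B unsalted MD5. Both tables are built here so the example runs offline.
SITE_A_DUMP = {
    "alice": hexdigest("sha1", "Password1"),
    "bob":   hexdigest("sha1", "letmein"),
    "carol": hexdigest("sha1", "Tr0ub4dor&3"),
    "dave":  hexdigest("sha1", "welcome!"),
}
SITE_B_DUMP = {
    "alice": hexdigest("md5", "Password1"),    # same password reused at site B
    "bob":   hexdigest("md5", "letmein2012"),  # changed it, so not reused
    "carol": hexdigest("md5", "Tr0ub4dor&3"),
}

# A tiny wordlist plus a few mangling rules of the kind cracking tools apply.
WORDLIST = ["password", "letmein", "welcome", "monkey", "dragon"]
RULES = [
    lambda w: w,
    lambda w: w.capitalize(),
    lambda w: w + "1",
    lambda w: w + "!",
    lambda w: w.capitalize() + "1",
]


def candidates(wordlist, rules):
    """Yield each mangled guess once, in wordlist order."""
    seen = set()
    for word in wordlist:
        for rule in rules:
            guess = rule(word)
            if guess not in seen:
                seen.add(guess)
                yield guess


def crack_dump(dump, wordlist, algo, rules=RULES):
    """Offline dictionary attack: hash every candidate once and look it up
    against all users at the same time (unsalted hashes make this a single
    dictionary lookup per guess). Returns {user: plaintext} for the hits."""
    by_hash = {}
    for user, digest in dump.items():
        by_hash.setdefault(digest, []).append(user)
    cracked = {}
    for guess in candidates(wordlist, rules):
        for user in by_hash.get(hexdigest(algo, guess), []):
            cracked[user] = guess
    return cracked


def find_reused(cracked, other_dump, other_algo):
    """Credential reuse, checked offline: re-hash each cracked plaintext with
    the other site's algorithm and return the users whose password matches."""
    return sorted(user for user, pw in cracked.items()
                  if other_dump.get(user) == hexdigest(other_algo, pw))


if __name__ == "__main__":
    hits = crack_dump(SITE_A_DUMP, WORDLIST, "sha1")
    print("cracked at site A:", hits)
    print("same password works at site B:", find_reused(hits, SITE_B_DUMP, "md5"))
```

Note that carol's password survives only because it is not in this wordlist and no rule produces it; the cost of the attack scales with the size of the wordlist and rule set, not with the number of users, which is exactly why a site-wide dump of unsalted fast hashes is so valuable to an attacker.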

BAMcHenry (anon) | 01-04-2012 03:45 PM

Passwords *are* irrelevant.  The blame lies with admins and developers who failed to augment their authentication systems with something better than an easily cracked password.  A 16-character password, regardless of "complexity" or "strength", is pretty easily cracked.

 

Why aren't more site-owners implementing any of the widely available and easy to implement forms of two-factor authentication?  It's a combination of laziness, poor priorities, and a false sense of security, among other factors.  

Christoffer Strömblad (anon) | 01-05-2012 02:53 AM

BAMcHenry (anon): You're missing the point that Rafal is trying to make. Passwords are irrelevant in the majority of data breaches that have happened recently. Weak passwords have not been exploited for the initial breach; they have been a consequence of the breach. Whether you implement a two-factor authentication system makes little or no difference since it has already been bypassed. People put waaay too much faith in authentication to protect them from unauthorized access but give bugger all about the quality of their application logic.
Rossmac2310 (anon) | 01-05-2012 11:25 AM

Passwords are redundant. They are difficult to remember and they are easy to steal/crack. A new paradigm in identity security is needed, one which reduces the cognitive load on the user (the biggest weakness in this whole enterprise) and which eliminates decision-making by the site. Please read my post on this subject - it is short and sweet. http://rossmac2310.blogspot.com/

Robert P (anon) | 02-01-2012 08:16 AM

I am going to have to disagree with your concept that passwords are irrelevant. Coming from a world where I have dealt with whiny people who didn't want to be bothered with unlocking their phones after 10 minutes of idle time (and these were defense contractors too!), I have seen breaches in security due to lazy or no password policies.

 

While I can't say who this was, there was a time a few years ago when a defense contractor's server had a virus on it. When I did a lot more investigation I realized that the files had been read and/or copied to a remote server in Russia. What these files were I am not sure; however, they were not something you wanted just anyone reading. The breach? A very weak and very simple password used to access the machine and the domain he was on.

 

I agree that more sophisticated attacks are on the rise versus password cracks; however, to dismiss it as "Is this 1998?" is ludicrous and bad advice. People who think you can have a password like this:

 

%^JUito!21

 

Think they are secure; however, considering there are only 10 characters in the password it would be rather easy to crack with modern systems. A password like this:

 

1SeE1diot$0nTh3R0@d@lLD@y

 

Is 25 characters and even though this is easy for me to remember it could be adjusted like this:

 

1SeEIditSOnThERoaDAlLDaY

 

Which would still be harder to crack than the very first password we listed, without the need for symbols that most people would forget. Occam's Razor always seems to come up when I think of things like this :)
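The length-versus-complexity comparison Robert P makes, carried through as an added worked example (my code, not the commenter's): it sizes the brute-force search space for his three example passwords and converts it to a time estimate, then applies the leet-speak normalization a rule-based cracker would use, to show why the brute-force figure is only an upper bound for a passphrase built from dictionary words. The guess rate is an assumption for this example, not a figure from the post.

```python
import math
import string

# Assumed attacker throughput (an assumption for this example): 10 billion
# guesses per second, a realistic order of magnitude for a fast unsalted hash
# on GPU hardware. Change it to match the hash being attacked.
GUESSES_PER_SECOND = 1e10
SECONDS_PER_YEAR = 365.25 * 24 * 3600

# The three passwords from the comment above.
PASSWORDS = [
    "%^JUito!21",
    "1SeE1diot$0nTh3R0@d@lLD@y",
    "1SeEIditSOnThERoaDAlLDaY",
]


def charset_size(pw):
    """Size of the smallest standard alphabet that covers the password: each
    class (lower, upper, digits, ASCII punctuation) counts only if used, the
    same assumption a brute-force mask attack would start from."""
    size = 0
    if any(c in string.ascii_lowercase for c in pw):
        size += 26
    if any(c in string.ascii_uppercase for c in pw):
        size += 26
    if any(c in string.digits for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable ASCII symbols
    return size


def brute_force_bits(pw):
    """log2 of the number of candidates an exhaustive search must cover."""
    return len(pw) * math.log2(charset_size(pw))


def years_to_exhaust(pw, rate=GUESSES_PER_SECOND):
    """Worst-case time to try the whole space at the assumed guess rate."""
    return charset_size(pw) ** len(pw) / rate / SECONDS_PER_YEAR


# Common substitutions a cracking rule set undoes before testing a guess as
# plain dictionary words ('1' is taken as 'i' here; rules also try 'l').
LEET = str.maketrans({"1": "i", "$": "s", "0": "o", "3": "e", "@": "a",
                      "4": "a", "5": "s", "7": "t"})


def leet_normalize(pw):
    """Reverse the leet substitutions and lowercase: if the result reads as
    ordinary words, a wordlist-plus-rules attack needs far fewer guesses than
    brute_force_bits() suggests."""
    return pw.translate(LEET).lower()


def report(passwords=PASSWORDS):
    """One row per password: (password, length, charset, bits, years)."""
    return [(pw, len(pw), charset_size(pw),
             round(brute_force_bits(pw), 1), years_to_exhaust(pw))
            for pw in passwords]


if __name__ == "__main__":
    for pw, n, cs, bits, years in report():
        print(f"{pw:28} len={n:2} charset={cs:2} bits={bits:6.1f} "
              f"years={years:.3g}  as words: {leet_normalize(pw)}")
```

Run on the three passwords, the 10-character one comes out at roughly 65 bits (exhausted in a couple of centuries at the assumed rate, so well within reach of a patient or well-resourced attacker, and far less if the hash is unsalted and many accounts are attacked at once), while the 24- and 25-character ones sit above 140 bits. The caveat is the last column: both long passwords normalize to a readable English sentence, so their real strength against a rule-based attack is the cost of guessing that phrase, not the brute-force figure.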

 

 

The opinions expressed above are the personal opinions of the authors, not of HP. By using this site, you accept the Terms of Use and Rules of Participation