-
Discussion Boards
- Welcome to the Community
- 1 categories, 6 boards
- Desktops and Workstations
- 1 categories, 12 boards
- Mobile
- 7 boards
- Networking
- 6 categories, 20 boards
- Operating Systems
- 7 categories, 76 boards
- Printing and Digital Imaging
- 1 categories, 17 boards
- Partner Solutions
- 2 categories, 5 boards
- HP ExpertONE
- 4 boards
- Solutions
- 1 boards
-
BlogsEnglish
turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
- Community Home
- >
- Software
- >
- Enterprise Security
- >
- Following the White Rabbit - Security & Risk through a new looking glass
- >
- Are weak passwords to blame for your data breach?
Article Options
- Subscribe to RSS Feed
- Mark as New
- Mark as Read
- Bookmark
- Subscribe
- Email to a Friend
- Printer Friendly Page
- Report Inappropriate Content
Are weak passwords to blame for your data breach?
Since there has been a lot of ranting (not that it didn't need to be said), many write-ups, and Twitter traffic over the relevance of weak passwords in the last few days with respect to the big data breaches... I thought about it some and figured I would over-simplify and over-generalize... What resulted is this flow-chart, which I think sort of explains the role of weak passwords in some of the more prolific hacks of recent memory...
Labels:
data breach|
incident
Labels:
Comments
chort(anon)
|
01-04-2012
12:28 PM
Options
- Mark as Read
- Mark as New
- Bookmark
- Highlight
- Email to a Friend
- Report Inappropriate Content
Are weak password responsible for the breaches? No, of course not.
Are passwords irrelevant? Absolutely not! If users of a breached website had weak passwords, those password hashes can be cracked. Since most users register for many sites with the same password (possibly even their bank!), this is a huge risk. If we're talking about a corporate network, the same idea applies. If an attacker can break password hashes due to weak passwords, they can easily reuse those credentials all over the network to perform lateral moves and evade detection/erradication.
You're correct to say that weak passwords didn't cause the breaches, but it's very dangerous to claim passwords are irrelevant.
Follow Us
-
-
Follow Us on Facebook
-
Follow Us on Twitter
-
Follow Us on LinkedIn
-
Follow Us on Flickr
-
Follow Us on Youtube
-
Follow Us on SlideShare
-
Follow Us on Google+
Community Announcements
Latest Articles
- The [Hidden] Cost of Software Security Fixes in En...
- HP ShadowLabs deepens the talent pool
- Melville's "Bartleby the Scrivener" and what it te...
- Let's talk business agility (Survey analysis)
- Root Cause Analysis (RCA) - a critical skill
-
Logging: Opening Pandora's Box - Part 4 (Awareness
... -
Logging: Opening Pandora's Box - Part 3 (Paralysis
... - Why does software security keep falling off your b...
- Keeping Security Relevant - From Control to Govern...
- Logging: Opening Pandora's Box - Part 2 (Elation)
Latest Comments
- John Kozlowski(anon) on: Let's talk business agility (Survey analysis)
- todd mahnom(anon) on: Root Cause Analysis (RCA) - a critical skill
- DeeLima2(anon) on: Why does software security keep falling off your b...
- Olivier Saudan(anon) on: Keeping Security Relevant - From Control to Govern...
- Clerkendweller on: Logging: Opening Pandora's Box - Part 2 (Elation)
- reswob10(anon) on: Logging: Opening Pandora's Box - Part 1 (Anxiety)
-
Neira Jones(anon)
on:
NoOps and the Evolving Role of Informatio
n Securit... -
cpfoutz(anon)
on:
Missing Opportunit
ies - Making things worse by ask... - Sidragon(anon) on: Cyber Weapons - Bits instead of bullets but damage...
- Phil Cox(anon) on: Patch Management in the Cloud - It's About Consist...
Labels
-
0day
(2) -
2009 prediction
(1) -
30_in_30
(30) -
academia
(1) -
academic hack
(1) -
administrivia
(1) -
adware
(1) -
Agile
(1) -
Agility
(1) -
AJAX
(1) -
AJAX security
(1) -
alerting
(1) -
ALM
(1) -
announcement
(2) -
announcements
(2) -
anonymity
(1) -
application development
(3) -
application security
(12) -
application security case study
(1) -
application security program
(1) -
application security program challenges
(3) -
application security testing
(2) -
application security workshop
(1) -
assessments
(1) -
attribution
(1) -
audience
(1) -
authentication
(1) -
automated testing
(2) -
automated tools
(1) -
automation
(3) -
Black Hat SEO
(1) -
black-box testing
(1) -
blackbox
(1) -
blacklist
(1) -
breach
(3) -
breach impact
(2) -
browser
(1) -
browser database
(1) -
bsides
(1) -
budget
(3) -
business case
(1) -
business intelligence
(1) -
business logic defect
(2) -
business value
(1) -
businessweek attack
(1) -
businessweek hack
(1) -
byod
(1) -
change control
(1) -
change management
(1) -
CIO
(1) -
CISO
(5) -
Cloud
(4) -
cloud computing
(20) -
cloud security
(11) -
cloudpocalypse
(1) -
ColdFusion
(1) -
Commentary
(1) -
complexity
(1) -
compliance
(6) -
compromise
(4) -
Computer Security Institute
(1) -
conference
(2) -
conferences
(7) -
Converged Cloud
(1) -
crisis management
(1) -
critical infrastructure
(1) -
Cross-Site Scripting
(2) -
CSI Conference
(1) -
cyber security
(2) -
cyber war
(1) -
cybercrime
(1) -
data breach
(15) -
data breach notification
(1) -
data compromise
(1) -
data loss prevention
(8) -
data sanitization
(1) -
data-flow analysis
(1) -
defects
(2) -
defense
(1) -
defense in depth
(1) -
development
(4) -
development psychology
(1) -
DevOps
(2) -
dynamic analysis
(4) -
educating developers
(2) -
education
(1) -
EFD
(1) -
ehealth
(2) -
encryption
(2) -
enterprise application security
(1) -
Enterprise security
(49) -
Enterprise Security Intelligence
(2) -
enterprise security management
(1) -
enterprise security services
(1) -
enterprise web application security program
(2) -
ethics
(1) -
evolution
(1) -
Execution Flow Based Testing
(1) -
Failed
(1) -
failure
(1) -
federated identity management
(1) -
file upload
(1) -
firesheep
(1) -
functional specification
(2) -
future of web application security
(1) -
guest blog
(2) -
hack
(2) -
hacked
(3) -
hacking
(15) -
hacking demonstration
(3) -
hacking file upload hacking
(1) -
hacking incident
(2) -
hacking web application logic
(1) -
hacking workshop
(1) -
Hacktivism
(6) -
haktivism
(1) -
healthcare
(2) -
HITECH
(1) -
holistic security
(1) -
HTML 5
(1) -
HTML5
(1) -
HttpOnly
(1) -
https
(2) -
Hybrid Analysis
(1) -
hybrid delivery
(1) -
ICANN
(1) -
identity theft
(1) -
IE
(1) -
iis security
(1) -
incident
(5) -
incident handling
(1) -
incident response
(9) -
incidents
(1) -
industry commentary
(1) -
Information Management
(1) -
information security
(16) -
InfoSec World 2009
(2) -
Innovation
(1) -
input validation
(2) -
Instant-ON Enterprise
(2) -
interview
(1) -
IPv6
(1) -
ISSA
(1) -
IT Performance
(4) -
KPI
(3) -
KPIs
(5) -
legacy applications
(2) -
liabiilty
(1) -
live hacking workshop
(1) -
live web application hacking
(1) -
logging
(4) -
logic defects
(1) -
logic flaws
(1) -
Malware
(1) -
malware distribution
(1) -
marketing
(1) -
Metrics
(4) -
misconceptions
(1) -
mobile application security
(2) -
Mobile Applications
(2) -
mobile security
(2) -
mobility
(1) -
movie theater hacked
(1) -
Mozilla Bug 178993
(1) -
NetOps
(1) -
News
(2) -
noops
(1) -
online shopping
(1) -
ooda
(3) -
ooda loop
(2) -
OOPS
(30) -
open source
(2) -
open-source software security
(1) -
Operations Manager
(1) -
OSS security
(1) -
OWASP
(6) -
Password Security
(2) -
patch management
(1) -
patchwork cloud
(7) -
PCI Compliance
(2) -
PCI DSS
(3) -
penetration testing
(1) -
perform better
(2) -
phishing
(2) -
phpBB
(1) -
phpMyAdmin
(1) -
planted bug
(1) -
plug-in
(2) -
poccast
(1) -
podcast
(3) -
politics
(2) -
ponemon
(1) -
president hacked
(1) -
privilege
(1) -
process improvement
(1) -
program failures
(1) -
program maturity
(1) -
program secrets
(1) -
provisioning
(1) -
psychology
(2) -
QA
(7) -
quality
(4) -
Quality Management
(1) -
Quality testing
(1) -
reality check
(1) -
requirements management
(1) -
Research
(1) -
Rich Internet Applications
(1) -
risk analysis
(1) -
risk management
(8) -
risk mitigation
(1) -
risk rating
(1) -
ROI
(1) -
SaaS
(3) -
sandbox
(1) -
sandboxing
(1) -
SCADA
(1) -
school hack
(1) -
scurity vulnerabilities
(1) -
SDL
(1) -
SDLC
(3) -
Search Engine Optimization
(1) -
SecBiz
(10) -
SecOps
(1) -
secure code development
(1) -
security
(6) -
security architecture
(2) -
security automation
(3) -
security awareness
(2) -
security budget
(1) -
security conference
(3) -
Security Conferences
(5) -
security defects
(1) -
security fail
(21) -
security intelligence
(2) -
security operations
(1) -
security program
(8) -
security relationship
(1) -
security requirements
(1) -
security testing
(7) -
security tools
(1) -
security vulnerability
(1) -
securitycurity program
(2) -
Securityity Bloggers Awards
(1) -
service management
(1) -
services
(1) -
SIRM
(1) -
slides
(1) -
social engineering
(1) -
social media
(1) -
software defects
(1) -
software design
(1) -
software development
(1) -
software quality
(7) -
software security
(7) -
software security assurance
(34) -
sofware security assurance
(2) -
speaking
(2) -
SQL Injection
(3) -
sql injection attack
(1) -
ssa
(12) -
standards
(1) -
StarWest
(1) -
static analysis
(1) -
static code analysis
(2) -
strong authentication
(1) -
student hacker
(1) -
study
(2) -
talk
(3) -
talks
(2) -
technology
(1) -
technology strategy
(1) -
terminology
(1) -
testing
(4) -
testing methodology
(1) -
threat analysis
(1) -
threat assessment
(1) -
threat intelligence
(2) -
threat modeling
(1) -
TLS
(1) -
tools
(2) -
Top x
(1) -
trade shows
(1) -
transparency
(1) -
trends
(1) -
trust
(2) -
Twitter
(1) -
uncommon sense
(1) -
user-agent
(1) -
voting system
(1) -
vulnerabilities
(2) -
Vulnerability
(1) -
vulnerability context
(1) -
WDPRS
(1) -
Web 2.0
(4) -
web application
(2) -
Web application firewall
(1) -
web application hack
(1) -
web application hacking
(1) -
web application hacking live
(1) -
web application security
(23) -
web application security awareness
(3) -
web application security business case
(2) -
web application security case study
(1) -
web application security program
(4) -
web application security workshop
(1) -
web application vulnerability
(2) -
web applications
(4) -
web hack
(2) -
web server error
(1) -
web.config
(1) -
Webinar
(1) -
WebKit bug 10957
(1) -
webmail
(1) -
whitebox
(2) -
whitelist
(1) -
workflow vulnerability
(1)
- « Previous
- Next »
©2012 Hewlett-Packard Development Company, L.P |
Privacy Statement
| Using this site means you accept its terms
| Rules of Participation