Be Aware of Password Vulnerabilities to Avoid Getting Hacked - dummies

By Kevin Beaver

Considering the cost of security and value of protected information, the combination of a user ID and a password is usually adequate to avoid hacks. However, passwords give a false sense of security. The bad guys know this and attempt to crack passwords as a step toward breaking into computer systems.

One big problem with relying solely on passwords for information security is that more than one person can know them. Sometimes, this is intentional; often, it’s not. The tough part is that there’s no way of knowing who, besides the password’s owner, knows a password.

Remember that knowing a password doesn’t make someone an authorized user.

Here are the two general classifications of password vulnerabilities:

  • Organizational or user vulnerabilities: This includes a lack of enforced password policies within the organization and a lack of security awareness on the part of users.

  • Technical vulnerabilities: This includes weak encryption methods and insecure storage of passwords on computer systems.

Before computer networks and the Internet, the user’s physical environment was an additional layer of password security that actually worked pretty well. Now that most computers have network connectivity, that protection is gone.

Organizational password vulnerabilities

It’s human nature to want convenience, especially when it comes to remembering five, ten, or often dozens of passwords for work and daily life. This desire for convenience makes passwords one of the easiest barriers for an attacker to overcome.

Almost 3 trillion eight-character password combinations are possible by using the 26 letters of the alphabet and the numerals 0 through 9. The keys to strong passwords are: 1) easy to remember and 2) difficult to crack. However, most people just focus on the easy-to-remember part. Users like to use such passwords as password, their login name, abc123, or no password at all!

Unless users are educated and reminded about using strong passwords, their passwords usually are

  • Easy to guess.

  • Seldom changed.

  • Reused across many systems and sites. When bad guys crack one password, they can often access other systems with that same password and username.

    Using the same password across multiple systems and websites is nothing but a breach waiting to happen. Everyone is guilty of it, but that doesn’t make it right. Do what you can to protect your own credentials and spread the word to your users about how this practice can get you into a real bind.

  • Written down in insecure places. The more complex a password is, the more difficult it is to crack. However, when users create complex passwords, they’re more likely to write them down. External attackers and malicious insiders can find these passwords and use them against you and your business.

Technical password vulnerabilities

You can often find these serious technical vulnerabilities after exploiting organizational password vulnerabilities:

  • Weak password encryption schemes. Many vendors and developers believe that passwords are safe as long as they don’t publish the source code for their encryption algorithms. Wrong! A persistent, patient attacker can usually defeat this security by obscurity (a security measure that’s hidden from plain view but can be easily overcome) fairly quickly. After the scheme is cracked, it is distributed across the Internet and becomes public knowledge.

    Password-cracking utilities take advantage of weak password encryption. These utilities do the grunt work and can crack any password, given enough time and computing power.

  • Programs that store their passwords in memory, unsecured files, and easily accessed databases.

  • Unencrypted databases that provide direct access to sensitive information to anyone with database access, regardless of whether they have a business need to know.

  • User applications that display passwords on the screen while the user is typing.
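The weak storage scheme and the easy-to-guess choices described above, as an added Python example that is not code from the article: an unsalted fast hash beside a salted, deliberately slow scheme, plus a check for the weak choices the text lists (the PBKDF2 iteration count and the sample login name are assumptions).

```python
import hashlib
import hmac
import os

# Constructed example (not the article's code). Shows why an unsalted, fast
# hash is a weak password storage scheme and what the hardened form looks like.

# Iteration count is an assumption for this example; tune it to your hardware.
PBKDF2_ITERATIONS = 200_000


def keyspace(alphabet_size, length):
    """Number of passwords of exactly `length` symbols from `alphabet_size` symbols.
    keyspace(36, 8) is the 'almost 3 trillion' eight-character figure in the text."""
    return alphabet_size ** length


def weak_store(password):
    """Weak scheme: one unsalted, fast hash. Every user with the same password
    gets the same digest, so one precomputed table matches all of them."""
    return hashlib.sha256(password.encode()).hexdigest()


def secure_store(password, salt=None):
    """Hardened scheme: random per-user salt plus a slow KDF, so precomputed
    tables do not transfer between users and every guess costs real CPU time."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return "pbkdf2-sha256$%d$%s$%s" % (PBKDF2_ITERATIONS, salt.hex(), digest.hex())


def secure_verify(password, record):
    """Recompute the KDF from the stored salt and compare in constant time."""
    scheme, iterations, salt_hex, digest_hex = record.split("$")
    if scheme != "pbkdf2-sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


def is_weak_choice(password, login):
    """Organizational check from the text: the word password, the login name,
    abc123, or no password at all."""
    p = password.lower()
    return p in {"", "password", "abc123"} or p == login.lower()


if __name__ == "__main__":
    print(keyspace(36, 8))
    print(weak_store("password") == weak_store("password"))    # same digest
    print(secure_store("password") == secure_store("password"))  # different records
```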

The National Vulnerability Database (an index of computer vulnerabilities managed by the National Institute of Standards and Technology) currently identifies over 2,500 password-related vulnerabilities! You can search for these issues to find out how vulnerable some of your systems are from a technical perspective.