Leading Cause of Data Loss: Weak Passwords

Worried that prying eyes may want to read what you're up to? Then you might want to think about assigning password protection to your documents. But do you know.. In August of 2012, network administrators across the globe noticed a nasty bit of malware known as “Morto”. It works by exploiting the weakest link in any enterprise’s defenses: passwords that are easy to crack. Shockingly, 10% of the cases where Morto gained entrance were Windows server products maintained by IT professionals.

This nasty bit of malware doesn’t spread by overcoming firewalls or defeating state-of-the-art security suites. The administrators of those servers are the sort of people who are supposed to understand the importance of protecting critical systems with strong passwords, but they failed to do so. In this case, a worm was gaining access to supposedly secure accounts, many of them high-level ones in corporate and government settings.

Even in this day and age, far too many users rely on simple codes, such as their birthday, their first initial and last name, or the name of their pet or spouse. This is so common that many stage magicians have worked out ways to guess a total stranger’s computer password, merely by asking him or her a few basic questions.

Password checks are like the soldiers guarding the outer perimeter of a restricted-access facility: their duty is to admit no one who lacks the proper entrance code. Still, there are plenty of programs, many of them easily found on the Internet, that enable a would-be thief to launch sustained attacks on a target’s systems by guessing the password. Most of them work by launching either a brute-force assault or a dictionary attack.

Brute-force attacks, also known as exhaustive key searches, are the less sophisticated of the two methods: they simply try every possible combination until the correct password is found. Dictionary attacks are a more nuanced approach to password cracking. They start with the most likely codes and work towards the less probable ones, relying on the word list of a dictionary in the password creator’s native language, or on some other commonly referenced source such as the Bible.

There are several key steps we can all take to help safeguard against Morto and other attempts to gain unauthorized access to our data. These include:

  1. Acceptable length – a secure password will have at least seven characters, with twelve or more being the standard for highly sensitive systems such as financial databases.
  2. Random patterns – this means avoiding words found in the dictionary. An easy way to create such a code is to make up an easy-to-remember sentence, then use the first letter of each word as the code. For instance, you might choose the sentence “Will you marry me,” leading to the string of letters “wymm,” followed by one or more digits or other keyboard characters.
  3. Mixing upper and lower case, if your system recognizes the difference – let’s go back to the example above, “wymm”. You could make the first and last letters capitals, hence “WymM”. This makes it many times more difficult for even determined hackers to penetrate.
  4. Adding digits or other symbols – let’s build on the above example again. We might be so enthused that we extend the sentence to “Will you marry me this summer!”, giving “wymmts!”. Additionally, we could top it off with a digit or two, such as “2013” (avoid using your birth year). This gives us a final code of “WymmtS13,” which, as we’ll soon see, is a challenging one to decipher.
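To show how much each of the four steps above enlarges the search space an exhaustive attack must cover, here is an added Python example (not from the original article) that scores the article’s own passwords “wymm”, “WymM” and “WymmtS13” and checks them against the four rules; the small word list is a constructed stand-in for a real dictionary.

```python
import math
import string

# Constructed mini word list standing in for the dictionary a dictionary
# attack draws from (assumption: a real list would be far larger).
COMMON_WORDS = {"password", "summer", "marry", "fluffy", "jsmith"}


def charset_size(pw: str) -> int:
    """Size of the alphabet an exhaustive search must cover for pw."""
    size = 0
    if any(c.islower() for c in pw):
        size += 26
    if any(c.isupper() for c in pw):
        size += 26
    if any(c.isdigit() for c in pw):
        size += 10
    if any(c in string.punctuation for c in pw):
        size += len(string.punctuation)  # 32 printable symbols
    return size


def search_space_bits(pw: str) -> float:
    """log2 of the number of candidates a brute-force search faces."""
    return len(pw) * math.log2(charset_size(pw))


def check_password(pw: str, sensitive: bool = False) -> list:
    """Return the article's rules that pw fails (empty list = passes)."""
    problems = []
    min_len = 12 if sensitive else 7          # rule 1: acceptable length
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters in COMMON_WORDS:                # rule 2: no dictionary words
        problems.append("dictionary word")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("no mix of upper and lower case")   # rule 3
    if not any(c.isdigit() or c in string.punctuation for c in pw):
        problems.append("no digits or symbols")             # rule 4
    return problems


if __name__ == "__main__":
    for pw in ("wymm", "WymM", "wymmts!", "WymmtS13"):
        print(f"{pw:10} {search_space_bits(pw):5.1f} bits "
              f"{check_password(pw) or 'passes all four rules'}")
```

Every extra bit doubles the number of candidates an exhaustive search must try, so the jump from about 19 bits for “wymm” to about 48 bits for “WymmtS13” is a factor of several hundred million.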

The flip side of creating such remarkably difficult passwords, of course, is the problem with remembering them all. This is especially true for those who have access to a large number of systems.

Security experts make the following recommendations in such cases:

  1. You should NEVER write down your password. However, if you do, don’t put it in an easily accessible spot, such as under a keyboard, inside an unlocked desk drawer, or even (groan!) on a sticky note stuck to your monitor. Keep it in your wallet or bag or, better still, in a locked box that only you can access.
  2. Change your passwords at least every 30 days. Alternatively, you can do what many others do and simply have one dedicated password for them all. BUT, if you do so, make absolutely certain it’s a tough nut to crack.
  3. For ultimate protection, don’t create your own password at all. Use a random code generator instead. If you write it down, be sure to use the same precautions mentioned above.

In today's environment, security should not be just a defense strategy against external threats; it should also deliver proactive protection against data loss from internal sources.