Weak passwords allow hackers in
26 May 2014, 13:59
Cape Town - Weak passwords are one of the primary weaknesses that allow hackers to compromise accounts, says a security expert.
"People don't want to remember more than one password. It boils down to human nature - as long as you meet company policy, then you're okay," Andrew Kirkland, Trustwave regional director for Africa told News24.
The 2014 Trustwave Global Security Report found that weak passwords contributed to 31% of intrusions the company investigated in 2013.
The most commonly used password was "123456", followed by "123456789", "1234" and "password".
"It is a very big problem, and I'll tell you why: People are lazy. So if your company policy says to you that you've got to use a minimum of eight characters… users themselves, because they work for the company, they don't really care," said Kirkland.
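The point Kirkland makes is that a password can satisfy a minimum-length rule and still be trivially guessable. As an illustration added to this article (it is not code from Trustwave or News24), the Python below contrasts a length-only policy with a screen that also rejects the common passwords named in the report, simple sequences and cosmetic variants such as "Password1!". The blocklist is a small constructed sample; a real deployment would load a large breach-derived list.

```python
"""Screen a candidate password the way a length-only policy does not.

A length-only policy accepts "12345678". The screen below also rejects
passwords that appear on a blocklist (after normalising case, trailing
digits/symbols and common letter-for-digit substitutions), passwords that
are a single ascending or descending character sequence, and passwords
made of one repeated character.
"""
import re

# Constructed sample blocklist: the four passwords the article names plus a
# few equally common ones. Replace with a large breach-derived list in practice.
COMMON_PASSWORDS = {
    "123456", "123456789", "1234", "password",
    "12345678", "qwerty", "password1", "letmein",
}

# Common substitutions users make to "strengthen" a word without changing it.
LEET = str.maketrans({
    "@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
    "0": "o", "$": "s", "5": "s", "7": "t",
})


def meets_length_policy(pw, minimum_length=8):
    """The naive corporate rule from the article: length and nothing else."""
    return len(pw) >= minimum_length


def candidate_forms(pw):
    """Return the set of normalised spellings to look up in the blocklist."""
    lower = pw.lower()
    # Strip a leading/trailing run of digits or symbols: "password1!" -> "password".
    stripped = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", lower)
    forms = {lower, stripped, lower.translate(LEET), stripped.translate(LEET)}
    forms.discard("")
    return forms


def is_sequential(pw):
    """True when every adjacent character pair steps by exactly +1 or -1,
    e.g. "12345678", "abcdefgh" or "87654321"."""
    if len(pw) < 4:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def is_repeated(pw):
    """True for passwords such as "aaaaaaaa"."""
    return len(set(pw)) == 1


def screen_password(pw, minimum_length=8, blocklist=COMMON_PASSWORDS):
    """Return the list of reasons the password is rejected; an empty list means accepted."""
    reasons = []
    if not meets_length_policy(pw, minimum_length):
        reasons.append("shorter than %d characters" % minimum_length)
    if candidate_forms(pw) & blocklist:
        reasons.append("on the common-password blocklist")
    if is_sequential(pw):
        reasons.append("sequential characters")
    if is_repeated(pw):
        reasons.append("single repeated character")
    return reasons


if __name__ == "__main__":
    for pw in ("12345678", "P@ssw0rd1!", "aaaaaaaa", "correct horse battery staple"):
        print("%-30s length policy: %-5s screen: %s"
              % (repr(pw), meets_length_policy(pw), screen_password(pw) or "accepted"))
```

Running the block shows that "12345678" and "P@ssw0rd1!" both pass the eight-character rule yet are rejected by the screen, while a long passphrase passes both. The normalisation step matters: without it, a blocklist lookup would miss the capitalised, suffixed or substituted variants users reach for when a policy forces a change.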
Poor security habits
As news emerges from the US accusing Chinese officials of conducting a wide-ranging hacking campaign, it emerged that the alleged hackers used mundane deceptions to trick company officials into opening the "cyber door" to intruders.
According to the US Justice Department, employees opened a number of attachments which installed malware onto internal networks.
Kirkland said that new computer users were unfamiliar with the dangers associated with being on the internet.
"I think that the general user out there who's being introduced to a computer, who's being introduced to social networking - they don't really understand the issues that it comes with."
[Photo caption: Weak passwords allow hackers to easily compromise computers and steal personal information. (Duncan Alfreds, News24)]
Kirkland said that poor security habits at work would evolve into similar private habits, especially as more people used websites and platforms which required password access.
"For me the most scary part of that is that '123456' becomes the password not only in your corporate environment, but it becomes our password in multiple sites. These people tend to want to only remember one password and use that password across their entire personal landscape, including their corporate environment."
US online giant eBay reported that up to 145 million users were potentially affected by a hacking breach that compromised user names, passwords and other personal data, though the company insisted that credit card numbers were not affected.
Trustwave said that computer users sometimes wrote passwords down or stored them in an unencrypted form.
"The first thing that stands out for me is education. Every company should take the responsibility to educate their employees about security - not only about meeting company policy - but about security in general so they have a habit: They apply the same principle when they go home," said Kirkland.
He added that companies should test their systems, since the report found that 71% of breached firms did not detect the break-in themselves.
[Photo caption: Spam is the primary method of delivering malware. (Duncan Alfreds, News24)]
Trustwave also said that at least a quarter of internet users had identical usernames and passwords for multiple sites. Potentially, this makes it easy for cyber criminals, especially when they are targeting specific individuals in what is known as spear phishing.
Attackers using this method will tailor their deception so that the victim believes the communication to be genuine.
At least 59% of spam contained a malicious attachment and 41% contained links designed to compromise a computer.
Some of the most common subject lines include: "Some Important Information is missing"; "Bank Statement. Please read"; "Important - Payment Overdue", Trustwave said in its report.
"Until we as a worldwide community understand what this means, I think it's going to be very difficult to try and get rid of this problem," said Kirkland.