Easy-to-guess passwords still in common use: Trustwave

Security vendor finds people are still using simple passwords such as “password1” online

Fifty per cent of users, including employees, are still using simple passwords that can be easily guessed, according to Trustwave’s global security report.

It claims “password1” is the most common choice for users.

As for why this is the case, Trustwave managing consultant, Marc Bown, said it comes down to education.

“Everyone in IT security has talked about education about passwords,” he said.

“However, the feedback has been that even if someone is told to have a good password a hundred times, they still won’t do it.”

The problem is that only telling people to have a good password is not enough.

“They have to be told why they need to have a good password, because most users don’t understand,” Bown said.

The majority of users do not think passwords are a “big deal” and do not look at the “big picture to make a risk assessment” on how important their password is.

Thus, Bown said the key is to educate them on why they need a good password, as well as how to get one.

“Most people complain about changing their password and not being able to remember it, because it needs to be a stupid combination of numbers and letters,” he said.

“What we know as an industry is that it doesn’t need to be a stupid combination of numbers and letters, as that does not really slow down an attacker much.”

Instead, it is really about the length of the password, so Bown said the most important thing a user can do is to pick a longer password.

“Teaching users how to pick a longer password and how to remember it, such as a sentence, is a thing that we can do,” he said.

Another thing that has become relevant with passwords in the last year is password re-use.

With the proliferation of online services, Bown said most users will use the same password everywhere, such as their login for work, for blogs or social networks.

“As more and more sites become compromised, there are massive username and password lists that are sourced from those compromises and available on the Internet,” he said.

For that reason, Bown said it is important for people not to use the same passwords on services that could become compromised, thereby disclosing their password.

“People are looking at those password lists and using them to crack into other services to target individuals,” he said.

Other key findings in the report included an average of 210 days from the time of a security compromise to the time of detection.

“It’s a really long time and an attacker can do a lot in that period, because they’re not being detected,” Bown said.

Mobile menace

When it came to mobile malware, Trustwave’s report found that there was a 400 per cent increase last year, particularly on Android.

Bown attributes this number to being “about economics.”

“The attackers do this stuff for a reason, whether it is financially motivated or for an ideological reason,” he said.

On a finance front, as long as they are making money out of this, the cyber criminals will come up with methods to compromise things.

“While there may be controls in place to prevent malware, so long as those are making money out of this, and they are, they’ll continue to do it and look for new ways,” Bown said.

So far, most of the malware Trustwave has seen on Android is SMS stealing or sending malware.

“They put an app up that looks legitimate and they will get people to download it,” Bown said.

“In the background the app will send SMS’ to premium rate numbers operated by the person who did the app.”

While Bown admits these types of activities are “not especially advanced,” he adds that the safeguards in place are “fairly rudimentary.”

“In the last 18 months, Google Play has had some controls that attempted to detect malware within applications uploaded to the marketplace, but there are a large number of third party marketplaces within the Android ecosystem,” he said.

Bown adds that it is mainly in the third party app stores where malware is being found.

Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.
