Easy-to-guess passwords still in common use: Trustwave
- 13 February, 2013 11:00
Fifty per cent of users, including employees, are still using simple passwords that can be easily guessed, according to Trustwave’s global security report.
It claims “password1” is the most common choice for users.
As for why this is the case, Trustwave managing consultant, Marc Bown, said it comes down to education.
“Everyone in IT security has talked about education about passwords,” he said.
“However, the feedback has been that even if someone is told to have a good password a hundred times, they still won’t do it.”
The problem is that only telling people to have a good password is not enough.
“They have to be told why they need to have a good password, because most users don’t understand,” Bown said.
The majority of users do not think passwords are a “big deal” and do not look at the “big picture to make a risk assessment” on how important their password is.
Thus, Bown said the key is to educate them on why they need a good password, as well as how to get one.
“Most people complain about changing their password and not being able to remember it, because it needs to be a stupid combination of numbers and letters,” he said.
“What we know as an industry is that it doesn’t need to be a stupid combination of numbers and letters, as that does not really slow down an attacker much.”
Instead, what matters is the length of the password, since each extra character multiplies the space an attacker has to search, so Bown said the most important thing a user can do is to pick a longer password.
“Teaching users how to pick a longer password and how to remember it, such as a sentence, is a thing that we can do,” he said.
Another issue that has become prominent in the last year is password re-use.
With the proliferation of online services, Bown said most users will use the same password everywhere: for their work login, for blogs and for social networks.
“As more and more sites become compromised, there are massive username and password lists that are sourced from those compromises and available on the Internet,” he said.
For that reason, Bown said people should not share a password between services, since any one of them could be compromised and disclose it.
“People are looking at those password lists and using them to crack into other services to target individuals,” he said.
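The two points above (that length does more than a "stupid combination" of character classes, and that anything already on a public compromise list is burned whatever it looks like) can be made concrete with a small checker. The following is example code written for this page, not Trustwave's tooling or anything from the report. The leaked-password set is constructed, and the 7776-word dictionary size, the guess rate of 1e10 per second and the 60-bit acceptance threshold are assumptions, not figures from the article.

```python
import math

# Constructed sample standing in for the public username/password dumps the
# article describes; hypothetical entries, not taken from any real breach.
LEAKED_PASSWORDS = {"password1", "123456", "qwerty", "letmein", "welcome1"}

PUNCTUATION_SIZE = 33   # printable ASCII symbols, space included
MIN_BITS = 60.0         # assumed policy threshold, not a figure from the report


def keyspace_bits(password: str) -> float:
    """Upper bound on a brute-force search space, in bits, for an attacker who
    knows the length and which character classes were used.  It overstates the
    strength of human-chosen strings, which is exactly the trap the text warns of."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += PUNCTUATION_SIZE
    return len(password) * math.log2(alphabet) if alphabet else 0.0


def passphrase_bits(words: int, dictionary_size: int = 7776) -> float:
    """Entropy of `words` words drawn uniformly at random from a word list.
    7776 is the size of a standard Diceware list (an assumption of this example)."""
    return words * math.log2(dictionary_size)


def conservative_bits(password: str) -> float:
    """For a multi-word passphrase, do not credit the attacker with a blind
    per-character search: a word-list attack sees only the word count, so the
    smaller of the two estimates is the honest one."""
    bits = keyspace_bits(password)
    words = password.split()
    if len(words) >= 2:
        bits = min(bits, passphrase_bits(len(words)))
    return bits


def seconds_to_crack(bits: float, guesses_per_second: float = 1e10) -> float:
    """Time to exhaust the space at an assumed offline guess rate.  1e10/s is a
    stand-in for a GPU rig against a fast unsalted hash; adjust for your setting."""
    return 2.0 ** bits / guesses_per_second


def assess(password: str) -> dict:
    """Verdict on a candidate password.  A match in the compromise list is rejected
    outright, however long or 'complex' it looks, because that list is what an
    attacker tries first when re-using credentials from other breaches."""
    if password.lower() in LEAKED_PASSWORDS:
        return {"verdict": "reject", "bits": 0.0, "reason": "appears in a compromise list"}
    bits = round(conservative_bits(password), 1)
    verdict = "accept" if bits >= MIN_BITS else "weak"
    return {"verdict": verdict, "bits": bits, "reason": f"about {bits} bits of search space"}


if __name__ == "__main__":
    # An 8-character mixed-class string and a 4-word phrase land in the same
    # neighbourhood; two more words buy far more than another symbol would.
    for candidate in ("password1", "Xk7#pQ2m", "correct horse battery staple",
                      "my dog ate three shoes yesterday"):
        result = assess(candidate)
        hours = seconds_to_crack(result["bits"]) / 3600
        print(f"{candidate!r:36} {result['verdict']:7} {result['reason']} (~{hours:,.1f} h)")
```

Run as a script it shows "password1" rejected on the list check before any arithmetic, the 8-character mixed-class string and the 4-word phrase both scored in the low 50s of bits, and the 6-word sentence clearing the threshold. The comparison against the list should be the first check in any real password policy, since search-space arithmetic says nothing about a value an attacker already holds.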
Other key findings in the report included an average of 210 days passing between a security compromise and its detection.
“It’s a really long time and an attacker can do a lot in that period, because they’re not being detected,” Bown said.
When it came to mobile malware, Trustwave’s report found a 400 per cent increase last year, particularly on Android.
Bown attributes this increase to it being “about economics.”
“The attackers do this stuff for a reason, whether it is financially motivated or for an ideological reason,” he said.
On the financial side, as long as they are making money from it, cyber criminals will keep coming up with methods to compromise systems.
“While there may be controls in place to prevent malware, so long as those are making money out of this, and they are, they’ll continue to do it and look for new ways,” Bown said.
So far, most of the malware Trustwave has seen on Android is SMS stealing or sending malware.
“They put an app up that looks legitimate and they will get people to download it,” Bown said.
“In the background the app will send SMSs to premium rate numbers operated by the person who did the app.”
While Bown admits these types of activities are “not especially advanced,” he adds that the safeguards in place are “fairly rudimentary.”
“In the last 18 months, Google Play has had some controls that attempted to detect malware within applications uploaded to the marketplace, but there are a large number of third party marketplaces within the Android ecosystem,” he said.
Bown adds that it is mainly in those third party app stores that malware is being found.
Patrick Budmar covers consumer and enterprise technology breaking news for IDG Communications. Follow Patrick on Twitter at @patrick_budmar.