password Archives - IT Security Guru
https://www.itsecurityguru.org/tag/password/
Feed updated: Thu, 18 May 2023 09:35:10 +0000

Time Taken For Hackers to Crack Passwords Revealed
https://www.itsecurityguru.org/2023/05/18/time-taken-for-hackers-to-crack-passwords-revealed/?utm_source=rss&utm_medium=rss&utm_campaign=time-taken-for-hackers-to-crack-passwords-revealed
Thu, 18 May 2023 09:34:45 +0000

The post Time Taken For Hackers to Crack Passwords Revealed appeared first on IT Security Guru.

New Specops Software research has measured how long it takes modern attackers to brute force user passwords. Plain-text password storage is rare these days, so attackers have to crack hashes to make use of the majority of (hashed) password leaks. With newer password-cracking hardware and software, however, the time needed to crack a password is now considerably shorter.

Darren James, Senior Product Manager at Specops Software, states “the recent headline-making news of the possibilities of AI have some security researchers and IT teams wondering what this technology means for password security. We’ve long known that passwords are vulnerable to brute force cracking attempts. Recent advancements in automation and hardware have made these attacks all the more accessible for today’s cybercriminals.”

Below is a breakdown of the time it takes to crack MD5-hashed passwords (the source presents the full figures as a table; the key points follow):
According to the research, an MD5-hashed password that mixes numbers, upper- and lower-case letters and symbols and is 10 characters long takes around 3 years to crack. At 11 characters with the same mix, that rises to 279 years, which makes it a problem for the generations that follow you rather than for you.
By contrast, if your password is only 8 characters long and only contains numbers, it will be broken ‘instantly’.

If the password has already appeared in a breach, none of this applies: attackers try known leaked passwords before any brute force, so the account falls immediately regardless of length or complexity. This is why security best practice advises against password reuse, no matter how long the password is.
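The figures above follow directly from keyspace size divided by cracking throughput. The Python below is an added example, not part of the Specops research or this post; the MD5 rate it assumes (500 billion hashes per second) and the small breached-password set are constructed for illustration, so the absolute times differ from the table while the shape is the same: an 8-digit PIN is gone instantly, each extra character from a 94-symbol alphabet multiplies the time by 94, and a password that already appears in a breach corpus is instant at any length.

```python
import hashlib
import string

# Assumed throughput of a cracking rig against raw MD5, in hashes per second.
# This is an assumption for the example, not a figure from the Specops research;
# multi-GPU rigs reach hundreds of billions of MD5 hashes per second, and the
# exact number moves the estimates up or down without changing their shape.
ASSUMED_MD5_RATE = 500_000_000_000

SECONDS_PER_YEAR = 365.25 * 24 * 3600

# Character classes, smallest first, so a password is priced by the smallest
# alphabet that covers every character in it (a digits-only password is not
# made stronger by the fact that symbols could have been used).
CHARSETS = [
    ("digits", string.digits),
    ("lower", string.ascii_lowercase),
    ("lower+digits", string.ascii_lowercase + string.digits),
    ("lower+upper", string.ascii_letters),
    ("lower+upper+digits", string.ascii_letters + string.digits),
    ("all printable", string.ascii_letters + string.digits + string.punctuation),
]

# Constructed stand-in for a breach corpus. A real check would use the SHA-1
# hashes from a leaked-password data set; storing hashes rather than plaintext
# means the corpus itself is not a ready-made wordlist.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest()
    for p in ("password", "P@ssw0rd", "Summer2023!", "qwerty123")
}


def smallest_charset(password: str) -> tuple[str, int]:
    """Return (name, alphabet size) of the smallest class covering the password."""
    for name, alphabet in CHARSETS:
        if all(ch in alphabet for ch in password):
            return name, len(alphabet)
    raise ValueError("password contains characters outside printable ASCII")


def human_time(seconds: float) -> str:
    """Coarse, human-readable duration in the style of the Specops table."""
    if seconds < 1:
        return "instant"
    if seconds < 60:
        return f"{seconds:.0f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.0f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.0f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.0f} days"
    return f"{seconds / SECONDS_PER_YEAR:.1f} years"


def estimate(password: str, rate: float = ASSUMED_MD5_RATE) -> dict:
    """Worst-case time to exhaust the password's keyspace at `rate` hashes/s.

    A password already present in the breach corpus is reported as instant
    regardless of its length: attackers run leaked lists before brute force.
    """
    breached = hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1
    name, size = smallest_charset(password)
    keyspace = size ** len(password)
    seconds = 0.0 if breached else keyspace / rate
    return {
        "length": len(password),
        "charset": name,
        "keyspace": keyspace,
        "breached": breached,
        "seconds": seconds,
        "readable": "instant (known breached password)" if breached else human_time(seconds),
    }


if __name__ == "__main__":
    for pw in ("12345678", "Summer2023!", "xK7#pQ2!mZ", "xK7#pQ2!mZv"):
        r = estimate(pw)
        print(f"{pw!r:16} {r['charset']:20} len={r['length']:2} -> {r['readable']}")
```

The breached check hashes the candidate with SHA-1 only because leaked-password corpora are commonly distributed as SHA-1 hashes; it is a lookup key, not a storage format. For real password storage the lesson of the table is that MD5 is the wrong choice: a deliberately slow, salted hash such as bcrypt, scrypt or Argon2 cuts the attacker's rate by orders of magnitude and moves every row of the table out of reach.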

The full research is published by Specops Software.

Guest blog: The death throes of the password? Key takeaways from the One Identity Infosecurity Europe survey
https://www.itsecurityguru.org/2022/08/02/guest-blog-the-death-throes-of-the-password-key-takeaways-from-the-one-identity-infosecurity-europe-survey/?utm_source=rss&utm_medium=rss&utm_campaign=guest-blog-the-death-throes-of-the-password-key-takeaways-from-the-one-identity-infosecurity-europe-survey
Tue, 02 Aug 2022 14:21:23 +0000

By Dan Conrad, AD Security and Management Team Lead at One Identity

Authentication is one of the hottest topics in cybersecurity right now. As biometrics, MFA, and a range of other authentication methods continue to threaten the password’s supremacy, we thought it was worth finding out what industry professionals thought about it all.

So that’s what we did. At InfoSecurity Europe 2022, One Identity surveyed more than 100 security and IT professionals to get a picture of how businesses and their employees approach passwords and authentication.

When asked what they consider the biggest security threat to their business, 56 percent of respondents said they believed it to be users sharing passwords for admin tasks. If that isn’t an argument for passwordless authentication, we’re not sure what is. This was followed by 25 percent of respondents believing that the biggest security threat was users clicking on malicious links or opening rogue attachments. Collectively, this means that some 80 percent of respondents believe that human error poses the largest threat to an organization’s security.

Interestingly, while the majority (62 percent) viewed educating staff as the most important factor in preventing cyber-attacks, a rapidly growing segment (30 percent) stated that adopting a zero-trust model was more important.

Moving on to multifactor authentication, we are met with some heartening statistics. 99 percent of respondents told us that their company had adopted MFA for remote access and 97 percent said that it was mandated. This confirms what we already knew – that the password as a standalone authentication method is obsolete.

When looking into users’ connections to passwords, we see some interesting results. While just over a quarter of respondents had an emotional connection to a password (28 percent), the majority said they had a favorite password (84 percent). We can infer from this that while most people don’t reuse passwords for sentimental reasons, they likely do for practical reasons. It is concerning that IT and security professionals, people who are more aware than anyone of the dangers of reusing passwords, persist in this bad habit.

This is yet another mark against the use of traditional passwords – if those in the know aren’t following best practices, how can we expect the layman to? The reality is that modern users have so many accounts that it is no longer practical to create and remember a new password for every account they set up. We’ll chalk this one up as another point in support of modern authentication methods, which eliminate these problems.

While it’s clear that users are reusing passwords, it turns out that most respondents are at least adding complexity to their passwords depending on a system’s importance (96 percent). Perhaps unsurprisingly, 76 percent saw banking or financial services as requiring a top tier password, but only 7 percent thought that work emails were deserving of the same protection. This may be an understandable perspective but doesn’t bode well for organizations that routinely share sensitive information through email.

Finally, we make it to how IT and security professionals are storing their passwords. Here, at least, we get some more heartening statistics:

  • 65 percent of respondents said they used password managers, which are generally regarded as the safest and most convenient way to keep passwords
  • 23 percent said they wrote their login details down somewhere, which, while not ideal, is safer than using one password across multiple accounts

We did, apparently, come across some cyber-savants claiming they could remember all their login details, but if anything, this suggests that they are reusing passwords for an alarming number of accounts.

The key takeaway here is that the password is on the way out. These results serve as further proof that traditional passwords by themselves are no longer fit for purpose – even leaders in the IT security space fail to follow best practices simply because it isn’t convenient. We’ve seen that businesses are implementing and mandating alternative authentication methods en masse, and it won’t be long before this trend trickles down to the rest of society.

 

With the Advent of Biometrics, Are Passwords Going Away?
https://www.itsecurityguru.org/2018/02/01/advent-biometrics-passwords-going-away/?utm_source=rss&utm_medium=rss&utm_campaign=advent-biometrics-passwords-going-away
Thu, 01 Feb 2018 16:44:28 +0000

By Jackson Shaw, VP of product management for One Identity

Facial recognition and fingerprint scanning for device authentication are no longer futuristic concepts reserved for James Bond movies. In fact, biometrics seem to be gaining ground over their inferior cousin, the password, by the day. So, why do we all still have more passwords than we would care to remember? And whatever happened to the much-hyped “death of the password”?

Three burning questions that dog the authentication discussion are:

  1. Why are we still using passwords when there are so many more secure options out there?
  2. Will biometrics ever become the standard for authentication?
  3. Assuming passwords are here, for at least a little while longer, how can I make them work for me?

 

Why are we still using passwords?

To understand why we are still using passwords, we need look no further than human nature. We like what we are comfortable with and resist change.

Since the very inception of networked computing, there has been a need for user authentication in order to access systems and data, and the easiest authentication to build into a system is the password. All you need is a directory and a few simple technologies to enforce the security. Consequently, the vast majority of systems use password authentication as the default — and in many cases, password authentication is the only option.

For those of us purchasing and implementing these applications, passwords have always been good enough… until they weren’t. The people that rely on these systems are comfortable with passwords. They have all kinds of tricks to help them remember their passwords (which, by the way, is often the reason passwords are the weak link in the security chain). And passwords are cheap – often password-based authentication is built into the systems that we rely on. Implementing a more secure or convenient authentication method will only add expense, management overhead, and possibly user dissatisfaction.

In addition, consider the fact that most organisations rely on older systems that default to password-based authentication. Switching to biometric-enabled systems can be expensive, or require long deployment and integration cycles, and often comes across as an effort to fix something that isn’t broken. When multiple legacy systems are in play, those challenges are magnified many times over.

So why are we still using passwords? My opinion is, quite simply, because it’s good enough. Until there is a compelling event, technological breakthrough, or regulatory mandate forcing the issue, passwords will remain king.

Will biometrics become the new standard?

I believe that, yes, biometrics will eventually become the new standard. But only after enough password-based breaches hit enough organisations with enough negative effect that they are forced to implement stronger forms of authentication.

But I would also argue that multi-factor authentication (an approach in which biometrics is becoming a key player) is quickly becoming “a” standard, if not “the” standard. More and more organisations today require users to supplement the single factor of something you know (the password) with a second factor: something you have (such as a smart card or OTP token) or, more recently, something you are, otherwise known as biometrics.

Since second factors of the “something you have” variety are easier to implement and more easily integrated with legacy systems, I would expect continued growth in one-time passwords (OTP) and smart card authentication, while biometrics slowly gains ground.

So maybe the correct answer to this question is: multi-factor authentication will become the standard quickly, with biometrics being incorporated into a fraction of those use cases…at least for the foreseeable future.
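The “something you have” factor the author expects to keep growing is, in the OTP case, a small shared-secret protocol. The following added example (not the author's or One Identity's code) implements RFC 6238 TOTP on top of RFC 4226 HOTP in Python and shows the two checks a verifier needs beyond generating the code: a drift window so a code from the neighbouring 30-second step is still accepted, and a last-used counter so the same code cannot be replayed. The base32 demo secret in the main block is constructed for the example.

```python
import base64
import hashlib
import hmac
import time


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, dynamically truncated."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(secret, int(at_time) // step, digits)


def secret_from_base32(encoded: str) -> bytes:
    """Authenticator apps are provisioned with base32 secrets, often shown unpadded."""
    cleaned = encoded.strip().replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def verify_totp(secret: bytes, code: str, at_time: float, last_counter: int = -1,
                step: int = 30, digits: int = 6, window: int = 1):
    """Return the time-step counter the code matched, or None if it is invalid.

    Accepts codes from `window` steps either side of now to absorb clock drift,
    compares in constant time, and rejects any counter at or below
    `last_counter`, so a code that has already been used cannot be replayed
    within its validity window. The caller persists the returned counter.
    """
    now_counter = int(at_time) // step
    for drift in range(-window, window + 1):
        candidate = now_counter + drift
        if candidate <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, candidate, digits), code):
            return candidate
    return None


if __name__ == "__main__":
    secret = secret_from_base32("JBSWY3DPEHPK3PXP")  # constructed demo secret
    now = time.time()
    code = totp(secret, now)
    print("current code:", code)
    counter = verify_totp(secret, code, now)
    print("first use accepted at counter", counter)
    replayed = verify_totp(secret, code, now, last_counter=counter)
    print("replay accepted?", replayed is not None)
```

verify_totp hands back the matched counter rather than a bare True so the server can persist it against the user and refuse anything at or below it; without that, a code phished or shoulder-surfed seconds ago is still good for the rest of its window. compare_digest keeps the comparison constant-time, and the drift window should stay small (one step) because every extra step widens the guessing space an attacker gets per attempt.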

How can I make passwords work for me?

Authentication technologies, whether passwords or biometrics, exist for one purpose – to secure access to systems and data. With the death of the password greatly exaggerated, there is a compelling need to find ways to use passwords better. In other words, we need to find ways to ensure that passwords fulfil their purpose and work for your company’s security processes. Recent NIST guidelines (SP 800-63B) offer welcome alternatives to the strict composition rules we’ve been told to abide by when setting a strong password: for example, use a long phrase rather than a distorted version of your pet’s name. However, many legacy systems simply don’t provide the flexibility to implement these dramatically different password policies. But there is hope. Here are some ideas:

  • Add multi-factor authentication. There are many options for a second or third authentication factor, and making sure the choice fits the culture of your organisation is the best way to ensure that users can gain access to their work without the extra step disrupting their workflow.
  • Reduce the number of passwords you use — but change them frequently. Much of the trouble with hacked passwords is that they are easy to discover, whether through poor practices such as never changing a password or through social engineering that makes them guessable. A single hard-to-guess password that is changed often and applies everywhere is an ideal remedy to these traditional weaknesses, and single sign-on and directory consolidation are fairly easy and common technologies that achieve this end. Two caveats: the same NIST guidance advises against forced periodic rotation, which tends to produce predictable variations, in favour of changing a password when there is evidence it has been compromised; and a single credential that unlocks everything makes multi-factor authentication on that credential essential.
  • Take advantage of all your options. When implementing new systems, be sure that they support the standards necessary for adding multi-factor authentication to the mix and ensure that the policy you enforce for accessing those systems uses all the options available to you.

So, while the death of the password may be highly exaggerated for now, authentication is evolving, and biometrics will slowly become the new standard of the future. Set yourself up today to seamlessly and securely move into the password-less world, for when it finally arrives.

How to turn Household items into a Password
https://www.itsecurityguru.org/2017/10/26/turn-household-items-password/?utm_source=rss&utm_medium=rss&utm_campaign=turn-household-items-password
Thu, 26 Oct 2017 10:36:59 +0000

Researchers are proposing that one day, household items and accessories could be used as a way to authenticate yourself online.
ORIGINAL SOURCE: ZDNet

MP Cyber Attack Further Proof That Weak Passwords Are The Biggest Threat To Data Security
https://www.itsecurityguru.org/2017/06/28/mp-cyber-attack-proof-weak-passwords-biggest-threat-data-security/?utm_source=rss&utm_medium=rss&utm_campaign=mp-cyber-attack-proof-weak-passwords-biggest-threat-data-security
Wed, 28 Jun 2017 10:19:43 +0000

Identity and Access Management specialist My1Login says that weak passwords and poor identity management are likely to have contributed to the cyber attack on MPs’ email at the weekend.
Parliament was hit by a “sustained and determined” cyber-attack last Friday, with hackers attempting to gain access to MPs’ and their staffers’ email accounts. Both houses of parliament were targeted in an attack that sought to gain access to accounts protected by weak passwords.
My1Login CEO, Mike Newman, comments: “The full facts are still to come out, but this was a determined attack to exploit weak passwords. Most passwords are very easy to break by hackers as there is a commonality to them world-wide. Moreover, people don’t take enough precautions to safeguard their passwords; they write them down; save them to their computer or make them extremely weak so they are easy to remember. This has to change.”
He added: “In my opinion, the only way to safeguard data, especially when it comes to matters of national security, is to eliminate end-users having to manage passwords altogether. Our Single Sign-On technology removes the need for end-users to manage or even know passwords, protecting against weak password use and ensuring data is kept secure”.
My1Login has recently been cited as a global leader in Identity Management by CB Insights, the analyst and technology sector research group. The company was also recently approved for the G-Cloud 9 digital framework to supply cloud services to the UK public sector.
Over 1,000 companies currently rely on My1Login’s solution, which reduces the exposure created by employees managing multiple passwords. It provides Identity and Access Management for the enterprise and removes the need for users to handle passwords by providing Single Sign-On that works with all applications, across all devices. The service works with cloud, mobile and thick-client legacy applications, which lets it address Single Sign-On even in complex enterprise environments where apps are a mix of cloud, mobile and legacy systems such as mainframes.
 
For more information please email norman@my1login.com or visit www.my1login.com.
 

Password inertia leaving UK consumers at risk of fraud, research reveals
https://www.itsecurityguru.org/2017/05/18/password-inertia-leaving-uk-consumers-risk-fraud-research-reveals/?utm_source=rss&utm_medium=rss&utm_campaign=password-inertia-leaving-uk-consumers-risk-fraud-research-reveals
Thu, 18 May 2017 10:05:36 +0000

Less than half (49%) of consumers regularly change their passwords as a way to prevent fraud, according to research from Callcredit Information Group. Yet, the majority (66%) perceive the risk of identity theft and online fraud as one of their biggest concerns around sharing personal information online.
The research*, commissioned by Callcredit Information Group as part of the Unlocking the potential of personal data report, also found that only two-thirds of consumers (65%) have a highly-secure password. That is, a mixture of upper and lower case letters, numbers and symbols.
However, the findings suggest that consumers are not widely employing other simple fraud prevention techniques. Of the 3,000 UK-based consumers surveyed, only just over half (51%) have downloaded anti-malware security software and just over a third (38%) set browser privacy settings. When shopping online, well under half, just 41%, check the authenticity of an organisation before purchase.
John Cannon, Fraud & ID Director, Callcredit Information Group, commented: “Despite a significant rise in online fraud, and concern around sharing personal information, consumers don’t appear to be adequately protecting themselves against cyber-crime. Simple techniques, such as regularly changing passwords, aren’t being implemented by a significant proportion of consumers.
“Our research suggests that there is a real need for consumer education about anti-fraud techniques. It is crucial that businesses not only monitor for fraud, but educate consumers about existing risks and fraud prevention tactics. Organisations could, for example, encourage customers to regularly check their credit report to help spot unusual activity. This is especially important given that customers’ digital identities increasingly form part of the checks that organisations perform.”
The research does show there are some steps that consumers are taking to protect themselves against fraud, with the most popular tactics being:

  • Changing social media privacy settings (34%)
  • Downloading an ad blocker (33%)
  • Deliberately sharing fake details with organisations (18%)

In addition to the above, other simple steps consumers can take to keep themselves and their identity and personal information safe online are:

  • Never use a password more than once. If a cyber-criminal were to get hold of the password for one account they may try to access others
  • Check to see if the website you’re using is genuine. Does it show a small padlock in the address bar, for example? Bear in mind that the padlock only confirms an encrypted connection, not who operates the site, so check the domain name carefully as well
  • Check your credit report, with services such as Noddle, regularly to make sure there are no new searches or lines of credit you don’t recognise
  • If a website uses two-factor authentication, make use of it. It strengthens your login security and requires two stages to confirm your identity

Centrify warns password vaults alone not enough to stop data breaches
https://www.itsecurityguru.org/2017/04/27/centrify-warns-password-vaults-alone-not-enough-stop-data-breaches/?utm_source=rss&utm_medium=rss&utm_campaign=centrify-warns-password-vaults-alone-not-enough-stop-data-breaches
Thu, 27 Apr 2017 09:28:41 +0000

Centrify, the leader in securing hybrid enterprises through the power of identity services, today announced significant enhancements to its best-in-class privileged identity management (PIM) solution to stop breaches that abuse privilege. By minimising the attack surface and controlling privileged access to the hybrid enterprise, Centrify’s new capabilities enable organisations to move from static, long-lived privilege assignments to a just-in-time model where advanced monitoring detects and alerts in real-time on the creation of backdoor accounts that make it easy to bypass a password vault.
Securing privileged access in today’s hybrid enterprise is mandatory for achieving a mature risk posture. According to The Forrester Wave: Privileged Identity Management, Q3 2016, 80 per cent of breaches leverage privileged credentials to gain access to the organisation. The increasingly hybrid nature of infrastructure, driven by the adoption of cloud-based workloads, is driving the need to secure privileged access across on-premises, private-cloud and public-cloud infrastructure and apps with a single solution. And while most PIM solutions have traditionally focused on vaulting the credentials for shared accounts on-premises, password vaults alone do not provide the level of privileged access security required to stop the breach.
“Data breaches are happening at an alarming rate and to stop them Centrify is taking a unique approach to controlling privileged access in the hybrid enterprise that simplifies the implementation of PIM best practices and strengthens an organisation’s risk posture,” said Bill Mann, chief product officer at Centrify. “By contrast, password vaults alone are not enough; best practices require organizations to add and integrate point products to the vault, which leaves gaps in security and increases risk. We’ve closed those gaps with an integrated solution that combines password vaulting with brokering of identities, MFA enforcement and just-enough privilege, all while securing remote access and monitoring all privileged sessions.”
Only a Full PIM Solution Can Stop the Breach
A recent Forrester study examined four levels of Identity and Access Management (IAM) maturity. It found a direct correlation between the number of PIM best practices an organisation has implemented and the number of security incidents it encounters. Centrify’s new PIM capabilities enable these best practices, adding to Centrify’s existing set of integrated services that help organisations increase their IAM maturity level and security posture.

  1. Establish Identity Assurance. Centrify ensures accountability by having users log in as themselves and attributing all activity to the individual. Its advanced host-based auditing capabilities now include process-level monitoring in addition to existing shell-based monitoring to attribute all activity to the individual instead of a shared account or alias. This new advanced monitoring adds a layer of security that is virtually impossible to spoof.
  2. Limit Lateral Movement:  Centrify enables organisations to reduce the attack surface by governing privileged access and ensuring users’ privileges only apply on the approved server. Now you can require access approvals for role assignment and make them short-lived.  Centrify’s proven host-based privilege management ensures that the user’s approved privileges apply only to the target system, and cannot be used across the network on other computers. And if credentials are compromised, hackers and malware will not have the privileges that would allow them to wreak havoc within your network.
  3. Institute Least Privilege: Centrify now uniquely governs access to both privileged accounts and privilege elevation via roles enabling organisations to implement true cross-platform least privilege access. Centrify lowers the risk of a security breach by granting just-in-time privilege and just-enough-privilege through temporary and time-bound access that leverages request and approval workflows. Audit trails and compliance reporting capabilities now include who has access, who approved that access and how that access was used across privileged accounts and privileged roles.
  4. Monitor Privileged Use: Centrify now monitors for the creation of backdoors whose existence makes privileged access to infrastructure convenient instead of secure. Its advanced monitoring capabilities detect such backdoors and alert in real time, through SIEM integration, on the rogue creation of SSH keys that grant privileged access while bypassing the password vault.
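The detection in point 4, SSH keys planted so that an operator can bypass the vault, reduces in practice to watching authorized_keys for entries the vault did not provision. The following is an added example, not Centrify's code: it parses authorized_keys lines (including the leading options field), fingerprints each key the way ssh-keygen -lf does, and reports any key whose fingerprint is not in the vault's approved set, flagging keys that carry no from=/command= restriction. The sample file and the three key blobs are constructed for the example and are not real keys.

```python
import base64
import hashlib
import shlex

KEY_TYPES = {
    "ssh-ed25519", "ssh-rsa", "ecdsa-sha2-nistp256", "ecdsa-sha2-nistp384",
    "ecdsa-sha2-nistp521", "sk-ssh-ed25519@openssh.com",
    "sk-ecdsa-sha2-nistp256@openssh.com",
}


def _wire_blob(key_type: bytes, key_bytes: bytes) -> str:
    """Build an SSH public-key blob: length-prefixed type, length-prefixed key material."""
    blob = (len(key_type).to_bytes(4, "big") + key_type
            + len(key_bytes).to_bytes(4, "big") + key_bytes)
    return base64.b64encode(blob).decode()


# Constructed keys: structurally valid ssh-ed25519 blobs, but the 32 key bytes are
# arbitrary, so they are not usable keys and do not belong to any real host.
KEY_VAULT = _wire_blob(b"ssh-ed25519", bytes(range(32)))
KEY_BACKUP = _wire_blob(b"ssh-ed25519", bytes(range(32, 64)))
KEY_ROGUE = _wire_blob(b"ssh-ed25519", bytes(range(64, 96)))

# Constructed authorized_keys content: one vault-provisioned key, one restricted
# automation key the vault does not know, and one bare key nobody approved.
SAMPLE_AUTHORIZED_KEYS = f"""# provisioned by the PIM vault
ssh-ed25519 {KEY_VAULT} vault-broker@pim
from="10.0.0.0/8",command="/usr/local/bin/backup",no-pty ssh-ed25519 {KEY_BACKUP} backup@build01
ssh-ed25519 {KEY_ROGUE} jdoe@laptop
"""


def fingerprint(blob_b64: str) -> str:
    """Same form as `ssh-keygen -lf`: SHA256 of the decoded blob, base64 without padding."""
    digest = hashlib.sha256(base64.b64decode(blob_b64)).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_authorized_keys(text: str) -> list[dict]:
    """Parse authorized_keys lines into fingerprinted entries with their options."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)  # honours the quoted command="..." / from="..." options
        # An options field, when present, precedes the key type.
        if tokens[0] in KEY_TYPES:
            options, key_type, blob, comment = "", tokens[0], tokens[1], " ".join(tokens[2:])
        else:
            options, key_type, blob, comment = tokens[0], tokens[1], tokens[2], " ".join(tokens[3:])
        if key_type not in KEY_TYPES:
            raise ValueError(f"line {lineno}: unrecognised key type {key_type!r}")
        entries.append({
            "line": lineno,
            "type": key_type,
            "fingerprint": fingerprint(blob),
            "comment": comment,
            "options": options,
            # from= and command= bound where a key may come from and what it may run;
            # a bare key is an unrestricted interactive login.
            "restricted": "from=" in options and "command=" in options,
        })
    return entries


def audit_authorized_keys(text: str, approved_fingerprints: set[str]) -> list[dict]:
    """Return every key the vault does not know about, in file order."""
    return [e for e in parse_authorized_keys(text)
            if e["fingerprint"] not in approved_fingerprints]


if __name__ == "__main__":
    approved = {fingerprint(KEY_VAULT)}
    for finding in audit_authorized_keys(SAMPLE_AUTHORIZED_KEYS, approved):
        flag = "restricted" if finding["restricted"] else "UNRESTRICTED"
        print(f"line {finding['line']}: unknown key {finding['fingerprint']} "
              f"({finding['comment']}) {flag}")
```

In a deployment this runs on a file-change event rather than on a schedule: an auditd watch on the relevant .ssh directories (for example `-w /root/.ssh -p wa -k ssh_keys`) or an inotify trigger supplies the event, and the approved set comes from the vault's own inventory so that the vault, not the host, is the source of truth. An unknown, unrestricted key on a privileged host is exactly the backdoor point 4 describes, and the fingerprint is what you forward to the SIEM so the alert can be matched against other hosts.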

According to the Forrester study, organisations that reach the highest levels on the maturity scale are 50 per cent less likely to have a breach. In addition, these organisations save 40 per cent in security costs over their less mature counterparts, and spend $5 million less in breach costs.

North Korea Hacked Into Emails of Seoul Officials: Report
https://www.itsecurityguru.org/2016/08/01/north-korea-hacked-into-emails-of-seoul-officials-report/?utm_source=rss&utm_medium=rss&utm_campaign=north-korea-hacked-into-emails-of-seoul-officials-report
Mon, 01 Aug 2016 10:09:19 +0000

Investigations showed 56 people — including officials at the foreign, defense and unification ministries — had their email passwords stolen by a “North Korea-operated group” from January to June, Yonhap said, citing the Supreme Prosecutors’ Office.
The prosecutors’ office could not be reached for comment by AFP.
Yonhap said the hackers set up 27 phishing sites using a free web-hosting server in January and posed as portal sites run by the foreign ministry, universities and defense-related companies to steal the passwords.
An investigation is still ongoing to see if any confidential information may have been leaked.
The latest cyber attack comes just days after South Korean police said the North stole the personal data of over 10 million customers at South Korean online shopping mall Interpark.
 
Original Source: SecurityWeek

Zero day hole can pwn millions of LastPass users, all that's needed is a malicious site
https://www.itsecurityguru.org/2016/07/27/zero-day-hole-can-pwn-millions-of-lastpass-users-all-thats-needed-is-a-malicious-site/?utm_source=rss&utm_medium=rss&utm_campaign=zero-day-hole-can-pwn-millions-of-lastpass-users-all-thats-needed-is-a-malicious-site
Wed, 27 Jul 2016 09:25:33 +0000

A dangerous zero-day vulnerability has been found in popular cloud password vault LastPass, which The Register has been told can completely compromise user accounts.
Many millions of users can right now be compromised by merely visiting a malicious website, we understand.
This allows attackers complete access to user accounts in which hundreds and thousands of passwords are stored.
Original Source: The Register
Employees – the weakest link to commercial security risks https://www.itsecurityguru.org/2016/06/20/employees-the-weakest-link-to-commercial-security-risks/?utm_source=rss&utm_medium=rss&utm_campaign=employees-the-weakest-link-to-commercial-security-risks Mon, 20 Jun 2016 09:00:09 +0000 http://www.itsecurityguru.org/?p=16197

The post Employees – the weakest link to commercial security risks appeared first on IT Security Guru.

Security breaches have become ever present within our society today, with news of breaches, such as those to baby care retailer Kiddicare and social media giant LinkedIn, gracing the front pages most mornings. With cybercriminals having an increasing presence within our rapidly evolving online society, scenarios such as the above are likely to become a more everyday occurrence unless the right measures are put in place.
The cost of the average data breach rose dramatically in the last twelve months[1], with the average cost for companies increasing to $3.79 million once lost business, compliance fines and reputational damage are taken into account. To put it another way, the average cost for each stolen record – often containing sensitive and confidential information – is $154, a number not to be sniffed at. As a result, businesses are becoming increasingly concerned about protecting the sensitive data that they hold.
Businesses need to understand how cybercriminals are increasingly gaining access to their internal systems before they can mitigate this risk. It may come as a surprise to many of you, but the days of the brute force attack are over; the bad guys wishing to infiltrate your network are now taking a much more calculated approach. According to recent research by Intel[2], internal factors are now responsible for almost half (42 per cent) of all data loss cases in the UK, demonstrating that employees are often an organisation’s weakest link when it comes to information security.
Most of this is down to phishing scams, where fraudsters attempt to acquire sensitive information, for example usernames, passwords and credit card details or steal money by masquerading as a trustworthy entity via an email, pop-up message, phone call or text message. Once a cybercriminal has an employee’s password, obtained by a phishing scam or any number of other common social engineering techniques, they can access the entire corporate network and the sensitive data held within it.
In fact it is getting so bad that UK-based Action Fraud reveals that it now receives 8,000 reports of phishing scams every month[3]. Email is by far the most common attack vector with over two thirds (68 per cent) of people who reported a phishing scam saying that is how they were contacted. This compares to 12.5 per cent of people who said they were contacted by phone, 8.9 per cent of people who reported that they received a text message and the rest claiming they were contacted in another way.
The process of phishing is often very swift too. According to a recent report by Verizon[4], it takes cybercriminals just 82 seconds to ensnare the average victim in a phishing scam, with almost a quarter (23 per cent) of people likely to open a phishing email.
Whether it’s down to human error, a phishing scam or an intentional leak, organisations of all sizes need to embrace employee education as part of their security policies. Not only will this educate employees on the risk and potentially crippling costs associated with data breaches, it will also provide insight into the types of phishing scams that they are likely to fall victim to. By doing so, employees will have an understanding of the risk that such breaches pose to the organisation and be able to alert the IT team if they are being specifically targeted.
The problem with phishing though is intensified by the fact that modern techniques are getting increasingly hard to spot for even the savviest employees. Whilst education of staff is important, it is also imperative to have a safety net so that you can understand exactly how data is moving in, around and out of your organisation.
Only by gaining greater visibility, analysis and control of all communications channels can businesses mitigate the cost of sensitive data leaving the safety of the organisation. To facilitate this, organisations need to be able to monitor each employee’s use of corporate assets at the most basic level, regardless of whether users are in-office or mobile. Cloud application control (CAC) solutions can provide businesses with this visibility and the ability to discover, analyse and control the information staff are accessing or sharing.
With the added pressures of the digital transformation impacting how and where we work, employees are increasingly opting to work outside of the traditional office environment. Because of this, businesses need to ensure that the right employees have the right access to company information and systems, no matter where they’re working from, with access privileges changing depending on whether they are in or out of the office. Multi-factor authentication can play a dominant role within an organisation’s cybersecurity strategy to help facilitate visibility of the use of cloud apps – authorised or otherwise – so that they can spot when a phishing attempt may be leading to a sustained data breach and help mitigate the associated fallout.
[1] https://www-01.ibm.com/marketing/iwm/dre/signup?source=ibm-WW_Security_Services&S_PKG=ov34982&S_TACT=000000NJ&S_OFF_CD=10000253&ce=ISM0484&ct=SWG&cmp=IBMSocial&cm=h&cr=Security&ccy=US&cm_mc_uid=01512328606014640999746&cm_mc_sid_50200000=1464099974
[2] http://www.mcafee.com/us/resources/reports/rp-data-exfiltration.pdf
[3] http://www.actionfraud.police.uk/news/action-fraud-reveals-that-it-receives-8000-reports-of-phishing-scams-every-month-mar16
[4] http://www.verizonenterprise.com/verizon-insights-lab/dbir/2016/