Much to-do is made about people choosing poor passwords to protect sensitive information in their care. Just this week, for example, a company that could well serve as the poster child for password worst practices paid the U.S. Federal Trade Commission US$250,000 for its security sins.
The company, RockYou, exposed the personal information of about 32 million of its customers to hackers in 2009. A subsequent study of that information revealed that the passwords chosen by those customers were so weak, a brute force attack using a dictionary containing 5000 of the most commonly used passwords could crack 1000 accounts every 17 minutes.
However, administrators can be as careless as the members of their flocks when it comes to password practices. In its annual data breach report [PDF] released earlier this month, Verizon found that only 42 percent of the 855 companies contributing information for the study said they do not use vendor-supplied defaults for system passwords and other security parameters. That means 58 percent of the companies use passwords that are publicly available on the Internet.
That 42 percent, by the way, is an increase over 2010 (33 percent) and 2009 (30 percent) but a decline from 2008 (49 percent).
Point Of Sale (POS) systems are particularly egregious when it comes to password vulnerabilities, the report said.
“In the 2011 caseload, we observed that for the vast majority of incidents (85%), attackers are able to compromise the victim very quickly (minutes or faster),” it said.
“This result is largely (but not exclusively) the byproduct of the many automated, quick attacks against smaller organizations in the 2011 caseload,” it added. “It just doesn’t take that long to pop a POS system using a scripted list of known usernames and passwords.”
Lists of logins and passwords may be published to the Web with good intentions. For instance, the poster of one such list observed:
“This listing is only provided as a resource to network administrators and security professionals. It is also meant to remind people that a serious problem exists when people configure a network or a computer system and do not change these passwords.”
The list contains logins and passwords for almost 400 devices and software programs from companies such as 3Com, Alcatel, Apple, Cisco, Dell, HP, IBM, Lucent, Microsoft, Netgear, Novell, Oracle, SonicWALL and Trend Micro.
With IT budgets what they are, some administrators may be hard pressed to hunt through the backwaters of their networks searching for default passwords. A promising solution to that problem was unveiled recently at the RSA Conference for security professionals held in San Francisco.
Lieberman Software, a maker of password management software based in Los Angeles, has added a “known password discovery” feature to the latest version of its Enterprise Random Password Manager. It can scan a network and detect and secure default and well-known privileged logins that make it easy for unauthorized individuals and malware to gain control of sensitive data.
The software has the ability to discover factory default passwords and alert an IT department to their existence, which can be a significant security enhancement for many large enterprises.
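The discover-then-secure idea described above can be shown in a small offline audit. The following is an added example written for this article, not code from Lieberman Software or from any vendor: it takes a constructed inventory of privileged accounts (device, username, salt and a salted SHA-256 of the password, an assumed storage scheme chosen for illustration), checks each account against a constructed list of placeholder "vendor defaults", and replaces every matching password with a random one. The device names, usernames and default strings are all made up for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Tuple

# Constructed placeholder defaults: (username, password). A real audit would use
# the organization's own vetted list of factory credentials for its equipment.
KNOWN_DEFAULTS: List[Tuple[str, str]] = [
    ("admin", "placeholder-default-1"),
    ("root", "placeholder-default-2"),
    ("service", "placeholder-default-3"),
]


def hash_password(salt: str, password: str) -> str:
    """Assumed storage scheme for this example: hex SHA-256 over salt || password."""
    return hashlib.sha256((salt + password).encode("utf-8")).hexdigest()


# Constructed inventory: (device, username, salt, stored hash). Two entries still
# carry a placeholder default; two have been changed to unique secrets.
INVENTORY: List[Tuple[str, str, str, str]] = [
    ("pos-terminal-01", "admin", "a1", hash_password("a1", "placeholder-default-1")),
    ("core-switch-02", "admin", "b2", hash_password("b2", "Str0ng!Unique#pw")),
    ("db-server-03", "root", "c3", hash_password("c3", "placeholder-default-2")),
    ("fw-edge-04", "service", "d4", hash_password("d4", "another-unique-secret")),
]


def find_default_credentials(inventory, defaults) -> List[Dict[str, str]]:
    """Return one finding per account whose stored hash matches a known default.

    Only defaults for the account's own username are tried, and the comparison
    uses a constant-time digest check so the audit tool itself leaks nothing
    about which bytes of a hash matched.
    """
    by_user: Dict[str, List[str]] = {}
    for user, pw in defaults:
        by_user.setdefault(user, []).append(pw)

    findings = []
    for device, user, salt, stored in inventory:
        for candidate in by_user.get(user, []):
            if hmac.compare_digest(hash_password(salt, candidate), stored):
                findings.append({"device": device, "user": user})
                break  # one finding per account is enough
    return findings


def rotate_flagged(inventory, findings):
    """Return a new inventory in which every flagged account gets a fresh random
    password (and a fresh salt). Unflagged accounts are returned unchanged."""
    flagged = {(f["device"], f["user"]) for f in findings}
    rotated = []
    for device, user, salt, stored in inventory:
        if (device, user) in flagged:
            new_salt = secrets.token_hex(8)
            new_password = secrets.token_urlsafe(24)  # 192 bits of randomness
            rotated.append((device, user, new_salt, hash_password(new_salt, new_password)))
        else:
            rotated.append((device, user, salt, stored))
    return rotated


def default_usage_rate(inventory, defaults) -> float:
    """Share of accounts still on a known default, the same kind of figure the
    Verizon report cites at the company level."""
    if not inventory:
        return 0.0
    return len(find_default_credentials(inventory, defaults)) / len(inventory)


if __name__ == "__main__":
    hits = find_default_credentials(INVENTORY, KNOWN_DEFAULTS)
    for h in hits:
        print(f"DEFAULT CREDENTIAL: {h['device']} user={h['user']}")
    print(f"{default_usage_rate(INVENTORY, KNOWN_DEFAULTS):.0%} of accounts on a default")
    cleaned = rotate_flagged(INVENTORY, hits)
    print(f"after rotation: {len(find_default_credentials(cleaned, KNOWN_DEFAULTS))} findings")
```

The audit never needs the plaintext of any current password; it only needs the stored hashes and the default list, which is why it can run against a configuration backup or vault export rather than against live devices. The rotation step shows why the product name says "random": once a flagged account is given a long random secret, the same check comes back clean.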