“12345” thoughts on securing access

Last updated: 21 March 2014

Earlier this year, I posted a somewhat comical blog on a list of the weakest passwords being used in corporations. While we all know we will have users that use “password” for their password, it never ceases to amaze me that, even with the number of recommendations and best practices available, we still see major breaches where the weak point in the security architecture was the users’ login credentials. Just this week, the Wall Street Journal reported on a ten-year-long hack of Nortel. The hackers had stolen passwords from executives and used them to gain complete access for almost a decade. Someone should tell their IT department about the need for changing passwords more frequently.

But this is not the only case of weak passwords being the culprit in a serious compromise of a network. As Parmy Olson reported in Forbes, Anonymous has targeted the Syrian government’s digital security systems, hacking the presidential mail server for the third time in recent months. Without commenting on the Syrian government’s (or any government’s, for that matter) regulation of internet access, it does act as a stark reminder to the world that two-factor authentication is a necessity, not a luxury.

The hackers published a list of 78 e-mail addresses and passwords. As with Nortel and the many other breaches that have been recently reported, the passwords were brutally simple to guess. 33 of the 78 e-mail addresses used passwords that were either “12345” or “123456” – as simple as it gets.

I have no intention of trivializing world events or making light of the serious issues digital security professionals face in their day-to-day task of protecting networks. I believe we can pause and think about what lessons can be learned from the headlines that just don’t seem to go away or slow down. Here are 5 thoughts on how to better secure the user and their access to the network:

  1. Use an additional user verification device – this is ‘something you have’, like a key card, fob or mobile device. A physical token is something you own. If you lose it, notify your supplier immediately.
  2. Use a PIN with the device – this is ‘something you know’, like a one-time password (OTP). One-time passwords are unique codes, valid for a matter of minutes, that serve the purpose of logging in somewhere securely.
  3. Use your identity – this is ‘something you are’, or rather, something unique to you, like a fingerprint or your DNA. Biometrics are frequently used in high security environments.
  4. Use a little common sense – Imagine someone trying to guess a password. The obvious choices are 123456, abcdef, abc123 and qwerty. By incorporating numbers and capital letters into passwords, you decrease the risk of a basic password being guessed.
  5. Protect your mobile devices – With cloud technology we use multiple devices to access information from a single host. Remember to sign out and password-lock all the devices you use to access confidential information.

In Mitchel Smith’s new blog Multi Factor Authentication, Adam Quart notes that “the government wages war against hackers who are not only fighting for privacy, but are the same ones leaking its confidential data”. Taking this with a pinch of salt, I’d also volunteer the point that if we choose to run our lives online, the very least we can do is choose a secure password.