Free Newsletter
Register for our Free Newsletters
Newsletter
Zones
Access Control
LeftNav
Alarms
LeftNav
Biometrics
LeftNav
Detection
LeftNav
Deutsche Zone (German Zone)
LeftNav
Education, Training and Professional Services
LeftNav
Government Programmes
LeftNav
Guarding, Equipment and Enforcement
LeftNav
Industrial Computing Security
LeftNav
IT Security
LeftNav
Physical Security
LeftNav
Surveillance
LeftNav
View All
Other Carouselweb publications
Carousel Web
Defense File
New Materials
Pro Health Zone
Pro Manufacturing Zone
Pro Security Zone
Web Lec
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
ProSecurityZone Sponsor
 
 
News

Password Cracking Deemed Childs Play

SecurEnvoy : 20 July, 2012  (Technical Article)
SecurEnvoy says over two-fifths of IT professionals believe that passwords are so insecure that children could break them using standard tools
Password Cracking Deemed Childs Play
Forty two percent of IT professionals believe that the average kid could crack most end-user’s passwords using social networking tools.  That’s the findings of a survey released today which was conducted by SecurEnvoy amongst 300 IT professionals who found that the average kids can now use social networking tools so proficiently that adults simply don’t stand a chance. Perhaps an even greater concern is that, with social networking sites a virtual Aladdin’s cave of personal information is now available.  The security industry concur that just relying on a security question - such as mother’s maiden name, first school or pet is woefully inadequate to fend against hackers – both those already practicing their craft and the far superior younger generation about to enter the workplace!

Andy Kemshall, co-founder and CTO for SecurEnvoy said, “You just have to look at the various status updates, and veritable goldmine of information, on social networking sites - such as LinkedIn and Facebook, to see how freely personal information is given away – and in fact is actively encouraged. For example, on Facebook, by labelling relatives, it wouldn’t take a genius to work out that Mrs Jane Brooks’ daughter Susan, whose uncle is Peter Jones, probably has a maiden name of Jones. Susan’s LinkedIn account will then tell us where she works, and probably includes her email address. While many won’t be able to do any more with this information, someone wanting to attack Susan’s employer could log in, answer the ‘secret’ question and reset her password to potentially get control of her credentials.”

The study found that only 16% of security professionals believe using just a ‘secret question’ for securing passwords was enough protection. Given this figure, then, what is concerning is that 21% confessed this was the practice within their organisation to reset passwords. That translates to five percent who know it’s a risk but do it anyway, and the other 16% are just naively playing with fire.

Andy continues, “The IT professionals spoken to obviously have very real security concerns. But if we’ve got a problem today then what’s going to happen tomorrow when our technology proficient kids also join in the games and enter the workforce? We need to start getting serious about security today. To do that there are two things that need to happen - firstly, we need to educate everyone to make sure they realise exactly how much their online social habits are exposing. Secondly, organisations need to wake up to very real threat of inadequate security protection – such as password resets. Just like ‘chip & pin’ has helped prevent in person credit card fraud, apps and soft tokens as part of a two factor authentication process is a very effective security measure. If we don’t wake up to the risks and start taking security seriously, rather than being shocked that some organisation or other has been breached it will become the norm and accepted as part of every day life. I don’t think I’m happy for that to happen and certainly don’t think the rest of the population should be either.”

What is two factor authentication?

Two factor authentication ((2FA)) is a way of verifying a person is who they say they are. It requires the combination of two out of three possible factors – something you know – so a username, password or PIN; something you have – a credit card or token, and something you are – fingerprint. The combination of a username and password does not constitute (2FA) as it is two types of the same factor.

Authentication tokens, first used over 30 years ago, generate a one time passcode (OTP) which can be entered as part of a (2FA) process. They are different to PIN numbers, which are static, as they change every time and will expire within a set time. However, unlike the original physical tokens of the 80s, today OTPs can be generated by apps on a smartphone or sent via SMS making their use not only easy, but also practical. An everyday example of and OTP in use is GetCash, a service launched by the Royal Bank of Scotland and NatWest last month. The system works by sending a six-digit code to the user's phone, which can then be entered into an ATM to retrieve the money. It can only be used once and expires after three hours.
Bookmark and Share
 
Home I Editor's Blog I News by Zone I News by Date I News by Category I Special Reports I Directory I Events I Advertise I Submit Your News I About Us I Guides
 
   © 2012 ProSecurityZone.com
Netgains Logo