Passwords have long been a basic building block in the foundation of IT security. But our latest survey – of 200 attendees at RSA Conference 2016 – reveals that more than three-quarters (77%) of IT professionals believe passwords are failing as an IT security method. The survey divulged several possible factors for this negative attitude toward the effectiveness of passwords.
Passwords Are Easy to Crack
53% of survey respondents think that modern hacking tools could easily break passwords within their organizations. Hackers use rainbow tables and other tools to crack passwords, especially shorter passwords with few complex character variations, and gain access to systems with sensitive data.
Passwords Are Easy to Access
Almost one out of six (15%) of those surveyed are confident that they could still access their administrative credentials if they left their organizations. If privileged credentials aren’t continuously changed, it shouldn’t be a surprise if ex-employees can still gain administrative access, sometimes long after their terms of employment end.
Passwords Are Well Known
More than 1 in 10 IT pros (11%) we surveyed work in organizations that don’t always change default passwords. Many hardware devices, applications and appliances are pre-configured with default passwords that are well known. If these built-in passwords aren’t changed, they’re an inviting target for a hacker.
A New Approach to Cyber Security
What these findings seem to tell us is that if the clear majority of information security professionals think passwords are failing, perhaps we should rethink how we use them. Professional hackers often use automated tools to crack weak credentials and gain privileged access to critical systems, sometimes in just minutes. Once they have privileged access on a network, the intruders can nest there anonymously, waiting until the time is right to strike.
Cyber security professionals would be wise to counter these threats with an automated approach to securing their privileged credentials. This would involve changing them continuously and giving each account its own unique password. But the best answer to privileged password issues is to secure them with both a privileged access management solution and multi-factor authentication.
At the heart of the matter is this – 45% of respondents think that even with all the IT security technology deployed in their organizations, they’re still unable to defend against cyber attacks. This is extraordinary when you consider estimates that last year the cyber security market reached $75 billion.
Perimeter Security Tools Can Only Do So Much
Despite all these IT security purchases, costly data breaches made headlines during the past couple of years. And the frequency and severity of these breaches don’t appear to be abating. Many of these breached companies passed their regulatory compliance audits and invested in conventional perimeter security tools – like firewalls – without success. Spear phishing, zero days and other advanced threats were able to defeat their perimeter security. Once inside the perimeter, all the intruders had to do was look for credentials that let them move between systems on the network. From there they could steal sensitive data at will. That 45% figure cited above almost seems low.
For more information see http://go.liebsoft.com/rsa-conference-2016-survey.