4 Things Senior Execs Must Do To Evangelize Password Security



What do the words and advice of a former, highly successful CEO of IBM have in common with sound password management? The answer is surprising.

Lou Gerstner, who propelled IBM to nearly 10 years of non-stop growth and prosperity, has a poignant message for top executives at all companies. When it comes to establishing corporate culture, look at what your actions tell your employees.

As Gerstner says, “People do not do what you expect, but what you inspect.” In other words, senior execs have to walk the walk and talk the talk to get others to follow.

That is certainly the case when it comes to password management. One high-level security consultant tells a story of a recent engagement in which he performed a security audit for a company. The audit uncovered several major security flaws, including poor password management. The consultant was to present the findings to the senior staff just one day after the company's CEO had delivered a presentation at a local security conference. All senior staff were present – except for the CEO, who gave no reason for his absence.

“So what’s the message here to the rest of the company execs?” the consultant asks. “It wasn’t a message you’d want the rest of the employees to embrace regarding security!”

Brian Sprang is CIO at Quest Federal Credit Union, where employees have registered a 97% adoption rate for their comprehensive password management solution. Speaking of Quest’s senior managers, Sprang says, “They are proponents of the use of good password security and the tools we’ve provided. All of our executives have been vocal in the use of the tool and understand the vital importance of password security to our daily duties to protect our assets and member personally identifiable financial information.”

So just what should be the role of the top executives with respect to password management? It should be something like this.

Be the chief torchbearer of the message that password security is not an IT problem.

A broad belief that IT will ‘take care of all security’ flies in the face of overwhelming evidence that people, not technology, are the front line of defense against cyber attacks. Whether it is through memos, live at company meetings, via Webcasting or other means, top executives must articulate that password security is the responsibility of each individual. That is the kind of message that conveys both responsibility as well as accountability.

Actively practice what you preach.

As a senior executive, demonstrate your ‘street cred’ when it comes to password security by articulating the steps you have taken to ensure your passwords aren’t compromised. The simpler the message the better, because password management today isn’t complicated. Let it be known that you don’t reuse the same password across accounts, and that you use a password management solution to generate and store long, unique, random passwords and to change any password that has been exposed in a breach.

Stress the value of continuing education about password protection.

As with all cyber security measures, executives should personally issue calls to action encouraging continuing education and training about password security. While these sessions can be led by IT, they don’t have to be. In fact the impact of a training Webcast led by the senior executive can be very effective in elevating employee awareness of the need for password protection. As Sprang notes of the efforts of Quest’s executive team to continuously promote better password management, “I’ve relayed the reports and findings to staff members in my training documents and all staff meeting notes and highlighted the issues regarding weak password and poor password security habits.”

Arm yourself with statistics and knowledge of the cyber security environment.

The training sessions above are great places to talk about recent cyber attacks and their corresponding negative impact on organizations. Most individuals read the headlines about major attacks against mega-organizations. But with the help of research focused specifically on the cyber security challenge in the SMB, crime statistics and the impact of cybercrime become a lot more personal. Such research finds that passwords are widely held to be an essential piece of the security puzzle, yet at the same time that 60% of SMB employees use the same password for everything. Snippets such as these, doled out by senior executives, can be very compelling. At Quest, Sprang says, “I have stressed the use of unique, non-repeating, highly randomized, and maximum length passwords as vital to our security and our member data security.”

If cyber security is mission critical – and it is – then creating a culture of information security is among the most important roles executives can fulfill. And there is no substitution for leading by clear, unambiguous example.

Keeper Q&A: What You Can Learn From Michael Pound’s Scary Password-Cracking Video



Dr. Michael Pound’s current research focuses on image analysis for phenotyping crops, but you don’t have to be an expert in agriculture – or even computer science – to be frightened by this Computerphile video in which Pound demonstrates a deep-learning server called Beast at the University of Nottingham. Beast uses four parallel graphics processing units to test 10 billion hashes per second in a brute-force password crack using the hashcat password recovery utility.

In the first 15 minutes, Dr. Pound cracks nearly 30 percent of the entries in a 6,000-password list. He then uses a dictionary attack to reveal nearly half of the passwords in another file. And a computer like Beast costs about as much to build as a standard business server.

We contacted Dr. Pound, who is a computer science researcher and professor at the University of Nottingham, to get his insights on password vulnerability and what security administrators can do to better shore up their defenses. He was generous with his advice. 

How did you get interested in this topic in the first place? It seems somewhat tangential to your principal areas of focus.

Like many computer scientists, I find security inherently interesting. In this case, I was asked to teach the core security module at the university, which meant I had to thoroughly explore the area first. I’m continuing to teach this course, so I continue to keep up with modern security concerns as much as possible.

What are the most important messages you hope viewers will take away from the video?

My hope is that people who have assumed that an attack won’t happen to them might take some notice after seeing just how easy password cracking is. I’m not necessarily an expert in password cracking tools, and yet I was able to break half of the passwords in the file within a few minutes. This tells us something about the kind of passwords people use, and about how much work we need to do to educate people on this issue.

The machine you used is powerful, but hardly supercomputer capacity. How much faster could password cracking computers theoretically be?

The only limit is your finances. I think a small cluster of computers could operate perhaps 10 times faster than our server. Then nine characters may no longer be enough. Luckily for us, it’s unlikely that the criminals would bother with this kind of expenditure. There are so many ways to crack passwords even with slow machines that their time is better spent with the most vulnerable passwords, rather than trying to crack that last 25%.

Having looked at thousands of passwords in your research, what do you see as some of the most common mistakes people make?

People make the same mistakes over and over. Aside from the obvious ones, like using your own name or common words, the ways people usually attempt to make a password more secure often offers little improvement. If they add a number, it’s usually a couple of digits at the end. Or they perform a common substitution, like replacing “I” with “1.” The same is true of symbols. Common substitutions like “@” for “a” and “$” for “s”  are easily broken, yet people do that because it’s easy to remember.

You called the Rockyou list a “game-changer.” Why do you believe that’s the case?

Prior to Rockyou, attackers had intuition about the kinds of passwords people used, but still had to generate the lists themselves. Usually they’d use common dictionary words with a few rules applied. Rockyou’s list had millions of actual passwords, which can be adapted into millions more through rules changes. The number of possible password guesses that can be generated from this list is massive, and as some of the Rockyou passwords are complex, they lead to the cracking of previously “unbreakable” passwords.

The Yahoo hack is reported to have encompassed nearly half a billion passwords. Do you anticipate any fallout when that list makes it onto the Dark Web?

That would be very worrying. Rockyou may prove to have been more of an incremental change, but a half billion new passwords will allow hackers to break almost anything that doesn’t follow strict security guidelines about length and derivation. The onus will be on users to secure passwords better than ever, and on organizations to apply the best hashing algorithms.

You were pointed in your remarks about the weaknesses of the MD5 hash algorithm. What do you believe is an alternative that provides a baseline of good security?

Most modern hashing algorithms produce hashes of sufficient length to avoid naturally occurring collisions. However, as we saw in the video, we’re not waiting for these collisions to happen naturally; rather, we’re making educated guesses. An important aspect of a modern hashing function is the speed at which we can use it. PBKDF2 will perform multiple rounds of hashing using a hash function like SHA-256, so as long as the number of rounds is high enough, cracking becomes much more impractical. Other algorithms, like bcrypt, are specifically designed to be a pain to exploit on the GPU, slowing them further. The best advice I can give is to pick a hash function of suitable length and difficulty, then repeat it as many times as possible.
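The answer above recommends a slow, iterated hash such as PBKDF2 with a high round count. The following added example (mine, not code from the interview or from the Keeper blog) shows what that looks like in practice with Python's standard library: a per-password random salt, an iteration count stored beside the hash so it can be raised later, constant-time verification, a calibration helper, and a small function that makes the cost argument concrete by converting a cracking rig's raw hash rate into guesses per second against the iterated hash. The 600,000-round figure, the 16-byte salt and the record format are assumptions for this example; bcrypt is not shown because it needs a third-party package.

```python
import hashlib
import hmac
import os
import time

# Assumed parameters for this example (not from the interview): 600,000 rounds
# of PBKDF2-HMAC-SHA256 and a 16-byte random salt per password.
ITERATIONS = 600_000
SALT_BYTES = 16


def hash_password(password: str, iterations: int = ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt$derived_key.

    Storing the round count beside the hash lets you raise the cost later and
    re-hash old records the next time each user logs in.
    """
    salt = os.urandom(SALT_BYTES)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Re-derive the key with the stored salt and rounds; compare in constant time."""
    algo, iterations, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record format: {algo}")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    # compare_digest does not short-circuit, so timing does not reveal how
    # many leading bytes of the guess matched.
    return hmac.compare_digest(candidate, bytes.fromhex(dk_hex))


def needs_rehash(stored: str, minimum_iterations: int = ITERATIONS) -> bool:
    """True if a record was made with fewer rounds than the current policy."""
    return int(stored.split("$")[1]) < minimum_iterations


def attacker_guesses_per_second(raw_hashes_per_second: float, iterations: int) -> float:
    """Each guess costs roughly `iterations` hash evaluations, so a rig that
    computes raw_hashes_per_second single hashes gets only this many guesses/s."""
    return raw_hashes_per_second / iterations


def calibrate(target_seconds: float = 0.25, start: int = 50_000) -> int:
    """Double the round count until one derivation takes about target_seconds.
    Run this on the hardware that will verify logins, not on a laptop."""
    iterations = start
    while True:
        t0 = time.perf_counter()
        hashlib.pbkdf2_hmac("sha256", b"calibration", b"\x00" * SALT_BYTES, iterations)
        if time.perf_counter() - t0 >= target_seconds:
            return iterations
        iterations *= 2


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample
    print(record)
    print("verify ok: ", verify_password("correct horse battery staple", record))
    print("verify bad:", verify_password("Tr0ub4dor&3", record))
    # A Beast-class rig doing 10 billion raw hashes/s against 600k rounds:
    print("attacker guesses/s:", attacker_guesses_per_second(10e9, ITERATIONS))
    print("rounds for ~0.25 s on this machine:", calibrate())
```

The point of `attacker_guesses_per_second` is the one the answer makes: the same 10 billion-per-second machine that tears through MD5 gets on the order of ten thousand guesses per second against a 600,000-round PBKDF2 record, which turns the dictionary attack from minutes into weeks.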

What do you believe is the current minimum safe length for a secure password made up of random characters? Given what you know about the rate of advance in computer technology, what do you think the minimum safe length will be five years from now?

If your password is completely random, and includes symbols, nine characters is probably a safe position to start. Dictionary attacks aren’t effective against random passwords. A brute-force attack might get lucky at nine characters, but it’s not likely. Luckily for us, the difficulty of brute-forcing a password increases exponentially, so while nine characters might be feasible to crack in five years, 10 definitely won’t be. The vast majority of my random passwords are 12 and 16 characters long, and I use a password manager to make sure I keep track of them.

Why are dictionary cracks more effective than brute force cracks?

Since people often don’t use truly random passwords, dictionary attacks can be brutally effective. While a brute-force attack becomes challenging at eight characters – and impossible at 10 – no such restriction affects dictionary attacks. If your password comprises smaller parts, each of which happens to appear in the dictionary, it could be cracked even at 20 characters or more. As always, avoiding common words and digit combinations can help a lot here.
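The two answers above give rules of thumb (brute force is challenging at eight characters and impractical at ten; a dictionary attack ignores length and counts the parts instead). The following added example (mine, not the interviewee's or the blog's code) makes those rules of thumb checkable: it computes keyspaces at the video's 10 billion guesses per second, and it converts a wordlist-based passphrase into the equivalent random-password length, which is the number that actually matters. The 10,000-entry wordlist size and the printable-ASCII alphabet of 95 symbols are assumptions for the example.

```python
import math

# Alphabet sizes used in the estimates below.
LOWER = 26
MIXED_CASE = 52
ALNUM_MIXED = 62
PRINTABLE = 95          # printable ASCII: letters, digits and symbols
WORDLIST = 10_000       # assumed size of a small attacker wordlist
BEAST_RATE = 10e9       # the video's figure: 10 billion guesses per second

SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(length: int, alphabet_size: int) -> int:
    """Number of distinct passwords of exactly `length` symbols."""
    return alphabet_size ** length


def seconds_to_exhaust(length: int, alphabet_size: int, rate: float = BEAST_RATE) -> float:
    """Worst case for the attacker: try the whole keyspace (expected ~half)."""
    return keyspace(length, alphabet_size) / rate


def dictionary_guesses(num_words: int, wordlist_size: int = WORDLIST, mangling_rules: int = 1) -> int:
    """Guesses needed for a passphrase built from `num_words` wordlist entries.
    Mangling rules (capitalise, append a digit, l33t swaps) multiply the work,
    but the character length of the result plays no part."""
    return (wordlist_size ** num_words) * mangling_rules


def equivalent_random_length(guesses: int, alphabet_size: int = PRINTABLE) -> float:
    """Length of a fully random password over `alphabet_size` symbols that an
    attacker would need the same number of guesses to exhaust."""
    return math.log(guesses) / math.log(alphabet_size)


def describe(seconds: float) -> str:
    """Human-readable duration for the tables below."""
    if seconds < 60:
        return f"{seconds:.1f} seconds"
    if seconds < 3600:
        return f"{seconds / 60:.1f} minutes"
    if seconds < 86400:
        return f"{seconds / 3600:.1f} hours"
    if seconds < SECONDS_PER_YEAR:
        return f"{seconds / 86400:.1f} days"
    return f"{seconds / SECONDS_PER_YEAR:,.1f} years"


if __name__ == "__main__":
    print("Brute force over printable ASCII at 10 billion guesses/s:")
    for length in range(7, 13):
        print(f"  {length:2d} chars: {describe(seconds_to_exhaust(length, PRINTABLE))}")

    print("\nEight characters, by alphabet:")
    for name, size in (("lower", LOWER), ("mixed case", MIXED_CASE),
                       ("alphanumeric", ALNUM_MIXED), ("printable", PRINTABLE)):
        print(f"  {name:13s}: {describe(seconds_to_exhaust(8, size))}")

    print("\nFour words from a 10,000-word list, as the attacker sees it:")
    guesses = dictionary_guesses(4)
    print(f"  {guesses:.2e} guesses, {describe(guesses / BEAST_RATE)},"
          f" ~{equivalent_random_length(guesses):.1f} random printable characters")
```

Run as written, the table shows eight printable characters falling in about a week, nine in about two years and ten in centuries at this rate, which is the boundary the interview describes. The passphrase line is the caveat from the dictionary answer: four common words may be 20 characters long, but against a wordlist they are worth only about eight random characters.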

It’s been said that quantum computers will be able to crack 512-bit encryption algorithms in seconds. Once those machines are commercially available, will passwords even be viable anymore?

Luckily for us, and perhaps counter-intuitively, many hashing algorithms can stand up to quantum attacks. Quantum computers aren’t simply computers that run very fast; they have a unique architecture. While they are capable of quickly solving problems like integer factorization, which lies at the heart of RSA encryption, they can’t cycle through bcrypt hashes much faster than a modern machine can.

This is good news, but your system is only as secure as its weakest link. If your key exchange and encryption algorithms are compromised, then the security of your password in transit is lost. Researchers are focusing their efforts on “post-quantum” cryptography, in an attempt to move towards algorithms that resist this new technology.

Any other advice for security administrators?

I would advise administrators to begin moving away from the old security models that force users into large character sets and frequent password changes. A better approach is to educate users in the use of random and unique passwords, and provide them with access to password management software to help them. If a company enforced the use of password management software for all employees, I’d guess that we’d find the instances of weak and forgotten passwords would decrease significantly.

Keeper Customer Profile: Mike Maddaloni




Cyber security becomes more important every day as hackers continue to target users for personal information that can be sold for a profit on the dark web. With more than 10 million consumers engaged with Keeper on a daily basis, we thought it would be a good idea to find out a bit more about our customers and share how Keeper helps simplify and protect their digital lives.


What kind of files (e.g. passport, credit card numbers, photos, license, etc.) do you store in Keeper’s encrypted vault?
Well, I don’t want to divulge specifically everything, but I started by keeping copies of non-vital cards, store affinity cards and my AAA card, and now I do have copies of some vital documents I need to reference on a regular basis. I admit that at first when Keeper started offering file storage I was not immediately drawn to it, but now I rely on it on an almost daily basis.

Why did you decide to deploy a password manager?

Like everyone, you have unique logins and passwords for online services. I had this for my own personal use, plus all of my clients for my web consulting business. Using password-protected spreadsheets can only get you so far, plus you don’t have the ability to have ready access to them whenever and wherever you need them. So it’s needless to say I am using Keeper almost every day that I am using a computer.

 When did you start using Keeper?

Over 5 years – I looked and found an encrypted backup going back that far! I first started using it for my former Web consulting business, and eventually transitioned it to my own personal use.

How many passwords does Keeper store for you?

674 (as of June 14, 2016)

What is one thing you would recommend to a new Keeper user?

Although Keeper has the ability to bulk-upload information, I manually copied and pasted everything from my spreadsheets. That ensured me I was moving over actual information I would be using. As I became more reliant on Keeper, it was an added incentive to get everything I had, in multiple files, in one place. This is also a good method to follow if you are not sure you need Keeper or not.

What are two benefits you get from utilizing Keeper?

1. Cross-platform access as well as synchronization of information and files. 2. Outstanding reliability – I can’t recall a time over the five years that Keeper didn’t work, which speaks a lot for its engineering.

What features would you like to see added to Keeper in future versions?

I would like to see some additional ways to view information, such as in a grid, almost like in a spreadsheet view. As well, I would like the iPhone app to be able to choose what mobile browser I would like to open a link to.

You can follow Mike on Twitter @thehotiron.

7 Tips for Keeping Kids Safe Online for #CyberAware Month



For National #CyberAware month, we are offering 50% off the Keeper Family Plan with code “NSCAM”.


Today’s youth are often called “digital natives” because they are so comfortable with living online. But much as we may admire their proficiency with their devices, we shouldn’t forget that security is probably not top of mind.

Innocent young minds don’t grasp the concept of identity theft or understand the consequences of a ransom attack. In recognition of National Cyber Security Awareness Month, here are some things you can do to keep them – and your entire family – safe.

Keep family computers in an open area. This allows you to monitor what’s on the screen and to check back on activity later. In particular, keep an eye on chat sessions, which is where predators lurk.

Be sure security software is installed and updated. At the very least, you need anti-malware and anti-spyware packages. A password manager is also a good idea for creating and saving passwords that can’t easily be compromised by hackers.

Give children their own accounts on shared computers. This enables you to limit the software they can access and to define unique controls on each account.

Don’t permit kids to download and install software without your oversight. Free software downloads are a primary medium for spreading spyware.

Use parental controls in web browsers. These enable you to block unsafe sites, disable potentially malicious scripts and review browsing history to see what your kids have been doing when you weren’t watching. Here is a good guide to implementing parental controls in major browsers.

Have a talk. Remind kids of a few basic protections. Never click on unknown links. Never open email attachments. Never respond to chat messages from people they don’t know. Never “friend” strangers. Don’t bully others and alert parents if they suspect they are the targets of a bully.

Have logins to kids’ social accounts such as Facebook, Snapchat and anywhere else private conversations go on. This not only enables you to keep an eye on what they’re doing but to spot malicious activity by others that’s directed at them.

For additional protection you can install activity monitoring software that keeps detailed records of everything that happens on your computer. Examples include Cyber Patrol, Cybersitter, Net Nanny and SpyAgent. But if you follow the advice above, you probably don’t need additional protection.

Above all, stress to your children that your monitoring and cautionary steps are for their protection. Even if they don’t understand the risks that are out there online, they know that you have their best interests in mind.

Q&A with Benjamin Caudill: Five Most Vital Cybersecurity Considerations for the SMB



Benjamin Caudill – a veteran penetration tester - has broken into organizations, large and small, just about everywhere. In doing so, he has exposed security vulnerabilities and numerous pathways for hackers to do their worst to unsuspecting businesses.

Caudill, who was dubbed a ‘deadly force that could easily penetrate and exploit a firm’s most private files’, was always on the right side of the law – a good guy whose cyber hacking is intended to strengthen cyber defenses. Today he is also founder and CEO of Seattle-based Rhino Security Labs, where he still does penetration testing as well as application security assessments.

We recently asked Caudill to list the most vital cyber security considerations for the SMB, based on his extensive hands-on experience. Here’s what he said.

Ignore the basics – at great risk. With security, certainly in the SMB, probably 80% of the attacks and threats can be mitigated by 20% of the protections that should be in place. These aren’t the sexy ones either. They are the basics, like password control, patch management, defining policies, educating all employees about being cautious about opening emails they can’t identify, and not making your WiFi public. These basics are usually inexpensive, even free at times. Attending to basic security principles will make it very hard for the every-day hacker. Many of the successful attacks we have analyzed result from one or more of these basics simply not being followed or in place. Don’t be overwhelmed as an SMB when you read about the really big guys getting breached. They have their own problems. For the SMB, basics can and do make a big difference.

Attackers follow a path of least resistance. If you leave a door open at home, it’s not like it takes a lot of sophistication to break in. Attackers are very opportunistic. Valid email addresses, a company website, and seemingly common things can be used for malicious purposes like hosting illicit content or sending spam emails. I see it very commonly from start-ups to big companies that the sense is ‘well we aren’t a hospital or credit card company and therefore who’d want to hack into us?’  In the huge Home Depot breach a couple years ago, one famous quote attributed to company managers when employees asked for advanced security training was, “We sell hammers.” But what was stolen was data on 56 million credit cards. That mentality is seen in all sorts of companies, certainly in SMBs.

Security goes beyond the technology. In reality, technology is a minority of what the overall cyber security focus should be. People, process and culture are what matters most. We worked with a large start-up whose culture was very open in every sense. Our penetration testing showed they were just Swiss cheese when it came to information security. They pretty much had all the technology in place. But you could walk in off the street and just about stroll into the data center. There was no badging, no questioning of people. Technology was not the problem. It was their culture as it pertained to security. Do you, in the SMB, know which people, based on their specific roles, should have access to which data? We see that many if not most security problems are people or process problems. Employees must understand why security is mission-critical, and also understand their specific role in promoting it. That kind of message has to come from the top.

Know your data. We see situations where all data is protected equally, and that is not right. If you don’t know the value of your data and what is most valuable, you won’t protect it properly. As the saying goes, if you protect your toothbrushes like you protect diamonds, you are going to lose a lot more diamonds! Also you must know where your data is going. Are you sharing credit card information with an overseas partner? Do you know what their security protocols are? What governing body there is in charge should something go very wrong with that data? There is an important data sensitivity and criticality process that needs to be followed, and all too often we see this acknowledged only after a major breach.

Don’t go it alone. We typically rely on specialists for everything from building houses to doing our taxes. Doing security alone is risky. Yes the IT department can take care of firewalls and some intrusion prevention measures. But for total cyber security the SMB needs third party specialists. They have the resources, people and experience to analyze and advise. Look for a partner that really puts two-way communications at the forefront of your relationship. Don’t worry about vertical market expertise, which is maybe 5% of the security equation. And talk to your peers to see whom they like.

Password Management Is Much More Than an IT Problem



Two years ago the CIO at Quest Credit Union had no problem extending responsibility for password management beyond just the IT department. That’s because C-suite executives were already using a password management solution for personal use. Thus getting the organization aligned with an enterprise password management solution was almost automatically a shared responsibility.

There are many compelling reasons why small and mid-sized businesses (SMBs) absolutely must make password management an organization-wide effort, not just an issue delegated to IT. Unfortunately in many SMBs today, this responsibility is left entirely with IT. In doing so, these organizations run the greater risk of failing to build a risk-aware culture across the organization – an effort aimed at ensuring every employee knows exactly why cybersecurity is mission-critical today.

The landmark Ponemon Institute State of Cybersecurity in SMBs, which polled some 600 SMBs, found that 71% of respondents emphasize password protection and management as important. Surprisingly in 60% of these businesses, IT has no visibility into employee password practices. In SMBs that do have password policies, 65% do not strictly enforce them.

Could the reason be that IT alone does not have the weight or influence to affect password policy enforcement?

A recent report from PwC piles on even further. In its Global Economic Crime Survey 2016, PwC says that all too often non-IT executives are more than willing to pass the buck to IT when it comes to cybersecurity in general, of which password management is a key element.

This is wrong, PwC maintains, adding that responsibility for all aspects of cybersecurity “must be embedded within an organization’s culture.” Non-IT executives must “incorporate cybersecurity into their routine risk assessments and communicate the plan up, down and across organizational lines, ” PwC states.

Juliet Maina, an attorney who frequently writes on cybersecurity and the law, suggests that non-IT executives may put their organizations at risk if they cannot show a concerted effort to involve themselves in cybersecurity strategy, including password management. “Cybersecurity is and needs to be acknowledged as an executive level concern,” she notes. “As the leader of a company, one ought to be aware of the defense strategies that are in place, and ensure that holistic approaches are taken towards ensuring security and the protection of investments. This top-down approach is crucial for success.”

With password management being a key element of an overall cybersecurity strategy, what can be done in practical terms to begin to shift the responsibility for such strategies to a broader coalition of C-suite managers? As it turns out, IT can take the lead in this important, company-wide effort.

Educate, don’t scare. Many C-level executives shun cybersecurity involvement and responsibility because they don’t fully comprehend the supreme value of data in their own organizations – and therefore the dangers of a breach or attack. It’s easy to see why matters like data compliance and regulation might not interest them. Your job as the IT leader is to put those matters in proper context. Non-compliance, breaches and attacks have very real and very costly consequences. The PwC report shows that only 37% of organizations have a management-backed cyber incident response plan in place. Now is the time to distinguish your SMB from the majority of companies where senior management is a silent partner in password management and cybersecurity.

Cybersecurity is mostly about people. Ask most C-level SMB executives if their companies are protected and they’ll likely answer, “Sure. We got firewalls and antivirus stuff.” As the IT leader you know the reality: human error, or deliberate acts by employees, is at the root of most cybersecurity challenges. Getting senior management firmly behind a comprehensive password management strategy is one of the fastest ways of reaching virtually every single employee with a powerful, unified message that cybersecurity is everyone’s responsibility. When senior management endorses and funds such a password management strategy, every worker becomes responsible and accountable for cybersecurity.

Cybersecurity is not a one-off. It is one thing to get senior management involved in a password management and general cybersecurity strategy, and another to keep them involved. That’s why part of the education of the C-suite is the message that security is an ongoing, evolving endeavor that needs regular review meetings. These are best led by IT leaders, who are well suited to put changes to the threat environment in concrete business terms. It is this periodic engagement with senior management that can ensure password management and cybersecurity is never again considered ‘just an IT problem.’

20 Fascinating Facts about Passwords



1) These five user passwords accounted for 3.2 million of the 130 million accounts that were stolen in the Adobe hack of 2013: “123456,” “123456789,” “password,” “adobe123” and “12345678.”

2) An analysis of 11 million stolen passwords for cloud services conducted by Skyhigh Networks found that just 20 passwords constitute 10.3% of all passwords in use.

3) The minimum password length experts now recommend to avoid being compromised by brute-force cracking is 13

4) In 2012, a password-cracking expert unveiled a five-server clustered computing environment powered by 25 graphics cards that could cycle through 350 billion NTLM password guesses per second. That means it could try every possible eight-character Windows password in less than six hours. There is no record of anyone building a faster machine since.

5) About 40% of organizations store privileged and administrative passwords in a Word document or spreadsheet.

6) It would take a typical brute-force password cracking program 12 years, four months and 16 days to unscramble the random eight-character password “z7S69s@9.”

7) The same password would have taken a cracker built with 1990 technology 6,495 years.

8) In 2020 it’ll take about 9 years, six months and 18 days.

9) Experts believe a quantum computer will be able to do it in less than five seconds.

10) When people are asked to include a number in a password, the majority simply add a “1” or a “2” at the end.

11) Two-thirds of people use no more than two passwords for all their online accounts.

12) The top 10 most-used password list has barely changed in the last five years.

13) Experts says a great technique for creating a secure password is to use the first letter of each word in a phrase (esagtfcaspitutfloewiap). Mixing in a single random symbol (!*$@) dramatically improves security.

14) Thirty percent of phishing emails get opened.

15) Nine out of 10 phishing emails carried ransomware in March 2016.

16) Many experts now believe that frequent password changes actually worsen computer security, because people tend to choose minor variations of their current passwords so they’ll be easier to remember.

17) Lists of the 10,000 most frequently used passwords are publicly available. If any of yours are on one, it will fall in seconds to any common dictionary-based cracking tool once its hash leaks.

18) Retail was the most-targeted industry for phishing attacks in the first quarter of 2016, by more than a two-to-one margin over any other industry.

19) An eight-character password using only upper- or lower-case letters has about 200 billion potential combinations (26^8).

20) An eight-character password using a combination of upper- and lower-case letters has about 53 trillion potential combinations (52^8).

Proposed New York Cybersecurity Rules Merit Our Attention



Regulators in New York State are proposing tough new cybersecurity requirements for banks that could require them to spend millions of dollars on protection. We recommend you keep an eye on this proposed regulation in case it becomes a model for other states and industries.

Among the measures in the proposed regulations, which are open for public comment until Nov. 13, are requirements that banks hire a chief information security officer and implement technology to detect cyber intrusions and protect customer data. The proposal contains required minimum standards and allows companies to assess their own risks to some degree. One thing that will get the attention of top executives is that board officers or senior compliance officers will be required to certify the controls are adequate, implying that they may be personally liable if they aren’t.  

The proposed regulation by the New York State Department of Financial Services (DFS) doesn’t say how the rules would be enforced or what the penalties would be, but it notes that regulated entities “will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.” The annual re-certification rule indicates that regulators are taking this initiative seriously.

Why should you care, particularly if you aren’t a New York-based financial firm? There are several reasons:

  • The DFS is responsible for more than 1,000 New York-based banks, insurance companies and other financial services companies, including some of the largest financial firms in the world. It also regulates several large foreign banks, including Deutsche Bank and Barclays. Some of these companies are global in scope, and it’s a safe bet that the security policies they adopt at the corporate level will trickle down to subsidiaries in other regions and industries.
  • By making board-level officers directly accountable for security practices, New York regulators are attempting to raise security awareness to the highest levels of the organization. What happens in banking will affect other industries as well, particularly since many directors serve on multiple boards.
  • The DFS didn’t create this proposal in a vacuum. Regulators took pains to point out that they solicited input from more than 200 regulated banking institutions and insurance companies. They also met with a cross-section of those companies, as well as cybersecurity experts, to determine the most effective course of action. Three reports resulted from that work.

Not everyone is thrilled with this proposal, and there’s no guarantee it will survive in its current form. But the task of implementing substantive change in the way corporations secure customer data has to begin somewhere, and lower Manhattan is a pretty good start. If these regulations are effective in reducing the incidence of breaches at financial institutions, it’s likely other industries will take note as well.


How Password Crackers Work and How to Stay Protected

Cracking a password may seem like a next-to-impossible task, but you’d be surprised how easy it can be. There are dozens of password-cracking programs available, each with its own special recipe, but they all basically do one of two things: generate guesses from a dictionary of known common passwords and their variations, or try every possible combination in what is called a brute-force attack. Let’s look at how each technique works and how to protect against them.

It’s important to understand at the outset that professional password crackers aren’t trying to log in to your PayPal account. Online guessing is slow to begin with, and most services lock out repeated failed logins anyway. Rather, the pros work offline against password databases taken from breached servers, whether the operating system’s own credential store (readable once an attacker has root) or a table maintained by an individual application. Properly stored passwords are not encrypted but hashed; the trouble is that many of these files use a fast, unsalted hash such as MD5 or SHA-1, which is not much of an impediment to a determined attacker because every guess can be hashed and compared at hardware speed.

Once criminals obtain a password file they can take as many shots at it as they like. Their goal generally isn’t to crack one individual password but to run their guesses against the entire file, knocking the accounts down one by one; because each candidate is hashed once and then compared with every stored hash, a file of 100,000 unsalted hashes costs little more to attack than a single one. Modern graphics hardware makes this incredibly fast: a single high-end graphics processor in a standard desktop can test tens of billions of candidates per second against a fast hash such as MD5 or NTLM, and multi-GPU rigs reach hundreds of billions.

Published tables of password recovery speeds are truly scary. A seven-character password composed of upper- and lower-case letters and digits has about 3.5 trillion (62^7) possible values. While that may sound like a lot, a single fast desktop GPU can try all of them against an unsalted hash in an hour or two, and a multi-GPU workstation, or several PCs strung together, can finish the task in about 10 seconds.

Let’s look at the two most common password-cracking techniques.  

Dictionary Crack

This technique uses lists of known passwords, wordlist substitution and pattern checking to find commonly used passwords, or those that are discoverable with a bit of personal information. It isn’t difficult to find lists of compromised passwords. Sites like PasswordRandom.com publish them, and much larger lists are available on the dark web at little cost. A criminal can probably unlock 10% to 20% of a password file using just the 10,000 most common passwords. In fact, it has been estimated that about 75% of online adults have used one or more of the 500 most popular passwords.

A dictionary attack doesn’t decrypt anything: it hashes each candidate string and compares the result with the hashes in the file. The candidates come from wordlists plus mangling rules that produce the variations people actually use. For example, many people append numbers to their names or user names, and user names sit in plain text right next to the hashes. If a user named Robert has the password “Robert123,” a rule that appends common digit strings to the user name will find it in seconds. The software simply works through the wordlist and rules, reporting every candidate whose hash matches a stored one.

If a little information is known about people in the database, the job is even easier. For example, people frequently use the names of children, addresses, phone numbers, sports teams and birthdays as passwords, either alone or in combination with other characters. Since most people append characters to the end of the password, it’s easy for dictionary cracks to cycle through all of those likely possibilities. Social media is an attacker’s dream. People freely post personal information in their profiles or tweet repeatedly about the sports teams or celebrities they follow. These are natural paths for a dictionary crack to pursue.
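
As an added example (not code from the original article or from any product it mentions), here is the dictionary attack described above in Python: a constructed sample password file of unsalted MD5 hashes, a tiny stand-in for the 10,000-most-common list, a word assumed to have been scraped from one user’s social media, and a handful of mangling rules of the kind cracker rule files contain. Every name and password in it is constructed for illustration.

```python
import hashlib

# Constructed sample "password file": username -> unsalted MD5 hex digest.
# The plaintexts appear here only so the example is self-contained; the
# cracker below sees nothing but the digests.
SAMPLE_SHADOW = {
    "robert": hashlib.md5(b"Robert123").hexdigest(),     # username + digits
    "alice":  hashlib.md5(b"password").hexdigest(),      # on every top-N list
    "carlos": hashlib.md5(b"Cowboys2016!").hexdigest(),  # team, year, symbol
    "dana":   hashlib.md5(b"xK9#vq2Lm7$p").hexdigest(),  # random; should survive
}

# Constructed stand-in for the "10,000 most common passwords" list.
TOP_PASSWORDS = ["123456", "password", "qwerty", "letmein", "football"]

# Constructed stand-in for what an attacker scrapes from social media.
PERSONAL_INFO = {"carlos": ["cowboys"]}


def mangle(word):
    """Yield variations of a base word the way cracker rule files do:
    case changes, appended digits/years/symbols, simple leetspeak."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2016", "2016!"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = word.replace("a", "@").replace("e", "3").replace("o", "0")
    if leet != word:
        yield leet
        yield leet.capitalize()


def candidates(username, personal_words, top_list):
    """Cheapest and most likely guesses first: the username itself, then
    scraped personal words, then the common-password list, each mangled."""
    seen = set()
    for base in [username, *personal_words, *top_list]:
        for cand in mangle(base):
            if cand not in seen:
                seen.add(cand)
                yield cand


def dictionary_crack(shadow, personal_info, top_list):
    """Hash each candidate and compare it with the stored digest.
    Returns ({username: recovered_plaintext}, total_guesses_made)."""
    cracked, guesses = {}, 0
    for user, digest in shadow.items():
        for cand in candidates(user, personal_info.get(user, []), top_list):
            guesses += 1
            if hashlib.md5(cand.encode()).hexdigest() == digest:
                cracked[user] = cand
                break
    return cracked, guesses


if __name__ == "__main__":
    found, n = dictionary_crack(SAMPLE_SHADOW, PERSONAL_INFO, TOP_PASSWORDS)
    print(f"{len(found)}/{len(SAMPLE_SHADOW)} cracked in {n} guesses: {found}")
```

Three of the four accounts fall in well under 200 guesses; only the random password survives, which is the whole argument for generated passwords. Real tools do exactly this with far larger wordlists and rule sets, and at GPU speed.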


Brute Force Crack

This is just what it sounds like: a technique to reveal those stubborn passwords that can’t be unlocked by a dictionary. Today’s multi-core processors and graphics processing units have made brute-force tactics far more practical than they used to be. Machines that can be purchased for less than $1,000 are capable of testing billions of candidates per second against a fast hash. Short passwords fall first, so attackers typically use brute force to recover the five- and six-character passwords that didn’t yield to the dictionary, a process that might take only minutes to a few hours. For longer passwords, brute force and dictionary techniques are combined: a mask attack, for instance, tries only strings that fit a common structure such as one capital letter, several lower-case letters and a few digits, which shrinks the search space enormously. Some cracking software also uses rainbow tables, which are precomputed tables mapping hash values back to the passwords that produce them; they work only against unsalted hashes and are useless against a file that stores a unique random salt with each password.

How vulnerable are password files to these attacks? In 2013 the tech news site Ars Technica gave an editor with no password-cracking experience a list of about 16,000 unsalted MD5 hashes and challenged him to break as many as possible. Within a few hours, he had recovered nearly half of them. The same list was then given to some skilled crackers, one of whom recovered 90% of the passwords in about 20 hours.
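
The keyspace figures quoted in the statistics list earlier on this page (26^8, 52^8, 62^7) and the brute-force and mask attacks described in this section, as one added Python example (not the article’s own code). It exhausts a keyspace, then searches only a mask, against constructed MD5-hashed targets; the guess rate is an assumed round number, and the mask syntax mirrors hashcat’s ?l/?u/?d/?s convention with an assumed symbol set.

```python
import hashlib
import itertools
import string

# Character classes for masks, mirroring the ?l ?u ?d ?s convention of
# tools such as hashcat. The symbol set behind ?s is an assumed subset.
MASK_SETS = {
    "l": string.ascii_lowercase,
    "u": string.ascii_uppercase,
    "d": string.digits,
    "s": "!@#$%^&*",
}


def md5_hex(text):
    """Unsalted MD5, the kind of fast hash the article's speed figures assume."""
    return hashlib.md5(text.encode()).hexdigest()


def keyspace(charset_size, length):
    """Number of candidates for a fixed-length password over a charset."""
    return charset_size ** length


def crack_time_seconds(space, guesses_per_second):
    """Worst-case time to exhaust a keyspace at a given guess rate."""
    return space / guesses_per_second


def parse_mask(mask):
    """'?u?l?l?d?d' -> one character set per position; anything that is not
    a ?x token is a literal character that must appear as written."""
    sets, i = [], 0
    while i < len(mask):
        if mask[i] == "?" and i + 1 < len(mask) and mask[i + 1] in MASK_SETS:
            sets.append(MASK_SETS[mask[i + 1]])
            i += 2
        else:
            sets.append(mask[i])
            i += 1
    return sets


def mask_keyspace(mask):
    space = 1
    for s in parse_mask(mask):
        space *= len(s)
    return space


def _search(target_digest, position_sets):
    """Enumerate every combination of the per-position sets, hashing each."""
    guesses = 0
    for combo in itertools.product(*position_sets):
        guesses += 1
        cand = "".join(combo)
        if md5_hex(cand) == target_digest:
            return cand, guesses
    return None, guesses


def brute_force(target_digest, charset, max_len):
    """Try every string over charset from length 1 up to max_len.
    Returns (plaintext or None, guesses made)."""
    total = 0
    for length in range(1, max_len + 1):
        found, n = _search(target_digest, [charset] * length)
        total += n
        if found is not None:
            return found, total
    return None, total


def mask_attack(target_digest, mask):
    """Try only candidates that fit a structural guess, e.g. 'one capital,
    four lower-case letters, three digits'; far smaller than full brute force."""
    return _search(target_digest, parse_mask(mask))


if __name__ == "__main__":
    rate = 1e9  # assumed guesses/s against a fast unsalted hash on one GPU
    for cs, n in ((26, 8), (52, 8), (62, 7), (95, 8)):
        space = keyspace(cs, n)
        print(f"{cs}^{n} = {space:.3g} -> {crack_time_seconds(space, rate) / 3600:.1f} h")
    print(brute_force(md5_hex("wolf"), MASK_SETS["l"], 4))       # constructed target
    print(mask_attack(md5_hex("Cat42"), "?u?l?l?d?d"),              # constructed target
          "of", mask_keyspace("?u?l?l?d?d"))
    print("?u?l?l?l?l?d?d?d covers", mask_keyspace("?u?l?l?l?l?d?d?d"),
          "candidates vs", keyspace(95, 8), "for full 8-char brute force")
```

The last line is the point of mask attacks: an eight-character password that follows the "Capitalized word plus digits" habit lives in a space of about 12 billion candidates, not the 6.6 quadrillion that 95^8 suggests, so the mask finishes in seconds at the assumed rate.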


Some Good News and Some Bad News

If some of the statistics cited above are intimidating, rest easy. The biggest problem with password protection is that many people don’t use strong passwords. The laws of mathematics dictate that longer passwords are harder to break than short ones, and passwords made of random characters are far stronger than those that follow a recognizable pattern. A 13-character password chosen at random from letters, digits and punctuation (roughly 85 bits of entropy) is considered impractical to brute-force with today’s technology.

Unfortunately, few people can remember a random 13-character string, much less a different one for each login. Equally unfortunate, from a security perspective, is that computers keep getting faster and cracking techniques keep getting better. Five years ago, an eight-character password was considered strong enough; today it isn’t, and the length needed to stay ahead will keep rising.

This is where password management software is valuable. Password managers store passwords of any length, generate new random ones on demand, and spare the user from having to remember any of them. They can also be protected by two-factor authentication, so that a stolen or cracked master password is not enough on its own to open the vault.
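
An added Python example (not from the article or any product it mentions) of the protection side: a per-user random salt with a slow key-derivation function in place of the fast, unsalted hashes discussed in the cracking sections, plus the uniformly random generation a password manager performs and the entropy arithmetic behind the 13-character figure above. The iteration count is a demo value chosen to keep the example quick; the production value is an assumption to be taken from current published guidance.

```python
import hashlib
import hmac
import math
import os
import secrets
import string
import time

# Demo work factor. In production use the current published recommendation
# for PBKDF2-HMAC-SHA256 (assumed: several hundred thousand iterations), or
# prefer bcrypt, scrypt or Argon2 where a library is available.
ITERATIONS = 100_000
PRINTABLE = string.ascii_letters + string.digits + string.punctuation  # 94 chars


def hash_password(password, iterations=ITERATIONS, salt=None):
    """Return a self-describing record: algorithm$iterations$salt$digest.
    A fresh 16-byte random salt per user makes rainbow tables useless and
    forces an attacker to work on every account separately."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password, record):
    """Recompute with the stored salt and iteration count; compare in constant time."""
    _algo, iters, salt_hex, digest_hex = record.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(digest.hex(), digest_hex)


def generate_password(length=16, alphabet=PRINTABLE):
    """What a password manager does: uniform choice from a CSPRNG, no patterns."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Entropy of a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def cost_ratio(samples=10, iterations=ITERATIONS):
    """How many times slower one PBKDF2 guess is than one raw MD5 guess.
    Absolute timings vary by machine; the order of magnitude is the point."""
    pw, salt = b"correct horse battery staple", b"\x00" * 16
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.md5(pw).hexdigest()
    md5_time = max(time.perf_counter() - t0, 1e-9)
    t0 = time.perf_counter()
    for _ in range(samples):
        hashlib.pbkdf2_hmac("sha256", pw, salt, iterations)
    kdf_time = time.perf_counter() - t0
    return kdf_time / md5_time


if __name__ == "__main__":
    rec_a = hash_password("Robert123")
    rec_b = hash_password("Robert123")
    print("same password, different records:", rec_a != rec_b)
    print("verify ok:", verify_password("Robert123", rec_a),
          "wrong:", verify_password("Robert124", rec_a))
    print("random 13-char password:", generate_password(13),
          f"~{entropy_bits(13, len(PRINTABLE)):.0f} bits")
    print("8 lower-case letters:", f"~{entropy_bits(8, 26):.0f} bits")
    print(f"one PBKDF2 guess costs ~{cost_ratio():.0f}x one MD5 guess")
```

Two users with the same password get different records, so a cracked hash tells the attacker nothing about anyone else, and every guess now costs tens of thousands of MD5-equivalents; that is what turns "billions per second" into thousands. The user-side lesson is the entropy line: eight lower-case letters is under 38 bits, a random 13-character string is about 85.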

By the way, in case you’re wondering why password-cracking programs aren’t illegal, it’s because there are perfectly valid and legal reasons to use them. Security professionals employ these tools to audit the strength of the passwords on systems they are responsible for, and password crackers are widely used by law enforcement agencies in forensic investigations. As with any technology, these tools can be used for evil as well as for good.

5 Cybersecurity Tips For Small and Medium Sized Businesses

Today, the attention of both IT and business managers in organizations of all sizes is fixed on cybersecurity. The reason is simple: Absolutely no organization is immune to cyber attacks in an ever-growing threat environment.

This is particularly true for SMBs. A recent major study of some 600 SMBs unearthed startling findings that more than half of them had experienced a cyber attack in the last year. The origins of the attacks are many and varied, with Web-based attacks, phishing and general malware topping the list.

Managers at small businesses cannot be blamed for feeling helpless against the threats at a time when huge corporations and even government agencies cannot protect themselves. But the truth is, a few simple, common sense tips can and will go a long way to protecting your small business from attacks that are inevitable.

  1. Deploy a comprehensive password management solution. This has to be high on the to-do list, if not at the top. Why? Because all your employees use passwords. And research shows that, left to their own devices, most employees will do a poor job of proper, effective password management, thus leaving themselves and the business open to attack.

For example, employees routinely reuse the same password across multiple online accounts, so one breached site exposes the rest. They also choose simple, easy-to-remember passwords that are just as easy to guess.

Carefully chosen, a password management solution should provide IT and/or the business owner visibility into the password habits and practices of employees.  More importantly, the solution will help enforce correct password hygiene while improving employee productivity.

  2. Training is often the missing link. Cybersecurity awareness training is extremely effective in today’s threat environment. There is no excuse for omitting it in a small business because there are fewer employees to train. Training will educate employees on the most common vulnerabilities and attack points. Education should always carry a message of personal accountability so that everyone realizes they have a role to play in securing data and information assets.
  3. Cybersecurity is more than an IT issue. Security is more than just protecting computers and databases. It is about protecting the business. While one person should be responsible for security decisions, delegating cybersecurity in a small business to IT without company-wide support is often a mistake.

It is the business and financial leaders that know what data needs the most protection. Seen this way, cybersecurity is a risk management issue which IT can help address as part of a coalition of company leaders. Security should be tied to business objectives. All this and more is outside the usual purview of IT by itself.

  4. Data, data, who’s got the data? How can any business know if its data is safe if it doesn’t know where that data resides and how it is stored? That is often the case today, where various third-party and cloud providers store business data for their clients. Always ask, “Where will my data be hosted? Who has access to it? What monitoring is in place to alert me of a breach or unauthorized use? What safeguards are in place to protect me against potential rogue employees at your site?” Also carefully vet the provider’s data encryption policies and procedures. And be sure all your data is encrypted before it is stored in the cloud or anywhere online.
  5. Hackers take the path of least resistance. Often the path of least resistance is an employee-owned mobile device. Don’t allow any unencrypted company data on mobile phones, whether company-owned or BYOD. Device policies that require encryption and a lock screen to be enabled at all times limit what a lost or stolen device exposes.

Remember: Solutions for complex security challenges don’t have to be complex.