Passwords are the weakest link in enterprise IT security: study

Summary: Eighty percent of the security incidents studied by Trustwave were due to the use of weak administrative credentials.

Organizations are spending millions of dollars to beef up their data, application and network security, but still keep overlooking one obvious area of exposure: user passwords.

The Trustwave 2012 Global Security Report has just been published, identifying areas of vulnerabilities that persist within organizations, and threaten data security. The report's authors studied more than 300 data breaches that occurred during the year 2011 across 18 countries.

The report observes that cyber attacks continue to rise unabated, and hackers are increasingly going after businesses' customer records. The risk is even greater for businesses frequented by consumers and brand name chains.

Technology solutions address both the perimeter and the applications (Web application firewalls, network access control) and the data itself (encryption, data loss prevention).

However, much of the challenge comes from organizational and management issues. In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies, the report observes. For Web-based attacks, SQL injection remains the number-one attack method for the fourth year in a row.

The report devotes most of its pages to the matter of weak password protection. Eighty percent of the security incidents studied by Trustwave were due to the use of weak administrative credentials. "The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation," the report observes. "This is true for both large and small organizations, and largely due to poor administration."

For example, in one instance, attackers were able to compromise as many as 250 unique critical systems at a single target location by exploiting duplicate credentials, the report says.

In many cases, thanks to lax or well-known default passwords, companies made it relatively easy for attackers to break in without needing any sophisticated method of attack, the report states. The password most widely used across the sites studied by Trustwave is "Password1." In addition, default passwords were in use across a range of servers, network equipment, and client devices. Other common username and password combinations were "pitifully simple," the report's authors note -- such as administrator:password, guest:guest, and admin:admin.

Trustwave identified the top overused passwords found in its survey. Variations of “password” made up about 5% of passwords and 1.3% used “welcome” in some form:

  1. Password1
  2. welcome
  3. password
  4. Welcome1
  5. welcome1
  6. Password2
  7. 123456
  8. Password01
  9. Password3
  10. P@ssw0rd
  11. Passw0rd
  12. Password4
  13. Password123
  14. Summer09
  15. Password6
  16. Password7
  17. Password9
  18. Password8
  19. password1
  20. Welcome2
  21. Welcome01
  22. Winter10
  23. Spring2010
  24. Summer11
  25. Summer2011

Note the prevalence of seasonal and date-related passwords. No doubt there are many systems with logins such as 'Spring12' now about to pop up.
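As an added example that is not from the article or from Trustwave's report, the following Python check folds the patterns described above (a capital letter or a digit, year or season suffix bolted onto a base word, and leet substitutions such as "P@ssw0rd") back to their base word and rejects them, then runs over the article's top-25 list. The banned-word set, the leet mapping, the season list and the 12-character minimum are assumptions of this example, not values taken from the report.

```python
import re

# Base words that dominate the article's top-25 list, plus the default account
# names it quotes (administrator:password, guest:guest, admin:admin).
# Assumption: this set is ours, not a list published by Trustwave.
BANNED_BASES = {"password", "welcome", "admin", "administrator", "guest"}
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}

# Undo common leet substitutions so "P@ssw0rd" and "Passw0rd" fold back to "password".
# Assumption: this mapping is ours, not a table from the report.
LEET_TO_PLAIN = str.maketrans({
    "@": "a", "4": "a", "0": "o", "1": "l", "!": "i",
    "3": "e", "$": "s", "5": "s", "7": "t",
})

# Trailing run of digits, punctuation or underscores: the "1", "01", "2010"
# tails that users append to satisfy a "must contain a digit" rule.
TRAILING_RUN = re.compile(r"[\W\d_]+$")


def split_candidate(pw):
    """Return (base, suffix): base is the leading word, lowercased with leet undone;
    suffix is whatever trailing digits/punctuation were appended to it."""
    core = TRAILING_RUN.sub("", pw)
    suffix = pw[len(core):]
    base = core.lower().translate(LEET_TO_PLAIN)
    return base, suffix


def weakness(pw, min_len=12):
    """Return a human-readable reason to reject the password, or None if it passes.
    Pattern checks run before the length check so the reason names the pattern."""
    base, suffix = split_candidate(pw)
    if not base:
        return "digits or symbols only"
    if base in BANNED_BASES:
        return f"variant of banned word '{base}'"
    if base in SEASONS and suffix:
        return f"season followed by a date-like suffix '{suffix}'"
    if len(pw) < min_len:
        return f"shorter than {min_len} characters"
    return None


def audit(candidates):
    """Map each candidate password to its rejection reason (None means accepted)."""
    return {pw: weakness(pw) for pw in candidates}


# The 25 most-used passwords from the Trustwave 2012 report, as listed in the article.
TRUSTWAVE_TOP_25 = [
    "Password1", "welcome", "password", "Welcome1", "welcome1", "Password2",
    "123456", "Password01", "Password3", "P@ssw0rd", "Passw0rd", "Password4",
    "Password123", "Summer09", "Password6", "Password7", "Password9", "Password8",
    "password1", "Welcome2", "Welcome01", "Winter10", "Spring2010", "Summer11",
    "Summer2011",
]


if __name__ == "__main__":
    for pw, reason in audit(TRUSTWAVE_TOP_25).items():
        print(f"{pw:<14} rejected: {reason}")
    # A long passphrase with no banned base word and no season/date tail passes.
    print("correct horse battery staple ->", weakness("correct horse battery staple"))
```

Every entry in the list is rejected by a pattern rule rather than by length alone, which is the point: a policy that only counts characters and character classes accepts "Password1" and "Spring2010" while this one names the pattern so the user learns what to avoid. Normalising before the banned-word lookup is what catches the leet and capitalisation variants; a plain blocklist would need one entry per spelling.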

One of the biggest issues is the fact that many applications and devices are shipped or installed with default usernames and passwords, often with full access rights. "These default passwords are frequently not changed, which can allow an attacker to use them to gain access," states the report.

"Systems using shared administrative username and password combinations, as well as mapped drives and open-by-default Windows hidden shares, enabled attackers to quickly identify additional targets, gain credentials and administrative access and then subsequently deploy their malware. These types of attacks can propagate across an entire small network (between one and 20 devices) in less than 10 minutes."

(Photo by Joe McKendrick.)

(Cross-posted at SmartPlanet Business Brains.)

  • Make strong random passwords & force users to type them in until remembered

    Biological/muscle memory will then make it easy from then on.
    • Good luck

      LoL, Good luck getting users to go with that. Kudos if you are able to get it right, but most users won't. :)

      We cycle passwords at intervals, so will you be willing to sit with 300 users each month to force them to remember a password? (Yes, the cycling will still happen.)
  • blank logins

    As a consultant, I found out that more than half of my clients had blank passwords, especially the administrators. Strangely, the users themselves had passwords, weak to strong.
    When compiling a report, I make a hypothetical scenario of what could happen if the system were hacked, and of course how much it would cost to fix it and the cost of the users' inactivity, without counting the loss of clients.
    Vasco (IT-VFG)
  • Relative costs

    This is the kind of stuff that tends to happen when you hire the individual who will work the cheapest rather than finding someone who knows how to do the job properly.

    Attaching devices with default usernames/passwords? Really? The first thing that should be done is attaching it to a non-attached device and changing those. Anyone who is not doing so should not be working with company computer systems.

    And not auditing user passwords on the systems on a regular basis? There are automated tools to handle this for you so there is no excuse for not doing it. Or you can set up password policies in such a manner that a new password will not be accepted if it is not strong enough or would easily succumb to a hybrid dictionary-brute attack.