Poorly managed password security poured fuel on hacker fire in 2014

Report says lack of basic password security was a top concern among researchers and a major factor in data breaches during 2014

How do they come to be called security fundamentals when so many enterprises ignore them?

While enterprises are overlooking these building blocks, hackers surely are not, according to the IBM X-Force Threat Intelligence Quarterly released this week.

"One of the best examples of the importance of basic security fundamentals was with password security, which continues to be a major factor in data breaches," the report said. "The ability for attackers to gain access as a result of poorly managed authentication policies is concerning."

Overall in 2014, approximately one billion records of personally identifiable information (PII) were leaked online, according to the survey. (My colleague Charlie Osborne reports on the scope of the survey.)


The report said users with predictable or weak passwords, and passwords reused across the Internet and the enterprise, continue to be fertile ground for launching data breaches.

It's the weakest link in the chain: end-users (and often IT admins) opt for ease of use over security. It's a reality that continues to lengthen the poor track record of the password, and on the bright side it could help hasten new authentication methods.

The report says the millions of email addresses and plain-text passwords collected by hackers over the years are the starting points for compromising new sites, making password reuse a fatal flaw of end-users, who are putting themselves at risk for brute-force attacks against their accounts.

In March 2013, Lance Spitzner, director of the "Securing The Human" program at the SANS Institute, said password reuse was No. 2 on his list of the top seven human risks associated with computing (Phishing was No. 1). It doesn't appear much has changed in 24 months.

Last year, Dropbox reported six million user accounts were compromised and that hackers were using login data collected during other breaches at other sites as one of their tools.

A similar password reuse attack happened at Best Buy in 2012. This pattern is what the IBM X-Force report is detecting.
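The pattern the report describes, a leaked credential list replayed against a new site, leaves a recognisable trace in authentication logs: one source failing against many different accounts, with the occasional success where a password was reused. The following detection, written for this article and not part of the IBM report, aggregates constructed sample log lines (the line format is an assumption) per source IP and flags sources matching that signature, returning the accounts that succeeded from them so a defender can force a reset:

```python
import re
from collections import defaultdict

# Constructed sample auth-log lines (not from the IBM report); the line
# format "<timestamp> <OK|FAIL> user=<name> src=<ip>" is an assumption.
SAMPLE_LOG = """\
2014-11-03T10:00:01Z FAIL user=alice src=203.0.113.7
2014-11-03T10:00:02Z FAIL user=bob src=203.0.113.7
2014-11-03T10:00:02Z FAIL user=carol src=203.0.113.7
2014-11-03T10:00:03Z FAIL user=dave src=203.0.113.7
2014-11-03T10:00:04Z OK user=erin src=203.0.113.7
2014-11-03T10:00:05Z FAIL user=frank src=203.0.113.7
2014-11-03T10:01:00Z FAIL user=alice src=198.51.100.2
2014-11-03T10:01:05Z FAIL user=alice src=198.51.100.2
2014-11-03T10:01:09Z OK user=alice src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (OK|FAIL) user=(\S+) src=(\S+)$")

def parse_auth_log(text):
    """Per source IP: failure count, every username tried, and the
    usernames that logged in successfully from that source."""
    stats = defaultdict(lambda: {"failures": 0, "users": set(), "ok_users": set()})
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines not in the assumed format
        _, result, user, src = m.groups()
        s = stats[src]
        s["users"].add(user)
        if result == "OK":
            s["ok_users"].add(user)
        else:
            s["failures"] += 1
    return stats

def credential_stuffing_sources(text, min_failures=3, min_distinct_users=3):
    """Flag sources whose failures spread across many distinct accounts: a
    replayed credential list, not one user mistyping. Returns
    {src_ip: sorted accounts that logged in OK from it} (accounts to reset)."""
    flagged = {}
    for src, s in parse_auth_log(text).items():
        if s["failures"] >= min_failures and len(s["users"]) >= min_distinct_users:
            flagged[src] = sorted(s["ok_users"])
    return flagged

if __name__ == "__main__":
    for src, hits in credential_stuffing_sources(SAMPLE_LOG).items():
        print(f"{src}: credential-stuffing pattern; logins to reset: {hits}")
```

The second source in the sample (one user failing twice, then succeeding) is deliberately left unflagged: a single account retrying is ordinary user behaviour, and the distinct-user threshold is what separates it from a replayed list.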

Another soft spot, the IBM report notes, is the use of default passwords that ship with hardware and other devices.

"Several retail breaches in the last year were perpetrated by attackers who remotely accessed point-of-sale (POS) servers by using default or known log-ins to screen-sharing software used for legitimate technical support troubleshooting," the report said. "These breaches demonstrate that fundamental security practices, such as changing default account passwords, are still not being implemented adequately."

These flaws, which show disregard for security fundamentals and have had known mitigations for years, are one of the reasons the trends outlined in the IBM X-Force report will be difficult to reverse.