Passwords are the weakest link in enterprise IT security: study

Eighty percent of the security incidents studied by Trustwave were due to the use of weak administrative credentials.
Written by Joe McKendrick, Contributing Writer

Organizations are spending millions of dollars to beef up their data, application and network security, but still keep overlooking one obvious area of exposure: user passwords.

The Trustwave 2012 Global Security Report has just been published, identifying areas of vulnerability that persist within organizations and threaten data security. The report's authors studied more than 300 data breaches that occurred during the year 2011 across 18 countries.

The report observes that cyber attacks continue to rise unabated, and hackers are increasingly going after businesses' customer records. The risk is even greater for businesses frequented by consumers and brand name chains.

Technology solutions include Web application firewalls and network access control, as well as protections for the data itself, such as encryption and data loss prevention.

However, much of the challenge comes from organizational and management issues. In 76% of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies, the report observes. For Web-based attacks, SQL injection remains the number-one attack method for the fourth year in a row.

The report devotes most of its pages to the matter of weak password protection. Eighty percent of the security incidents studied by Trustwave were due to the use of weak administrative credentials. "The use of weak and/or default credentials continues to be one of the primary weaknesses exploited by attackers for internal propagation," the report observes. "This is true for both large and small organizations, and largely due to poor administration."

For example, in one instance, attackers were able to compromise as many as 250 unique critical systems at a single target location by exploiting duplicate credentials, the report says.

In many cases, thanks to lax or well-known default passwords, companies made it relatively easy for hackers and attackers to break in without needing sophisticated methods of attack, the report states. In fact, the password most widely used across the sites studied by Trustwave is "Password1." In addition, default passwords were used across a range of servers, network equipment, and client devices. Other common password combinations were "pitifully simple," the report's authors note -- such as administrator:password, guest:guest, and admin:admin.

Trustwave identified the top overused passwords found in its survey. Variations of “password” made up about 5% of passwords, and 1.3% used “welcome” in some form:

  1. Password1
  2. welcome
  3. password
  4. Welcome1
  5. welcome1
  6. Password2
  7. 123456
  8. Password01
  9. Password3
  10. P@ssw0rd
  11. Passw0rd
  12. Password4
  13. Password123
  14. Summer09
  15. Password6
  16. Password7
  17. Password9
  18. Password8
  19. password1
  20. Welcome2
  21. Welcome01
  22. Winter10
  23. Spring2010
  24. Summer11
  25. Summer2011

Note the prevalence of seasonal and date-related passwords. No doubt there are many systems with logins such as 'Spring12' now about to pop up.
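A password-screening check built from the patterns visible in the list above, for use when a password is set or changed. This is an added example, not code from the Trustwave report or the original article; the function name, the season list and the leetspeak map are assumptions chosen for illustration.

```python
import re

# Base words taken from the article's top-25 list ("password", "welcome").
BASE_WORDS = {"password", "welcome"}
# Assumption: season names generalized from Summer09, Winter10, Spring2010.
SEASONS = {"spring", "summer", "autumn", "fall", "winter"}
# Assumption: a small leetspeak map, enough to fold "P@ssw0rd" to "password".
LEET = str.maketrans({"@": "a", "0": "o", "1": "l", "3": "e", "$": "s", "5": "s"})
# Default username:password pairs quoted in the article.
DEFAULT_PAIRS = {("administrator", "password"), ("guest", "guest"), ("admin", "admin")}


def weak_password_reason(password, username=""):
    """Return why a candidate password should be rejected, or None if no pattern matches."""
    lowered = password.lower()
    user = username.lower()
    if (user, lowered) in DEFAULT_PAIRS:
        return "default credential pair"
    if user and lowered == user:
        return "password equals username"
    if lowered.isdigit():
        return "digits only"
    # Split off a trailing counter or year: "password01" -> ("password", "01").
    stem, suffix = re.fullmatch(r"(.*?)(\d*)", lowered, re.S).groups()
    if stem in SEASONS and len(suffix) in (2, 4):
        return "season plus year"
    # Fold leetspeak in the stem only, so trailing digits stay a counter.
    if stem.translate(LEET) in BASE_WORDS:
        return "common base word"
    return None


if __name__ == "__main__":
    # Constructed sample input: a few entries from the list plus one passphrase.
    for candidate in ["Password1", "P@ssw0rd", "Spring12", "123456",
                      "correct horse battery staple"]:
        print(f"{candidate!r}: {weak_password_reason(candidate) or 'no pattern matched'}")
```

A result of None only means that none of these patterns matched; it is not a measure of password strength.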

One of the biggest issues is the fact that many applications and devices are shipped or installed with default usernames and passwords, often with full access rights. "These default passwords are frequently not changed, which can allow an attacker to use them to gain access," states the report.

"Systems using shared administrative username and password combinations, as well as mapped drives and open-by-default Windows hidden shares, enabled attackers to quickly identify additional targets, gain credentials and administrative access and then subsequently deploy their malware. These types of attacks can propagate across an entire small network (between one and 20 devices) in less than 10 minutes."

(Photo by Joe McKendrick.)

(Cross-posted at SmartPlanet Business Brains.)
