Why Password Management and Security Strategies Fall Short

Researchers say companies need to rethink their password training and take a more holistic approach to security.

Industry researchers have grown concerned that security pros are making it too easy for hackers to prey on people.
One says that companies need to make password management easier, while the other emphasizes a defense-in-depth approach that includes both technology and training, thereby putting less of a burden on humans.
David Jacoby, a senior security researcher at Kaspersky Lab, found in
his firms study
that for less than $50, a criminal can buy a persons full digital identity. This includes personal data stolen from social media and bank accounts, gaming websites, and streaming media accounts.
Most of the data thefts are executed via spear-phishing or by exploiting security vulnerabilities in a Web application, Jacoby says. After a successful attack, the criminal will obtain a password dump, which contains a combination of email addresses and passwords for the hacked service. Because so many people use the same password for multiple accounts, attackers can also use this information to access accounts on other platforms.
One of the big problems is that people tend to reuse passwords, Jacoby says. I think weve not done a good job training users how to develop their passwords.
The industry, he says, stresses a technical solution, such as password managers, but the tools arent always easy for people to use. While Jacoby does recommend using a password manager and better security software for those who can manage them, for most people the best passwords are phrases unique to them, followed by a punctuation mark, then a unique identifier, he says.
So multiple passwords could look something like this:
Facebook: Ilikecars!friends
Netflix: Ilikecars!movies
PayPal: Ilikecars!money
By making their passwords unique and related to specific services, most people should be able to remember them, Jacoby says. He also recommends that people search a resource such as haveIbeenpwned.com to check whether sites they have accounts with have been compromised.
If you do a search and find that one of your accounts has been hacked, dont panic,” Jacoby advises. All you can do is move forward. Start by changing your passwords on the compromised sites, and slowly shift to either a password manager or the system Ive recommended based on unique identifiers.”
Dylan Tweney, head of the research program at Valimail, adds that while more effective password management makes sense, too often security pros blame users for all their problems.
Tweney points to recent Valimail
research
, which found that when it came to detecting fraudulent emails, there was virtually no difference between the scores of those who received anti-phishing training compared with those who didnt. Out of 11 emails, those who received the training identified 4.98 and those who didnt spotted 4.97.
Valimail recommends a more balanced approach that includes training, email authentication, deploying secure email gateways, and making sure spam filters are current.
The idea is to not make humans the front line of defense, Tweney explains. By taking on a more defense-in-depth approach, the burden on the humans is less, so theres a better chance that when emails do get through, the users will be able to detect them because they wont be overwhelmed.
Related Content:
7 Most Prevalent Phishing Subject Lines
Employees Share Average of 6 Passwords With Co-Workers
Not All Multifactor Authentication Is Created Equal
Weak Admin Password Enabled Gentoo GitHub Breach

Black Hat Europe returns to London Dec 3-6 2018 with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the
conference
and
to register.

Last News
▸ ArcSight prepares for future at user conference post HP acquisition. ◂ Discovered: 07/01/2025 Category: security	▸ Samsung Epic 4G: First To Use Media Hub ◂ Discovered: 07/01/2025 Category: security	▸ Many third-party software fails security tests ◂ Discovered: 07/01/2025 Category: security

**Cyber Security Categories**
Google Dorks Database	Exploits Vulnerability	Exploit Shellcodes

CVE List

Tools/Apps

News/Aarticles

Phishing Database

Deepfake Detection

Trends/Statistics & Live Infos

Tags:
Why Password Management and Security Strategies Fall Short