Why Password Management and Security Strategies Fall Short

Published: 23/11/2024   Category: security




Researchers say companies need to rethink their password training and take a more holistic approach to security.



Two industry researchers argue that security teams are making it too easy for attackers to prey on people.
One says companies need to make password management easier for users; the other argues for a defense-in-depth approach that combines technology with training, so that less of the burden falls on humans.
David Jacoby, a senior security researcher at Kaspersky Lab, found in his firm's study that for less than $50 a criminal can buy a person's full digital identity: personal data stolen from social media and bank accounts, gaming websites, and streaming media accounts.
Most of the data thefts are executed via spear-phishing or by exploiting security vulnerabilities in a Web application, Jacoby says. After a successful attack, the criminal obtains a password dump containing pairs of email addresses and passwords for the hacked service. Because so many people use the same password for multiple accounts, attackers can use this information to access accounts on other platforms as well.
"One of the big problems is that people tend to reuse passwords," Jacoby says. "I think we've not done a good job training users how to develop their passwords."
The industry, he says, stresses technical solutions such as password managers, but the tools aren't always easy for people to use. While Jacoby does recommend a password manager and better security software for those who can manage them, for most people the best passwords are phrases unique to them, followed by a punctuation mark, then a service-specific identifier, he says.
A set of passwords built this way could look something like this:
Facebook: Ilikecars!friends
Netflix: Ilikecars!movies
PayPal: Ilikecars!money
Because the passwords are unique yet tied to the service they protect, most people should be able to remember them, Jacoby says. He also recommends checking a resource such as haveIbeenpwned.com to see whether sites they have accounts with have been breached.
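One check worth running on the scheme above, as an added example that is not part of the article or of Jacoby's material: with a shared phrase and a visible service word, a single leaked password reveals the stem, and the other services' passwords are one word substitution away. The Python script below (the sample accounts and the service-word list are constructed for illustration, and the stem/identifier split is a regular expression chosen here, not anything from the article) splits each password into stem and identifier, reports stems shared across accounts, and shows what an attacker can derive from one leaked entry.

```python
import re
from collections import defaultdict

# Constructed sample: one password per service, three of them built the way the
# article describes (shared phrase, punctuation mark, service-specific word).
SAMPLE_ACCOUNTS = {
    "Facebook": "Ilikecars!friends",
    "Netflix": "Ilikecars!movies",
    "PayPal": "Ilikecars!money",
    "Work VPN": "Tr0ub4dor&3-vpn",
    "Bank": "correct horse battery staple",
}

# Hypothetical service words an attacker would try after seeing one leak.
SERVICE_WORDS = ["money", "bank", "mail", "movies", "friends", "work", "shop", "games"]

# phrase, then a run of punctuation, then an alphanumeric identifier at the end.
SPLIT_RE = re.compile(r"^(.*?)([^A-Za-z0-9\s]+)([A-Za-z0-9]+)$")


def split_stem(password):
    """Split 'phrase<punct>identifier' into (phrase+punct, identifier).
    Returns (password, '') when the password does not have that shape."""
    m = SPLIT_RE.match(password)
    if not m:
        return password, ""
    return m.group(1) + m.group(2), m.group(3)


def shared_stems(accounts):
    """Group services whose passwords share a stem: one leak exposes the rest."""
    groups = defaultdict(list)
    for service, pw in accounts.items():
        stem, ident = split_stem(pw)
        if ident:
            groups[stem].append(service)
    return {stem: svcs for stem, svcs in groups.items() if len(svcs) > 1}


def candidates_from_leak(leaked_password, words=SERVICE_WORDS):
    """Attacker side: from one leaked password, derive guesses for other services."""
    stem, ident = split_stem(leaked_password)
    if not ident:
        return []
    return [stem + w for w in words if w != ident]


def exposure_after_leak(accounts, leaked_service, words=SERVICE_WORDS):
    """Which other accounts fall to the candidate list built from one leak?"""
    guesses = set(candidates_from_leak(accounts[leaked_service], words))
    return sorted(s for s, pw in accounts.items()
                  if s != leaked_service and pw in guesses)


if __name__ == "__main__":
    print("shared stems:", shared_stems(SAMPLE_ACCOUNTS))
    print("guesses from Facebook leak:", candidates_from_leak(SAMPLE_ACCOUNTS["Facebook"]))
    print("also compromised:", exposure_after_leak(SAMPLE_ACCOUNTS, "Facebook"))
```

The audit flags the three patterned passwords as one group; the two that do not follow the pattern are untouched by a leak of any other entry.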
"If you do a search and find that one of your accounts has been hacked, don't panic," Jacoby advises. "All you can do is move forward. Start by changing your passwords on the compromised sites, and slowly shift to either a password manager or the system I've recommended based on unique identifiers."
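The haveIbeenpwned.com check can be done without sending the password, or even its full hash, to the service: the Pwned Passwords range API takes the first five hex characters of the password's SHA-1 hash and returns every known hash suffix in that range with its breach count, so the match is made locally. The Python below is an added example, not code from the article or from haveIbeenpwned.com; the range response is a constructed excerpt in the API's line format with illustrative counts (not real figures), and fetch_range is a network helper that the offline audit does not call.

```python
import hashlib
import urllib.request

API_RANGE_URL = "https://api.pwnedpasswords.com/range/"

# Constructed excerpt of a range response (real responses hold hundreds of
# lines). Format: 35-hex-char SHA-1 suffix, colon, times seen in breaches.
# The counts are illustrative; the middle suffix is SHA-1("password") minus
# its 5-char prefix 5BAA6.
SAMPLE_RANGE_5BAA6 = """\
1D2DA4053E34E76F6576ED1DA63134B5E2A:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3000000
1F2B668E8AABEF1C59E9EC6F82E3F3CD786:1
"""


def sha1_split(password):
    """Uppercase hex SHA-1 of the password, split into 5-char prefix and suffix."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def range_url(password):
    """URL queried for this password; only the 5-char prefix leaves the machine."""
    prefix, _ = sha1_split(password)
    return API_RANGE_URL + prefix


def parse_range(body):
    """Map suffix -> count from a range response body."""
    counts = {}
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def pwned_count(password, range_body):
    """Times the password appears in breach data; 0 if absent from the range."""
    _, suffix = sha1_split(password)
    return parse_range(range_body).get(suffix, 0)


def fetch_range(prefix):
    """Network helper (not used by the offline audit): GET the range for a prefix.
    Add-Padding asks the API to pad the response so its size leaks nothing."""
    req = urllib.request.Request(API_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def audit(accounts, range_body_for_prefix):
    """Check each service's password; range_body_for_prefix(prefix) returns a
    response body (fetch_range online, a canned lookup offline). Hits only."""
    hits = {}
    for service, pw in accounts.items():
        prefix, suffix = sha1_split(pw)
        n = parse_range(range_body_for_prefix(prefix)).get(suffix, 0)
        if n:
            hits[service] = n
    return hits


# Constructed accounts; the offline lookup only knows the sample range above.
SAMPLE_ACCOUNTS = {"Old forum": "password", "Facebook": "Ilikecars!friends"}


def sample_lookup(prefix):
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    print(range_url("password"))
    print(audit(SAMPLE_ACCOUNTS, sample_lookup))
```

To run it against the live service, pass fetch_range instead of sample_lookup; the password itself never leaves the machine either way.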
Dylan Tweney, head of the research program at Valimail, adds that while more effective password management makes sense, security pros too often blame users for all their problems.
Tweney points to recent Valimail research, which found virtually no difference in the ability to detect fraudulent emails between people who had received anti-phishing training and those who had not: out of 11 emails, the trained group correctly identified 4.98 on average and the untrained group 4.97.
Valimail recommends a more balanced approach that combines training with email authentication, secure email gateways, and up-to-date spam filters.
"The idea is to not make humans the front line of defense," Tweney explains. "By taking a more defense-in-depth approach, the burden on the humans is less, so there's a better chance that when emails do get through, the users will be able to detect them because they won't be overwhelmed."
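Email authentication, as recommended above, in practice means DMARC layered on SPF and DKIM: a message passes only if SPF or DKIM passes and the authenticated domain aligns with the visible From: domain, and the record's p= tag tells receivers what to do otherwise. The Python below is an added example, not Valimail's or the article's code; the DMARC record, domain names and message scenarios are constructed, and org_domain uses a last-two-labels simplification instead of the Public Suffix List that real receivers consult.

```python
# Constructed DMARC TXT record for the hypothetical domain example.com:
# strict DKIM alignment, relaxed SPF alignment, reject on failure.
EXAMPLE_DMARC = "v=DMARC1; p=reject; adkim=s; aspf=r; rua=mailto:dmarc@example.com"


def parse_dmarc(txt):
    """Parse a DMARC record ('tag=value; tag=value') into a dict with defaults."""
    tags = {}
    for part in txt.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, value = part.partition("=")
        tags[key.strip().lower()] = value.strip()
    if tags.get("v") != "DMARC1":
        raise ValueError("not a DMARC record: " + txt)
    tags.setdefault("p", "none")
    tags.setdefault("adkim", "r")   # relaxed alignment is the default
    tags.setdefault("aspf", "r")
    return tags


def org_domain(domain):
    """Organizational domain. Simplification: last two labels; real receivers
    use the Public Suffix List so that e.g. example.co.uk is handled correctly."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def aligned(from_domain, auth_domain, mode):
    """Identifier alignment: 's' requires an exact match, 'r' the same org domain."""
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def dmarc_disposition(policy, from_domain, spf=None, dkim=()):
    """spf: (MAIL FROM domain, 'pass'|'fail') or None if no SPF check ran;
    dkim: iterable of (d= domain, 'pass'|'fail'), one per signature.
    Returns 'pass' or the record's p= action for a failing message."""
    spf_ok = (spf is not None and spf[1] == "pass"
              and aligned(from_domain, spf[0], policy["aspf"]))
    dkim_ok = any(res == "pass" and aligned(from_domain, d, policy["adkim"])
                  for d, res in dkim)
    return "pass" if (spf_ok or dkim_ok) else policy["p"]


# Constructed scenarios: visible From: domain, SPF result, DKIM results.
SCENARIOS = {
    "own mail server":       ("example.com", ("mail.example.com", "pass"), [("example.com", "pass")]),
    "phish, attacker infra": ("example.com", ("attacker.net", "pass"),     [("attacker.net", "pass")]),
    "subdomain newsletter":  ("example.com", None,                         [("news.example.com", "pass")]),
    "unauthenticated":       ("example.com", ("example.com", "fail"),      []),
}


def evaluate(record_txt, scenarios=SCENARIOS):
    """Disposition per scenario under the given DMARC record."""
    policy = parse_dmarc(record_txt)
    return {name: dmarc_disposition(policy, frm, spf, dkim)
            for name, (frm, spf, dkim) in scenarios.items()}


if __name__ == "__main__":
    for name, result in evaluate(EXAMPLE_DMARC).items():
        print(f"{name:24} -> {result}")
```

Note the third scenario: the newsletter signed by a legitimate subdomain is rejected under adkim=s, which is the usual reason operators start at p=none with relaxed alignment and tighten only after the aggregate reports show every sender aligned.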
Related Content:
7 Most Prevalent Phishing Subject Lines
Employees Share Average of 6 Passwords With Co-Workers
Not All Multifactor Authentication Is Created Equal
Weak Admin Password Enabled Gentoo GitHub Breach