Firms urged to tighten up access policies
Survey reveals worrying lack of security
Half of us keep our passwords on Post-It notes and over a third of IT professionals say they could still access their company's network if they left their job.
These are just some of the worrying findings of a survey released on Tuesday by Cyber-Ark Software, which carried out the research at last month's Infosecurity Exhibition as part of the firm's annual investigation into trust, security and passwords.
"Companies need to wake up to the fact that if they don't introduce layers of security, tighten up who has access to vital information, and manage and control privileged passwords, then snooping, sabotage and hacking will continue to be rife," said Calum Macleod, European director for Cyber-Ark.
More than half of those surveyed said they still keep their passwords on a Post-It note; this is in spite of all the warnings to be more protective of passwords. This year's survey revealed that the 50 per cent number now applies to IT professionals as well.
Also, more than one-third of IT professionals admit they could still access their company's network once they'd left their current job, while over 25 per cent of respondents said they knew of another IT staff member who still had access to sensitive networks even though they'd left the company a long time ago.
These figures may be explained by the fact that 20 per cent of all organisations admitted that they rarely changed their administrative passwords, with a worrying 7 per cent saying they never change them. Eight per cent of IT professionals revealed that the manufacturer's default admin password on critical systems had never been changed, despite this being the most common way for virus writers to break into corporate networks.
"The easiest way to infiltrate a company's network is to look for administrative passwords which are left blank, still have the manufacturer's default password or just use obvious names. Once you find these, which are unbelievably simple and common to find, you're into the system and have the highest level of authority - you've got control of the company's system."
Those are the words of Gary McKinnon, who has been named as the "most prolific military hacker of all time" and who is still waiting to be extradited to the US for gaining entry to 90 computers at the US Department of Defense.
Fifteen per cent of companies interviewed said they had experienced insider sabotage, an unsurprising statistic if you consider that over 33 per cent of IT staff said they use administrative passwords to snoop around corporate systems. This snooping has the potential to turn ugly if IT workers feel disgruntled or if they've been fired.
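The three failings the survey counts (leavers who keep their accounts, blank or default admin passwords, and admin passwords that are never rotated) are all things an organisation can check for itself from its own account inventory. The script below is an added example written for this page, not a tool from Cyber-Ark or from the survey; the account inventory, the HR leavers list, the default-password list, the company name and the 90-day rotation policy are all constructed assumptions, and SHA-256 stands in for whatever hash the real system stores.

```python
"""Audit a privileged-account inventory for the failures in the survey.

Added example, not from the article. Everything below the imports is
constructed sample data; replace it with your own inventory, HR leavers
feed and the vendor default lists for the systems you actually run.
"""
import hashlib
from dataclasses import dataclass
from datetime import date

# Assumption: a short constructed list of common vendor defaults.
DEFAULT_PASSWORDS = ["admin", "password", "changeme", "root", "12345"]
COMPANY_NAME = "examplecorp"      # assumption: catches "obvious name" passwords
MAX_PASSWORD_AGE_DAYS = 90        # assumption: rotation policy for admin accounts
LEAVERS = {"dave", "jsmith"}      # assumption: usernames from the HR leavers feed


@dataclass
class Account:
    username: str
    host: str
    privileged: bool
    enabled: bool
    password_hash: str   # hex SHA-256 of the password; stand-in for the real stored hash
    last_changed: date


def h(password: str) -> str:
    """SHA-256 stand-in for the system's own password hash."""
    return hashlib.sha256(password.encode()).hexdigest()


def weak_password_kind(acct: Account):
    """Classify a stored hash as blank, default/obvious, or None if neither matches."""
    if acct.password_hash == h(""):
        return "blank-password"
    candidates = DEFAULT_PASSWORDS + [
        acct.username, COMPANY_NAME, COMPANY_NAME + "1", COMPANY_NAME + "123",
    ]
    for cand in candidates:
        if h(cand) == acct.password_hash:
            return "default-or-obvious-password"
    return None


def audit(accounts, today: date):
    """Return (username, host, finding) tuples for every policy failure found."""
    findings = []
    for a in accounts:
        if not a.enabled:
            continue                       # a disabled account is already dealt with
        if a.username in LEAVERS:
            findings.append((a.username, a.host, "leaver"))
        if a.privileged:
            kind = weak_password_kind(a)
            if kind:
                findings.append((a.username, a.host, kind))
            if (today - a.last_changed).days > MAX_PASSWORD_AGE_DAYS:
                findings.append((a.username, a.host, "stale-password"))
    return findings


# Constructed sample inventory (not real hosts or accounts).
SAMPLE_ACCOUNTS = [
    Account("admin", "router-01", True, True, h("admin"), date(2004, 1, 1)),
    Account("dave", "fileserver", False, True, h("correct horse"), date(2007, 4, 1)),
    Account("root", "db-01", True, True, h("X9!kq2zz"), date(2007, 4, 20)),
    Account("jsmith", "mail-01", True, True, h(""), date(2007, 1, 1)),
    Account("backup", "nas-01", True, True, h("examplecorp1"), date(2007, 3, 15)),
]


def run_sample_audit():
    """Run the audit over the constructed inventory as of 1 May 2007."""
    return audit(SAMPLE_ACCOUNTS, date(2007, 5, 1))


if __name__ == "__main__":
    for username, host, finding in run_sample_audit():
        print(f"{host:12} {username:8} {finding}")
```

Against the sample the audit reports seven findings: the router admin has a vendor default that has not been rotated since 2004, the departed users dave and jsmith still have enabled accounts, jsmith's privileged account has a blank password and is stale, and the backup account uses the company name. In practice the interesting part is the join with the HR feed: that reconciliation, run regularly, is what catches the accounts the survey's respondents admitted to keeping after leaving.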
Copyright © 2007, ENN
You know why they keep passwords on post its?
Because we continually force them to change them every 30, 60 or 90 days.
So making people come up with a new set of passwords that aren't dictionary words, are sufficiently long and contain different types of characters to be sufficiently complex, then forcing them to continually change them, is a crazy way to do security.
The best solution, which is of course expensive beyond belief, was the one that investment bankers use. The server itself continually changes each account's password every 15-20 minutes or so - then sends that password (encrypted of course) to a device much like a pager.
The pager-like device decrypts the password and the user enters it in.
Obviously there are flaws; obviously if you lose your pager thing then you're stuffed. Obviously you have to be trained not to leave it lying around on your desk - but it is the best solution I've seen.
The biometric thing doesn't work; in fact most of them are just glorified mini-scanners that can be fooled by a photocopy of a fingerprint. Not only that, but just about every one of them has a password override - in case someone breaks the fingerprint scanner or has all their fingers chopped off. Most actually state on the box they're not intended for high-security use.
The type that would work is considerably more expensive than the pager thing.
"...over 33 per cent of IT staff said they use administrative passwords to snoop around corporate systems. This snooping has the potential to turn ugly if IT workers feel disgruntled..."
Doesn't surprise me at all - I've been reading BOFH for years.
The average luser may not have any grasp on password security and usage but it is rather depressing that many sysadmins appear to know no better. Still, looking on the bright side, lusers' predictability and laxness makes it much easier to get into their email accounts and find out what they _really_ think about the IT Dept.
One place I used to work, the sysadmin's sidekick (a sort of proto-PFY but without the youthfulness, the charm and the good nature) used to come in half-an-hour early and have a rummage around colleagues' machines. So I set a boot password in the BIOS on mine. Knowing he'd simply open the box and jumper the BIOS back to default, I left a note - big letters in felt tip on A4 paper - inside the case saying "F**k off Dave, you arsehole, we all know what you're doing". OK, not the BOFH's level of revenge but what can ya do?
No magic pass
People put their passwords on post-it notes because they have too many passwords to remember them all, or because their passwords aren't sufficiently memorable.
I don't know what the answer is, but it's *not* yet more passwords and it certainly isn't yet more complex passwords, and forbidding post-its only deals with the symptoms not the problem.
The only real answer is no passwords at all. But that requires some sort of "hardware" to act as a key, and that hardware can be stolen or copied.
On the other hand, nobody suggests that doors shouldn't have keys just because keys can be copied or stolen.
No change there then
Walk into my office and you'll always hear the sound of cranium against plasterboard as I report on this very issue virtually daily.
Late last year I opened a Canadian discount brokerage account. The rep typed in his 6-digit code while I watched. I commented that passwords should be at least 8 digits long. I thought he'd take the hint that I'd watched him type in his password. He replied 6 digits was the minimum allowable and he had to change it every three months, so it was a bit of a chore to use more than 6 digits. Tellers at a credit union I use routinely type in their passwords open to my view. I guess it's a good thing the majority of Canadians earn a decent living and aren't tech savvy.