Just because it meets the complexity test does not mean it is secure.
By James Gorman, Lead Writer and Staff Reporter Cyber Defence Media Group
Most insider threats and some very public hacks (yes, I am talking to you, John Podesta) come down to poor password choice. It is not just the basics of changing the default passwords: you have to change them to something complex, with upper and lower case letters, numbers and special characters, and it also has to be something that cannot be easily guessed.
We had a new client who had lost the password to his SAN. He did not remember it, but he always used the same form of password: the company name with capitalization, a special character, and some numbers. Because that produced a complex password, they thought they were secure. In reality it was a false sense of security: the password was easily guessed, and the company data was vulnerable to anyone willing to spend the time and armed with a minuscule bit of information about the company.
Because we needed access to the SAN, I wrote a simple 47-line Python script to churn through all the various options. It took us less than a minute to crack the password, and we were in. It helped me tremendously that they had not turned on any brute-force blocking or account disabling on failed attempts. It also helped that they had default usernames enabled. I only had to guess a few of the 12 characters in the password, and computing is cheap and time is not relevant when your computer does the work for you. I say helped, but really it made the job of hacking in more straightforward and less time-consuming.
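The point of the story is that a password can pass every complexity rule and still be guessable because it is built from a word anyone can look up. The following is an added example, not the author's script, showing a password policy check that applies the usual complexity test and then separately rejects passwords derived from known organisation words (here a constructed company name), even after the common digit-for-letter substitutions. The company name, the sample passwords and the substitution table are assumptions for the example.

```python
import re

# Constructed example values, not from the article: the customer's company name
# and a password of the shape the article describes (company name, capitalised,
# one special character, a few digits).
COMPANY_NAME = "ExampleCorp"
SAMPLE_PASSWORD = "Examplecorp!2017"

# Common digit/symbol-for-letter substitutions; they add nothing against a
# guesser who already knows the base word.
_LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                       "7": "t", "@": "a", "$": "s"})


def meets_complexity(password: str, min_length: int = 12) -> bool:
    """The usual complexity test: minimum length plus all four character classes."""
    return (
        len(password) >= min_length
        and re.search(r"[a-z]", password) is not None
        and re.search(r"[A-Z]", password) is not None
        and re.search(r"[0-9]", password) is not None
        and re.search(r"[^A-Za-z0-9]", password) is not None
    )


def _normalise(text: str) -> str:
    """Lower-case, undo leet substitutions, and drop anything that is not a letter or digit."""
    folded = text.lower().translate(_LEET)
    return re.sub(r"[^a-z0-9]", "", folded)


def built_from(password: str, known_words) -> list:
    """Return the known words (company name, product names, ...) the password is built around."""
    norm = _normalise(password)
    return [w for w in known_words if len(w) >= 4 and _normalise(w) in norm]


def evaluate(password: str, known_words) -> dict:
    """Accept only a password that is complex AND not derived from a known word."""
    hits = built_from(password, known_words)
    complex_enough = meets_complexity(password)
    return {
        "complex": complex_enough,
        "built_from": hits,
        "acceptable": complex_enough and not hits,
    }


if __name__ == "__main__":
    # Constructed candidates: the article's pattern, a leet-speak variant, and a random one.
    for candidate in (SAMPLE_PASSWORD, "3x@mpl3C0rp#99", "Wq9!dLp2#zXv7Rm&"):
        print(candidate, evaluate(candidate, [COMPANY_NAME]))
```

The first two candidates pass the complexity test and are still rejected, because normalisation strips the capitalisation, the special character and the digits that made them look complex; only the random one is acceptable. In practice the known-word list would include the company name, product names, the city and anything else printed on the website.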
Lessons Learned
The main lesson for my customer is that password security is not hard; it just has to happen. For better security they now use strong random passwords generated by a program, disable logins for all default users, and enable brute-force blocking with timeouts of at least 15 minutes. Where applicable, and especially for remote access to systems, two-factor logins and biometrics are used.
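Three of the four fixes above (random generated passwords, disabled default users, and a lockout after failed attempts) can be shown in a few dozen lines. This is an added example, not the customer's configuration or any product's code: a password generator drawing from the OS random source, and a login guard that refuses the default account names, counts failed attempts per account, and locks the account for the article's 15 minutes. The five-attempt threshold, the default account names and the plain-text credential store (a stand-in for a real hash store) are assumptions for the example.

```python
import secrets
import string
import time

# Policy values: the 15-minute timeout is the one the article recommends; the
# five-attempt threshold and the default account names are assumed for this example.
LOCKOUT_THRESHOLD = 5
LOCKOUT_SECONDS = 15 * 60
DISABLED_DEFAULT_ACCOUNTS = frozenset({"admin", "root", "guest"})


def generate_password(length: int = 20) -> str:
    """Random password from the OS CSPRNG, re-drawn until every character class is present."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in candidate)
                and any(c.isupper() for c in candidate)
                and any(c.isdigit() for c in candidate)
                and any(c in string.punctuation for c in candidate)):
            return candidate


class LoginGuard:
    """Tracks failed logins per account and refuses further attempts during a lockout."""

    def __init__(self, credentials, clock=time.monotonic):
        # username -> password; a stand-in for a real store of password hashes
        self._credentials = credentials
        self._clock = clock                 # injectable so a test can move time forward
        self._failures = {}                 # username -> consecutive failed attempts
        self._locked_until = {}             # username -> clock value at which the lockout ends

    def attempt(self, username: str, password: str) -> str:
        now = self._clock()
        if username in DISABLED_DEFAULT_ACCOUNTS:
            return "disabled"               # default users cannot log in at all
        if self._locked_until.get(username, 0.0) > now:
            return "locked"                 # even a correct password is refused while locked
        expected = self._credentials.get(username, "")
        if secrets.compare_digest(expected.encode(), password.encode()):
            self._failures.pop(username, None)
            return "ok"
        failures = self._failures.get(username, 0) + 1
        if failures >= LOCKOUT_THRESHOLD:
            self._locked_until[username] = now + LOCKOUT_SECONDS
            self._failures.pop(username, None)
            return "locked"
        self._failures[username] = failures
        return "denied"


if __name__ == "__main__":
    guard = LoginGuard({"alice": generate_password()})
    # Constructed guesses of the article's pattern: the fifth attempt reports "locked".
    for _ in range(LOCKOUT_THRESHOLD):
        print(guard.attempt("alice", "Examplecorp!2017"))
```

One caveat a practitioner would raise: a lockout keyed only on the username lets anyone who knows an account name lock its owner out, so production systems usually also count failures per source address and alert on repeated lockouts rather than treating the timeout as the whole defence.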
Thanks for reading, and stay hack free, my friends.
About the Author
James Gorman, CISO, BetterWorld Tech. James is a solutions-driven, results-focused technologist and entrepreneur with experience securing, designing, building, deploying and maintaining large-scale, mission-critical applications and networks. Over the last 15 years, he has led teams through multiple NIST, ISO, PCI, and HITRUST compliance audits. As a consultant, he has helped multiple companies formulate their strategy for compliance and infrastructure scalability.
His previous leadership roles include CISO, VP of Network Operations & Engineering, CTO, VP of Operations, Founder & Principal Consultant, Vice President and CEO at companies such as GE, Epoch Internet, NETtel, Cable and Wireless, SecureNet, and Transaction Network Service.
James can be reached online at ([email protected], TWITTER, etc.) and at our company website https://www.betterworldtechnology.com/