Despite Public Data Breaches, Password Security Still WeakBy Channel Insider Staff | Posted 2011-06-20 Email Print
Re-Thinking HR: What Every CIO Needs to Know About Tomorrow's Workforce
Online users are still lazy about password security, meaning companies shouldn't rely on them to protect corporate data.
Despite repeated reminders to select strong passwords and not to reuse them across Websites and services, online users continue to be frighteningly lax in their password security, according to a recent analysis of leaked passwords.
Security experts recommend taking a multilayered approach to security. Instead of relying on a single point of failure, organizations should be implementing several mechanisms to make it harder for cyber-attackers to steal sensitive, confidential data, Mike Yaffe, government security strategist at Core Security, told eWEEK.
Considering how easy it has become to steal passwords, using phishing emails or by installing keyloggers on a target computer, relying solely on passwords to protect data is very risky, Yaffe said.
Organizations are often leery of putting up any security measures that may affect the user experience and interrupt workflow because they are worried users will get annoyed and go elsewhere. But some tolerance for inconvenience is necessary, since it will result in a significant boost in security, Yaffe said. Many banks are rolling out additional protections such as image verification and hardware tokens, which may feel a little tedious, but Yaffe said he s willing to put up with them because he would rather be overprotected than underprotected.
Other protections include multiple security questions, forcing users to change passwords regularly, and checking to ensure the passwords aren t dictionary words or being reused.
Attackers should have to get past multiple gatekeepers before they even get to the database, Josh Shaul, CTO of Application Security, told eWEEK. Organizations should be combining all the security layers that will help trap attackers, or at least slow them down enough by raising enough flags for the IT department to notice something is wrong, according to Shaul.
To read the original eWeek article, click here: Password Security Remains the Weakest Link Even After Big Data Breaches