Hackers are increasingly resorting to social engineering techniques to obtain confidential passwords as businesses become better at locking down and patching their computer networks.
And the bad news is that users are still very much the weak link when it comes to choosing and protecting their passwords, according to the results of a survey of IT security experts.
It found that, when an online questionnaire asked respondents for their network passwords in return for entry into a prize draw, 15 per cent happily clicked through to the page, ready to divulge the information.
Paul Vlissidis, head of risk services at technology consultancy NCC Group, which carried out the survey, told silicon.com that the problem of staff – and especially those in IT who should know better – being lazy with passwords is leaving companies at risk.
"The issue is that it is laziness and ignorance causing network security problems. Passwords are of greater importance now that remote access has increased from laptops and PCs with broadband at home," he said.
He said that social engineering techniques used by hackers to glean passwords that will give them access to corporate networks are on the increase as IT departments get better at protecting their systems.
"It is increasing as people wake up to other kinds of network vulnerabilities, such as patching systems, and as they narrow down areas of attack, hackers are going to run out of places to exploit and so will go for passwords."
Common bad practice includes passwords shared across a whole department and obvious, popular choices such as the names of football clubs – and Vlissidis said those in the boardroom are often the main culprits.
The main advice for users is to avoid dictionary words, which password-cracking programs test automatically, and to use a mixture of numbers and letters. One method is to choose a favourite song or poem and take the first letter from each line of the first verse, followed by a couple of numbers. When it comes round to changing the password, just move on to the next verse.
"As long as you know what that song is you will never forget the password," said Vlissidis.
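To make concrete why the article steers users away from dictionary words, here is an added example in Python; it is not code from the article, silicon.com or NCC Group. It runs a toy dictionary attack against unsalted hashes, using a constructed eight-word list and the mangling rules crackers apply first, beside the verse-based mnemonic scheme the article recommends. The wordlist, the verse, and the `dictionary_attack`, `candidate_count` and `mnemonic_password` names are this example's own; the `per_word` option goes beyond the article's scheme by taking the first letter of each word rather than each line.

```python
import hashlib
from typing import Iterator, Optional

# Constructed miniature wordlist; a real cracking run uses lists of millions of
# leaked passwords, but the mangling rules below are representative.
WORDLIST = [
    "password", "arsenal", "liverpool", "chelsea",
    "letmein", "welcome", "qwerty", "monkey",
]

# Simple leet-speak substitutions that crackers apply as a standard rule.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def candidates(wordlist=WORDLIST) -> Iterator[str]:
    """Expand each dictionary word with the mangling rules crackers try first:
    case variants, leet substitution, a trailing 0-99, or a trailing year."""
    for word in wordlist:
        bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
        for base in sorted(bases):
            yield base
            for n in range(100):
                yield f"{base}{n}"
            for year in range(1950, 2010):
                yield f"{base}{year}"


def unsalted_hash(password: str) -> str:
    """Fast, unsalted hash standing in for weak password storage. With no salt,
    two users who chose the same password store the same hash, and each
    candidate only has to be hashed once to be checked against every account."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash: str, wordlist=WORDLIST) -> Optional[str]:
    """Return the candidate whose hash matches, or None if the wordlist and
    rules never produce it."""
    for cand in candidates(wordlist):
        if unsalted_hash(cand) == target_hash:
            return cand
    return None


def candidate_count(wordlist=WORDLIST) -> int:
    """Number of guesses the rules generate from the wordlist."""
    return sum(1 for _ in candidates(wordlist))


def mnemonic_password(verse: str, suffix: str, per_word: bool = False) -> str:
    """Build the article's mnemonic password: the first letter of each line of
    a verse, followed by a couple of digits. per_word=True is an extension of
    the article's scheme (this example's own, not from the page): it takes the
    first letter of each word instead, giving a longer password from a short verse."""
    lines = [line.strip() for line in verse.splitlines() if line.strip()]
    if per_word:
        letters = "".join(word[0] for line in lines for word in line.split())
    else:
        letters = "".join(line[0] for line in lines)
    return letters + suffix


# Constructed sample input: a public-domain nursery rhyme standing in for the
# user's favourite song.
VERSE = """Twinkle, twinkle, little star,
How I wonder what you are!
Up above the world so high,
Like a diamond in the sky."""


if __name__ == "__main__":
    # A football-club password with a digit appended falls within a few thousand guesses.
    print(dictionary_attack(unsalted_hash("Arsenal1")))   # Arsenal1
    print(dictionary_attack(unsalted_hash("l3tm31n")))    # l3tm31n
    print(candidate_count())                              # 5152
    # The mnemonic is not built from any dictionary word, so the same rules miss it.
    pw = mnemonic_password(VERSE, "42")
    print(pw, dictionary_attack(unsalted_hash(pw)))       # THUL42 None
    print(mnemonic_password(VERSE, "42", per_word=True))  # TtlsHIwwyaUatwshLadits42
```

Even with this tiny list, Arsenal1 is recovered within the first few thousand guesses, while the mnemonic is missed because no rule expands a dictionary word into it. Two caveats the article does not state: a four-line verse yields only four letters, so take the first letter of each word or pick a longer verse; and the fast, unsalted hash used here is itself a weakness, since a salted, deliberately slow hash would stop one guess from being tested against every account at once.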

Comments
There are 11 comments.
1. Pete Jones
Surely the 15% are the clever ones (assuming they gave false passwords) - the other 85% couldn't even make up a word in order to be entered into the prize draw...
2. anonymous
I once audited a company and found that 54% of the password encryptions were the same: I had a guess at what it might be and got it right first time ;¬}
3. anonymous
Using a favourite song...brilliant. Now in order to crack someone's password you just have to listen to the tune they've been humming since they logged on this morning.
4. Nohj Edo
It is evident in my experiences that 95% of people are vulnerable to social engineering. Because "socialneering" (my word, but you can use it) can occur through email, in person, over the phone or through the mail, it is both highly effective and a big problem. This is because most people, when given the option, choose the same password for all services they subscribe to. Also because people in general are highly trusting. Which means that if I were to offer a (fake) service which requires a password, they will give me one that is most likely used for several services. Which is the major problem.
5. Apiaryist
It only takes 1 person to compromise a network. It's surprising what kind of access many executives are given, and how little respect they have for it. Until you devise a way to make 100% of your employees security conscious, this will remain an issue. I honestly don't know why this is news, as this has always been a problem.
6. anonymous
Once I wanted to prove to a friend of mine how insecure Hotmail was, and how stupid he was. Change Password: it asked me for his dog's name (LOL)... So I called a friend of his, and started to talk with him, and I asked if that guy really had a dog, and asked the name. My friend was stupid enough to use his dog's name as the answer... Guess what? Password changed.
7. anonymous
How prevalent is the use of password-protected FTP (password in plain text)? My university still uses this as the only route to central file storage from non-university machines. The university's machines are much more heavily secured, but there is no way to get files securely from outside, where the real risks are. Also, the maximum password is 8 chars, which restricts the number of options seriously, especially if you change it often.
8. Bob Massey
My favourite tip for passwords works for most blokes, and that's the registration number of their first car. It's a blokey thing, but in my experience it's something most blokes remember, and of course it's usually 7 characters and it's alphameric.
However my new laptop, a Samsung X10 goes one better, it has a fingerprint recognition pad built in.
9. Ian Savell
Let's face it, most people who use computers are incapable of remembering dozens of different 8-character non-dictionary alphanumeric passwords that change at least every 28 days. Until IT managers recognise that and take other steps to secure their systems, there will always be a risk.
Security is sacrificed for convenience - the convenience of accessing anything from anywhere.
If it needs to be secure, use biometrics or multi-layer techniques; otherwise just remind people it's not secure and let them use their dog's name.
10. anonymous
Hi, one of your e-mail contributors described themselves as being into student technology exploitation. I wondered if this meant he/she (Nohj Edo) was a willing participant in trespass, thievery and peeping-tomism? If someone came into their domain and stole and peeped and trespassed, would they be happy? Or is this another big competition from the land of the free?
11. anonymous
Use a cognometric alternative to a password - no memorization! It's fun and easy for everyone. Go to www.realuser.com and try the demo. Never worry about forgetting your passwords again. It's a new way!