We might already be aware that WikiLeaks has now made it possible to search through all of the documents that were leaked in the Sony Pictures hack last year by creating a searchable online archive of 30,287 documents and 173,132 emails. Security expert Graham Cluley quickly picked up on the poor password practices that many employees were engaged in, highlighting that over 1,100 of the 30,287 Sony Pictures documents in the WikiLeaks haul contain the word “password” in an article here. Graham has also pointed to further evidence of malpractice such as the use of very easy-to-guess admin passwords for systems on Sony’s servers, passwords of “password” and passwords which were identical to the username.
Geoff Webb, VP, solution strategy at NetIQ Commented on poor password practice
“These new revelations about the Sony Pictures breach again demonstrates that a single point of authentication – a password – is a poor choice for security teams looking to secure and govern their networks and data.
“For a long time now it’s been clear to most people that passwords are not fit for purpose in these types of use cases.Passwords are continuously recycled and misused by users, and disclosures like this show the extent to which passwords and password policies are often poorly thought out and implemented. Companies seem determined to rely on end users – the least-trained and least security-savvy individuals – to secure their data, and clearly this strategy is failing. Businesses need to stop putting the responsibility on the end user by allowing them to use inadequate passwords. The password as a single point of authentication remains a de-facto security control, but ultimately it’s a poor choice for achieving security for critical data and resources.
“Instead, the advent of smartphones has opened the door to the much more widespread use of multi-factor authentication methods whilst removing the need for expensive specialised hardware tokens. These developments will accelerate the adoption of advanced multi-factor authentication as a replacement for the password, making it more difficult for accounts to be breached.”
By Geoff Webb, VP, solution strategy at NetIQ
BIO : Geoff Webb has over 20 years of experience in the tech industry and is the Director of Solution Strategy at NetIQ. He is responsible for the NetIQ Information Security, Identity and Access and IT Operations Management solutions.Webb joins NetIQ from Credant Technologies, where he led marketing around their data protection and encryption management solutions. Previously, Webb also served as a senior manager of Product Marketing at NetIQ, and held other management positions at FutureSoft, SurfControl and JSB.Webb often provides commentary on security and compliance trends, and has written on a number of related topics for such journals and websites as: USA Today, CIO Update, Healthcare IT News, The Tech Herald, Compliance Authority, Virtual Strategy Magazine, TechBlind, Internetnews.com, e-Finance & Payments, Law & Policy, Dark Reading, BankInfoSecurity.com, Payment News, Wired and InfoSecurity.com, among others. He holds a combined bachelor of science degree in computer science and prehistoric archaeology from the University of Liverpool.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.