We might already be aware that WikiLeaks has now made it possible to search through all of the documents that were leaked in the Sony Pictures hack last year by creating a searchable online archive of 30,287 documents and 173,132 emails. Security expert Graham Cluley quickly picked up on the poor password practices that many employees were engaged in, highlighting that over 1,100 of the 30,287 Sony Pictures documents in the WikiLeaks haul contain the word “password” in an article here. Graham has also pointed to further evidence of malpractice such as the use of very easy-to-guess admin passwords for systems on Sony’s servers, passwords of “password” and passwords which were identical to the username.
Geoff Webb, VP, solution strategy at NetIQ Commented on poor password practice
“These new revelations about the Sony Pictures breach again demonstrates that a single point of authentication – a password – is a poor choice for security teams looking to secure and govern their networks and data.
“For a long time now it’s been clear to most people that passwords are not fit for purpose in these types of use cases.Passwords are continuously recycled and misused by users, and disclosures like this show the extent to which passwords and password policies are often poorly thought out and implemented. Companies seem determined to rely on end users – the least-trained and least security-savvy individuals – to secure their data, and clearly this strategy is failing. Businesses need to stop putting the responsibility on the end user by allowing them to use inadequate passwords. The password as a single point of authentication remains a de-facto security control, but ultimately it’s a poor choice for achieving security for critical data and resources.
“Instead, the advent of smartphones has opened the door to the much more widespread use of multi-factor authentication methods whilst removing the need for expensive specialised hardware tokens. These developments will accelerate the adoption of advanced multi-factor authentication as a replacement for the password, making it more difficult for accounts to be breached.”
By Geoff Webb, VP, solution strategy at NetIQ