The Art of Intrusion: What is a password worth?
May 5, 2011 | Michael Millstein
What is a password worth? A lot…and here’s why you shouldn’t become too attached to just one.
When you think of passwords, what do you think of?
You probably think of your AOL account, gmail, computer log-on, bank account (either online log-on or pin number), online store account…the list goes on. Do you use the same password for every account you have? Chances are you have the same password for nearly every account you have—wait, except with your work account because they make you change your account password every 60 days or so. But, you definitely use a variation of your original password every 60 days, so it’s close enough.
Now, imagine you’re an IT system administrator at Joe’s bank, the largest bank in the nation. Along with the passwords you use on a daily basis for your personal accounts, you also have hundreds of passwords for your Service Accounts, Windows local admin accounts, Root accounts, network devices, etc. What would happen if you used the same practices for work accounts that you do at home? A skilled hacker comes along, figures out your password, and gets the keys to your entire kingdom! And here the stakes are much higher—instead of hacking just one individual’s bank account he could log into your infrastructure and get payroll, social security numbers, credit card numbers, bank account information…everything.
Passwords are among the most valuable information in the world.
The notion that passwords are sacred comes from the book “The Art of Intrusion” by Kevin Mitnick, one of the most famed hackers of all time. The book highlights some of the most memorable hacking attempts in history, some which were successful. One of the stories told could have cost Boeing millions in losses or reputation: two teenagers thought it would be cool to hack for fun. They hacked into Boeing as well as government websites, a credit union, and the DMV among others. They simply used common usernames and passwords. Once they were in they gathered any information they wanted, and browsed wherever they wanted to browse. These young men were just hacking for fun, there was no malice behind their acts but they encountered very sensitive information.
We make our users change their passwords every 60 days or so, but what about all of the privileged accounts mentioned above? Typically, IT pros store their passwords in an encrypted Excel file, use generic/default passwords, and do not change these passwords regularly. Why don’t we enforce the same user-level policies on privileged account passwords? These passwords literally hold the keys to the kingdom yet they are not adequately protected by IT pros. If the passwords are the same across multiple devices and accounts, a hacker can view all the sensitive information on your network without breaking a sweat.
Some companies believe that their strong external firewalls can keep out intruders.
Well think again. Once a hacker gets through that firewall he’ll head straight to your servers, databases and the other accounts containing sensitive information. Without strong internal password policies, or software to help manage passwords and rotate them to keep hackers guessing, your infrastructure is vulnerable. You may be just one hack away from learning a tough lesson. I learned at a recent military event that some of the system administrators for the military and their contractors use Microsoft Access—an unencrypted file—to store privileged account passwords. In addition to not being able to track who has which password, I could have logged on to their system, or hopped onto an unguarded computer, and viewed every sensitive password on the network. This can cause hours, even days in downtime, and millions in expenses. Plus, it can compromise sensitive information that could be devastating to the company concerned, or even the country. “Let’s wake up people. Changing default settings and using strong passwords might stop your business from being victimized” (Mitnick, 88). Don’t be the next victim. Take action and use the same password policies savvy IT administrators place on their end users.