A sobering bucket of cold water recently got dumped on our faith in passwords. Some unsuspecting celebrities had their cloud storage accounts hacked, and insecure passwords were part of the reason for such a scandalous breach.
Authentication methods built on technology such as biometric scanners and smartcards are on the rise, but user credentials in the form of usernames and passwords still remain the easiest and most cost-efficient. The username is usually known and not secret; the password is the secret. That secrecy is what makes a password secure or not. To improve IT planning, we look at some tips for better password use.
When storing a password in a database alongside the username, the password should never be readable in plain text. Authentication works by applying the same transformation to the password the user supplies and comparing the result with the value already stored; if they match, access is granted. The Information Commissioner's Office (ICO) notes that there are various ways of storing passwords in an illegible form, with varying degrees of effectiveness, i.e. encrypting, hashing and salting.
It seems traditional password conventions have reached their shelf life, partly because computing power has escalated significantly and partly because of misconceptions about passwords themselves. An exhaustive cycle of tests recently performed by Ars Technica illustrated that with modest computing power, hashed passwords of fewer than six characters are cracked within a day, if not within minutes.
The problem isn't that hashing doesn't work; it is the suitability of the algorithm and the quality of the password itself. The older MD5 and SHA1 algorithms, still widely used for password storage, are general-purpose hashes designed to be fast and cheap to compute, which is exactly the wrong property for a password hash: an attacker can test billions of guesses per second. When they are also used without a salt, every user who chose the same password ends up with the same stored hash, and one precomputed table or one pass over a wordlist cracks the whole database at once. MD5 is no longer endorsed by the ICO, and the National Institute of Standards and Technology (NIST) no longer endorses SHA1 as a suitable password hashing function either. Purpose-built password hashes such as PBKDF2, bcrypt, scrypt and Argon2 are deliberately slow and salted by design.
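To make the storage and authentication flow above concrete, here is an added example (not code from the original article or from any product it mentions) that puts the weak scheme, one unsalted MD5 digest, beside a salted, slow PBKDF2-HMAC-SHA256 record and a constant-time verifier. The user names, passwords and the iteration count are constructed for illustration; the record format `pbkdf2_sha256$iterations$salt$digest` is an assumption of this example, not a standard.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2-HMAC-SHA256. 600,000 iterations is the OWASP (2023)
# recommendation; tune it so one verification costs a noticeable fraction of a
# second on the hardware that will run it.
PBKDF2_ITERATIONS = 600_000


def store_md5_unsalted(password: str) -> str:
    """The weak scheme the article warns about: one fast hash, no salt.
    Two users with the same password get the same record, and a single
    precomputed table of MD5 digests cracks every user at once."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def store_pbkdf2(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, slow hash. Returns a self-describing record (format assumed
    here) 'pbkdf2_sha256$<iterations>$<salt hex>$<digest hex>' so the work
    factor can be raised later without breaking verification of old records."""
    salt = os.urandom(16)  # fresh random salt for every stored password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_pbkdf2(password: str, record: str) -> bool:
    """Recompute the hash with the stored salt and iteration count and compare
    in constant time, so response timing does not leak digest bytes."""
    try:
        algorithm, iterations, salt_hex, digest_hex = record.split("$")
    except ValueError:
        return False
    if algorithm != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def demo(iterations: int = PBKDF2_ITERATIONS) -> dict:
    """Constructed sample: two users who happened to choose the same password."""
    users = {"alice": "Summer2020", "bob": "Summer2020"}
    md5_records = {u: store_md5_unsalted(p) for u, p in users.items()}
    pbkdf2_records = {u: store_pbkdf2(p, iterations) for u, p in users.items()}
    return {
        # unsalted MD5: identical password -> identical stored value
        "md5_identical": md5_records["alice"] == md5_records["bob"],
        # salted PBKDF2: identical password -> different stored values
        "pbkdf2_identical": pbkdf2_records["alice"] == pbkdf2_records["bob"],
        "login_ok": verify_pbkdf2("Summer2020", pbkdf2_records["alice"]),
        "login_wrong": verify_pbkdf2("summer2020", pbkdf2_records["alice"]),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point to take from the output is that the two MD5 records are identical while the two PBKDF2 records differ, even though both users typed the same password: an attacker who cracks one salted record has learned nothing about the other and must repeat the full work factor per user.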
Simply put, a dictionary attack on hashed passwords takes a list of likely candidates (real words, leaked passwords, and common variations of them), hashes each one and compares the result with the stolen hashes; if the hashes are unsalted, one hash computation can be checked against every user in the database at once. A brute-force attack instead works through every possible combination of the ninety-five printable characters (twenty-six lowercase letters, twenty-six uppercase letters, ten digits and thirty-three symbols) for each length in turn until the right one is found, and so is only practical against short passwords.
If a fast hashing method like MD5 is used, a dictionary of one billion words can be searched through eight times per second, as reported by Wired.co.uk; if a candidate matches, the crack is successful. At that rate an attacker could exhaust every password of up to six characters in two minutes and thirty-two seconds (tested on a PC with a single Radeon 6970 GPU). Against longer passwords a dictionary attack remains far faster than brute force, because the number of combinations grows exponentially with length while a wordlist stays the same size.
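The two attacks just described, as an added example that is not part of the original article or of any tool it names: a small dictionary attack with rule-based mutations run against a constructed set of leaked unsalted MD5 hashes, a brute-force search over the ninety-five printable characters, and a keyspace calculator that shows why length matters. The leaked hashes, user names and wordlist are constructed for illustration; real tools (hashcat, John the Ripper) apply the same ideas with far larger wordlists and GPU-speed hashing, and the 8 billion hashes per second used in the time estimate is only the figure quoted above, assumed here as a rate.

```python
import hashlib
import itertools
import string

# 26 lowercase + 26 uppercase + 10 digits + 33 symbols (32 punctuation marks
# plus the space) = the 95 printable ASCII characters.
CHARSET = string.ascii_letters + string.digits + string.punctuation + " "


def md5_hex(candidate: str) -> str:
    return hashlib.md5(candidate.encode("utf-8")).hexdigest()


def mutations(word: str):
    """A handful of the rules real cracking tools apply to every wordlist entry."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2020"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(leaked: dict, wordlist: list) -> tuple:
    """Hash each candidate once and look it up against *every* leaked hash.
    Unsalted hashes make this possible: one MD5 computation tests a candidate
    against all users simultaneously. Returns (cracked, hashes_computed)."""
    users_by_hash = {}
    for user, digest in leaked.items():
        users_by_hash.setdefault(digest, []).append(user)
    cracked, computed = {}, 0
    for word in wordlist:
        for candidate in mutations(word):
            computed += 1
            for user in users_by_hash.get(md5_hex(candidate), []):
                cracked[user] = candidate
    return cracked, computed


def brute_force(target_hash: str, max_len: int) -> tuple:
    """Exhaustive search over CHARSET, shortest passwords first.
    Returns (password or None, hashes_computed)."""
    computed = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(CHARSET, repeat=length):
            computed += 1
            candidate = "".join(combo)
            if md5_hex(candidate) == target_hash:
                return candidate, computed
    return None, computed


def keyspace(max_len: int) -> int:
    """Number of candidates of length 1..max_len over 95 characters."""
    return sum(95 ** n for n in range(1, max_len + 1))


def seconds_to_exhaust(max_len: int, hashes_per_second: float) -> float:
    return keyspace(max_len) / hashes_per_second


# Constructed "leak": unsalted MD5 hashes of four users' passwords.
LEAKED = {
    "alice": md5_hex("password"),
    "bob": md5_hex("Summer2020"),
    "carol": md5_hex("letmein!"),
    "dave": md5_hex("T7#qLp!v9r"),  # not derivable from the wordlist
    "eve": md5_hex("password"),     # same password as alice, same hash
}
WORDLIST = ["password", "summer", "letmein", "dragon"]


if __name__ == "__main__":
    cracked, computed = dictionary_attack(LEAKED, WORDLIST)
    print(f"dictionary attack: {len(cracked)} of {len(LEAKED)} cracked "
          f"with {computed} hash computations: {cracked}")
    pw, computed = brute_force(md5_hex("Zz"), max_len=3)
    print(f"brute force found {pw!r} after {computed} hashes")
    for n in (6, 8, 10):
        print(f"all passwords up to {n} chars: {keyspace(n):,} candidates, "
              f"{seconds_to_exhaust(n, 8e9) / 86400:.1f} days at 8e9 hashes/s")
```

Two things are worth noticing when it runs. Forty-four hash computations crack four of the five accounts, and alice and eve fall together because their unsalted hashes are identical; a per-user salt would have forced the attacker to repeat the whole wordlist for each of them. And while the brute-force keyspace for six characters is exhausted in minutes at GPU speed, each extra character multiplies the work by 95, which is why length is the cheapest defence a user controls.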
In 2012, LinkedIn reported a large-scale breach in which 6.5 million password hashes were leaked. The passwords were hashed, but with unsalted SHA1, so a large share of them were cracked within days and real user credentials were exposed in the process. The company had to reset the affected passwords and notify every affected user that their password had to be changed. Because of this gap in its IT planning regarding passwords, LinkedIn has since implemented additional security measures.
Plan on the assumption that your password database will eventually fall into an attacker's hands; that is why each stored password must be able to withstand it. No password is 100% secure, but the following tips should help your IT planning with passwords.
If your organisation runs any IT infrastructure, one can assume there are passwords in circulation. A password isn't just a password; it is often the last line of defence against unauthorised access to confidential consumer data, budgets and even photographs. Sufficient IT planning will require minimum length and complexity requirements for users, and a deliberately slow, salted password hashing algorithm rather than a bare MD5 or SHA1 digest on the server.