Cyber Liability: Managing Password Threats

Organizations trust passwords to protect valuable assets such as data, systems and networks. Passwords are versatile—they authenticate users of operating systems (OS) and applications such as email, labour recording and remote access, and they guard sensitive information like compressed files, cryptographic keys and encrypted hard drives.

Because passwords protect such valuable data, they are often a prime target of hackers and thieves. Although no method of password protection is 100 per cent effective, it is still important to understand and mitigate threats to password security so you can protect your company and its assets.

Types of Password Threats

Implementing security measures starts with anticipating security threats. There are four main ways that attackers attempt to obtain passwords: capturing passwords, guessing or cracking passwords, replacing passwords and using compromised passwords.

1.     Password Capturing

An attacker can capture a password through password storage, password transmission or user knowledge and behaviour. OS and application passwords are stored on network hosts (a computer connected to a network) and used for identification. If the stored passwords are not secured properly, attackers with physical access to a network host may be able to gain access to the passwords. Never store passwords without additional controls to protect them. Security controls include:

• Encrypting files that contain passwords
• Restricting access to files that contain passwords using OS access control features
• Storing one-way cryptographic hashes for passwords instead of storing the passwords themselves

Hashes are the end result of putting data, like passwords, through an algorithm that changes the form of the original information into something different. For example, the password ‘default’ could be mapped as an integer such as 15. Only the network host knows that 15 stands for the password ‘default’. Read more >>