3B Data Security's Digital Forensic Incident Response (DFIR) team has investigated hundreds of data breaches, and the majority of cases share one thing in common: the initial attack vector was a compromise of user credentials.
Passwords are often the weakest link in any organisation, with users choosing weak passwords, reusing passwords across multiple applications, and using the same password for both personal and professional applications.
Some of our recent investigations found and cracked the following passwords, in use by individuals with full administrative-level privileges: 1234, ped, golf, carrott, sgt, jim, dickhead, mikey, andy, bowlerhat1, bing123, Ispwich1.
Removing password authentication altogether could dramatically reduce the risks associated with passwords and their security. Implementing technology that allows users to access applications without typing in a password removes the risks of brute-forcing weak passwords, of passwords compromised in other environments such as social media, and of users forgetting complex passwords. Technologies such as biometric authentication, single sign-on (SSO) and federated identity streamline the user experience for employees within an organisation, while still maintaining a high level of security and complete control for IT and security teams.
For anyone operating an environment where cardholder data is stored, processed, or transacted, PCI DSS (the minimum security standard for protecting card data) requires that any password be at least seven (7) characters long and contain both numeric and alphabetic characters (requirement 8.2.3). Some of the poor password examples above meet that PCI DSS requirement. In addition, all non-console and remote administrative-level access must be secured with multi-factor authentication (requirement 8.3). Finally, all passwords must be rotated (changed) at least every ninety (90) days (requirement 8.2.4).
If the simple PCI DSS password requirements had been employed, many of the data breaches seen by the 3B DFIR team may not have happened, or the impact may have been reduced.
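As an added illustration (not 3B Data Security's code), the following Python encodes the PCI DSS checks summarised above (8.2.3 length and character classes, 8.2.4 rotation) and runs the cracked passwords listed earlier through them alongside a weak-password blocklist; the blocklist contents are a constructed assumption standing in for a real breached-password corpus.

```python
"""Check the cracked admin passwords from the article against the PCI DSS
minimums described above, plus a constructed blocklist. Added example only."""
from datetime import date, timedelta

# Values from the article: PCI DSS 8.2.3 (7+ chars, letters and digits)
# and 8.2.4 (rotate at least every 90 days).
PCI_MIN_LENGTH = 7
PCI_MAX_AGE_DAYS = 90

# Passwords the article reports as cracked on full-admin accounts.
CRACKED_ADMIN_PASSWORDS = [
    "1234", "ped", "golf", "carrott", "sgt", "jim", "dickhead",
    "mikey", "andy", "bowlerhat1", "bing123", "Ispwich1",
]

# Constructed blocklist (assumption). In practice load a breached-password
# corpus; note it deliberately misses the misspelt "Ispwich1".
WEAK_BLOCKLIST = {"password1", "letmein1", "bowlerhat1", "bing123"}


def meets_pci_8_2_3(password: str) -> bool:
    """True if the password satisfies PCI DSS 8.2.3 as summarised on the page."""
    return (len(password) >= PCI_MIN_LENGTH
            and any(c.isalpha() for c in password)
            and any(c.isdigit() for c in password))


def is_blocklisted(password: str, blocklist=WEAK_BLOCKLIST) -> bool:
    """Case-insensitive match against known weak or breached passwords."""
    return password.lower() in blocklist


def rotation_overdue(last_changed: date, today: date) -> bool:
    """PCI DSS 8.2.4: a password older than 90 days must be rotated."""
    return (today - last_changed) > timedelta(days=PCI_MAX_AGE_DAYS)


def evaluate(passwords=CRACKED_ADMIN_PASSWORDS) -> dict:
    """Bucket passwords: failing 8.2.3, passing 8.2.3 but blocklisted, accepted."""
    result = {"fails_pci": [], "pci_ok_but_weak": [], "accepted": []}
    for pw in passwords:
        if not meets_pci_8_2_3(pw):
            result["fails_pci"].append(pw)
        elif is_blocklisted(pw):
            result["pci_ok_but_weak"].append(pw)
        else:
            result["accepted"].append(pw)
    return result


if __name__ == "__main__":
    for bucket, pws in evaluate().items():
        print(f"{bucket}: {pws}")
```

Three of the twelve cracked passwords clear the 8.2.3 minimum, and one of those also slips past the blocklist, which is why the page treats the complexity rule as a floor and relies on MFA (8.3) for administrative access.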
If you would like any advice or guidance on achieving a high level of security for your environment, or assistance in meeting industry security standards, please contact 3B Data Security.
While passwords may not be going away completely, 92 percent of respondents believe passwordless authentication is the future of their organization, according to a LastPass survey.