Wed, Feb 10, 2016
The list of the most common, and therefore worst, passwords of 2015 has been published and demonstrates that our approach to password management has not improved. Once again, the top password is ‘123456’ and the second most common is ‘password’.
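A screening routine of the kind that would have rejected both of those entries, added here as an example (it is not Kroll's code, and the short denylist and the hypothetical `personal_tokens` input are constructed stand-ins for the published 'worst passwords' list and for attributes an attacker could read off a public profile):

```python
"""Screen a candidate password against a common-password denylist and personal tokens.

Added example, not code from the original post. COMMON_PASSWORDS is a constructed,
truncated stand-in for the published list; a real deployment would load a full
breach-derived list (for instance the HIBP Pwned Passwords set) instead.
"""
import re
from typing import Iterable, List

# Constructed: a handful of entries of the kind that top the yearly 'worst passwords' list.
COMMON_PASSWORDS = {
    "123456", "password", "12345678", "qwerty", "12345", "123456789",
    "football", "1234", "1234567", "baseball", "welcome", "abc123", "letmein",
}

# Undo the substitutions people use to dress up a dictionary word ('P@ssw0rd').
# '1' is mapped to 'l' here; either 'l' or 'i' is a defensible choice.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def normalise(pw: str) -> str:
    """Lower-case, strip a trailing run of digits/punctuation ('password123!' -> 'password'),
    then undo leet substitutions, so the core word can be looked up in the denylist."""
    core = pw.lower()
    core = re.sub(r"[\d\W_]+$", "", core)
    return core.translate(LEET)


def screen_password(pw: str, personal_tokens: Iterable[str] = ()) -> List[str]:
    """Return the reasons a password is rejected; an empty list means it passed.

    personal_tokens: strings an attacker could learn from public sources
    (family forenames, pet names, employer, birth year). Hypothetical input,
    assumed to be supplied by the caller from the user's own profile.
    """
    reasons: List[str] = []
    if len(pw) < 12:
        reasons.append("shorter than 12 characters")
    core = normalise(pw)
    if pw.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        reasons.append("on common-password denylist")
    for tok in personal_tokens:
        t = tok.lower()
        # Ignore very short tokens; they would match almost anything.
        if len(t) >= 3 and (t in pw.lower() or t in core):
            reasons.append(f"contains personal token '{tok}'")
    return reasons


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd1!", "Emily2016!", "correct horse battery staple"):
        print(candidate, "->", screen_password(candidate, personal_tokens=["Emily"]) or "ok")
```

The normalisation step matters more than the list itself: a denylist that only matches exact strings is defeated by appending a digit, which is exactly what users do when a policy forces a change.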
There are many problems with passwords, all of which add up to insecure online accounts. It is estimated that each of us now has as many as 118 online accounts, and trying to manage that many accounts leads to poor password hygiene. The main problems with passwords are:
Why does it matter?
Access to your online accounts can essentially provide access to your life, for example your financial information, corporate data, personal information, and the ability to send, receive and intercept your communications. This can be used for theft, spear-phishing, as a route to your contacts and even blackmail.
Kroll has investigated many cases where poor password management was the root cause of the problem. For example, we were engaged by a hedge fund which had suffered the theft of its unique algorithm. This algorithm formed the basis of the fund’s trading methodology and yet was protected by a weak password. The password was cracked and the code was leaked causing the client significant financial loss during the five years it took to rectify the problem.
In another case, a private wealth bank contacted Kroll after it had identified bogus money transfer instructions from an external wealth manager acting for one of its clients. By the time the bank realised it had been the subject of a fraud, it had transferred in excess of $1 million.
Kroll identified that the wealth manager’s email account had been compromised and that mailbox filters had been set to hide all messages from the bank and from his client, allowing the fraudster to send the bogus instructions undetected. The fraudster had mimicked the language and instructions of the client’s earlier emails saved in the account. The wealth manager’s password was his daughter’s forename, which was readily identifiable from his public social media accounts.
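The hiding filters are the detectable part of that attack. Below is an added example (not Kroll's tooling) of an audit over a mailbox's inbox rules that flags the pattern: rules that delete, mark read or divert mail from particular senders or on particular subjects, especially finance-related ones, rules that forward outside the organisation, and rules with empty or single-character names. The rule records are a constructed, simplified shape; an export from a real mail platform (for Exchange Online, the output of `Get-InboxRule`) would need to be mapped onto these field names, which are assumptions of this example.

```python
"""Audit inbox rules for the 'hide the conversation' pattern used in payment-instruction fraud.

Added example, not code from the original post. The rule schema and the SAMPLE_RULES
export are constructed; map your platform's rule export onto these fields.
"""
import re
from typing import Dict, List

# Folders attackers commonly divert mail into because owners rarely look there.
HIDING_FOLDERS = {
    "rss feeds", "rss subscriptions", "conversation history",
    "junk email", "deleted items", "archive", "notes",
}
FINANCE_TERMS = ("bank", "transfer", "wire", "payment", "invoice", "remittance", "swift", "iban")

# Constructed sample export: one legitimate rule and two modelled on the case described above.
SAMPLE_RULES = [
    {"name": "Newsletters", "enabled": True,
     "from_contains": ["news@vendor.example"], "subject_contains": [],
     "move_to": "Newsletters", "delete": False, "mark_read": False, "forward_to": []},
    {"name": ".", "enabled": True,
     "from_contains": ["@privatebank.example"], "subject_contains": [],
     "move_to": "RSS Feeds", "delete": False, "mark_read": True, "forward_to": []},
    {"name": "a", "enabled": True,
     "from_contains": ["client@client.example"], "subject_contains": ["transfer", "wire"],
     "move_to": "", "delete": True, "mark_read": False,
     "forward_to": ["archive.mailbox@freemail.example"]},
]


def audit_rule(rule: Dict, internal_domain: str) -> List[str]:
    """Return findings for one rule; an empty list means nothing suspicious."""
    findings: List[str] = []
    if not rule["enabled"]:
        return findings
    hides = rule["delete"] or rule["mark_read"] or rule["move_to"].lower() in HIDING_FOLDERS
    matchers = rule["from_contains"] + rule["subject_contains"]
    finance = any(term in m.lower() for m in matchers for term in FINANCE_TERMS)
    if hides and matchers:
        findings.append("hides mail from specific senders or subjects")
    if hides and finance:
        findings.append("targets finance-related mail")
    external = [a for a in rule["forward_to"] if not a.lower().endswith("@" + internal_domain)]
    if external:
        findings.append("forwards externally to " + ", ".join(external))
    if len(rule["name"].strip()) <= 1 or not re.search(r"[a-z]", rule["name"].lower()):
        findings.append("rule name empty or single-character (typical of attacker-created rules)")
    return findings


def audit_mailbox(rules: List[Dict], internal_domain: str = "wealthmgr.example") -> List[Dict]:
    """Run audit_rule over every rule and keep only those with findings, in export order."""
    results = []
    for rule in rules:
        findings = audit_rule(rule, internal_domain)
        if findings:
            results.append({"name": rule["name"], "findings": findings})
    return results


if __name__ == "__main__":
    for hit in audit_mailbox(SAMPLE_RULES):
        print(repr(hit["name"]), "->", "; ".join(hit["findings"]))
```

Run this over every mailbox that can issue or approve payment instructions, not only after an incident: the rules are created at the moment of compromise and sit there, quietly, for the whole period the fraudster is drafting instructions in the victim's name.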
What can you do?