Why Are We So Stupid About Passwords?Sony's Experience Suggests Poor Attention To Detail
Despite the seemingly nonstop pace of data breaches, organizations worldwide still don't seem to be paying much attention to detail when it comes to the proper use of passwords.
See Also: Preparing for New Cybersecurity Reporting Requirements
The latest entrant into the password "hall of shame" is Sony Pictures Entertainment, as the ongoing leaks of purloined Sony data by Guardians of Peace - a.k.a. G.O.P. - continue to highlight. It wasn't just that Sony was - according to numerous reports - using weak, overly short passwords for many systems. Sony was also storing lists of passwords in text files, Word documents and Excel spreadsheets, Mashable reports. Furthermore, none of those files appears to have been password-protected or encrypted.
You don't store passwords in Word files or in Excel spreadsheets.
Security experts react with incredulity at Sony's alleged password missteps. "You don't store passwords in Word files or in Excel spreadsheets," Tom Chapman, director of the security operations group at computer security firm EdgeWave, tells me.
G.O.P. didn't have to look far to unearth sensitive passwords for Sony's internal network, social media accounts and Web services. Indeed, many of them appear to have been shared on file-servers in a folder labeled "Passwords."
Sony has not responded to my multiple requests for comment about the hack attack and its password security practices.
Did Sony Learn From LulzSec?
But leaving passwords gift-wrapped for anyone who's able to penetrate the corporate network suggests that Sony's executives haven't learned from their previous information security missteps.
In 2011, Anonymous offshoot LulzSec claimed to have compromised 1 million SonyPictures.com users' passwords, as well as "all admin details of Sony Pictures (including passwords)."
Over the course of that year, in fact, the company was pummeled by 21 separate attacks that resulted in breaches of Sony sites, including the theft of 77 million consumers' credit card numbers. The attacks began not long after Sony had laid off a portion of its security staff. Sony subsequently received the year's Pwnie Award - decided by a distinguished panel of information security experts - for "most epic fail," as well as a fine of £250,000 (about $400,000) from the U.K. Information Commissioner's Office, which said in a statement that "the security measures in place were simply not good enough."
Missing: Password Management
Three years after what should have been Sony's security wakeup call, G.O.P. struck via what many security experts suspect was a phishing attack. How well-prepared was Sony for such an attack? After reviewing a recent batch of leaked documents, Buzzfeed claims Sony wasn't even using a social media management system. That's essential for adding two-factor authentication to restrict multi-user access to corporate Twitter and Facebook accounts. Internally, meanwhile, the "Passwords" folder means Sony wasn't enforcing the use of easy-to-use password management software.
Security experts recommend everyone use password managers, which automate the process of generating strong, random passwords; corralling them in one place; storing them in encrypted format; and restricting access. "It is a good practice to use a password manager, and that is essentially keeping everything in a folder called 'passwords' with one major difference - it is properly encrypted so that even if the adversary had it in their possession, they cannot read it without proper credentials," says TK Keanini, CTO of network security firm Lancope.
"There were many major mistakes made at Sony, but the question everyone should ask is: Why does it take a major incident to find these mistakes? Why didn't anyone catch these incredibly obvious insecurities prior to the incident and fix them?" Keanini asks.
Every other organization should now ask itself what would happen if - like Sony - attackers penetrated its network. Would they find social media credentials and lists of admin passwords to tens of thousands of systems in an unprotected Excel spreadsheet?
The obvious takeaway is that enterprises need to get smart about not just requiring strong passwords, but encrypting and restricting access to those passwords, preferably using multi-factor authentication.
Even better, look to advanced authentication mechanisms that provide risk-based access controls. For example, consider products that work with the FIDO Alliance - for "fast identity online" - specification. FIDO offers a "bring what you've got" approach that can treat combinations of a user's mobile device, public/private key, one-time passwords, USB security tokens and more as access tokens, thus eliminating the need for passwords.
Until that happens, of course, organizations must pay close attention to password security, or else risk becoming the next Sony.