Even after years of warnings and increased awareness of weak passwords, the problem continues. This was evident in a recent data breach that exposed the Social Security numbers of over 280,000 people in Utah. Attackers got into a Utah Medicaid network server by using a default administrative password, which let them bypass the perimeter, network and application-level security controls built into the health agency's systems.
Such mistakes are easy to avoid, so it continues to surprise experts that default and guessable passwords are not the first thing addressed when securing a computer network. Yet examples abound. The U.S. Department of Energy said that a security audit at the Bonneville Power Administration identified 11 servers configured with easily guessable passwords.
Four of the power administration's servers allowed remote users to access and modify shared files. Another server hosted an administrator account that was protected only by a default password. The agency reported the findings and urged stronger password protection, especially for national-security-critical infrastructure such as power plants.
The recent Global Payments data breach, which exposed information on about 1.5 million credit card account holders, was likely carried out through weak authentication mechanisms. Chinese hackers are also believed to have gotten into the U.S. Chamber of Commerce's website through weak password protection.
Gartner analyst John Pescatore said the Anonymous hacking collective takes advantage of the very human tendency to use the same password for multiple accounts. "A lot of Anonymous' recent success has been in attacks where they have obtained users' passwords to external services and then found the same passwords in use at sensitive internal applications or in email systems," Pescatore said. That is "the curse of the reusable password," he added.
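The two failure modes above, accounts still carrying a vendor default or easily guessed password (as in the Bonneville audit) and passwords reused between an external service and an internal system (the "curse of the reusable password"), can both be checked offline against a credential store without ever touching the live login path. The following is an added example, not code from the article or from any of the organizations it names. It assumes a hypothetical store of PBKDF2-SHA256 salted hashes, a constructed set of sample accounts, a short constructed default-password list, and a constructed dictionary standing in for plaintext credentials recovered from an external breach; the account names, passwords and the `audit_defaults` / `audit_reuse` helpers are all illustrative.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Hypothetical credential-store format: per-account random salt plus
# PBKDF2-HMAC-SHA256 digest. Iteration count kept low for demo speed;
# a production store would use a far higher count (or Argon2/scrypt).
ITERATIONS = 20_000


@dataclass(frozen=True)
class Account:
    user: str
    salt: bytes
    digest: bytes


def hash_password(password: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)


def make_account(user: str, password: str) -> Account:
    salt = os.urandom(16)
    return Account(user, salt, hash_password(password, salt))


def check_password(account: Account, candidate: str) -> bool:
    # Constant-time comparison so the audit itself does not leak timing info.
    return hmac.compare_digest(hash_password(candidate, account.salt), account.digest)


def audit_defaults(accounts: list[Account], wordlist: list[str]) -> dict[str, str]:
    """Return {user: matching_password} for every account whose password is in the wordlist."""
    findings: dict[str, str] = {}
    for acct in accounts:
        for pw in wordlist:
            if check_password(acct, pw):
                findings[acct.user] = pw
                break
    return findings


def audit_reuse(accounts: list[Account], external_leak: dict[str, str]) -> list[str]:
    """Return users whose internal password equals the plaintext leaked for them elsewhere.

    This is exactly the credential-stuffing step an attacker performs with a
    breached external password list; run defensively it finds the reuse first.
    """
    reused: list[str] = []
    for acct in accounts:
        leaked = external_leak.get(acct.user)
        if leaked is not None and check_password(acct, leaked):
            reused.append(acct.user)
    return reused


# Constructed sample data (not real accounts or real breach data).
DEFAULT_PASSWORDS = ["admin", "password", "Password1", "changeme", "123456", ""]

SAMPLE_ACCOUNTS = [
    make_account("admin", "admin"),                       # vendor default never changed
    make_account("svc_backup", "changeme"),               # installer placeholder
    make_account("alice", "correct horse battery staple"),
    make_account("bob", "Tr0ub4dor&3"),
]

# Constructed stand-in for plaintexts recovered from an external service breach.
EXTERNAL_LEAK = {"bob": "Tr0ub4dor&3", "alice": "somethingelse", "carol": "x"}


if __name__ == "__main__":
    print("default/weak passwords:", audit_defaults(SAMPLE_ACCOUNTS, DEFAULT_PASSWORDS))
    print("reused from external leak:", audit_reuse(SAMPLE_ACCOUNTS, EXTERNAL_LEAK))
```

Running the block flags `admin` and `svc_backup` for default passwords and `bob` for reuse; `alice` is clean on both counts because her leaked external password differs from the internal one. Against a real store the wordlist would be the vendor defaults and top-N common passwords for the platform, and the leak dictionary would be keyed on whatever identifier the external breach exposed (usually an e-mail address), since that is how an attacker will correlate it.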
"The truth is, anyone trying to protect nontrivial assets should be using multifactor authentication and/or complementary controls to protect themselves," said Peter Lindstrom, an analyst with Spire Security. "The password has too many weaknesses, including the obvious human ones. At this stage of the IT game," he added, "there is really no excuse for using default passwords."