According to the 2012 Global Security Report by Trustwave, ‘Password1’ has become the most common password used in business.
‘Password1’ is so common because it satisfies Microsoft Active Directory’s default password complexity requirements: it contains an uppercase letter, lowercase letters and a digit, and it is long enough to clear the minimum length, so the domain accepts it as a “complex” password even though it is trivially guessable. This is not good news in an increasingly hostile web environment.
Some other findings regarding the hacking incidents Trustwave investigated include:
• Customer records remained a valuable target for attackers, making up 89 percent of breached data investigated.
• For the second year, the food and beverage industry made up the highest percentage of investigations at nearly 44 percent.
• Industries with franchise models are the new cyber targets: more than a third of 2011 investigations occurred in a franchise business.
• In 76 percent of incident response investigations, a third party responsible for system support, development and/or maintenance of business environments introduced the security deficiencies.
• Law enforcement detected more breaches in 2011—up from 7 percent in 2010 to 33 percent in 2011.
• Data harvesting techniques continued to target data “in transit” within victim environments, showing up in 62.5 percent of 2011 investigations.
• Anti-virus detected less than 12 percent of the targeted malware samples collected during 2011 investigations.
• For Web-based attacks, SQL injection remains the number one attack method for the fourth year in a row.
Trustwave goes on to say that business employees are “finding creative ways to override” corporate IT policies on passwords. Examples include setting the username as the password, making numerically predictable changes such as appending 1234, or merely capitalising the first letter of a word and adding an exclamation point to the end. A second problem stems from IT policies that demand frequent changes, greater complexity and a separate password for every system: employees respond by writing passwords down and leaving them where they can be seen, often on the very computer they are meant to protect.
Trustwave also warns against keylogger software used by hackers and the social engineering techniques employed to get users to inadvertently give up their passwords.
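The following Python script is an added example, not code from the Trustwave report or this article. It audits candidate passwords first against Active Directory’s “password must meet complexity requirements” rules as Microsoft documents them (three of four character categories, no samAccountName, no display-name token of three or more characters) and then against the habits described above (username as password, a numeric tail that just gets incremented, a dictionary word with a capital letter and a trailing “!”). The 7-character minimum, the tiny word list and the sample passwords are assumptions constructed for the example. It shows that ‘Password1’, ‘Welcome1234’ and ‘Summer!’ all clear the AD policy while matching a predictable pattern; the only sample AD rejects is the username-based one, and only because the policy explicitly checks for the account name.

```python
"""Audit passwords against AD complexity rules and the predictable habits the
report describes. Added example; assumptions are marked in comments."""
import re
from typing import Dict, List

# Assumption: 7 is the Windows default domain minimum; many domains raise it.
MIN_LENGTH = 7

# Constructed stand-in for a real wordlist (e.g. a cracked-password corpus).
COMMON_WORDS = {"password", "welcome", "summer", "winter", "monday", "company", "letmein"}


def complexity_failures(password: str, sam_account_name: str, display_name: str = "") -> List[str]:
    """Return the AD complexity rules the password breaks (empty list = accepted)."""
    failures: List[str] = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    # Three of four categories: uppercase, lowercase, digit, non-alphanumeric.
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        failures.append("fewer than three character categories")
    lowered = password.lower()
    # The whole samAccountName (3+ chars) must not appear, case-insensitively.
    if len(sam_account_name) >= 3 and sam_account_name.lower() in lowered:
        failures.append("contains the account name")
    # displayName is split on delimiters; tokens of 3+ chars must not appear.
    for token in re.split(r"[ ,.\-_#\t]+", display_name):
        if len(token) >= 3 and token.lower() in lowered:
            failures.append(f"contains name token '{token}'")
    return failures


def predictable_patterns(password: str, sam_account_name: str) -> List[str]:
    """Flag the habits in the article. None of these are caught by complexity
    rules alone, which is the gap the report is pointing at."""
    found: List[str] = []
    base = re.sub(r"[\d!]+$", "", password)  # the word part
    suffix = password[len(base):]            # the trailing decoration
    if base.lower() == sam_account_name.lower():
        found.append("username as password")
    if base.lower() in COMMON_WORDS:
        found.append("dictionary word as base")
    if any(c.isdigit() for c in suffix):
        found.append("trailing digits (easy to increment on rotation)")
    # Any four ascending digits in a row, e.g. 1234 or 6789.
    if any(password[i:i + 4] in "0123456789" for i in range(len(password) - 3)):
        found.append("sequential digit run")
    if base[:1].isupper() and base[1:].isalpha() and base[1:].islower() and suffix.endswith("!"):
        found.append("capitalised first letter with '!' appended")
    return found


def audit(password: str, sam_account_name: str, display_name: str = "") -> Dict[str, object]:
    """Combine both views: would AD accept it, and is it predictable anyway?"""
    failures = complexity_failures(password, sam_account_name, display_name)
    return {
        "accepted_by_ad": not failures,
        "failures": failures,
        "patterns": predictable_patterns(password, sam_account_name),
    }


if __name__ == "__main__":
    # Constructed samples for the account jsmith / "John Smith".
    for pw in ["Password1", "Welcome1234", "Summer!", "Jsmith1234", "Tr0ub4dor&3xq"]:
        result = audit(pw, "jsmith", "John Smith")
        verdict = "ACCEPTED" if result["accepted_by_ad"] else "REJECTED"
        print(f"{pw:15} AD {verdict:8} failures={result['failures']} patterns={result['patterns']}")
```

A practical takeaway from running it: the complexity rules reject only the password that literally contains the account name, so a domain that wants to stop ‘Password1’ needs a banned-password list or a breached-password check in addition to the complexity setting, not a stricter version of it.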