Identity & Access

Social Media Passwords Provide Easy Route into Corporate Networks

A combination of ‘security fatigue’ among users and inadequate password controls among the social media giants is providing a large attack vector for cybercriminals. This is the conclusion of a newly published survey that queried more than 250 security professionals at the RSA Conference in San Francisco in February 2017.

The survey (PDF), conducted by Thycotic, found that password hygiene is severely lacking even among security professionals. It found, for example, that 50% of security professionals have not changed their social network passwords for a year or more, and 20% have never changed them. When this is coupled with social networks not enforcing their own security options, the result is a weak underbelly for criminals to get into corporate networks.

“As we know,” said Joseph Carson, Chief Security Scientist at Thycotic, “social networks give away a lot of private information. For people to not consider changing their passwords on a regular basis on their Facebook, Twitter and LinkedIn accounts, they are easily allowing hackers to access information that will grant them access to other facets of their lives, like their work computers and email. Not only is this a huge vulnerability, but this is also a flaw within large social networks that don’t remind or make it clear and transparent to the user about the age or strength of the password or best practices.”

It is a combination of factors that creates the problem. Users still choose weak passwords and reuse them across multiple accounts. Thirty percent of the security professional respondents have used, or are still using, birthdays, addresses, pet names or children’s names for their work passwords; all of these can be harvested from a public profile and are easily guessed or cracked.

The problem is made worse by the increasing use of social logins, where separate internet services allow users to sign in with their Facebook, LinkedIn or Twitter account, so one compromised social credential opens every service chained to it. “Social logins create a major security risk because it becomes the master key for all other accounts,” Carson told SecurityWeek. “The problem stems further because it is not a proper vault and is used for more than just social logins — such as for communication, email, browsing and online shopping — so it is easily targeted and exploited.”

One concerning implication of this survey is that user awareness training alone has not solved the problem. The respondents’ poor password practices are, said Carson, “an indication that even security professionals continue to use weak passwords for social accounts and that cyber awareness training and cyber hygiene still have a lot of room for improvement. Much of this is a result of cyber fatigue and lack of built-in automation for social accounts.”

According to Verizon’s 2016 Data Breach Investigations Report, 63% of confirmed data breaches involved weak, default or stolen passwords. “The use of stolen, weak or default credentials in breaches is not new, is not bleeding edge, is not glamorous, but boy howdy it works,” the DBIR says.

Forrester Research puts the breach figure even higher, estimating in its ‘Forrester Wave: Privileged Identity Management, Q3 2016’ report that up to 80% of breaches involve the abuse of privileged accounts. Thycotic’s own research indicates that use of passwords as the primary authentication control is still growing, estimating that the 90 billion passwords currently in use will grow to 300 billion by 2020.

Carson does not believe that the solution can simply be awareness training and improved password practices. “There is no such thing as an uncrackable password,” Carson told SecurityWeek; “but you can make it very difficult with the computing power plus time to crack the password — which can deter the attacker from even trying to crack the password. In most cases, it is easier for the attacker to ask the user to tell them the password via phishing scams.”
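The two points made above, that personal details lifted from a profile make a password easy to guess and that the cost of cracking depends on the search space an attacker has to cover, are illustrated by the following added Python example. It is not code from the article or from Thycotic; the profile terms, the tiny wordlist, the sample account vault and the 1e10 guesses-per-second rate are constructed assumptions for the demonstration.

```python
import hashlib
import re

# Constructed sample data (assumption, not from the survey): terms an attacker
# could harvest from a public social profile, as the article describes.
PROFILE_TERMS = ["rex", "emma", "maple", "1985", "0312"]

# A tiny stand-in for a real cracking wordlist (assumption).
COMMON_WORDS = {"password", "welcome", "summer", "monkey", "letmein", "qwerty"}

YEAR_RE = re.compile(r"(19|20)\d{2}")


def weaknesses(password, profile_terms=PROFILE_TERMS):
    """Return the weak patterns a cracker would try first, in a fixed order."""
    pw = password.lower()
    found = []
    if len(password) < 12:
        found.append("short")
    for term in profile_terms:
        if term.lower() in pw:
            found.append("profile:" + term)
    for word in sorted(COMMON_WORDS):
        if word in pw:
            found.append("dictionary:" + word)
    if YEAR_RE.search(pw):
        found.append("year")
    return found


def charset_size(password):
    """Size of the smallest character-class mix that covers the password."""
    size = 0
    if re.search(r"[a-z]", password):
        size += 26
    if re.search(r"[A-Z]", password):
        size += 26
    if re.search(r"\d", password):
        size += 10
    if re.search(r"[^A-Za-z0-9]", password):
        size += 33  # printable ASCII punctuation
    return size


def brute_force_seconds(password, guesses_per_second=1e10):
    """Average-case time to exhaust the keyspace by pure brute force.

    1e10 guesses/s is an assumed rate for a GPU rig against a fast unsalted
    hash. It only bounds the attack from above: a profile-aware wordlist
    finds something like "Rex2012!" in far fewer guesses than the keyspace
    implies, which is why weaknesses() matters more than this number.
    """
    keyspace = charset_size(password) ** len(password)
    return keyspace / 2 / guesses_per_second


def reused_passwords(accounts):
    """Group accounts that share a password (the 'master key' problem).

    accounts maps account name -> password. Hashing is used only to compare
    values without carrying plaintext into the result.
    """
    by_hash = {}
    for name, pw in accounts.items():
        digest = hashlib.sha256(pw.encode()).hexdigest()
        by_hash.setdefault(digest, []).append(name)
    return [names for names in by_hash.values() if len(names) > 1]


def audit(accounts, profile_terms=PROFILE_TERMS):
    """Per-account findings plus reuse groups for a vault of passwords."""
    report = {}
    for name, pw in accounts.items():
        report[name] = {
            "weaknesses": weaknesses(pw, profile_terms),
            "brute_force_days": brute_force_seconds(pw) / 86400,
        }
    report["reused"] = reused_passwords(accounts)
    return report


if __name__ == "__main__":
    # Constructed vault (assumption): the social password doubles as the
    # work VPN password, exactly the pattern the survey warns about.
    sample = {
        "facebook": "Rex2012!",
        "corp-vpn": "Rex2012!",
        "bank": "glacier-orbit-velvet-pianos",
    }
    for key, value in audit(sample).items():
        print(key, value)
```

Running the audit on the constructed vault flags the shared "Rex2012!" as short, built from a profile term and a year, and reused between the social account and the VPN, while the long passphrase produces no findings; the brute-force figure is reported in days only to show how quickly the keyspace shrinks when the attacker can guess the structure.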

But the big takeaway from Thycotic’s survey is that users — even those users who should know better — simply are not making it hard for the criminals. Coupled with the disinclination of social media giants to enforce strong access requirements, social media is providing an easy route into employees’ accounts; and from there into corporate privileged accounts. Users, suggests Thycotic, cannot be relied upon to protect their passwords, making technology-based privileged account management an absolute necessity.
