Time to Re-Think Conventional Password Security

Paul Roberts posted an interesting story on Threatpost about the limitations of conventional password security.

Roberts writes, “Researchers at Microsoft and Harvard University warn that popular passwords pose a bigger risk to online security than weak ones and suggest that many tools to enforce strong passwords actually steer users to choices that are easy to guess. Forcing users to choose passwords that are rare and ‘unpopular,’ rather than ‘strong,’ as it has traditionally been defined, provides a better defense against one type of attack, known as ‘statistical guessing’…
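To make the contrast concrete, here is a small added example (not code from the Threatpost article or from the Microsoft/Harvard researchers) that puts a conventional complexity rule next to a popularity check. The popularity oracle, the sample password frequencies, the secret HMAC key and the 5% threshold are all constructed for illustration; a real deployment would use a far lower threshold over a much larger population and a sketch structure rather than an exact table.

```python
import hashlib
import hmac
import re
from collections import Counter

# Constructed sample of what a user population previously chose
# (hypothetical frequencies, not real data).
SAMPLE_PASSWORD_CHOICES = (
    ["P@ssw0rd1"] * 40
    + ["Welcome123!"] * 25
    + ["Summer2010!"] * 15
    + ["correct horse battery", "mauve-7-teaspoon-rain", "xk9#Lq2!vT"]
)

# A conventional "strong password" rule: length plus four character classes.
COMPLEXITY_RULES = [re.compile(p) for p in (r"[A-Z]", r"[a-z]", r"\d", r"[^\w\s]")]


def passes_complexity(password, min_len=8):
    """True when the password satisfies the traditional complexity rule."""
    return len(password) >= min_len and all(r.search(password) for r in COMPLEXITY_RULES)


class PopularityOracle:
    """Counts how often each password has been chosen site-wide.

    Passwords are keyed by an HMAC under a secret server key (assumed here),
    so the table holds no plaintext; the key must stay secret or the table
    becomes an offline guessing target.
    """

    def __init__(self, max_share, secret_key=b"constructed-secret-key"):
        self.counts = Counter()
        self.total = 0
        self.max_share = max_share  # largest fraction of users allowed to share one password
        self.secret_key = secret_key

    def _key(self, password):
        return hmac.new(self.secret_key, password.encode(), hashlib.sha256).hexdigest()

    def record(self, password):
        """Record one user choosing this password."""
        self.counts[self._key(password)] += 1
        self.total += 1

    def share(self, password):
        """Fraction of recorded choices that picked this password."""
        if self.total == 0:
            return 0.0
        return self.counts[self._key(password)] / self.total

    def is_too_popular(self, password):
        """Reject a password that more than max_share of users already use."""
        return self.share(password) > self.max_share


def build_oracle(choices, max_share=0.05):
    """Build an oracle from a list of prior choices (threshold sized for the tiny sample)."""
    oracle = PopularityOracle(max_share)
    for password in choices:
        oracle.record(password)
    return oracle


def evaluate(password, oracle):
    """Report what each policy says about a candidate password."""
    return {
        "passes_complexity": passes_complexity(password),
        "too_popular": oracle.is_too_popular(password),
        "share": oracle.share(password),
    }


if __name__ == "__main__":
    oracle = build_oracle(SAMPLE_PASSWORD_CHOICES)
    for candidate in ("P@ssw0rd1", "correct horse battery", "xk9#Lq2!vT"):
        print(candidate, evaluate(candidate, oracle))
```

Run as a script, the output shows the point of the article: "P@ssw0rd1" sails through the complexity rule yet is the single most popular choice, so a statistical guesser would try it first, while "correct horse battery" fails the complexity rule but is unique in the population. A production oracle should also age out old counts and must rate-limit queries, since the check itself answers "is this password common here?" for anyone who can call it.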

Don’t Forget Privileged Logins

It’s an interesting concept, and one that brings to mind another serious vulnerability present in many organizations: the privileged logins that grant access to servers, databases, line-of-business applications, and other datacenter assets too often share common, broadly reused passwords known to far too many individuals.

Even worse, these powerful logins are often entered into a spreadsheet on a common share that large numbers of employees can access – all for the sake of convenience over security. And, since many IT departments never change these privileged accounts, employees who left the organization years ago still know the password secrets that grant full administrator access.

As the Threatpost article suggests, you can make significant improvements to your security posture by looking at the big picture.

