Passwords are fundamentally insecure and represent the biggest security threat facing organisations, says Jason Hart, senior vice-president for Europe at security firm Cryptocard.
Hart, a former ethical hacker, is able to demonstrate how easily available software can be used by hackers to capture every username and password of any user on a network.
Hackers are able to view the username and password victims type in to access e-mail systems, business systems and cloud services, even those using a secure internet protocol (https) or encryption.
It is impossible to protect anything that connects with the internet through any means against this kind of attack at the protocol level, he said.
Hart also showed how Google search can be used to find the administrator's password for the database of a cloud-based service or back-ups that contain usernames and passwords.
Another common way of stealing usernames and passwords is to install invisible keyloggers on victims' computers.
"Because the hacker activity is invisible and may never be discovered, many people believe passwords are secure," said Hart.
Invisible keyloggers are in effect zero-day attacks that will bypass most security software to steal usernames and passwords, no matter how long or complex, he said.
"Complex passwords may take longer to guess, but offer no defence against keyloggers and other capturing tools," he said.
There are step-by-step guides available on YouTube on how to do this through legitimate-looking e-mails, said Hart.
Hackers can also use various simple social engineering techniques to target victims by posing as a member of a company's IT security team.
In this scenario, hackers send e-mails to new employees directing them to legitimate-looking web pages, where they are asked to type in and confirm their username and password.
"A simple search on Twitter is a very easy way to identify potential victims, with millions of people talking about new jobs with big-name organisations," said Hart.
Once a hacker has a valid username and password, they are able to access business IT systems undetected and then elevate user privileges to access sensitive information, he said.
Despite the threat, fewer than 5% of organisations around the world have adopted two-factor authentication methods, which can be rolled out easily for less than £2 a month, said Hart.
The threat will become even greater, he said, as more organisations start using cloud-based computing services that continue to rely entirely on passwords for protection.
Using passwords can result in a degree of complacency, according to William Beer, director of information security in the risk assurance practice at PricewaterhouseCoopers.
"There are ways around passwords and encryption, so they are by no means a silver bullet," he told Computer Weekly.
Organisations also typically confuse password protection with encryption, but if something is password protected, it does not necessarily mean it is encrypted, he said.