Damage Inflicted from One Weak Password

Sue Marquette Poremba

If you need a reason to question your company's password policy, I recommend you take a look at what is happening in Utah right now.


You probably heard about the breach of hundreds of thousands of Medicaid and Children's Health Insurance Program (CHIP) records - a number that seems to grow with every article I've read.


This story is worrisome on so many levels, but especially so as the rise of child identity theft has been in the headlines recently. All identity theft is bad, obviously, but when a child's identity is stolen, it is usually not detected for years - until the child is an older teenager or an adult trying to get a job or get a credit card or even enroll in college. By then, the damage is significant.


In addition to personal information like birth dates and names, at least 250,000 Social Security numbers were reported as stolen or compromised.


And how did this breach happen? Allegedly due to a weak password - or as the folks at the Utah Department of Health have claimed, a configuration error in an authentication layer. As Computerworld pointed out:

Many security analysts see that as a somewhat euphemistic admission by the state that the breached server was using a default administrative password or an easily guessable one. By taking advantage of the error, the attackers were able to bypass the perimeter-, network- and application-level security controls that IT administrators had put in place to protect the data on the server.

I've written about the importance of strong passwords many times, and one of the worst offenders in the easy-to-guess category is failing to change a default password as soon as a system is deployed. At this point, that is indefensible.
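As an added example (not from the original post, and not the Utah Department of Health's own tooling), the following Python script shows the kind of check a provisioning pipeline or account audit can run so that a default or trivially guessable password is rejected before a server goes live. The blocklist, the 14-character minimum and the sample accounts are constructed for illustration; a real deployment would screen against a large corpus of breached passwords, as NIST SP 800-63B recommends, and would check a credential at the moment it is set rather than keep plaintext lists around.

```python
import re

# Constructed sample of vendor defaults and commonly guessed passwords.
# A production check would load a large breached-password corpus instead.
DEFAULT_PASSWORDS = {
    "admin", "password", "123456", "changeme", "default", "root",
    "welcome", "letmein", "qwerty", "administrator", "guest",
}

MIN_LENGTH = 14  # assumption: favour long passphrases over composition rules

# Undo common "leetspeak" substitutions so P@ssw0rd1 is compared as "password".
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "3": "e",
                      "4": "a", "5": "s", "7": "t"})


def normalize(password):
    """Lower-case, drop trailing digits/punctuation, then undo leet substitutions."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET)


def check_password(password, username="", defaults=DEFAULT_PASSWORDS):
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in defaults or normalize(password) in defaults:
        problems.append("matches a default or commonly guessed password")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def audit(accounts):
    """Map each failing account name to its violations; passing accounts are omitted."""
    report = {}
    for username, password in accounts:
        problems = check_password(password, username)
        if problems:
            report[username] = problems
    return report


# Constructed sample of credentials as they might appear in a provisioning file.
SAMPLE_ACCOUNTS = [
    ("admin", "admin"),                         # vendor default never changed
    ("svc_backup", "P@ssw0rd1"),                # "complex" but trivially guessable
    ("alice", "correct horse battery staple"),  # long passphrase, passes
]

if __name__ == "__main__":
    for user, problems in audit(SAMPLE_ACCOUNTS).items():
        print(f"{user}: {'; '.join(problems)}")
```

Run as-is, the script flags the untouched `admin`/`admin` account on three counts and catches `P@ssw0rd1` despite its mixed case and symbols, while the long passphrase passes. The normalization step is the part worth keeping: most "complex" variants of a default password differ from it only by case, a trailing digit or a symbol swap.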


Now, there are thousands of people in the state of Utah who have to worry about whether or not their lives are going to be turned upside down. And the Salt Lake Tribune is warning of the inevitable con artists waiting to feed on the woes of others by pretending to represent official agencies looking to "help" the victims when the goal is to just steal even more data. And as Harry Sverdlove, CTO of Bit9 - a victim of a breach himself - told me, even the legitimate agency calls are hard to detect as legitimate.


Officials in Utah now have to rebuild the trust of a citizenry that was likely already wary of the way government handles things.


All this damage from one employee's weak password. If that isn't a reason to reassess your company password policy, I don't know what is.

Apr 17, 2012 4:04 AM dan says:

As you mentioned, one of the biggest problems in security is the password. You could protect your website or system with the best firewalls, but in the end there is always a password there....

I think that we should refresh our password methodology, and maybe we should start using solutions like LoginWall (www.loginwall.com) or other password methods, but not the most trivial passwords...

May 3, 2012 3:19 AM password management software says:

I found a shocking notice here while taking a look at the issues around a company's password policies; with these concepts, many questions arise while going through the process of creating a strong password. As these are the biggest problems, most companies are now liable to change their password policies in a rapid manner.

May 12, 2012 9:37 AM Jim Johnson says:

It's very concerning that these kinds of things happen, especially in a public institution. My opinion is that these kinds of institutions should have the most efficient password management regardless of any cost.

