The Official (ISC)2 SSCP CBK Reference - Mike Wills - Page 130

Passwords


Almost every month, the news media publish a story about another data breach in which usernames and passwords were accessed, corrupted, or copied by the attackers. The damages suffered by individual users in such incidents can be both traumatic and financially crippling; the damage to the targeted business can be enough to put it out of business, and in extreme cases, its directors can suffer time in jail.

Passwords are by far the most commonly used authentication mechanism and perhaps the one most prone to self-inflicted vulnerabilities when users:

 Choose trivial or easily cracked passwords.

 Forget their passwords.

 Fail to keep them safe and secure.

 Share them with others (whether those others are trusted systems users or not).

 Reuse the same password on multiple systems, websites, and accounts.

 Reuse the same password, or a simple transform of it, when asked by the system to change it.

 Leave passwords set to the default values set by the vendor or manufacturer.

 Store passwords on paper or in unprotected files kept on the systems or websites that they use.

In many cases, the use of password policies that require special characters, numbers, and mixed case has contributed to these vulnerabilities, as many users find it difficult to create strong passwords of 16 characters or less that comply with such requirements. Requirements for frequent password changes also add to user frustration, which leads to some of the poor password security hygiene habits described in the previous list.

At some point, the chosen length of a password causes the user to shift into thinking of it as a passphrase instead.
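The weaknesses in the list above, and the point that composition rules do not by themselves make a password strong, can be turned into an acceptance check at password-change time. The following Python is an added example, not code from the book or from (ISC)2; the common-password and vendor-default word lists, the password history, and the length thresholds are all constructed for illustration (a real deployment would use a breached-password corpus and the organisation's own default-credential inventory). It flags trivial and default passwords, exact reuse, the "simple transform" pattern where only case, a numeric suffix or leetspeak substitution changes, and it judges a long passphrase on length alone rather than on composition rules.

```python
"""Password-acceptance checks for the self-inflicted weaknesses listed above.

Added example, not from the SSCP CBK text. Word lists, history and
thresholds are constructed for illustration.
"""
import string
from typing import List

# Constructed sample data (not a real breach corpus or vendor list).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "admin"}
VENDOR_DEFAULTS = {"admin", "changeme", "default", "password"}

# Leetspeak substitutions that users commonly apply to satisfy complexity rules.
LEET_MAP = (("@", "a"), ("0", "o"), ("1", "l"), ("3", "e"), ("$", "s"), ("!", "i"))


def normalise(pw: str) -> str:
    """Collapse a password to its 'core' word: lowercase, drop trailing
    digits and symbols, and undo leetspeak, so 'P@ssw0rd2024!' -> 'password'."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    for src, dst in LEET_MAP:
        core = core.replace(src, dst)
    return core


def meets_composition_rule(pw: str) -> bool:
    """The classic 'one upper, one lower, one digit, one symbol' policy rule."""
    return (any(c.isupper() for c in pw) and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in string.punctuation for c in pw))


def is_simple_transform(new: str, old: str) -> bool:
    """True when the new password is the old one with only case, a suffix,
    or leetspeak changed (the 'Winter2023!' -> 'Winter2024!' pattern)."""
    if new.lower() == old.lower():
        return True
    core = normalise(new)
    return core != "" and core == normalise(old)


def check_password(candidate: str, history: List[str],
                   min_len: int = 12, passphrase_len: int = 20) -> List[str]:
    """Return the list of weaknesses found; an empty list means accepted."""
    findings = []
    low = candidate.lower()
    if len(candidate) < min_len:
        findings.append(f"shorter than {min_len} characters")
    if low in COMMON_PASSWORDS or normalise(candidate) in COMMON_PASSWORDS:
        findings.append("trivial / commonly used password")
    if low in VENDOR_DEFAULTS:
        findings.append("vendor default value")
    for old in history:
        if candidate == old:
            findings.append("reuses a previous password")
            break
        if is_simple_transform(candidate, old):
            findings.append("simple transform of a previous password")
            break
    # A long passphrase is judged on length, not on composition rules,
    # so users are not pushed toward the 'Word+digit+symbol' habit.
    if len(candidate) < passphrase_len and not meets_composition_rule(candidate):
        findings.append("fails composition rule (and is too short to count as a passphrase)")
    return findings


if __name__ == "__main__":
    # Constructed sample candidates and a one-entry history.
    samples = [
        ("P@ssw0rd2024!", []),                      # passes the rule, still trivial
        ("Winter2024!", ["Winter2023!"]),           # simple transform on forced change
        ("admin", []),                              # vendor default left in place
        ("correct horse battery staple", []),       # passphrase, accepted on length
    ]
    for pw, hist in samples:
        print(f"{pw!r}: {check_password(pw, hist) or 'accepted'}")
```

The interesting case is `P@ssw0rd2024!`: it satisfies every composition rule, yet the normalised core is a dictionary word, which is exactly why composition requirements alone have not stopped weak choices. Conversely the long passphrase is accepted without any symbol or digit, matching the shift from password to passphrase thinking that the paragraph above describes.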
