Data Masking as a Solution to Password Weaknesses
Password-based data protection is the most common form of data protection, but it is increasingly weak. If you think your data is secure because your organization insists on strong passwords, you are increasingly likely to be wrong. Better software tools running on powerful processors can try millions of character combinations in a short time. An article on the Datex website is entitled, “Strong or Weak, All Passwords Can Be Hacked,” and the text explains how.
But hacking passwords is not even the main weakness. Passwords can be stolen from authorized users, downloaded from servers that don’t use sufficient protection, guessed when account holders use common passwords, and reused when different accounts have the same password. To achieve an acceptable level of data protection, you need additional data-centric security as a defense that prevents data breaches when password-based protection fails.
Weaknesses of Passwords
A password only provides protection when it is kept secret, and that is becoming increasingly difficult. Ars Technica details how hackers were able to crack passwords like “qeadzcwrsfxv1331.” It takes some effort to crack a single password and the payoff for such hacking is indeterminate, but passwords have to be stored somewhere centrally to allow the servers to check for authorization. When someone wanting access to a system enters her username and password, the system has to check the credentials against a stored list. If hackers can obtain such lists, they not only are assured of a higher possible gain; the passwords are also easier to crack.
Lists of access credentials, including usernames, passwords, and other identifying information, used to be stored as clear text. Recent data breaches indicate that some companies are still following this practice. Even if your lists of credentials are encrypted, once unauthorized parties get hold of them, they can usually decrypt a few of the more common passwords. Using clues from these successes, they can then decrypt many of the rest and gain access to a wide variety of accounts. Failure of the password-based system automatically leads to a major data breach.
Weaknesses Caused by Users
The stronger the password, the harder it is to crack and the more difficult it is to remember. This dichotomy highlights the fact that many users will consistently choose insecure passwords that they can easily remember. Even people who possess high-value data, such as Facebook CEO Mark Zuckerberg, value convenience over security. According to Wired, Mr. Zuckerberg’s LinkedIn, Twitter and Pinterest accounts were recently hacked, and he used the password “dadada” on all three accounts. Using a simple password on multiple accounts is convenient but insecure.
The problem is not users who can’t follow instructions – it is users who can’t remember complex passwords. You can put in place policies to implement high-security passwords, rejecting simple choices automatically or assigning computer-generated character strings. Many of your employees and customers will not be able to remember them, and they will either write them down and keep them easily accessible, or they will generate a large volume of “lost” password calls to your IT support group. Even in the face of this user inconvenience and additional security overhead, hackers can still crack your complex passwords if they think it is worth their while.
Weaknesses of the Password System
The password system relies on authorization based on a user knowing his credentials, i.e. his username and password. If an unauthorized party knows authorized credentials, they can access your system, often from anywhere in the world.
For information that is needed often and by a wide variety of people, your IT department will have issued many credentials. Employees and customers are often authorized to access the system, and technical support personnel, business consultants and cloud services supplier personnel may also have authorized access.
The system breaks down when a previously authorized user loses authorization, or an unauthorized person obtains authorized credentials. In that case, unauthorized access to data leading to a data breach becomes possible.
For example, one of your employees may lose his job, but his data access is not immediately terminated. A technical support person may watch while an employee logs in and note the credentials. An authorized person might give their credentials to a friend or other employee to help out. In each case, you have potentially lost control over part of your security perimeter that the password system is supposed to maintain. The person logging in is either unauthorized, or they are not who you think they are. To maintain effective data protection, you have to add protection of the data itself in addition to maintaining a secure perimeter.
Data Masking as a Solution to Password Weaknesses
Failure of your password-based system and secure perimeters does not have to lead to a data breach if the unauthorized persons accessing your system can’t read the data. Masking is a form of encryption that is flexible, secure and easy to implement. ITBusinessEdge describes the advantages. When your network or system security is compromised because of unauthorized access, your data is still safe because the intruders can’t read it. There is no data breach because no sensitive data is displayed.
Masking is a data-centric means of protecting sensitive information and it acts as the last line of defense when your other security fails. A convenient way to implement it is to add it to your system as a browser extension. The extension masks sensitive information as you enter the data and before it leaves your device. Only you have the key to give access to the data.
When you want to authorize someone to see the information, they will also have the browser extension installed. The software takes care of the transfer of keys, and your counterparty can read the data. For everyone else, the data remains encrypted.
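The masking flow described above can be sketched in Go as an added example; it is not CloudMask's code and not part of the original article. The names maskField and unmaskField, the field name "ssn" and the sample value are hypothetical, and key transfer between authorized parties is assumed to happen out of band.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// newGCM builds AES-GCM from a key that is held only on the client device.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// maskField encrypts one value before it leaves the device. The field name is
// bound as associated data, so a masked value cannot be moved to another field.
func maskField(key []byte, field, value string) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, []byte(value), []byte(field)), nil
}

// unmaskField succeeds only with the right key and an unmodified masked value.
func unmaskField(key []byte, field string, masked []byte) (string, error) {
	gcm, err := newGCM(key)
	if err != nil || len(masked) < gcm.NonceSize() {
		return "", fmt.Errorf("bad key or malformed masked value")
	}
	n := gcm.NonceSize()
	value, err := gcm.Open(nil, masked[:n], masked[n:], []byte(field))
	return string(value), err
}

func main() {
	key := make([]byte, 32) // constructed demo key (hypothetical)
	rand.Read(key)
	stored, _ := maskField(key, "ssn", "000-00-0000") // all the server ever stores
	clear, err := unmaskField(key, "ssn", stored)
	fmt.Printf("%x\n%s %v\n", stored, clear, err)
}
```

A party that logs in with valid credentials but lacks the key gets only the stored bytes, and a wrong key, a swapped field or a modified value is rejected rather than returned as data.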
When you implement Masking, your data remains secure even when password-based security fails. You no longer have to worry about hackers cracking your passwords, users choosing bad passwords or unauthorized persons obtaining credentials. Your data remains masked until it is used and nobody, not even your own IT personnel, can read it.
With CloudMask, only your authorized parties can decrypt and see your data. Not hackers with your valid password, not cloud providers, not government agencies, and not even CloudMask can see your protected data. Twenty-six government cybersecurity agencies around the world back these claims.
Watch our video and demo at www.vimeo.com/cloudmask