Password Breach, Password Leaks
The advice given to organizations is to salt and hash passwords, but salting and hashing only slow an attacker down, Ullrich said. Dedicated password-cracking rigs cost only a few thousand dollars, he said. For now, user education and better protection of the databases that contain passwords are the only answer. Until an alternative to the pass phrase emerges, the problem will persist. Two-factor authentication is expensive and used by only a small percentage of security-minded organizations, Ullrich said. Some experts are looking to the smartphone as an authenticator, but token-stealing malware, as evidenced by the Zitmo/Eurograbber Android Trojan, defeats SMS-based tokens and will likely continue to be a target of attacks.