Chances are that someone reading this article uses either “qwerty123” or “12345678” as a password. We can make that prediction because both are among the 10 most common passwords of 2021. If you don’t understand why someone would choose “qwerty”, look at the top row of your keyboard. For those of you who incorporate calendar years into your passwords, 2010 was the most popular, appearing in nearly 10 million passwords this year; 1987 was second at 8.5 million. The sports team that appeared most often in passwords this year was the Suns (an NBA team).
While it may be interesting to learn what passwords have in common, these yearly findings mainly demonstrate how little regard users have for passwords in general. According to the 2019 Google/Harris Poll Online Security Survey, 69 percent of users give themselves an A or B for protecting their online accounts, yet 52 percent reuse the same password across multiple accounts. The disconnect isn’t limited to users, either. Password security is also given a low priority by cyber insurers: according to a recent article, the application used by one of the 10 largest property and casualty insurers in the U.S. asks about every aspect of a policyholder’s security policies and security controls but never mentions the word ‘password’.
Passwords are the Weak Links
The reason the Suns appear so often in passwords probably has nothing to do with the popularity of the team itself. It’s that the name is only four letters long, so it is easy to type and just as easy to guess. That is why weak or reused passwords figure in so many breaches: Verizon’s Data Breach Investigations Report found that 80 percent of hacking-related breaches involved stolen or weak credentials. For too many organizations, the password is the only factor used to identify privileged users. If your company only requires a username and password to reach privileged resources, then that’s all an attacker requires as well, which is what makes guessing worth the effort: researchers at ESET detected more than 55 billion new brute-force attack attempts between May and August 2021, more than double the rate seen in the first four months of the year.
So Many Ways to Steal Your Password
A dictionary attack is a form of brute-force attack: rather than trying every possible combination, the attacker tries commonly used passwords such as “qwerty”, along with words and phrases from lists of real leaked passwords, until one scores a hit. Brute force is in wide use today, but there are many other ways to steal a user’s password.
- Phishing attacks lure an unsuspecting user into clicking an embedded link that leads to a spoofed website where they type in their credentials, which are captured and forwarded to the attacker.
- Malware such as keyloggers and screen scrapers records keystrokes and screenshots on the victim’s machine and harvests credentials as they are typed.
- Credential stuffing attacks exploit the fact that so many people reuse the same password across multiple accounts. Attackers take lists of username and password pairs from earlier breaches and replay them, at scale, against large websites such as banks, insurers and social media.
- Spidering is a supplementary method for cracking passwords: attackers gather information from company websites and social media for clues about what a targeted user might build a password from.
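The difference between brute force (one account, many passwords) and credential stuffing (many accounts, one password each) also shows up in authentication logs, and a SOC can label a source by that shape. The following is an added example, not code from the original article: the log format, the sample lines and the thresholds are all constructed for the example and would need tuning for a real environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system).
# Line format: "<ISO-8601 timestamp>Z <OK|FAIL> <username> <source ip>"
_BASE = datetime(2021, 9, 1, 10, 0, 0)
SAMPLE_LOG = (
    # credential stuffing: one source tries a dozen different accounts once each
    [f"{(_BASE + timedelta(seconds=i)).isoformat()}Z FAIL user{i:02d} 203.0.113.7"
     for i in range(12)]
    # brute force: one source hammers a single account
    + [f"{(_BASE + timedelta(seconds=i)).isoformat()}Z FAIL admin 198.51.100.23"
       for i in range(12)]
    # a legitimate user who mistypes twice, then gets in
    + [f"{(_BASE + timedelta(seconds=i)).isoformat()}Z FAIL bob 192.0.2.5"
       for i in range(2)]
    + [f"{(_BASE + timedelta(seconds=3)).isoformat()}Z OK bob 192.0.2.5"]
)


def parse_line(line):
    """Split one log line into (timestamp, result, username, source_ip)."""
    ts, result, user, ip = line.split()
    return datetime.fromisoformat(ts.rstrip("Z")), result, user, ip


def classify_sources(lines, window=timedelta(minutes=5),
                     fail_threshold=10, stuffing_ratio=0.8):
    """Label each source IP by the shape of its failed logins.

    Inside the busiest `window`-long span of failures from one IP: many
    failures against few accounts looks like brute force, many failures
    spread across mostly distinct accounts looks like credential stuffing.
    Thresholds are assumptions to tune for the environment.
    Returns {ip: (label, failures_in_span, distinct_accounts_in_span)}.
    """
    fails = defaultdict(list)                      # ip -> [(ts, user), ...]
    for line in lines:
        ts, result, user, ip = parse_line(line)
        if result == "FAIL":
            fails[ip].append((ts, user))

    verdicts = {}
    for ip, events in fails.items():
        events.sort()
        best_n, best_distinct, start = 0, 0, 0
        for end in range(len(events)):           # sliding window over time
            while events[end][0] - events[start][0] > window:
                start += 1
            span = events[start:end + 1]
            if len(span) > best_n:
                best_n = len(span)
                best_distinct = len({u for _, u in span})
        if best_n < fail_threshold:
            label = "benign"
        elif best_distinct / best_n >= stuffing_ratio:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        verdicts[ip] = (label, best_n, best_distinct)
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG).items():
        print(ip, verdict)
```

Real stuffing campaigns are usually spread across thousands of proxy addresses so that no single IP crosses a per-source threshold; the complementary signal is per account rather than per source (one failed attempt against each of many accounts in a short period, or attempts whose password hash matches a known-breached one), so treat the per-IP view above as one detector among several.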
Password repositories turn up on the dark web every year. In 2021, researchers found a database containing 26 million login credentials and more than 2 billion browser cookies. Cookies may seem innocent enough, but a session cookie is proof that someone has already logged in: whoever holds it gets the session without ever entering the password or completing MFA. Also in 2021, attackers breached the network of game conglomerate Electronic Arts using a stolen cookie they had bought online for $10. The cookie gave them access to a Slack channel used by EA. Once inside Slack, the attackers messaged EA’s IT support, claimed to have lost their phone at a party the night before, and asked for a multifactor authentication token, which the support staffer granted. From there it was off to the races.
What Makes a Good Password?
A commonly used 8-character password can be cracked within seconds, and even a complex 8-character one falls in a matter of hours against a fast hash. Eight characters is only the floor that NIST SP 800-63B sets; it also asks that systems accept passwords of at least 64 characters. The jury is still out on the ideal length. Many cybersecurity experts recommend a 12-character minimum, and 14, 16 and even 20 characters are also endorsed today; note that the Microsoft Security Baseline for Windows 11 requires a 14-character minimum. When it comes down to it, the longer the password the better. Most password policies also enforce the traditional complexity rules that require:
- a combination of upper- and lower-case letters
- numerical digits
- a special character such as a # or $
Character-class rules alone do little, though; NIST SP 800-63B in fact advises against mandatory composition rules, because they push users toward predictable substitutions such as “P@ssw0rd1”. The requirements that actually matter are the following:
- No common names or dictionary words
- No sequences of more than 4 digits in a row
- No sequential or repetitive character patterns such as “123456” or “qwerty”
- No context-specific terms such as the city a user lives in, a local sports franchise, or a company or product name
- No passwords that appear in previous breach corpuses
Of course, no IT admin can keep track of compromised passwords on the dark web by hand. Password-screening services can check a candidate password in real time against billions of exposed credentials harvested from breaches; Have I Been Pwned’s Pwned Passwords API, for example, does this without ever receiving the password, by looking up only a short prefix of its SHA-1 hash. You can also create keyword filters that stop employees in the Boston office from working the Patriots into their passwords, or users in New Orleans from doing the same with the Saints.
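The following is an added example, not code from the original article or from any screening product, of a password policy check that implements the rules listed above: length bounds, character classes, digit runs, sequential and keyboard-walk patterns, dictionary words, context keywords, the username, and a breach-corpus lookup. The word lists and the breached-password set are tiny constructed stand-ins; a real deployment would use full lists and the Pwned Passwords range API as described in the comments.

```python
import hashlib
import re
import string

# Constructed sample data, not a real corpus: a tiny stand-in for a breached-
# password list (stored as upper-case SHA-1 hashes, the format Pwned Passwords
# uses) and for the dictionary / context keyword filters described above.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("qwerty123", "12345678", "Password1!", "Suns2010!!")
}
DICTIONARY_WORDS = {"password", "welcome", "summer", "dragon", "monkey"}
CONTEXT_KEYWORDS = {"patriots", "saints", "suns", "boston", "halock"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")

MIN_LENGTH = 14   # the Windows 11 security baseline minimum
MAX_LENGTH = 64   # NIST SP 800-63B: accept at least 64 characters


def _has_sequential_run(s, run=4):
    """True if any `run` consecutive characters step by +1/-1 in code point
    ("abcd", "4321") or simply repeat ("aaaa")."""
    s = s.lower()
    for i in range(len(s) - run + 1):
        window = s[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}, {-1}):
            return True
    return False


def _has_keyboard_walk(s, run=4):
    """True if the password contains `run` adjacent keys from a keyboard row,
    in either direction ("qwer", "rewq")."""
    s = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in s or frag[::-1] in s:
                return True
    return False


def check_password(pw, username=""):
    """Return the list of policy rules a candidate password violates.
    An empty list means the password is acceptable under this policy."""
    problems = []
    lowered = pw.lower()
    if not MIN_LENGTH <= len(pw) <= MAX_LENGTH:
        problems.append(f"length must be {MIN_LENGTH}-{MAX_LENGTH} characters")
    if not any(c.isupper() for c in pw):
        problems.append("needs an upper-case letter")
    if not any(c.islower() for c in pw):
        problems.append("needs a lower-case letter")
    if not any(c.isdigit() for c in pw):
        problems.append("needs a digit")
    if not any(c in string.punctuation for c in pw):
        problems.append("needs a special character")
    if re.search(r"\d{5,}", pw):
        problems.append("contains more than 4 digits in a row")
    if _has_sequential_run(pw) or _has_keyboard_walk(pw):
        problems.append("contains a sequential, repeated or keyboard-walk pattern")
    problems += [f"contains dictionary word '{w}'"
                 for w in sorted(DICTIONARY_WORDS) if w in lowered]
    problems += [f"contains context-specific term '{w}'"
                 for w in sorted(CONTEXT_KEYWORDS) if w in lowered]
    if username and username.lower() in lowered:
        problems.append("contains the username")
    # Breach-corpus check. In production send only the first five hex characters
    # of this SHA-1 to the Pwned Passwords range API and compare the returned
    # suffixes locally, so the password itself never leaves your system.
    if hashlib.sha1(pw.encode()).hexdigest().upper() in BREACHED_SHA1:
        problems.append("appears in a breach corpus")
    return problems


if __name__ == "__main__":
    for candidate in ("qwerty123", "Suns2010!!", "Qwerty!Kingdom2024",
                      "Copper-Kettle9-Brew!"):
        print(f"{candidate!r}: {check_password(candidate) or 'OK'}")
```

Returning every violated rule rather than the first one lets the enrolment page tell the user exactly why a password was rejected; the breach check is last because it is the only one that may involve a network call.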
Above all, use a unique password for every account. While this may be a tall order for most users, it’s highly doable with the help of a password manager. A secure password manager can generate, store, and manage all the passwords a user juggles every day. Rather than memorizing many passwords, the user commits a single master password to memory that unlocks the manager itself, and the manager then supplies the correct password for each site.
Even the most complicated password still needs a second authentication factor. Every company should use multifactor authentication (MFA) on its privileged logins. Sending a confirmation code by text message to the user’s phone is the most widely used method, but it can be defeated by SIM swapping and by interception of the message, so cybersecurity experts encourage authenticator apps such as Microsoft Authenticator or Google Authenticator, which compute a time-based code from a secret stored on the phone so that nothing crosses the phone network. Note that any code a user types can still be phished and relayed in real time, and that a helpdesk willing to issue a token on request, as in the EA case above, undoes MFA entirely; only phishing-resistant authenticators such as FIDO2/WebAuthn security keys close that gap.
Risk Management Help
Nothing about cybersecurity is simple today. You can no longer rely on a defined security perimeter to protect your internal network, and you can no longer rely on users to come up with an adequate password that will protect their accounts, and your company, on their own. Don’t take passwords, or any other aspect of your cybersecurity strategy, for granted.
We can help you put security into practice based on your company’s risk exposure and business drivers, including password policies. Don’t risk a breach because of a poorly structured password.
Let’s talk and review your risk exposure to help secure your credentials and all aspects of your IT estate.
HALOCK Breach Bulletins
Recent data breaches to understand common threats and attacks that may impact you – featuring description, indicators of compromise (IoC), containment, and prevention.