Microsoft Warns that Billions of Passwords are Compromised
While a highly connected state fosters collaboration on an immense scale, it is also a security nightmare. If a hacker gains access to a company’s network, they can potentially gain access to the networks of the companies connected to it. That is referred to as a supply chain attack. Today, just about everyone has information somewhere on the internet, and many people use the same password to access all of it. If an attacker obtains your credentials in one attack, they can potentially use those same credentials to access all of your information. Last week, Microsoft issued a stern warning that billions of passwords are compromised. Their Detection and Response Team (DART) reported a dramatic increase in the number of “password spray” attacks this year. A spray attack is different from a traditional brute force attack, in which an attacker perpetually tries to crack a single account’s password. There are two types of spray attacks:
- The first is to reuse stolen credentials. Once attackers know your credentials for a shopping site, they try that same password on your bank, social media accounts, and so on.
- The other way is to utilize many bots at once to brute force many accounts simultaneously using only a small number of popular passwords. As an example, they may attempt to use a list of ten passwords for 10,000 user accounts.
The increase in these password spray attacks may be contributing to the record number of data breaches reported in 2021. In a congressional hearing in early October, the Identity Theft Resource Center reported that the number of breaches thus far in 2021 (1,291) has already eclipsed the total number of breaches reported in all of 2020 (1,108).
|IDENTIFY INDICATORS OF COMPROMISE (IOC)|
- A growing number of endpoint security solutions now alert you when a password you use is found listed on the dark web. Newer versions of the Chrome browser offer this service as well. There are also dedicated password tools and websites on the market today that will compare your usernames and passwords against large databases of compromised credentials.
- Many cloud services such as Office 365 offer security analytics to alert you about excessive logon attempts, or attempts made from new geographic locations.
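The spray-versus-brute-force distinction described above can be turned into a simple check over failed-logon records, which is the kind of signal the analytics mentioned in the last bullet work from. This is an added example, not code from the article or from Microsoft; the log format, the thresholds and the sample events are all constructed assumptions:

```python
# Added example (not from the original article): a small detector for the
# two attack shapes the article contrasts, run over constructed sample
# authentication log lines. Thresholds are illustrative assumptions.
from collections import defaultdict

# Constructed sample log, one event per line: "timestamp source_ip username result"
SAMPLE_LOG = """\
2021-10-11T08:00:01 203.0.113.7 alice FAIL
2021-10-11T08:00:02 203.0.113.7 bob FAIL
2021-10-11T08:00:03 203.0.113.7 carol FAIL
2021-10-11T08:00:04 203.0.113.7 dave FAIL
2021-10-11T08:00:05 203.0.113.7 erin FAIL
2021-10-11T08:00:06 203.0.113.7 frank SUCCESS
2021-10-11T08:01:00 198.51.100.2 alice FAIL
2021-10-11T08:01:01 198.51.100.2 alice FAIL
2021-10-11T08:01:02 198.51.100.2 alice FAIL
2021-10-11T08:01:03 198.51.100.2 alice FAIL
2021-10-11T08:01:04 198.51.100.2 alice FAIL
2021-10-11T08:02:00 192.0.2.9 grace SUCCESS
"""

def parse_log(text):
    """Parse the whitespace-separated sample format into event dicts."""
    events = []
    for line in text.splitlines():
        ts, ip, user, result = line.split()
        events.append({"ts": ts, "ip": ip, "user": user, "ok": result == "SUCCESS"})
    return events

def classify_sources(events, spray_min_users=5, brute_min_attempts=5):
    """Map each source IP with failed logons to 'spray' (many distinct accounts,
    few tries each), 'brute_force' (one account, many tries) or 'benign'."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failure count
    for e in events:
        if not e["ok"]:
            fails[e["ip"]][e["user"]] += 1
    verdicts = {}
    for ip, per_user in fails.items():
        if len(per_user) >= spray_min_users and max(per_user.values()) <= 2:
            verdicts[ip] = "spray"
        elif max(per_user.values()) >= brute_min_attempts:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts

def compromised_by_spray(events, verdicts):
    """Accounts a spraying source eventually logged into: first to disable (see Containment)."""
    return sorted({e["user"] for e in events if e["ok"] and verdicts.get(e["ip"]) == "spray"})
```

A per-account lockout threshold would never fire on the first source here (one failure per account), which is exactly why spray detection has to correlate across accounts by source rather than count failures per user.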
|CONTAINMENT (If IOCs are identified)|
While it is recommended that users change their passwords regularly, it is essential to do so immediately once a compromised password has been reported. This means changing the password on every online account where that compromised password has been used.
Once an organization has identified that a user account has been compromised, that account should be temporarily disabled. Their assigned computers should be scanned for malware and if possible, reset to a known good image. Personnel should also be trained to be aware of phishing attacks.
Users should never use just one password for everything. At the least, use multiple passwords amongst your accounts. Ideally, use a unique password for every account.
While the 8-character password has been a mainstay for a decade or more, security specialists are now recommending that it be lengthened. For instance, Microsoft’s latest Security Baseline Policy for Windows 11 enforces a 14-character password. Some experts are even recommending a 16-character password. Whatever the length, passwords should be subject to complexity mandates that incorporate upper- and lower-case letters, numbers, and non-alphanumeric characters.
Users who don’t want to juggle multiple long passwords should consider a password manager that stores all passwords in an encrypted vault, so they only need to know one password to access the vault.
A password on its own is no longer sufficient protection today. Companies should implement multifactor authentication (MFA) solutions that require users to provide a second form of verification.