We know. Using a unique, complex password for every single account you have is tough to manage. A 2019 study by Google and Harris Poll found that keeping track of passwords is a source of frustration for most users. However, as frustrating as it is, with over 80% of hacking-related breaches being linked to passwords, it is crucial to secure our accounts.
By default, your IT team may provide you with a generic password to get you set up, with the intention that you'll change it as soon as you log in. However, many users skip this important security step: they either keep the default password exactly as it was issued or replace it with a weak one.
A GitHub page for OWASP’s SecLists project lists the top 1000 passwords across the globe. Hit Ctrl-F and see if you can find your password. TIP - If it's there, consider changing it ASAP.
Other common passwords are based on the user's name, birthdays, pets, spouses or children. Again, if your passwords contain any personal information, they may be easy to guess. Oftentimes, if you are being targeted, hackers can find a lot of personal information on social networks or by using social engineering to obtain the specific piece of information they need. Those scam calls asking for something that seems irrelevant may appear innocent, but the caller may be fishing for the answer to your security question or other personal details that can be used to guess your password.
Some of Packetlabs' wall-of-shame passwords for this year are:
But I use 2FA/MFA - Isn't that enough?
Using two-factor authentication (2FA) or multi-factor authentication (MFA) is a great strategy to add an extra layer of protection to your accounts - but it is not enough. Here is an example of MFA being breached.
DEV-0537 used two main approaches to fulfill MFA requirements - session token replay and employing stolen passwords to trigger simple-approval MFA requests, hoping that the genuine user of the breached account would eventually consent to the questions and give the required approval. Besides using social engineering tricks to con the staff of target firms, researchers claim DEV-0537 bribed employees (insider attack) into parting with MFA or 2FA credentials to breach the security perimeter.
What if I have a strong password but use it across multiple accounts?
Password reuse is still a very common practice. Even if you think you have a strong password, it only takes one breach for your password to be compromised. The first thing a hacker will do is run your username and password across as many accounts as possible to see if it works. So if you have reused a password, all the accounts with that same username and password could be compromised. By using unique passwords for each account, you protect yourself from having multiple accounts hacked at once.
So, what's the solution?
The solution involves three main aspects.
Choose strong, unique passwords for each account
Enable Multi-factor authentication whenever possible
Use a password manager
What does a strong password look like?
The key aspects of a strong password are length, a mix of characters, no ties to your personal information and no dictionary words. You want your password to be 12 or more characters with a mix of uppercase and lowercase letters, numbers and symbols. Bonus if it's randomly generated and does not contain any dictionary words (especially personally identifiable ones!).
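The checks described in this section and the Ctrl-F test against a common-password list earlier in the post, as an added example (not Packetlabs' own tooling): it flags length, character mix, membership in a constructed stand-in for the SecLists top-1000 file, and personal terms, and it generates a random password that passes those checks. The common-password set and personal terms are constructed samples; dictionary words beyond that set are not checked.

```python
import secrets
import string

# Constructed stand-in for the OWASP SecLists top-1000 list (assumption:
# a real deployment would load the full file from SecLists).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "welcome1", "letmein", "summer2023"}

# Constructed personal details of the kind the post warns about (name, pet, birth year).
PERSONAL_TERMS = ["alice", "rex", "1987"]

MIN_LENGTH = 12


def assess_password(password, personal_terms=PERSONAL_TERMS, common=COMMON_PASSWORDS):
    """Return a list of policy findings; an empty list means the password passes."""
    findings = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    # Require all four character classes: lower, upper, digit, symbol.
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        findings.append("missing uppercase, lowercase, digit or symbol")
    # Case-insensitive exact match against the common-password list (the Ctrl-F check).
    if lowered in common:
        findings.append("appears in common-password list")
    # Any personal term embedded anywhere in the password is a giveaway.
    for term in personal_terms:
        if term.lower() in lowered:
            findings.append(f"contains personal term {term!r}")
    return findings


def generate_password(length=16):
    """Randomly generated password (secrets module), retried until it passes assess_password."""
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not assess_password(candidate):
            return candidate
```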
Using a password manager is one of the best ways to secure your accounts. A password manager will generate, store and autofill strong passwords for each account, so you don't have to remember all of them. This eliminates the need for users to be creative with their passwords or risk using weak ones.
In conclusion, understanding the importance of strong passwords and changing them in the case of a breach is a critical step in keeping your accounts secure. Consider using a password manager to help with the process of making and managing multiple secure passwords across all of your accounts. Avoiding password reuse and enabling MFA where possible will also help ensure your accounts stay secure.
Interested in a company-wide password audit?
Packetlabs offers a comprehensive AD password audit, which includes a complete review of all company passwords. This review includes:
Overall risk level
Top-used base words
Comparison of passwords against breach databases
Contact us today to learn more about Packetlabs AD Password Audit.