We know. Using a unique, complex password for every single account you have is tough to manage. A 2019 study by Google and Harris Poll found that keeping track of passwords is a source of frustration for most users. However, as frustrating as it is, with over 80% of hacking-related breaches being linked to passwords, it is crucial to secure our accounts.
By default, your IT team may provide you with a generic password to get you set up, with the intention that you'll change it as soon as you log in. However, many users skip this important security step: they either leave the generic password in place or replace it with a new one that is not complex enough.
A GitHub page for OWASP’s SecLists project lists the top 1000 passwords across the globe. Hit Ctrl-F and see if you can find your password. TIP - If it's there, consider changing it ASAP.
Other common passwords are based on the user's name, birthday, pets, spouse or children. Again, if your passwords contain any personal information, they may be easy to guess. Oftentimes, if you are being targeted, hackers can find a lot of personal information on social networks, or they can use social engineering to obtain the specific piece of information they need. Those scam calls asking for something seemingly irrelevant may seem innocent, but they may be fishing for your security question answer or other personal details that can be used to guess your password.
Some of Packetlabs' wall-of-shame passwords for this year are:
Welcome1
P@ssw0rd
Spring2023
Summer2023
Fall2023
Winter2023
Using two-factor authentication (2FA) or multi-factor authentication (MFA) is a great strategy to add an extra layer of protection to your accounts - but on its own it is not enough. Here is an example of MFA being breached.
DEV-0537 used two main approaches to fulfill MFA requirements - session token replay, and using stolen passwords to trigger simple-approval MFA requests in the hope that the genuine user of the breached account would eventually consent to the prompts and give the required approval. Besides using social engineering tricks to con the staff of target firms, researchers claim DEV-0537 bribed employees (an insider attack) into parting with MFA or 2FA credentials to breach the security perimeter.
Read more on whether 2FA is enough.
Password reuse is still a very common practice. Even if you think you have a strong password, it only takes one breach for your password to be compromised. The first thing a hacker will do is run your username and password across as many accounts as possible to see if it works. So if you have reused a password, all the accounts with that same username and password could be compromised. By using unique passwords for each account, you protect yourself from having multiple accounts hacked at once.
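The credential-stuffing behaviour described here, and the MFA push-approval abuse in the DEV-0537 example above, both leave a visible pattern in authentication logs. The following is an added example written for this post (not Packetlabs tooling) that runs two simple detections over constructed sample log lines: one source IP trying many different usernames in a short window, and one user receiving a burst of MFA push prompts. The log format, event names and thresholds are assumptions chosen for the illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Callable, Dict, List, Tuple

# Constructed sample of authentication events (not real traffic). One source
# sprays a password across six accounts in a few seconds; later a user is
# bombarded with MFA push prompts until one is approved.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z ip=203.0.113.7 user=alice event=login_failed
2024-03-01T10:00:02Z ip=203.0.113.7 user=bob event=login_failed
2024-03-01T10:00:03Z ip=203.0.113.7 user=carol event=login_failed
2024-03-01T10:00:04Z ip=203.0.113.7 user=dave event=login_failed
2024-03-01T10:00:05Z ip=203.0.113.7 user=erin event=login_failed
2024-03-01T10:00:06Z ip=203.0.113.7 user=frank event=login_success
2024-03-01T10:05:00Z ip=192.0.2.10 user=alice event=login_failed
2024-03-01T10:05:30Z ip=192.0.2.10 user=alice event=login_success
2024-03-01T11:00:00Z ip=198.51.100.5 user=carol event=mfa_push_sent
2024-03-01T11:00:20Z ip=198.51.100.5 user=carol event=mfa_push_sent
2024-03-01T11:00:40Z ip=198.51.100.5 user=carol event=mfa_push_sent
2024-03-01T11:01:00Z ip=198.51.100.5 user=carol event=mfa_push_sent
2024-03-01T11:01:20Z ip=198.51.100.5 user=carol event=mfa_push_sent
2024-03-01T11:01:40Z ip=198.51.100.5 user=carol event=mfa_push_approved
"""


def parse_line(line: str) -> Dict[str, object]:
    """Turn '2024-03-01T10:00:01Z ip=... user=... event=...' into a dict (assumed format)."""
    ts, *fields = line.split()
    record: Dict[str, object] = {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")}
    for field in fields:
        key, _, value = field.partition("=")
        record[key] = value
    return record


def parse_log(text: str) -> List[Dict[str, object]]:
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def _peak_in_window(events: List[Tuple[datetime, object]], window: timedelta,
                    measure: Callable[[list], int]) -> int:
    """Sliding window over time-sorted (timestamp, payload) events; returns the
    largest measure() of any slice whose first and last event lie within `window`."""
    best, start = 0, 0
    for end in range(len(events)):
        while events[end][0] - events[start][0] > window:
            start += 1
        best = max(best, measure(events[start:end + 1]))
    return best


def detect_credential_stuffing(records, window=timedelta(minutes=5), min_users=5) -> Dict[str, int]:
    """Map source IP -> distinct usernames tried, for IPs that attempt logins
    against at least `min_users` different accounts inside one window."""
    by_ip = defaultdict(list)
    for r in records:
        if r.get("event") in ("login_failed", "login_success"):
            by_ip[r["ip"]].append((r["ts"], r["user"]))
    alerts = {}
    for ip, attempts in by_ip.items():
        attempts.sort(key=lambda e: e[0])
        peak = _peak_in_window(attempts, window, lambda s: len({u for _, u in s}))
        if peak >= min_users:
            alerts[ip] = peak
    return alerts


def detect_mfa_fatigue(records, window=timedelta(minutes=5), min_prompts=5) -> Dict[str, int]:
    """Map user -> prompt count, for users who receive at least `min_prompts`
    MFA push prompts inside one window (the push-spam pattern)."""
    by_user = defaultdict(list)
    for r in records:
        if r.get("event") == "mfa_push_sent":
            by_user[r["user"]].append((r["ts"], None))
    alerts = {}
    for user, prompts in by_user.items():
        prompts.sort(key=lambda e: e[0])
        peak = _peak_in_window(prompts, window, len)
        if peak >= min_prompts:
            alerts[user] = peak
    return alerts


if __name__ == "__main__":
    records = parse_log(SAMPLE_LOG)
    print("credential stuffing:", detect_credential_stuffing(records))
    print("MFA push fatigue:", detect_mfa_fatigue(records))
```

Both detectors count successes as well as failures: a stuffing run that lands on a reused password still shows as one IP touching many accounts, which is the signal the article's "run your username and password across as many accounts as possible" describes. Thresholds should be tuned to the environment (shared NAT egress IPs will look like many users from one address).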
The solution involves three main aspects.
Choose strong, unique passwords for each account
Enable multi-factor authentication whenever possible
Use a password manager
The key aspects of a strong password are length, a mix of characters, no ties to your personal information and no dictionary words. You want your password to be 12 or more characters with a mix of uppercase and lowercase letters, numbers and symbols. Bonus if it's randomly generated and does not contain any dictionary words (especially personally identifiable ones!).
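To make these rules concrete, here is an added example (not Packetlabs code and not from the article) of a password check that applies them, together with the two earlier points: it rejects entries found on a common-password list like the SecLists one mentioned above, and it flags passwords that contain the user's personal details. The list, the mini dictionary and the leetspeak map are constructed stand-ins; a real check would load the full SecLists file.

```python
import re
import string
from typing import List, Sequence

# Undo the most common letter-for-symbol substitutions so that "P@ssw0rd"
# is recognised as "password" (constructed, not exhaustive).
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "!": "i"})


def normalize(password: str) -> str:
    """Lowercase the password and undo common leetspeak substitutions."""
    return password.lower().translate(LEET)


def base_word(password: str) -> str:
    """Strip leading/trailing digits and symbols, then normalise, to expose the
    core word: 'Welcome1' -> 'welcome', 'P@ssw0rd' -> 'password'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return normalize(core)


# Constructed stand-in for the SecLists top-1000 list; both the lowercased and
# the normalised forms are kept so casing and leetspeak variants still match.
RAW_COMMON = ["123456", "password", "qwerty", "letmein", "Welcome1",
              "P@ssw0rd", "Spring2023", "Summer2023", "Fall2023", "Winter2023"]
COMMON_PASSWORDS = {p.lower() for p in RAW_COMMON} | {normalize(p) for p in RAW_COMMON}

# Constructed mini dictionary for the "no dictionary words" rule.
DICTIONARY_WORDS = {"welcome", "password", "spring", "summer", "fall",
                    "winter", "dragon", "monkey", "letmein"}

MIN_LENGTH = 12  # the article's "12 or more characters"


def check_password(password: str, personal_info: Sequence[str] = ()) -> List[str]:
    """Return the list of policy failures; an empty list means the password passes.

    personal_info holds strings the password must not contain (name, pet,
    birth year, ...), implementing the 'no ties to personal information' rule.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ]
    if not all(classes):
        problems.append("missing a character class (needs upper, lower, digit and symbol)")
    lowered = password.lower()
    normalized = normalize(password)
    if lowered in COMMON_PASSWORDS or normalized in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    word = base_word(password)
    if word in DICTIONARY_WORDS:
        problems.append(f"built on the dictionary word '{word}'")
    for item in personal_info:
        item_l = item.lower()
        if item_l and (item_l in lowered or item_l in normalized):
            problems.append(f"contains personal information '{item}'")
    return problems


if __name__ == "__main__":
    # "Rex" and "1990" stand in for a pet's name and a birth year (constructed).
    for candidate in ["Welcome1", "P@ssw0rd", "Rex-Birthday-1990!", "kX7#pLq2!vR9mT"]:
        verdict = check_password(candidate, personal_info=("Rex", "1990"))
        print(f"{candidate!r}: {'OK' if not verdict else '; '.join(verdict)}")
```

The base-word step is what catches the seasonal wall-of-shame entries: "Spring2023" and "Summer2023!" both reduce to a dictionary word once the year and punctuation are stripped, so appending digits to a word does not get a password past the check.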
Using a password manager is one of the best ways to secure your accounts. A password manager will generate, store and autofill strong passwords for each account, so you don't have to remember all of them. This eliminates the need for users to be creative with their passwords or risk using weak ones.
In conclusion, understanding the importance of strong passwords and changing them in the case of a breach is a critical step in keeping your accounts secure. Consider using a password manager to help with the process of making and managing multiple secure passwords across all of your accounts. Avoiding password reuse and enabling MFA where possible will also help ensure your accounts stay secure.
Packetlabs offers a comprehensive AD password audit, which includes a complete review of all company passwords. This review includes:
Overall risk level
Top-used passwords
Top-used base words
Character sets
Password length
Comparison of passwords against breach databases
Tailored recommendations
And more!
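For a sense of what such a review produces, the following is an added example (not Packetlabs' audit tooling) that computes several of the listed items over a constructed sample of recovered passwords: top-used passwords, top-used base words, character sets, the password length distribution, a comparison against a breach list and a simple overall risk level. The sample passwords, the breach set and the risk thresholds are all assumptions made for the illustration.

```python
import re
import string
from collections import Counter
from typing import Dict, Iterable, Sequence

# Constructed sample standing in for an audit's input (in a real AD audit the
# plaintexts come from the recovered password hashes). Repeats are deliberate.
SAMPLE_PASSWORDS = [
    "Welcome1", "Welcome1", "Welcome1", "P@ssw0rd", "P@ssw0rd",
    "Spring2023", "Summer2023!", "Fall2023", "Winter2023",
    "kX7#pLq2!vR9mT", "Tr0ub4dor&3", "correcthorsebatterystaple",
]

# Constructed stand-in for a breach corpus; a real audit compares against a
# breached-password database, usually by hash rather than plaintext.
KNOWN_BREACHED = {"Welcome1", "P@ssw0rd", "Spring2023"}

MIN_LENGTH = 12
LEET = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "l", "3": "e", "4": "a", "!": "i"})


def base_word(password: str) -> str:
    """Strip surrounding digits/symbols and undo leetspeak: 'Spring2023' -> 'spring'."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def character_set(password: str) -> str:
    """Label the character classes present, e.g. 'lower+upper+digit'."""
    classes = [
        ("lower", any(c.islower() for c in password)),
        ("upper", any(c.isupper() for c in password)),
        ("digit", any(c.isdigit() for c in password)),
        ("symbol", any(c in string.punctuation for c in password)),
    ]
    return "+".join(name for name, present in classes if present)


def audit(passwords: Sequence[str], breached: Iterable[str] = KNOWN_BREACHED,
          top_n: int = 3) -> Dict[str, object]:
    """Summarise a password set the way an audit report would.

    Risk level (assumed thresholds): share of passwords that are breached or
    shorter than MIN_LENGTH -> High at 50%+, Medium at 20%+, otherwise Low.
    """
    breached = set(breached)
    total = len(passwords)
    weak = sum(1 for p in passwords if p in breached or len(p) < MIN_LENGTH)
    share = weak / total if total else 0.0
    risk = "High" if share >= 0.5 else "Medium" if share >= 0.2 else "Low"
    return {
        "total": total,
        "weak_share": round(share, 2),
        "risk_level": risk,
        "top_passwords": Counter(passwords).most_common(top_n),
        "top_base_words": Counter(base_word(p) for p in passwords).most_common(top_n),
        "character_sets": dict(Counter(character_set(p) for p in passwords)),
        "lengths": dict(sorted(Counter(len(p) for p in passwords).items())),
        "breached": sum(1 for p in passwords if p in breached),
    }


if __name__ == "__main__":
    for key, value in audit(SAMPLE_PASSWORDS).items():
        print(f"{key}: {value}")
```

The base-word table is usually the most useful part of such a report: three distinct passwords per season collapse to the same handful of words, which shows whether users are satisfying a complexity policy by decorating a predictable word rather than by choosing a genuinely strong password.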
Contact us today to learn more about Packetlabs AD Password Audit.
© 2024 Packetlabs. All rights reserved.