Corporate cybersecurity shouldn’t be an elusive challenge when it comes to passwords. The mantra of using strong and unique passwords is arguably the most fundamental lesson that has been promoted within organizations for decades. However, despite efforts by security professionals to raise awareness of the importance of good password hygiene, the vast majority of users struggle to keep up. Bad password hygiene is therefore a real challenge for organizations that are combating a large number of cyber threats, such as credential stuffing and brute force attacks.
The latest edition of the Global Weak Password Report for 2023, which examines over 800 million compromised passwords, shows even more clearly how bad the password security situation is among organizations. If we consider that more than 15 billion stolen credentials are available online, a compromised password can be reused in the course of multiple attacks.
No, “password” is still not a strong password
The report found that users do not create long passwords: 88% of hacked passwords were 12 characters or less. Short passwords are obviously used a lot, but keep in mind that 41% of Americans rely solely on memory to remember their passwords, so it is easy to understand why complex passwords are not an option for them.
After further digging, it was found that 24% of hacked passwords were exactly 8 characters long, while 18% consisted of lowercase letters only. An analysis of the base terms most used by users for passwords showed that “password”, “admin”, “hello” and “[email protected]” were the most common.
Given the warnings and advice that the industry regularly issues, it is deeply concerning that in 2023 users are still protecting their accounts, as well as access to potentially sensitive information, with simple, weak passwords. The report’s findings clearly show that cybersecurity best practices are not being followed. Not only does it highlight the lack of controls in place to protect companies from weak and compromised passwords, but it also highlights the importance of ending password reuse.
Do we need stricter regulations?
According to Verizon’s Data Breach Investigations Report, 82% of breaches involve the human element, such as social engineering attacks, errors and misuse. Should stricter rules be adopted to ensure password security meets best practices? Not necessarily. In fact, 83% of the compromised passwords were found to comply with the length and complexity requirements of industry regulations and cybersecurity standards recommended by NIST, PCI, ICO for GDPR, HITRUST for HIPAA, and Cyber Essentials for NCSC or CNIL in France. In short: even when password best practices are implemented, they are not, in their current state, a reliable defense against cyberattacks.
Brute force attacks in the real world
When a password ends up on a leaked list, it is highly exposed to brute force and password spraying attacks. Brute force attacks are the most common password-related cyber threat and occur when hackers use a trial-and-error method, generating a large number of password guesses until the correct one is found. The attack considers all possible permutations of the chosen characters and constructs passwords whose length varies between a minimum and a maximum. From the generated character sets, the tool produces the hash of each candidate password and compares it with the password hash obtained from the target system. If there is a match, the password from the brute force run is the password used by the computer user.
The report also highlighted the fact that cybercriminals often use the password “homelesspa” in their attacks, a word taken from the MySpace data leak in 2016. This clearly proves that, despite the age of the hack, attackers still reuse “old” passwords from previous breaches in brute force attacks.
Nvidia: Big Data Leak
It may be mistakenly thought that people who use weak passwords are simply not aware of cybersecurity. However, if we examine the breaches in the news, we see that this is not quite the case. When the American multinational technology company Nvidia was attacked in 2022 by the cybercriminal group LAPSUS, thousands of passwords were leaked. Given the nature of the company, a global software and technology manufacturer, one could assume that the passwords used by Nvidia employees were strong. Unfortunately, they were easy to guess: “nvidia”, “qwerty” and “nvidia3d” were among the most common. When choosing a password, users should understand that company names, product names and other work-related terms are among the first things hackers will try in their attacks, and they should be avoided at all costs.
Simple recommendations for creating additional defense systems
Organizations will continue to rely on passwords as a means of defense. Because password reuse and other bad practices are common, organizations must ensure that other defenses are in place to effectively protect access to corporate information. Here are three key implementation steps to help organizations:
First, protect Active Directory (AD) in the Windows domain, which controls access to resources in most companies. AD is the central security and management system that stores authenticated user and computer accounts and allows them to prove their identity in order to access resources.
Second, organizations need to understand that the default password policy settings for AD are not enough. It is therefore necessary to deploy third-party password security software as an additional layer of defense for AD accounts.
Finally, a solution capable of identifying and preventing, in real time, the use of cracked or breached passwords should be sought. This reduces the risk of such a password being used in a future attack.
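As an added illustration (not code from the article or from Specops), the following check combines the three findings above: reject passwords of 12 characters or less, lowercase-only passwords and passwords containing a work-related term, and look the candidate up in a breached-password list by hash. The blocklist is constructed from the weak passwords named in this article, the hypothetical `org_terms` list stands in for a per-organization configuration, and the prefix-indexed lookup assumes the k-anonymity layout used by range-style breach lookups.

```python
import hashlib
import re
from collections import defaultdict

# Constructed blocklist: the weak passwords this article names. A real
# deployment loads a breach corpus of millions of hashes instead.
_SAMPLE_BREACHED = ["password", "admin", "hello", "nvidia",
                    "qwerty", "nvidia3d", "homelesspa"]


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_prefix_index(passwords):
    """Index hashes by their first 5 hex characters. A client can then send
    only the prefix to a lookup service and compare the returned suffixes
    locally, so the full hash of the candidate never leaves the host."""
    index = defaultdict(set)
    for pw in passwords:
        h = sha1_hex(pw)
        index[h[:5]].add(h[5:])
    return index


BREACHED_INDEX = build_prefix_index(_SAMPLE_BREACHED)


def is_breached(password: str, index=BREACHED_INDEX) -> bool:
    h = sha1_hex(password)
    return h[5:] in index.get(h[:5], set())


def check_password(password: str, org_terms=("nvidia",), min_len=13):
    """Return the list of policy violations (empty list means acceptable).
    Rules mirror the report: 88% of cracked passwords were 12 characters or
    less (so require at least 13), 18% were lowercase only, and employees
    reused company terms. org_terms is a hypothetical configuration value."""
    problems = []
    if len(password) < min_len:
        problems.append("too short")
    if re.fullmatch(r"[a-z]+", password):
        problems.append("lowercase only")
    lowered = password.lower()
    if any(term.lower() in lowered for term in org_terms):
        problems.append("contains organization term")
    if is_breached(password):
        problems.append("found in breach list")
    return problems


if __name__ == "__main__":
    for pw in ("nvidia3d", "homelesspa", "correct-horse-battery-staple-9"):
        print(pw, "->", check_password(pw) or "OK")
```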
In conclusion, it must be accepted that employee password hygiene will never be perfect. However, there is an urgent need for companies and their IT departments to take charge of the problem and implement system-supported processes that enforce higher security standards.
This opinion piece was written by Noé Mantel, product specialist at Specops Software.