4.11.23 - SIW -
Cybersecurity shouldn’t be a complicated matter when it comes to passwords. The mantra of using unique and strong passwords is quite possibly the most basic cybersecurity teaching and has been touted for many decades. However, despite the best efforts by security professionals to spread awareness of the importance of good password hygiene, the vast majority of users are struggling to keep up. Poor password hygiene presents a serious issue for modern businesses which are battling against a plethora of cyber threats, including the increase of credential stuffing and brute force attacks.
Research showcased in the Specops 2023 Global Weak Password Report paints a clearer picture of how bad the password security situation is for organizations. The report examined more than 800 million breached passwords (a subset of a larger 3 billion unique compromised password database). When you consider that over 15 billion stolen credentials have been made available on the Internet, a breached password has longevity for hackers, who can reuse it across multiple attacks.
‘Password’ is Not a Strong Password
The report revealed that users were not creating long passwords. In fact, 88% of breached passwords were found to be 12 characters or fewer. It is clear that short passwords are used in abundance, and when you factor in that 41% of Americans rely on their own memory to remember passwords, it is easy to see why.
Digging deeper, it was found that 24% of breached passwords were eight characters long, while 18% were made up of only lower-case letters. When analyzing the most used base terms for passwords by users, “password,” “admin,” “welcome” and “p@ssw0rd” were the most common.
With the warnings and advice consistently given by the industry, it is deeply worrying that, in 2023, users are still protecting their accounts, as well as access to potentially sensitive information, using basic and weak passwords. The report’s findings are clear evidence that cybersecurity best practices are not being followed. Not only do they highlight the lack of controls in place to protect companies from weak and compromised passwords, but they also shine a light on the importance of stopping password reuse.
Do We Need Stricter Regulations?
Yes. Users relying on poor passwords is nothing new, and the story of humans being the weak link in an organization’s security is constantly repeated by security teams. According to Verizon’s Data Breach report, 82% of breaches involved the human element, including social engineering attacks, errors and misuse. So, should stricter regulations be brought in to ensure password security is meeting security best practices? Well, 83% of compromised passwords were found to meet both the length and complexity requirements of industry regulations and cybersecurity standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA, and Cyber Essentials for NCSC. These results should be acted upon, as they show that even when password best practices are followed, they are not a reliable defense against cyberattacks in their current state.
Real-World Brute Force Attacks
When a password ends up on a breached list it is highly susceptible to brute force and password spraying attacks. Brute force attacks are the most common password-related cyberthreat and occur when threat actors use a trial-and-error method, generating a large number of password guesses until the right one is found. The attack works through all possible combinations of the chosen character set, producing candidate passwords from the minimum to the maximum password length. For each candidate, the tool computes its hash and compares it to the password hash obtained from the target computer. If there is a match, the candidate from the brute-force enumeration is the password used by the user of that computer.
The 2023 weak password report gives an example: threat researchers uncovered cybercriminals using the password term “homelessspa” in their attacks, a password taken from the 2016 MySpace data leak. This is clear evidence that, despite the age of a breach, hackers will still reuse “old,” breached password terms in brute force attacks.
Nvidia Data Breach
There may be a misconception that individuals who use weak passwords are likely uneducated about cybersecurity. However, when examining breaches in the news, this is not the case. When Nvidia, an American multinational technology company, was attacked and breached in 2022 by the cybercriminal group LAPSUS, thousands of passwords were leaked. Given the nature of the business, a global software and technology manufacturer, one could assume that the passwords used by Nvidia employees would be strong. Unfortunately, they were easy to guess, with “Nvidia,” “qwerty” and “nvidia3d” amongst the most commonly used. When choosing a password, users must understand that passwords, passphrases or terms related to the company are among the first that hackers will try in their attacks, and they should be avoided at all costs.
Security to Make Better Decisions
The reliance on passwords by organizations as a layer of defense will continue. With password reuse and other poor password practices common, organizations need to ensure that other defenses are in place to effectively protect access to corporate information. Here are three key enforcement steps to help organizations:
First, protect Active Directory (AD) in a Windows domain, which provides access control to most enterprises. AD is the centralized security and management system that stores authenticated user and computer accounts, and it also provides a method for them to prove their identity to access resources.
Second, organizations must understand that the default password policy settings in AD are not adequate. As a result, deploying third-party password security software as an additional defense layer for AD accounts is crucial.
Last but not least, seek out a solution that can identify and block the use of breached or compromised passwords in real time. This should minimize the risk of them being used in an attack in the future.
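The following is an added example, not code from the article or from Specops, showing the two checks discussed above: a length-and-complexity policy of the kind that 83% of compromised passwords still satisfied, and a real-time breached-password lookup that rejects a compliant password anyway. The policy thresholds, the SHA-1 digest format and the breached sample (a handful of terms cited in the article) are assumptions constructed for the demonstration; the prefix lookup follows the k-anonymity range pattern used by Have I Been Pwned.

```python
import hashlib
import re

# Constructed sample of a breached-password corpus. Real corpora are distributed as
# hash digests rather than plaintext; this helper hashes a few article-cited terms
# so the example runs offline. (Sample data, not a real breach list.)
def build_breached_set(plaintexts):
    return {hashlib.sha1(p.encode("utf-8")).hexdigest().upper() for p in plaintexts}

BREACHED = build_breached_set(
    ["password", "admin", "welcome", "p@ssw0rd", "homelessspa", "qwerty", "nvidia3d"]
)

# Assumed policy: at least 8 characters and three of four character classes.
# It mirrors the shape of common length-and-complexity rules, not any one standard.
def meets_policy(pw, min_len=8):
    classes = [
        re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
        re.search(r"[0-9]", pw), re.search(r"[^A-Za-z0-9]", pw),
    ]
    return len(pw) >= min_len and sum(1 for c in classes if c) >= 3

# Range lookup modelled on the k-anonymity pattern: the client sends only the first
# five hex characters of the SHA-1 digest and receives every matching suffix, so the
# full hash (and therefore the password) never leaves the client.
def range_suffixes(prefix, breached=BREACHED):
    return {h[5:] for h in breached if h.startswith(prefix)}

def is_breached(pw, breached=BREACHED):
    digest = hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()
    return digest[5:] in range_suffixes(digest[:5], breached)

def evaluate(pw):
    # Verdict a change-password hook would use: a password that satisfies the
    # policy is still rejected when it appears in the breached set.
    policy_ok = meets_policy(pw)
    breached = is_breached(pw)
    return {"policy_ok": policy_ok, "breached": breached, "accept": policy_ok and not breached}

if __name__ == "__main__":
    for candidate in ["password", "p@ssw0rd", "Correct-Horse-Battery-42"]:
        print(candidate, evaluate(candidate))
```

Running it shows “p@ssw0rd” passing the complexity rule yet being rejected because it is in the breached set, which is exactly the gap the article describes.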
About the author: Darren James is the Senior Product Manager at Specops Software, an Outpost24 company. Darren is a seasoned cybersecurity professional with more than 20 years of experience in the IT industry. He has worked as a consultant across various organizations and sectors, including central and local governments, retail and energy. His areas of specialization include identity and access management, Active Directory, and Azure AD. Darren has been with Specops Software for more than 12 years and brings his expertise to the support and development of world-class password security and authentication solutions.