Are You Guilty of These Password Sins? Your Guide to Password Security

We know. Using a unique, complex password for every single account you have is tough to manage. A 2019 study by Google and Harris Poll found that keeping track of passwords is a source of frustration for most users. However, as frustrating as it is, with over 80% of hacking-related breaches being linked to passwords, it is crucial to secure our accounts.

By default, your IT team may provide you with a generic password to get you set up, with the intention that you'll change it as soon as you log in. However, many users skip this important security step: they either leave the default password in place or replace it with a weak one.

Common passwords

The GitHub page for OWASP's SecLists project lists the top 1000 passwords across the globe. Hit Ctrl-F and see if you can find your password. TIP - If it's there, consider changing it ASAP.

Other common passwords are based on the user's name, birthday, pets, spouse or children. Again, if your passwords contain any personal information, they may be easy to guess. Oftentimes, if you are being targeted, hackers can find a lot of personal information on social networks, or they can use social engineering to obtain the specific piece of information they need. Those scam calls asking for something seemingly irrelevant may appear innocent, but they may be attempts to learn your security question answer or other personal information that helps guess your password.

Some of Packetlabs' wall-of-shame passwords for this year are:

  • Welcome1

  • P@ssw0rd

  • Spring2023

  • Summer2023

  • Fall2023

  • Winter2023

But I use 2FA/MFA - isn't that enough?

Using two-factor authentication (2FA) or multi-factor authentication (MFA) is a great strategy to add an extra layer of protection to your accounts - but it is not enough. Here is an example of MFA being breached.

Example

DEV-0537 used two main approaches to fulfill MFA requirements: session token replay and using stolen passwords to trigger simple-approval MFA requests, hoping that the genuine user of the breached account would eventually consent to the prompts and give the required approval. Besides using social engineering tricks to con the staff of target firms, researchers claim DEV-0537 bribed employees (insider attack) into parting with MFA or 2FA credentials to breach the security perimeter.

What if I have a strong password but use it across multiple accounts?

Password reuse is still a very common practice. Even if you think you have a strong password, it only takes one breach for your password to be compromised. The first thing a hacker will do is run your username and password across as many accounts as possible to see if it works. So if you have reused a password, all the accounts with that same username and password could be compromised. By using unique passwords for each account, you protect yourself from having multiple accounts hacked at once.

So, what's the solution?

The solution involves three main aspects.

  • Choose strong, unique passwords for each account

  • Enable multi-factor authentication whenever possible

  • Use a password manager

What does a strong password look like?

The key aspects of a strong password are length, a mix of characters, no ties to your personal information and no dictionary words. You want your password to be 12 or more characters with a mix of uppercase and lowercase letters, numbers and symbols. Bonus if it's randomly generated and does not contain any dictionary words (especially personally identifiable ones!).
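As an added example (not part of the original post), here is a small Python checker that applies the criteria above: 12 or more characters, all four character classes, no common or dictionary words (with simple leetspeak like P@ssw0rd normalised away), no season-plus-year pattern like the wall-of-shame entries, and no personal information. The common-password and dictionary sets are constructed stand-ins; a real audit would load the SecLists file and a full wordlist.

```python
import re

# Constructed stand-in for a common-password list; a real check would load the
# OWASP SecLists top-1000 file the post points to (assumed: one password per line).
COMMON_PASSWORDS = {"123456", "password", "qwerty", "letmein", "welcome1", "iloveyou"}

# Constructed mini dictionary; a real check would use a full wordlist.
DICTIONARY = {"password", "welcome", "spring", "summer", "fall", "autumn", "winter",
              "admin", "login", "dragon", "monkey"}

# Season + year pattern behind the wall-of-shame entries (Spring2023, Fall2023, ...).
SEASON_YEAR = re.compile(r"^(spring|summer|fall|autumn|winter)[^a-z]*\d{2,4}$", re.I)

# Common leetspeak substitutions, so P@ssw0rd is judged as "password".
LEET = str.maketrans("@$013!", "asoiei")


def normalize(password: str) -> str:
    """Lower-case and undo simple symbol/digit-for-letter substitutions."""
    return password.lower().translate(LEET)


def check_password(password: str, personal_info: tuple = ()) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    findings = []
    if len(password) < 12:
        findings.append("shorter than 12 characters")
    classes = {
        "uppercase": any(c.isupper() for c in password),
        "lowercase": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),
    }
    missing = [name for name, present in classes.items() if not present]
    if missing:
        findings.append("missing " + ", ".join(missing))
    norm = normalize(password)
    if password.lower() in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        findings.append("appears in common-password list")
    if SEASON_YEAR.match(password):
        findings.append("season + year pattern")
    # Report the longest dictionary word embedded in the normalised password.
    words = sorted((w for w in DICTIONARY if w in norm), key=len, reverse=True)
    if words:
        findings.append(f"contains dictionary word '{words[0]}'")
    for item in personal_info:
        if len(item) >= 3 and item.lower() in password.lower():
            findings.append(f"contains personal information '{item}'")
    return findings
```

Pass `personal_info` as a tuple of names, pet names or birth years to catch the guessable passwords described in the Common passwords section.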

Password managers

Using a password manager is one of the best ways to secure your accounts. A password manager will generate, store and autofill strong passwords for each account, so you don't have to remember all of them. This eliminates the need for users to be creative with their passwords or risk using weak ones.

Conclusion

In conclusion, understanding the importance of strong passwords and changing them in the case of a breach is a critical step in keeping your accounts secure. Consider using a password manager to help with the process of making and managing multiple secure passwords across all of your accounts. Avoiding password reuse and enabling MFA where possible will also help ensure your accounts stay secure.

Interested in a company-wide password audit?

Packetlabs offers a comprehensive AD password audit, which includes a complete review of all company passwords. This review includes:

  • Overall risk level

  • Top-used passwords

  • Top-used base words

  • Character sets

  • Password length

  • Comparison of passwords against breach databases

  • Tailored recommendations

  • And more!

Contact us today to learn more about Packetlabs AD Password Audit.
