The 2023 Weak Password Report once again highlighted how the breach of a password or user credential is one of the weakest links in enterprise security. When coupled with inconsistent patching, misconfigurations, and lack of vulnerability scanning, bad password practices are an easy path for malicious hackers.
In the report, researchers analyzed more than 800 million breached passwords worldwide to find the key trends, common denominators, and lessons learned.
- 88% of passwords used in successful attacks consisted of 12 characters or less.
- The most commonly breached passwords consisted of 8 characters.
- Passwords containing only lowercase letters were the most common character combination found, making up 18.82% of passwords used in attacks.
- The most common base terms used in passwords were: ‘password’, ‘admin’, ‘welcome’, and ‘p@ssw0rd’.
- 83% of compromised passwords did not satisfy the length and complexity requirements of compliance or cybersecurity standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA, and Cyber Essentials for NCSC.
Brute Force Attacks Remain Effective
A brute force attack is where an attacker tests different character combinations until they find the correct login information. These began with guesswork on the part of the hacker. Although still done that way using dates of birth and child names as clues, the modern approach is to computer-generate huge numbers of potential passwords until the right one is found. Another common tactic is to take passwords available on the dark web and test them on other websites used by that individual to see if they can gain access to additional accounts. This has a decent degree of success due to people reusing the same passwords or word/number combinations.
Unfortunately, even in large, sophisticated IT organizations, weak password hygiene is commonplace. The 2022 Nvidia breach, for example, unveiled thousands of employee passwords. They included the likes of ‘Nvidia’, ‘qwerty’ and ‘nvidia3d’ among them. The reality is that most individuals see passwords as a barrier to getting their work done or getting the information or systems they need. They aren’t going to choose technically complex passwords because it makes their lives more difficult.
Weak Password Examples That Many Think Are Strong
These weak password examples may incorporate a combination of letters, numbers, and special characters, as well as personal information. However, they are still weak because they can be easily guessed or targeted through common password-cracking techniques. It’s crucial to create unique and complex passwords that are not related to personal information or easily identifiable patterns.
Best Practices for Passwords
This is why organizations need to adopt security best practices that can enforce strong password security, such as:
- Issue a clear policy on password hygiene, including the minimum number of characters and the use of upper case, lower case, numbers, and symbols.
- Determine an acceptable period for password changes and enforce it. Most organizations choose 90 days, but standards vary on this subject, so you should check with the most relevant compliance requirements for your industry.
- Use Security Awareness Training to educate users regularly on password best practices.
Vulnerability Scanning Provides an Extra Layer of Protection
As is the case with most areas of cybersecurity, one system or methodology is never enough. A multi-layered approach is required. Password protection policies, technologies, and best practices must be supported by vulnerability scanning to ensure all devices and systems on the network are scanned regularly for potential vulnerabilities on endpoints that could be easily exploited with compromised credentials. Syxsense can help detect key signs of a potential attack by alerting IT and security operations teams to events or risks such as:
- Multiple failed login attempts
- Misconfigured or open ports
- Outdated antivirus signatures
- Disabled firewalls
- Unpatched systems
- Compliance violations
Syxsense vulnerability scans detect any weak spots on your endpoints that can put your enterprise and data at risk of getting stolen or altered. We mitigate risk by putting IT back in control of every device used in your organization. By highlighting potential issues, your organization can reduce its attack surface and minimize the chances of a breach.
The vulnerability scanner built into Syxsense Secure and Syxsense Enterprise is effortless to employ and has a user-friendly interface. Its automation features enable IT to focus on priority tasks while it scans and secures systems and data.
For more information, join us for a Lunch and Learn demo.