Weak Passwords Offer Easy Access to Enterprise Networks

Poor password practices continue to put businesses at risk, with nearly 90% of passwords used in successful attacks consisting of 12 characters or less, indicating additional security measures are required to protect access to sensitive data.

These were among the results of a Specops Software report analyzing more than 800 million breached passwords.

The report revealed the most common base terms used were: ‘password,’ ‘admin,’ ‘welcome’ and ‘p@ssw0rd.’ Passwords containing only lowercase letters were the most common character combination found, making up a little under a fifth of those used in attacks.

Reuse and Recycle—Just Not Your Password

Darren James, senior product manager at Specops Software, said the most surprising finding from the report is that 83% of compromised passwords satisfied the length and complexity requirements of regulatory standards such as NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC. The problem lies with reuse, especially if those passwords were already compromised in another breach.

“People are picking short, easy-to-remember passwords and reusing these across personal and professional services,” he explained. “Some of these regulatory bodies are now recommending, and sometimes requiring, that compliance is dependent on blocking the use of known compromised passwords.”

He said this is what is needed to get at the root of the problem since requiring a minimum of eight characters and some complexity isn’t preventing these attacks.

“One of the biggest areas that stick out to me when I read this report is the increasing occurrence of password reuse and how it exposes organizations to serious breaches,” said JT Keating, senior vice president of strategic initiatives at Zimperium. “Simply put, when users repeat passwords for both corporate and personal logins, the organization is at risk.”

Attackers understand this, which is why they are increasingly using mobile phishing campaigns via SMS, messenger apps and even fake QR codes to harvest passwords.

Keating said in addition to traditional anti-phishing detection in corporate email systems, organizations need to warn and protect users against rampant mobile phishing attacks too.

“It’s important to hammer home that the most basic cybersecurity best practices can prevent a large amount of these mobile phishing attacks from successfully spreading across an enterprise,” he said.

Layered Protection

Requiring unique passwords and changing them often is critical, as is the use of multifactor authentication (MFA), which is an extra layer of protection that can harden defenses in an organization.

“Oftentimes, the only line of defense against mobile phishing is the person receiving it, so employee education on identifying these types of attacks and instituting an awareness of what not to do throughout the organization can go far in protecting sensitive networks,” Keating added.

Darren Guccione, CEO and co-founder at Keeper Security, added that it is always shocking to see how many companies still have lax password policies for their employees, despite the number of high-profile breaches seen each year and the known financial and reputational harm that can happen as a result.

A Keeper report last year found nearly a third of the U.S. companies surveyed left it to their employees to set their own passwords without guidance.

“The lax mindset surrounding password use must change,” Guccione said. “The first step is to provide a password manager for employees that can create and store strong and unique passwords for each and every account.”

The era of work-from-home and distributed workforces has further complicated the security landscape, as more remote workers equate to more endpoints that can be attacked.

“Individual password security becomes an even greater risk to corporate password security when employees are using remote access or accessing professional accounts on personal devices,” Guccione said.

Joseph Carson, chief security scientist and advisory CISO at Delinea, pointed out the growth in mobility and the cloud greatly increases the complexity of securing identities.

“Therefore, organizations still attempt to try and secure them with the existing security technologies they already have,” he said. “This results in many security gaps and limitations.”

He added that some organizations even fall short by trying to checkbox security identities with simple password managers.

“However, this still means relying on business users to make good security decisions,” he noted.

Carson said when faced with tough choices versus simply getting the job done, employees will always take the path of least resistance and, unfortunately, that means risking security.

“Employees need to understand the risks of the actions they take,” he explained. “Ensuring employees at all levels are given adequate training can be a major step forward in helping decrease the success rate of an attack. By normalizing training within the workplace culture, organizations can help maintain attentiveness for the long term.”

Specops Software’s James said the reason for such basic password problems is that the password burden is too great for most people to manage in a secure way.

“People have so many passwords to remember these days; they resort to easy-to-remember passwords or password reuse,” he said. “I don’t blame employees for poor password habits since they are optimizing their productivity by making it easier to log in.”

From his perspective, it should be the responsibility of enterprises to put enforcement tools in place that prevent people from choosing weak and compromised passwords in the first place.

“This helps reduce the burden by rewarding the use of longer, stronger passwords by letting the user keep them for longer,” he added.
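The enforcement James describes, rejecting passwords that are short, built on a common base term, or already present in a breach corpus, can be expressed as a small policy check. The following is an added example, not code from the article, from Specops or from any of the vendors quoted; the minimum length of 13 is an assumption drawn from the report's "12 characters or less" finding, the base terms are the ones the report names, and the breach index is a constructed stand-in for a real corpus, organised by SHA-1 prefix in the same way k-anonymity range-lookup services split hashes so that a client only reveals a five-digit prefix.

```python
import hashlib

# Assumed policy value: the report says ~90% of passwords used in successful
# attacks were 12 characters or less, so this example requires 13 or more.
MIN_LENGTH = 13

# Base terms the report names as most common. Leetspeak substitutions are
# reversed before comparison so that "p@ssw0rd" is recognised as "password".
COMMON_BASE_TERMS = ("password", "admin", "welcome")
LEET_MAP = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e",
                          "$": "s", "4": "a", "5": "s"})


def _sha1_upper(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


# Constructed stand-in for a breach corpus: hashes keyed by their first five
# hex digits, with the remaining 35 digits stored as suffixes. A real deployment
# would load a full corpus (or query a range-lookup service with the prefix).
_CONSTRUCTED_BREACHED = ("password", "admin", "welcome", "p@ssw0rd",
                         "Summer2023!", "Welcome123!!")
BREACH_INDEX: dict[str, set[str]] = {}
for _pw in _CONSTRUCTED_BREACHED:
    _h = _sha1_upper(_pw)
    BREACH_INDEX.setdefault(_h[:5], set()).add(_h[5:])


def meets_legacy_complexity(pw: str) -> bool:
    """Eight or more characters drawn from at least three of four character
    classes: the kind of rule the article says most compromised passwords
    already satisfied, so passing it proves little on its own."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(not c.isalnum() for c in pw),
    ]
    return len(pw) >= 8 and sum(classes) >= 3


def is_breached(pw: str) -> bool:
    """Prefix lookup: only h[:5] would leave the client in a range-query design;
    the suffix comparison happens locally."""
    h = _sha1_upper(pw)
    return h[5:] in BREACH_INDEX.get(h[:5], set())


def normalise(pw: str) -> str:
    """Lower-case and undo common leetspeak so base-term matching is not fooled."""
    return pw.lower().translate(LEET_MAP)


def evaluate(pw: str) -> list[str]:
    """Return every reason the candidate would be rejected; an empty list means
    the password is accepted under this example policy."""
    reasons = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if pw.isalpha() and pw.islower():
        reasons.append("lowercase letters only")
    norm = normalise(pw)
    if any(term in norm for term in COMMON_BASE_TERMS):
        reasons.append("built on a common base term")
    if is_breached(pw):
        reasons.append("appears in a known breach")
    return reasons


if __name__ == "__main__":
    for candidate in ("Welcome123!!", "p@ssw0rd", "correct-horse-battery-staple-42"):
        print(f"{candidate!r}: legacy complexity ok={meets_legacy_complexity(candidate)}, "
              f"rejected for={evaluate(candidate) or 'nothing'}")
```

Running it shows the gap the report describes: "Welcome123!!" satisfies the legacy three-of-four-classes rule yet is rejected three times over (too short, common base term, present in the breach index), while a long passphrase with no breach history is accepted.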

Nathan Eddy

Nathan Eddy is a Berlin-based filmmaker and freelance journalist specializing in enterprise IT and security issues, health care IT and architecture.
