Would you believe if I told you that you 81% of data breaches worldwide are caused by hacked passwords? This statistic provided by Verizon Data Breach Investigations emphasizes the extreme importance of implementing strong passwords at every entry point to try and deter hackers from infiltrating your systems.
In my company’s work providing automatic pen-testing for enterprises around the globe, we see that for most data breaches the human factor was the weakest security link - specifically weak passwords that can be easily cracked by attackers. Many weak passwords - and this is true all over the world - are based on simplistic words, which are very easy for hackers to crack and use to gain entry to your private data. Incredibly, in 2018, passwords are still the most commonly used authentication method and “Password1” is still the most common password. While this password meets most organizational password policy (at least 8 characters, mix of upper/lower case and a number), it can easily be cracked in mere seconds.
Our machine-based penetration testing software shows that a significant percentage of passwords are easily crackable by attackers, because taking over a credential is one of, if not the easiest, access point for an attacker. Credential sniffing is a common attack technique, especially considering that the same credentials can later be used for relay attacks and further password cracking to obtain deeper access into an organization. In fact, about 20% of passwords are trivial (can be cracked by software in seconds) and an additional 50% of passwords can be cracked using strong GPUs in just a few hours.
At Pcysys, we use algorithmic-based Pen-Testing software, which gives organizations a clear view of an attacker’s perspective. We do so by mimicking the hacker’s mind to try and find the easiest way to (ethically) break into an organization and find the weakest link to get a foothold in the enterprise. The system then performs lateral movements and privilege escalation the same way an attacker would, with the goal of helping the organization to understand their weak cyber points and determine how to apply prioritized cost-effective remediation to increase the organization’s overall cyber resilience.
In many cases, a customer sees in the Pcysys report that one of the top three vulnerabilities identified is related to the organization’s weak passwords. Many of our customers realize that an immediate and critical remediation option is to enforce and educate employees to use stronger passwords. They also see how important it is to put more security measures in place around user authentication with focus on “Privileged Users”.
Here are 5 suggestions that both corporations and individuals should implement to ensure their password security:
#1 Don't use common dictionary words - Ex: Password1, Football01. This includes using simple digit-to-letter substitution - Ex. Pa$$word1, F00tball01 - as those are easily cracked by dictionary attack tools.
#2 Don't use sequential letters or numbers in your password. Ex: 123456, abcdef (A password like Ab123456 is practically a 3 character password).
#3 Don't use your name or username as part of the password and/or other personal data that can be easily obtained via social networks (i.e. kids’ and pets’ names)
#4 Do use a higher number of characters with a mix of upper/lower case letters, numbers and special characters - password length is key for a strong password. Consider using passphrases that have a higher number of characters, yet are easier to remember, also add special characters to the mix. Ex: ILikeMarsBars!!
#5 Do try to keep the password unpredictable: A number/special character in the middle of the password, words with typos, etc. Ex: ILike4FourNumbers!, Ihave2Twokidz.
- Education, education, education! Educate your users, with a focus on privileged users, on the impact of using weak passwords and how easy it is to crack them.
- Consider using multi-factor authentication (MFA) with a focus on privileged users and strengthened authentication processes based on the risk or type of operation.
- Consider changing the organization’s policy to enforce a password change every 90 days. Educate your users and enforce the use of longer and stronger passwords. Forcing employees to implement frequent password changes drives them to use easy to crack and predictable password patterns, such as changing “Password1” to “Password2”.
The ability for hackers to crack passwords have come a long way in the last couple of years. Easy access to computing power and large scale GPUs have completely changed the landscape in a hacker’s ability to crack passwords and gain easy entry into an organization. You can have the best cyber defences, but if your keys are trivial to crack it will be an easy entry point for attackers into the organization.
By following these tips you’ll keep the “candy” of easy access into your organization better protected.