With increasing numbers of passwords compromised, even complex ones, organisations are realising that they need to do more to keep sensitive password information safe. Find out about ‘credential stuffing’, how stolen passwords are used, and how to guard against password reuse and the exposure it creates.
Are you doing enough to stay secure?
When standard password rules alone are not enough to protect against compromise, are you doing enough to ensure that your passwords, and those used by your team, keep your data and systems safe?
Strong password rules alone are not enough
Most of us know the rule, we hope, of making passwords long and complex so that they cannot be cracked by cybercriminals. However, complexity alone no longer guarantees safety: passwords can be stolen outright in a hack, and once a password is in criminal hands, complex or not, it can be run automatically against millions of accounts and email addresses to gain access.
Unfortunately, when 800 million known stolen passwords were analysed, around 83% of them were found to meet the complexity rules. Complex or not, once they are stolen they can be used by cybercriminals.
Stolen passwords for sale on the dark web
Stolen passwords are big business on the dark web where they are swapped for substantial sums in cybercriminal circles, and they don’t just originate from the leaked data of small operators.
Although this example is from a few years ago, it’s notable: the major security breach experienced by the trusted name Dropbox, when 68 million of its users’ email addresses and passwords were exposed on the internet. Many of the passwords were encrypted, as per best practice in password security.
Microsoft emails and passwords leaked
Most recently, Microsoft itself took a major security hit when 38 terabytes of its private data became exposed, including keys, secrets and passwords, as well as internal Teams messages. The repository is now inaccessible and Microsoft resolved the issue quickly, but the incident highlights how easily even the most ‘safely configured’ passwords can become up for grabs.
Criminals cash in on password reuse
The easy attack that cybercriminals are known to use is termed ‘credential stuffing’, and its success relies on the fact that people tend to reuse passwords. Once passwords are stolen, cybercriminals test them against millions of other usernames and accounts.
What is credential stuffing?
Credential stuffing is the term used to describe how hackers take your password and try it against many different accounts to see if it works. Because many people reuse passwords, credential stuffing works very effectively for the hacker.
Hackers use tools to simply test the password against many accounts. They don’t need to ‘crack’ or modify the password; they use it exactly as it is within their automation tooling to find a match, and a way into accounts.
Staying safe from credential stuffing
- The single most important rule is, do NOT reuse passwords. Passwords should be unique to each account, as well as long and complex.
- Switch on two-factor authentication for every account that supports it, if you haven’t already.
- Utilise a web application firewall (WAF) to detect suspicious logins and traffic.
- Limit authentication requests so that accounts are frozen after, for example, three or five login attempts.
- Regularly check that your credentials are not on the dark web and get real-time alerts should your passwords be compromised.
- Run scans to check that your systems and protections are up to date, and run password vulnerability checks.
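As an added illustration of the lockout and suspicious-login rules above (example code, not from the original article), the following Python snippet runs over constructed authentication log lines and flags two patterns: an account that should be frozen after five failures within a window, and a single source address failing against many distinct accounts, which is the signature of credential stuffing rather than a brute-force attempt on one account. The log format, thresholds and IP addresses are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from the article): timestamp, source IP, username, outcome.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.7 alice FAIL
2024-01-10T09:00:02 203.0.113.7 bob FAIL
2024-01-10T09:00:02 203.0.113.7 carol FAIL
2024-01-10T09:00:03 203.0.113.7 dave FAIL
2024-01-10T09:00:03 203.0.113.7 erin FAIL
2024-01-10T09:00:05 203.0.113.7 grace SUCCESS
2024-01-10T09:01:00 198.51.100.4 alice FAIL
2024-01-10T09:01:10 198.51.100.4 alice FAIL
2024-01-10T09:01:20 198.51.100.4 alice FAIL
2024-01-10T09:01:30 198.51.100.4 alice FAIL
2024-01-10T09:01:40 198.51.100.4 alice FAIL
2024-01-10T09:01:50 198.51.100.4 alice SUCCESS
2024-01-10T09:05:00 192.0.2.9 heidi FAIL
2024-01-10T09:05:30 192.0.2.9 heidi SUCCESS
"""

LOCKOUT_THRESHOLD = 5        # freeze an account after this many failures in the window
STUFFING_USER_THRESHOLD = 5  # one source IP failing against this many distinct accounts
WINDOW = timedelta(minutes=10)


def parse_log(text):
    """Split the constructed log lines into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in text.splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def analyse(events, window=WINDOW):
    """Return (locked_accounts, stuffing_ips, suspicious_successes)."""
    fails_by_user = defaultdict(list)  # user -> timestamps of recent failures
    fails_by_ip = defaultdict(set)     # ip -> distinct users it has failed against
    locked, stuffing, suspicious = set(), set(), []
    for ts, ip, user, outcome in sorted(events):
        if outcome == "FAIL":
            recent = [t for t in fails_by_user[user] if ts - t <= window] + [ts]
            fails_by_user[user] = recent
            if len(recent) >= LOCKOUT_THRESHOLD:
                locked.add(user)  # lockout rule: freeze the account
            fails_by_ip[ip].add(user)
            if len(fails_by_ip[ip]) >= STUFFING_USER_THRESHOLD:
                stuffing.add(ip)  # many accounts, one source: stuffing signature
        elif user in locked or ip in stuffing:
            suspicious.append((ts.isoformat(), ip, user))  # a success worth alerting on
    return locked, stuffing, suspicious
```

Note that the stuffing source is caught even though it fails only once per account, which a per-account lockout on its own would never trigger.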
We’ve got your back
Cybersecurity isn’t an add-on at Cultrix, it’s the basis on which we approach every single service and element of our IT support.
If you need help with password protocols and management, firewalls and credential checks, or you fear you’ve been the subject of a hacking attack and are concerned about your business operation, get in touch today.