Passwords are the weakest part of any cybersecurity strategy. According to Microsoft’s Digital Defense Report, cybercriminals make almost 1,000 attempts to hack account passwords every second.
As encryption and zero-trust security measures become more common and more powerful, the ability for cybercriminals to hack into a system is becoming increasingly challenging. As security improves, gaining access through compromised or stolen login credentials has become the main point of entry for hackers.
Here are some alarming statistics about password safety from CNET, Security Link, Scientific American, Verizon, and Microsoft:
- 81% of company data breaches are caused by poor password management
- 80% of all hacking incidents occur because of stolen login information
- 555 million stolen passwords are for sale on the dark web
- Password attacks increased by 74%, making it the primary method through which accounts are compromised.
- An average person in the US has 75 online accounts.
- 51% of all passwords are reused, and nearly 20% of passwords are already compromised, so one stolen password could lead to dozens of hacked accounts.
How are passwords stolen?
There are many ways criminals can steal login information from unsuspecting individuals. Knowing how to spot a potential hazard and what to do if you suspect an attack is essential.
Here are a few of the most widely used ways of gaining login information used by hackers and how to stay safe:
Phishing
It is estimated that over 70% of all cybercrimes begin with a phishing or spear phishing attack. Phishing is a social engineering attack that essentially attempts to trick the unsuspecting individual into supplying their login credentials to what they think is a legitimate site or trusted person.
How it works: Typically, phishing starts with an email formatted to look like it is coming from a legitimate source. The email will ask the person to click on a link to a fake website asking the user to enter their login information. The hacker then saves this username and password to gain entry or sell on the dark web.
How to stay safe: Most phishing emails are written by a person who is not a native English speaker, which means they will contain misspellings, typos, and/or strange wording. If they do, this is a dead giveaway that it is not a legitimate email.
Always check the sender’s email address to make sure the address matches who the email says it is from. For example, if an email claims to be from Microsoft, the sender’s email address will be @microsoft.com.
Ignore emails that use a strong call to action. Such as “emergency” or “click here now,” these are meant to scare you into clicking on a dangerous link. Use caution when clicking a link in any email, and always go to the vendor’s website directly to login.
Credential Stuffing
This attack attempts to take advantage of people reusing passwords for multiple websites.
How it works: It can start with a successful phishing attack or a breach of another site with poor security where a user’s password is stolen. The login credentials are then used to attempt to log in to other websites. 52% of people use the same password for multiple (not all) accounts, and 13% use the same password for every account. An estimated 51% of all passwords are used more than once. Because of the common reuse of passwords across many different sites, credential stuffing is often successful. Hackers have developed tools that quickly automate testing stolen credentials across many sites.
How to stay safe: Use a unique password for every site. Using a different password for every website will help reduce the damage caused if any of those sites are compromised. Consider using a password manager to keep these passwords safe and avoid needing to remember unique passwords for every site.
Password Spraying
An estimated 16% of all breached passwords come from password spraying attacks that try to simply guess a weak password.
How it works: Password spraying is a technique that tries a list of commonly used passwords combined with a username, such as abc123, password1234, qwerty123, etc. The use of bots has streamlined this process by allowing hackers to try many variations quickly.
Recently, hackers have been getting more sophisticated by accessing information about the individual to create a custom list of commonly used passwords, such as a child’s name or birthdate.
How to stay safe: Always use a strong, unique password for every website containing letters, numbers, and symbols.
What to do if you suspect your account has been compromised
If you suspect an account has been compromised, the first thing you should do is change your password. By immediately changing your password, you can stop further suspicious activity on that account while you assess the damage.
If you suspect fraud, contact your IT team or customer support for the website you suspect was breached.
Long, Unique, Complex
According to the National Cybersecurity Alliance, keep in mind three guiding principles when creating a password:
- Long – Every password created should be at least 12 characters long.
- Unique – Never reuse passwords. Every account should have its own unique password, and none of your passwords should be similar (for example, adding a “2” to the end of a password). That way, if one account is compromised, the breach will be contained.
- Complex – Every unique password should contain a combination of uppercase and lowercase characters along with numbers and symbols.
If the long, unique, complex principles are followed, you should never need to change your password except in cases where there may be a suspected breach or unauthorized access.
ALWAYS use Multi-Factor Authentication
Multi-factor or 2-factor authentication is an added level of password security that verifies the login using another method, such as a text message with a code, an authenticator app, FIDO2 key, biometrics, etc. It’s estimated 99.9% of all password attacks can be stopped by multi-factor authentication.
If you are using 2-factor authentication and receive a prompt not initiated by you, change your password immediately. Criminals are known to ask for your 2-factor code or ask you to grant an access request. Never give your 2-factor code to anyone.
It is crucial to always enable multi-factor authentication anywhere it is available. For more information about 2-factor authentication, check out our video by clicking here.
How to keep track of all those passwords
Password managers have emerged as a great way to keep track of long, unique, complex passwords. They are often browser extensions and phone apps that safely encrypt and store your password list and make it easy to log in.
According to Google, 75% of Americans are still frustrated with password management. As a result, many people sacrifice convenience over security. 2 out of 3 Americans use the same password for multiple sites, while about 60% use easy-to-guess passwords. Even those who take the time to personalize it often write them in a notepad that can be lost or stolen. Hackers tend to exploit these human behaviors, allowing them to access personal and financial information.
The team at www.passwordmanager.com has created tools and resources to educate users about the convenience and security of a good password manager.
Rely on a team of IT experts
For more information about how to keep your passwords safe or how to roll out the use of a password manager at your organization, contact tca SynerTech today.
