“Choose a combination of letters, numbers, special characters, and upper/lower case.” “Don’t use passwords for multiple accounts.” “Set a password you’ve never used before.”
Everyone has seen these types of messages and companies repeat them all the time.
Nobody likes passwords (they can seem like a chore) and people tend to cut corners and be careless – administrators included.
In fact, alarmingly, according to a recent study by cybersecurity firm Outpost24, system administrators use “admin” the most, followed by others that are surprisingly easy to guess or are simply the default during initial setup and login.
“As our personal and work lives move more and more online, we really need to change our approach to passwords,” Darren James, senior product manager at Outpost24, told VentureBeat. “Using the same, easy-to-guess, short passwords across multiple systems makes it easy to remember but also extremely vulnerable to attacks.”
The top 20 admin passwords, according to a study by Outpost24
Outpost24’s ongoing monitoring and intelligence gathering identified around 1.8 million passwords. “Admin” had more than 40,000 entries, followed by “12345,” “12345678,” “1234,” and “Password.”
- Administrator
- 123456
- 12345678
- 1234
- password
- 123
- 12345
- admin123
- 123456789
- administr
- demo
- root
- 123123
- admin@123
- 123456aA@
- 01031974
- Admin@123
- 111111
- admin1234
- admin1
This is consistent with research on cyberattacks: The Verizon Data Breach Investigations Report, for example, found that one of the three main ways attackers gain access to an organization is by stealing credentials (as well as phishing and exploiting security vulnerabilities).
Additionally, nearly three-quarters (74%) of breaches are due to human error, use of stolen credentials, privilege abuse, and social engineering.
Attackers are increasingly using more specialized password-stealing malware (stealers). Once installed – for example, when a user clicks on a fake attachment – stealers stay in the background and collect information about the user, such as logins stored in web browsers, FTP clients, email clients and wallet files.
Another way for threat actors to steal passwords is through brute force attacks, or trying out different combinations of passwords or passphrases in the hopes of eventually guessing the right one – which wouldn’t be difficult in the case of the login information collected by Outpost24. In addition, they practice credential stuffing, i.e. trying out passwords obtained from one account on another.
Administrators are people too
So most of us know the risks – why are we still so lazy when it comes to passwords?
James noted that it’s not just the user’s fault. Organizations and services must have the right policies and tools in place that can support good password policies.
Many systems are still based on old, short passwords – seven to 12 characters – that were used before the Internet became a way of life. Organizations don’t often provide users with instructions on how to change passwords, so users follow predictable patterns, such as just swapping out a number when asked to change their password (let’s face it, we’re all guilty of this).
But shouldn’t administrators know better by now?
“It’s important to stamp out bad admin passwords, but they’re only human and like the rest of us, they take shortcuts,” said James.
Practice good security hygiene
Default passwords should be changed automatically the first time they are used, James said – this should be a company requirement.
Organizations should also ensure they have the right policies in place that apply to the right people. Admins should have two accounts: one for their non-admin work (keeping track of emails, conducting research) and another for their admin role.
“You should be forced to use long, strong and invulnerable passwords for these accounts – and unfortunately I would still recommend that administrators change them regularly,” James said.
Additionally, multi-factor authentication (MFA) should be enabled for administrator accounts if possible. Administrators should also consider using a password manager if they find themselves overwhelmed by too many passwords and cannot remember them without writing them down or storing them in documents or emails, which can create even more security problems.
Such a password manager should always be protected by a secure passphrase, which is longer than a password and therefore more difficult for hackers to guess. For example, James said, three random words totaling 15 characters that have meaning to the user.
There’s no need for complexity, James said, and it can be continuously scanned for a breach: “You don’t even have to change it.”
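One way to enforce the advice above at password-change time, as an added example that is not from Outpost24 or the original article: it rejects a new admin password that appears on the page's list, is shorter than the 15-character passphrase James describes, or differs from the previous password only in its digits. The function name, messages and sample passwords are assumptions constructed for illustration.

```python
import re

# Passwords from the list on this page, lower-cased, plus "admin",
# which the text names as the most used.
COMMON_ADMIN_PASSWORDS = {
    "admin", "administrator", "123456", "12345678", "1234", "password",
    "123", "12345", "admin123", "123456789", "administr", "demo", "root",
    "123123", "admin@123", "123456aa@", "01031974", "111111",
    "admin1234", "admin1",
}
MIN_LENGTH = 15  # length of the passphrase in James's example

ON_COMMON_LIST = "appears on the common/default admin password list"
TOO_SHORT = f"shorter than {MIN_LENGTH} characters"
DIGIT_SWAP = "differs from the previous password only in its digits"


def _skeleton(password):
    """Lower-case and strip digits so 'Winter2023!' and 'winter2024!' compare equal."""
    return re.sub(r"\d+", "", password.lower())


def check_admin_password(new, previous=None):
    """Return the list of policy violations; an empty list means accepted.

    `previous` is the current password the user typed on the change form
    (assumption: it is only held in memory for this comparison).
    """
    problems = []
    if new.lower() in COMMON_ADMIN_PASSWORDS:
        problems.append(ON_COMMON_LIST)
    if len(new) < MIN_LENGTH:
        problems.append(TOO_SHORT)
    if previous is not None and _skeleton(new) == _skeleton(previous):
        problems.append(DIGIT_SWAP)
    return problems


if __name__ == "__main__":
    samples = [  # constructed (new, previous) pairs, not real credentials
        ("Admin@123", None),
        ("correct-horse-battery7", "correct-horse-battery6"),
        ("maple tractor violin", "Winter2023!"),
    ]
    for new, previous in samples:
        print(repr(new), check_admin_password(new, previous) or "accepted")
```

A check like this complements, rather than replaces, the breach scanning and MFA recommended in this section.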
Passwords aren’t going away, so be vigilant
These days, it’s not uncommon for many of us to have dozens or perhaps even hundreds of passwords, and James points out that “creating unique passwords for each system we log into is overwhelming for most of us.”
In addition to avoiding the obvious (staying away from default passwords), James advised using anti-malware tools and continually scanning credentials to ensure they haven’t been hacked. Scanning can also determine if these logins are used across multiple accounts. Another important practice is to disable browser password saving and autofill settings.
Also, watch out for domain typosquatting (when hackers register domains with intentionally misspelled names of popular websites), he emphasized, and make sure you are redirected to the correct websites after clicking on ads.
Passwordless authentication and passkeys are new methods of improving cybersecurity, but James said these are still a long way from being viable. “Until this authentication utopia arrives (don’t hold your breath),” companies must emphasize best practices and use the tools at their disposal.
For those who have been diligent about creating strong, long and complex passwords and are upset by Outpost24’s results, James offers the encouraging answer: “Keep it up!”
At the same time, keep your eyes open and “preach to your colleagues around you,” he said.
Ultimately, “passwords, whether we like them or not, will remain an important part of the authentication process for the foreseeable future,” James said. “It is therefore extremely important that we try to use them correctly, as even a single compromised ID can expose your entire infrastructure or your private life.”
Source : venturebeat.com