Breaches involving stolen credentials don’t surprise anyone these days. Those of us in infosec know too well that it’s a thousand times easier for the bad guys to gain access to a network and fly under the radar with a stolen login—often obtained through social engineering—than it is to get through cyber defenses. From the bad actors’ perspective, why pick the lock and trigger the security alarm when with a little savvy, you can steal the key and not raise any red flags for a long time? Although the recent hack of Facebook CEO Mark Zuckerberg’s social media accounts caused mostly personal brand damage, rather than a major data breach, it was a good reminder about the importance of using cybersecurity hygiene, such as strong passwords.
Two of last year’s major breaches are great examples of how dangerous weak or stolen passwords can be. In the case of Anthem, hackers succeeded in their attack after using the compromised credentials of several employees. Similarly, a government contractor’s credentials were used to give cybercriminals access to the massive database of the Office of Personnel Management (OPM).
Since compromised accounts can have serious consequences—such as multimillion-dollar losses to your company—and since many people use the same passwords both for personal and company accounts, this is a good time to review best practices for setting strong passwords.
How Hackers Get Your Login Credentials
It only takes one breach at the right company for millions of user names and passwords to become compromised. And we’ve seen plenty of those in the last few years. Evernote’s 50 million compromised accounts and Adobe’s 38 million (or more) are just two examples.
Although a Russian crime ring that reportedly stole 1.2 billion logins is likely using their haul to send spam and similar purposes, cyber thieves commonly sell stolen passwords on the dark market. More recently, the same security company that discovered the existence of that massive collection found that a Russian hacker had access to 1.17 billion credentials (and was willing to sell the whole batch for $1). Tens of millions of Google, Microsoft and Yahoo email logins were among those records, according to the firm Hold Security.
On the black market, stolen passwords are a commodity easily sold, bought and traded, albeit you’re less likely to find them for the bargain of $1. The reason they’re valuable is because cybercriminals know that average users would rather reuse the same passwords on multiple sites—and indefinitely—rather than try to memorize new passwords. So unlike credit cards numbers, which are only valuable for a short time, the window of opportunity with stolen passwords can stretch into years.
That’s how Zuckerberg’s Twitter and Pinterest accounts got hacked (his password was “dadada”). The group that claimed responsibility for the hack said it was the 2012 LinkedIn breach that gave them the way in. LinkedIn recently confirmed that some email and password information available on the dark web was linked to the breach, an incident which affected 117 million users’ accounts. Four years later, bad actors are still taking advantage of that breach—and of users who weren’t diligent enough to change their credentials on other sites.
Cybersecurity practitioners have been trying to solve the problem of passwords with various tools and tech. One method that’s becoming more common is to limit account logins to whitelisted IP addresses. It’s especially easy to do if you use a vendor like Salesforce because many of those types of cloud providers are offering built-in capabilities to do it. And it’s effective since hackers can’t use the stolen passwords outside of those IP addresses.
How to Create Strong Passwords
The first rule for a secure account is to create a password that is unique but memorable. While many people obey the latter, they disregard the former. Consider the most popular passwords: “123456,” “password” and “12345” are the top three, and others in the top 20 are “abc123,” “princess” and “login.” While they’re certainly memorable, they fail in the uniqueness category. They certainly aren’t strong passwords!
Some users think they are clever by adding variations such as substituting the letter o with the number 0 (“passw0rd” is another popular choice), but bad actors are just as clever and they’ll try multiple variations of popular passwords. Unfortunately, they have various automated tools at their disposal that makes the process of authenticating credentials very efficient.
Here are some techniques you can use to create strong passwords:
Length: Many websites allow as few as five or six characters, but that’s not enough. You need at least 12 for any account that has sensitive information and at least eight for all others.
Variety: When allowed, use everything you’ve got—not just letters but also capital letters, numbers and symbols. Each one of those categories that you add to the mix increases the password’s strength exponentially.
Readability: If you can find the word in the dictionary, do not use it. That includes compound words or combinations.
Personalization: Don’t use any names that can be associated with you, like family, pets, or locations. It’s surprising how many people still ignore this basic rule.
Recognition: Avoid patterns because that’s what bad actors will use to crack passwords. The most commonly used patterns are an upper case letter with six lower cases and two digits, an upper case with five lower case letters and three digits, and three lower cases with five digits.
Once you’ve created strong passwords, add two more steps to your account security process. One, use a secure and reputable password manager instead of storing passwords in unsecured locations, including unencrypted cloud drives. And two, whenever two-factor authentication is available, turn it on. It may add a few seconds to your login as you wait for the authorization code to be texted to you, but it’s the simplest way to add another layer of protection to your account since chances of your mobile phone falling into the hands of hackers are very slim.
Like anything else, changing habits can be hard, but when it comes to passwords, you’ll be glad you did. Even if you’re not famous and the harm to your reputation would be minimum if your social media account were hacked, the consequences can be much more serious.
Don’t forget to change your passwords regularly, especially if the service or provider doesn’t require it. Think of it like testing the batteries in your fire alarm—you know you have to do it a couple of times a year, and many people do it when they have to turn their clocks forward or back, so it’s easy to remember. Create similar timelines in your schedule for changing the passwords, and you’ll be all set.
If your systems have been comprised though, you can use Tripwire to monitor for unauthorized changes to ensure your systems stay secure and you can isolate the damage. Learn more here.
About the Author: Sekhar Sarukkai is a Co-Founder and the Chief Scientist at Skyhigh Networks, driving future innovations and technologies in cloud security. He brings more than 20 years of experience in enterprise networking, security, and cloud service development.
Editor’s Note: The opinions expressed in this guest author article are solely those of the contributor, and do not necessarily reflect those of Tripwire, Inc.