Celebrating World Password Day
By Aaron Sandeen, CEO and Co-Founder of Cyber Security Works (CSW)
Passwords have been around since the beginning of the digital era. They protect our privacy and security, and the security of the companies we work for. Actions like changing your password every few months and not reusing old passwords seem like standard practice; however, a recent report shows that 66% of employees reuse their passwords anyway.
For reasons like this, tech giant Intel founded the day in 2013 that is now known as World Password Day, celebrated every year on the first Thursday of May.
Recognizing password-related cyberattacks
World Password Day is a day set aside to promote better password use and draw attention to the numerous password-related attacks. Tackling every password-related attack would be difficult, but addressing the problem of password reset poisoning plays an essential role in increasing organizational knowledge about better password use and vulnerability management.
Password reset is available in all online applications that use a login gateway. When a user forgets their password, the reset password option comes in handy. However, it also opens the door to password reset poisoning, an attack in which the attacker acquires a victim's password reset token and is then able to reset the victim's password.
The issue arises when the application uses the Host header to build the password reset link, so that a user-supplied Host header ends up in the reset link the victim receives. Companies must be aware of this type of password attack to protect the privacy of their employees and the organization as a whole. While dealing with similar password-related attacks, more vulnerabilities can be addressed, giving security teams peace of mind.
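The following is an added example (not code from the original post or from CSW) showing the defect described above, with a vulnerable link builder that copies the Host header into the reset link beside a hardened one that uses a configured canonical origin and rejects unexpected Host values. The origin, allowed host and the sample Host values are constructed for illustration.

```python
# Added example (not from the original post): password reset poisoning
# happens when the reset link is built from the user-supplied Host header.
from urllib.parse import urlsplit

# Constructed values for this example: the application's real public origin
# and the only host names it should ever accept.
CANONICAL_ORIGIN = "https://app.example.com"
ALLOWED_HOSTS = {"app.example.com"}


def build_reset_link_vulnerable(headers: dict, token: str) -> str:
    """Vulnerable: whatever Host the client sent becomes the link's host,
    so the reset token can be sent to a host the attacker controls."""
    host = headers.get("Host", "")
    return f"https://{host}/reset?token={token}"


def build_reset_link_hardened(headers: dict, token: str) -> str:
    """Hardened: the link is always built from the configured origin, and a
    request carrying a Host value outside the allow list is refused."""
    # Strip an optional port (IPv4/DNS form assumed for this example).
    host = headers.get("Host", "").split(":")[0].lower()
    if host not in ALLOWED_HOSTS:
        raise ValueError(f"unexpected Host header: {host!r}")
    return f"{CANONICAL_ORIGIN}/reset?token={token}"


def link_points_to_app(link: str) -> bool:
    """Detection check: does the generated reset link stay on our own host?"""
    return urlsplit(link).hostname in ALLOWED_HOSTS


if __name__ == "__main__":
    # Constructed request from an attacker-chosen Host (placeholder name).
    poisoned = {"Host": "reset-poison.invalid"}
    print(build_reset_link_vulnerable(poisoned, "t0k3n"))  # link leaves our host
    print(build_reset_link_hardened({"Host": "app.example.com:443"}, "t0k3n"))
```

The same check (`link_points_to_app`) can be run against reset emails in a test suite to catch a regression where a link builder starts trusting request headers again.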
Recent password-related cyberattacks
The following are examples from the first few months of 2022, where poor password hygiene led to different types of cyberattacks.
Ransomware group uses passwords stolen via RedLine malware
On March 20th 2022, the Lapsus$ hacking group claimed to have leaked the source code for Bing, Cortana, and other projects stolen from Microsoft's internal Azure DevOps server. The RedLine password stealer was used to take 37GB of source code allegedly belonging to Microsoft. Microsoft continues to track the Lapsus$ data extortion group as 'DEV-0537'. DEV-0537 is also known to exploit vulnerabilities in Confluence, JIRA, and GitLab for privilege escalation.
Multi-factor authentication compromise following a brute-force password guessing attack
On March 15th 2022, the FBI announced that Russian state-backed hackers gained access to a non-governmental organization's (NGO) cloud after enrolling their device in its Duo multi-factor authentication (MFA) system, following the exploitation of misconfigured default MFA protocols. To breach the network, the hackers used credentials compromised in a brute-force password guessing attack to access an unenrolled and inactive account that had not yet been disabled in the organization's Active Directory.
On February 3rd 2022, LockBit ransomware operators claimed that they stole the PayBito database that contained 100,000 customers’ information across the United States and other countries worldwide. The information taken included email addresses and “weak” password hashes.
Cloud repository left without a password
A misconfigured Amazon S3 bucket belonging to Civicom was responsible for exposing thousands of audio and video recordings of the company’s clients. The S3 bucket was left exposed without any password or security authentication, meaning anyone with knowledge of how to find misconfigured databases could have accessed the data. This resulted in 8TB of stolen records.
How to properly celebrate World Password Day
Many are currently worried about the uptick in cyberattacks around the world due to the ongoing conflict between Russia and Ukraine. Companies and individuals that prioritize cybersecurity practices have all the more reason to strengthen the passwords used across their portals and applications.
The best way anyone can commemorate this special day is to ensure that their passwords meet security standards. You'll be doing what the day calls for while also improving your organization's security. Being informed about safer password use is more important than ever. It also honors the day, since you'll inspire everyone around you to do the same and be careful with their digital presence. We've summarised five top password tips below to help you review your own digital security.
5 tips to create a strong password
Avoid using sequences of numbers or letters
While this seems like it’d be easier to remember, it’s also easier for others to guess! The general rule is that no element of your password should be repeated.
Aim for at least 8 characters and use a variety of characters
Many sites and platforms will enforce this rule automatically, but when you’re choosing a password you should always ensure it’s no less than 8 characters long, and that it is made up of a mixture of characters – numbers, symbols, and letters. This variety will add to the strength of your password, and to make it even harder to guess, throw a blend of upper and lower case characters into the content.
Don’t use the same password for all logins
Choosing the same password for a handful of sites is a recipe for disaster. If one of your passwords is picked up by a cybercriminal, they’ll likely use it to gain entry to other key accounts such as online banking platforms. While it might seem more convenient, this is one of the biggest red flags when it comes to password security.
Make sure you don’t include your birthday or year
Similarly, cybercriminals will utilise any personal information that they can find out about you. Want to prevent them from leveraging this? Don’t add your birthday or the year you were born to your passwords!
Use a password manager
Remembering your carefully chosen passwords can feel like a chore, but there's an easy way to combat this – opt for a fully secure password manager to store your all-important logins. Many are fully encrypted and require multi-factor authentication. This way, your passwords are essentially stored in a vault that only you can access!
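As an added example that is not part of the original post, the checker below turns tips 1, 2 and 4 into code: it flags character sequences and repeats, enforces the 8-character minimum and the mix of character classes, and looks for a birth year or birthday inside the password. The rule thresholds (a run of three for sequences and repeats) and the sample passwords are assumptions made for this example; reuse across sites (tip 3) cannot be checked locally and is what a password manager is for.

```python
# Added example (not from the original post): a checker for the post's tips.
import re
from datetime import date
from typing import List, Optional

MIN_LENGTH = 8  # the post's minimum length
RUN = 3         # assumed threshold: three in a row counts as a sequence/repeat


def has_sequence(pw: str, run: int = RUN) -> bool:
    """True if pw has `run` consecutive ascending or descending characters
    (e.g. 'abc', '123', 'cba'); case is ignored."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        codes = [ord(c) for c in low[i:i + run]]
        steps = {b - a for a, b in zip(codes, codes[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_repeat(pw: str, run: int = RUN) -> bool:
    """True if any character appears `run` or more times in a row ('aaa')."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def char_classes(pw: str) -> int:
    """Number of classes present out of lower, upper, digit, symbol."""
    patterns = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")
    return sum(1 for p in patterns if re.search(p, pw))


def contains_birth_info(pw: str, birthday: date) -> bool:
    """Looks for the 4- or 2-digit birth year and DDMM / MMDD forms.
    The 2-digit year check can false-positive on random digits."""
    y = str(birthday.year)
    forms = {y, y[2:], f"{birthday.day:02d}{birthday.month:02d}",
             f"{birthday.month:02d}{birthday.day:02d}"}
    return any(f in pw for f in forms)


def check_password(pw: str, birthday: Optional[date] = None) -> List[str]:
    """Return the tips the password violates; an empty list means it passes."""
    problems = []
    if has_sequence(pw) or has_repeat(pw):
        problems.append("contains a sequence or repeated characters")
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than 8 characters")
    if char_classes(pw) < 4:
        problems.append("missing a mix of upper, lower, numbers and symbols")
    if birthday is not None and contains_birth_info(pw, birthday):
        problems.append("contains birthday or birth year")
    return problems
```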
About the Author
Aaron Sandeen is the CEO of Cyber Security Works (CSW), your organization’s early cybersecurity warning partner to prevent attacks before they happen.
Aaron leads CSW in helping organizations worldwide to continuously improve their security posture by mapping their vulnerabilities to real-world threats.