
Attackers are Exploiting Weak Password Policy of Internet Users


A new report by vulnerability management firm Rapid7 disclosed that hackers attempt very simple usernames and passwords to breach third-party systems. 

The researchers ran a few hundred honeypots over 12 months to observe how attackers try to remotely break into networks they don't own, using the two most widely deployed remote administration protocols: Secure Shell (SSH) and Remote Desktop Protocol (RDP). 

Interestingly, threat analysts identified 512,000 cases in which the credentials the attackers tried came from the well-known RockYou2021.txt file, which contains close to 8.4 billion passwords used by real users. 

"We know now, provably and demonstrably, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet. Therefore, it's straightforward to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls," Tod Beardsley, director of research at Rapid7, stated. 

According to an analysis by cybersecurity firm ESET, the exploitation of common passwords has risen dramatically during the COVID-19 pandemic, with password guessing becoming the most popular method of attack in 2021. To infiltrate third-party systems, the hackers employ usernames such as “user” or “admin” and passwords such as “123456”, “123456789” and “qwerty”. 

This highlights how poorly internet users choose passwords. Last October, a cybersecurity researcher in Tel Aviv, Israel, found he could recover the passwords to 70% of the wireless networks he cycled past, often because the network owners had used a cellphone number as the password.

"With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed," Rapid7 added in its report. "As with so many things in security, the addition of convenience and complexity has made the task of protecting these systems far more challenging." 

Mitigation Tips 

The researchers recommended that organizations lock down RDP: limit all remote access attempts to hosts that have first authenticated via the corporate VPN, and change the default RDP port, which on its own sidesteps many automated scans. Organizations should also encourage employees to use password managers. 

Additionally, businesses can use a free tool such as Defaultinator, which Rapid7 built to audit SSH and RDP endpoints, to make sure production systems aren't running with default passwords.

Shopify Risking Customers Data by Employing Weak Password Policy


Specops Software, a password management and authentication solutions vendor, published a new report this week disclosing that e-commerce giant Shopify, which hosts more than 3.9 million live websites globally, employs a weak password policy on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and found that nearly all of them (99.7%) comply with Shopify's requirements. This does not mean Shopify customers' passwords have been breached; it highlights the risk that comes with allowing weak passwords. 

Shopify, headquartered in Ottawa, Ontario, was founded in 2006 by Tobias Lütke, Daniel Weinand, and Scott Lake after the trio failed to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks work because the majority of businesses only require short passwords, and users then fall back on predictable patterns, for example a common word followed by a number and/or special character. Password length is also a major defensive factor. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed how long it takes to brute-force passwords of various lengths and complexity levels. The analysts found that a five-character password can be cracked almost immediately, irrespective of complexity. Given how easily attackers crack short passwords, organizations should ideally require complex passwords of at least 12 characters. 

Enterprises risking users’ data safety 

According to a survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents such as spreadsheets, exposing them to significant risk. Hitachi ID surveyed 100 executives across EMEA and North America to better understand how secure their password management is. 

The survey suggests that businesses aren't practicing what they preach: almost all (94%) participants asserted that they need password monitoring training, and 63% claimed they do so more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses need to do to strengthen their overall password security. Perhaps the most important recommendation is to set a password requirement that is longer and more complex than what is currently in use. Windows includes account policy settings that businesses can use to enforce password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to stop users from creating passwords that are vulnerable to dictionary attacks by blocking commonly used passwords. This includes passwords with consecutive repeating characters (such as 99999) and passwords that substitute look-alike symbols for letters (such as $ for s).
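To make the two points above concrete (how permissive a five-character rule is against breached passwords, and what the dictionary, repeat-run and look-alike checks actually reject), here is an added example that is not code from Shopify, Specops or the original post. It compares a Shopify-style rule against a stricter policy over a small constructed sample of breached-style passwords; the sample, the block list and the substitution map are all assumptions chosen for illustration, not the billion-entry dataset Specops analysed.

```python
import re

# Constructed sample standing in for a breached-password list (not the
# billion-entry list Specops analysed); every value here is illustrative.
SAMPLE_BREACHED = [
    "123456", "password", "qwerty", "99999", "P@ssw0rd", "summer2021!",
    "letmein", "abc", "Sh0pify!", "correct horse battery staple x",
    "Tr0ub4dor&3", " space ", "iloveyou1", "admin", "welcome123",
    "P@$$w0rd2022!!", "aaaaaaaaaaaa1", "M7kq-Wz9!pLr2v",
]

# Constructed block list; a real deployment would feed in a breached-password
# database and an organisation-specific dictionary instead.
BLOCKED_WORDS = {"password", "qwerty", "letmein", "welcome", "admin",
                 "iloveyou", "summer", "troubadour", "shopify"}

# Common look-alike substitutions, mapped back to the letter they imitate.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "!": "i", "|": "l", "7": "t"})


def normalize(pw: str) -> str:
    """Undo look-alike substitutions ($ for s, 0 for o, ...) and lowercase,
    so 'P@$$w0rd' is judged as 'password'."""
    return pw.translate(LEET_MAP).lower()


def has_repeat_run(pw: str, run: int = 4) -> bool:
    """True if any character repeats `run` or more times in a row (e.g. 99999)."""
    return re.search(r"(.)\1{" + str(run - 1) + ",}", pw) is not None


def contains_blocked_word(pw: str) -> bool:
    """Dictionary check applied to the normalised form of the password."""
    norm = normalize(pw)
    return any(word in norm for word in BLOCKED_WORDS)


def weak_policy(pw: str) -> bool:
    """The user-facing rule the article describes for Shopify:
    at least five characters, no leading or trailing space."""
    return len(pw) >= 5 and not pw.startswith(" ") and not pw.endswith(" ")


def strong_policy(pw: str) -> bool:
    """At least 12 characters plus the dictionary, repeat-run and
    look-alike checks the article attributes to Specops Password Policy."""
    return (len(pw) >= 12
            and not has_repeat_run(pw)
            and not contains_blocked_word(pw))


def compliance_rate(policy, passwords) -> float:
    """Share of the given (breached) passwords a policy would have accepted."""
    accepted = sum(1 for pw in passwords if policy(pw))
    return accepted / len(passwords)


if __name__ == "__main__":
    for name, policy in (("weak (>=5 chars)", weak_policy),
                         ("strong (>=12 + checks)", strong_policy)):
        rate = compliance_rate(policy, SAMPLE_BREACHED)
        print(f"{name}: {rate:.1%} of sample breached passwords would be accepted")
```

On this constructed sample the five-character rule accepts 16 of 18 breached-style passwords, rejecting only the three-character one and the one with a leading space, while the stricter policy accepts 2 of 18. The normalisation step is what catches `P@$$w0rd2022!!`: it is 14 characters long and mixes classes, but reads as `password` once the look-alike symbols are undone.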

Google Announces Password Manager Updates to Enhance User Security


Last week, Google updated its Password Manager service, aimed at users who have been struggling to manage their passwords. 

Chrome users can now use Google Password Manager's autofill option so that the browser remembers and stores the passwords for every site they visit, the company said in a blog post. 

Previously, users could add passwords to Google Password Manager only when Google prompted them to; now they can add passwords manually at any time. 

Although Google is not yet ready to make Password Manager a standalone app, Android users can now add a shortcut to it on the home screen. iPhone users can generate unique, strong passwords for their apps when they set Chrome as the default autofill provider. 

Additionally, the built-in Password Checkup feature on Android is getting an upgrade of its own. Beyond checking for compromised credentials, it now also flags weak and reused passwords, as Apple's iOS does. Google is also extending compromised-password warnings to Chrome users on all operating systems. 

Last but not least, Google is adding a new "Touch-to-Login" feature to Chrome on Android that lets users sign in to websites with a single tap once autofill has entered their credentials. Apple implemented a similar feature in Safari with iOS 12.2. 

According to Google's blog post, the latest updates and features were designed at the Google Safety Engineering Center, where privacy and security experts work on building a secure ecosystem for users. 

The blog post further stated, "Of course, our efforts to create a safer web are a truly global effort – from our early work on 2-step verification to our future investments in technologies like passkeys – and these updates that we are rolling out over the next months are an important part of that work." 

The announcement comes after Verizon’s 2022 Data Breach Investigations Report highlighted that compromised credentials accounted for almost 50% of data breaches.

New Specops Password Policy Detects and Blocks Breached Passwords in Users' Active Directory


Specops Software, a password management and authentication solutions vendor, published a new report this week explaining how the company's breached password protection policy can spot over 2 billion known breached passwords in users' Active Directory. 

Specops Breached Password Protection is a service that scans the passwords in a customer's Active Directory against a continuously updated list of compromised passwords. The list contains over 2 billion passwords from known data leaks as well as passwords being used in attacks happening right now. 

Specops also stops users from creating passwords that are vulnerable to dictionary attacks by blocking commonly used passwords. During a password change, the scanner rejects any password found in the database and gives the end user immediate feedback on why. Additionally, it supports a custom dictionary of likely passwords specific to the users' workplace, including company names, locations, services, and relevant acronyms. 

According to security analysts at Specops, password attacks work because users set predictable passwords. When asked to set a complex password, users follow familiar patterns that attackers can easily guess, for example a common word followed by a number and/or special character. Password length is also a major defensive factor. 

When Specops scanned over 800 million known compromised passwords, up to 83% of them were present in breached-password databases, meaning they failed to meet regulatory password standards. To arrive at this result, the analysts compared the password construction rules of 5 different standards against the dataset of 800 million compromised passwords. 

"You can install Specops Password Auditor on any workstation that's joined to your Active Directory. From the outset, you can download a database from us, which is updated every three months, based on the biggest leaks that have happened in that three-month period, plus the most common hits against our master database," Darren James, password and authentication analyst from Specops, explained.

"The database downloaded by the user consists of over 800 million of the most commonly breached and leaked password hashes, while our master database, updated daily, contains 2.6 billion hashes. You can export reports showing the results into a script or document to send to members of your organization. From here, Password Policy helps to solve the problem by eliminating breaches and weak passwords and ensuring that passwords are compliant." 
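The two mechanisms described above, a hash database checked at password-change time and an offline audit of an Active Directory export, are easy to sketch. The following is an added example written for this post; it is not Specops code and does not reproduce their database format. It assumes SHA-1 hex digests because that is how public breached-password feeds are commonly distributed (Active Directory itself stores NT hashes, and the article does not say which format Specops uses), and the breached set, organisation terms and suffix list are constructed placeholders.

```python
import hashlib
import itertools


def sha1_hex(password: str) -> str:
    """Hash a password the way public breached-password feeds are usually
    distributed (SHA-1 hex). Assumption: Active Directory stores NT hashes,
    and the article does not say which format Specops uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


# Constructed stand-in for the downloaded breached-hash database; a real one
# holds hundreds of millions of entries and is kept as hashes, never plaintext.
BREACHED_HASHES = {
    sha1_hex(pw) for pw in ["123456", "password", "qwerty", "letmein", "Summer2021!"]
}

# Constructed organisation terms (firm name, location, service, acronym).
ORG_TERMS = ["Acme", "Ottawa", "HelpDesk", "VPN"]

# Forward look-alike substitutions used to pre-compute the variants users try.
FORWARD_LEET = str.maketrans({"a": "@", "s": "$", "o": "0", "i": "1", "e": "3"})
SUFFIXES = ["", "1", "123", "!", "2022", "2023"]


def expand_org_dictionary(terms):
    """Turn each workplace term into the capitalisation, look-alike and
    suffix variants that commonly show up as passwords."""
    variants = set()
    for term in terms:
        bases = {term.lower(), term.capitalize(), term.upper(),
                 term.lower().translate(FORWARD_LEET)}
        for base, suffix in itertools.product(bases, SUFFIXES):
            variants.add(base + suffix)
    return variants


ORG_DICTIONARY = expand_org_dictionary(ORG_TERMS)


def evaluate_password_change(candidate: str):
    """Password-change hook: returns (accepted, message) so the user gets
    immediate feedback instead of a silent rejection."""
    if sha1_hex(candidate) in BREACHED_HASHES:
        return False, "This password appears in a known data breach; choose another."
    lowered = candidate.lower()
    if candidate in ORG_DICTIONARY or any(t.lower() in lowered for t in ORG_TERMS):
        return False, "This password is based on a term tied to our organisation; choose another."
    return True, "Password accepted."


def audit_directory(stored_hashes: dict) -> list:
    """Offline audit over an export of username -> stored hash; returns the
    users whose current password hash appears in the breached set."""
    return sorted(user for user, h in stored_hashes.items() if h in BREACHED_HASHES)


if __name__ == "__main__":
    for pw in ["password", "Acme2023", "@cm3123", "Xv8-plum-Orbit-44"]:
        print(pw, "->", evaluate_password_change(pw))
    print(audit_directory({"alice": sha1_hex("qwerty"),
                           "bob": sha1_hex("Xv8-plum-Orbit-44")}))
```

Two design points carry over to a real deployment: the breached list is compared hash-to-hash so the plaintexts never need to be on the workstation, and the organisation dictionary is expanded ahead of time rather than at each check, so `@cm3123` is rejected even though a plain substring test for `acme` would miss it.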

LastPass Says No Passwords Were Stolen in Latest Security Threat


Near the end of December 2021, multiple users of the password manager LastPass reported that their master passwords had been compromised after they received email alerts that someone from an unknown location had attempted to log in to their accounts.

The email notifications also state that the access attempt was blocked because it came from an unrecognized location. "Someone just used your master password to try to log in to your account from a device or location we didn't recognize," the login alert says. "LastPass blocked this attempt, but you should take a closer look. Was this you?" 

Reports of compromised LastPass master passwords have been circulating on social media sites such as Twitter, Reddit, and Hacker News after a LastPass user posted to highlight the issue. He claims that LastPass warned him of a login attempt from Brazil using his master password. 

This led to speculation that a vulnerability in a LastPass server had leaked master passwords to attackers, since these emails are only sent when the unauthorized party logs in with the correct password. However, this seemed unlikely, as LastPass clarified that it doesn't store master passwords on its servers.

"LastPass investigated recent reports of blocked login attempts and determined the activity is related to fairly common bot-related activity, in which a malicious or bad actor attempts to access user accounts (in this case, LastPass) using email addresses and passwords obtained from third-party breaches related to other unaffiliated services," LogMeIn Global PR/AR Senior Director Nikolett Bacso-Albaum told BleepingComputer. 

"It’s important to note that we do not have any indication that accounts were successfully accessed or that the LastPass service was otherwise compromised by an unauthorized party. We regularly monitor for this type of activity and will continue to take steps designed to ensure that LastPass, its users, and their data remain protected and secure," Nikolett added. 

However, LastPass users who received these warnings have said that the passwords in question were used only for LastPass and nowhere else. To reduce the risk, security researchers have recommended that LastPass users enable multifactor authentication so their accounts stay protected even if their master password is compromised.
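The "bot-related activity" LastPass describes, one source replaying email/password pairs from third-party breaches against many accounts, has a distinctive shape in authentication logs, and the "blocked from an unknown location" alert tells a defender which accounts' passwords the attacker actually holds. The following added example (written for this post, not LastPass code) shows both pieces of detection logic run over a small constructed log in a made-up key=value format; the log lines, addresses and result codes are all assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events in a simple key=value format; these are
# not real LastPass logs, and the addresses are documentation ranges.
SAMPLE_LOG = """\
2021-12-27T10:00:01Z ip=203.0.113.7 user=alice@example.com geo=BR result=FAIL
2021-12-27T10:00:02Z ip=203.0.113.7 user=bob@example.com geo=BR result=FAIL
2021-12-27T10:00:02Z ip=203.0.113.7 user=carol@example.com geo=BR result=FAIL
2021-12-27T10:00:03Z ip=203.0.113.7 user=dave@example.com geo=BR result=BLOCKED_NEW_LOCATION
2021-12-27T10:00:04Z ip=203.0.113.7 user=erin@example.com geo=BR result=FAIL
2021-12-27T10:00:05Z ip=203.0.113.7 user=frank@example.com geo=BR result=FAIL
2021-12-27T10:05:00Z ip=198.51.100.4 user=alice@example.com geo=US result=SUCCESS
2021-12-27T10:06:00Z ip=198.51.100.4 user=alice@example.com geo=US result=FAIL
2021-12-27T10:07:00Z ip=198.51.100.4 user=alice@example.com geo=US result=SUCCESS
"""


def parse_line(line: str) -> dict:
    """Parse one 'timestamp key=value ...' event into a dict with a datetime."""
    ts, *fields = line.split()
    event = dict(field.split("=", 1) for field in fields)
    event["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return event


def detect_credential_stuffing(lines, window=timedelta(minutes=5), min_accounts=5):
    """Flag source IPs that attempt at least `min_accounts` distinct accounts
    inside any `window`; returns {ip: max distinct accounts seen in a window}.
    One IP cycling through many different users is the signature of
    breach-list replay, unlike a single user fumbling their own password."""
    events = sorted((parse_line(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    by_ip = defaultdict(list)
    for event in events:
        by_ip[event["ip"]].append(event)
    alerts = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            # Slide the window start forward until it fits inside `window`.
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            accounts = {e["user"] for e in evs[start:end + 1]}
            if len(accounts) >= min_accounts:
                alerts[ip] = max(alerts.get(ip, 0), len(accounts))
    return alerts


def accounts_with_correct_password_replayed(lines) -> list:
    """Accounts whose correct password was used from an unrecognised location
    by a flagged source: the attempt was blocked, but the password itself is
    known to the attacker, so these users are first in line for a reset and
    a multifactor-authentication prompt."""
    flagged = detect_credential_stuffing(lines)
    hits = {
        e["user"]
        for e in (parse_line(l) for l in lines if l.strip())
        if e["ip"] in flagged and e["result"] == "BLOCKED_NEW_LOCATION"
    }
    return sorted(hits)


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    print("stuffing sources:", detect_credential_stuffing(lines))
    print("reset + MFA first:", accounts_with_correct_password_replayed(lines))
```

On the sample, `203.0.113.7` is flagged for touching six different accounts in four seconds, while `198.51.100.4` (one user, one failed attempt between two successes) is not. Only `dave@example.com` comes back from the second function: the attacker's attempt on that account was blocked by the location check, but because the alert fires only on a correct password, that password is the one worth rotating and protecting with MFA immediately.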