
Attackers are Exploiting Weak Password Policy of Internet Users


A new report by vulnerability management firm Rapid7 disclosed that attackers try very simple usernames and passwords when attempting to breach third-party systems. 

The researchers employed a few hundred honeypots over 12 months to examine how hackers try to remotely breach foreign networks using the two most widely utilized types of remote administration systems - secure shell protocol and remote desktop protocol. 

Interestingly, the threat analysts found 512 thousand cases in which the credentials the attackers tried came from a well-known file called RockYou2021.txt, a list of close to 8.4 billion passwords used by real users. 

"We know now, provably and demonstrably, that nobody — 0% of attackers — is trying to be creative when it comes to unfocused, untargeted attacks across the Internet. Therefore, it's straightforward to avoid this kind of opportunistic attack, and it takes very little effort to take this threat off the table entirely, with modern password managers and configuration controls," Tod Beardsley, director of research at Rapid7 stated. 

According to an analysis by cybersecurity firm ESET, the exploitation of common passwords has risen dramatically during the COVID-19 pandemic, with password guessing becoming the most popular method of attack in 2021. To infiltrate third-party systems, the hackers employ usernames such as “user” or “admin” and passwords such as “123456”, “123456789” and “qwerty”. 
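The pattern described above (many failed logins, all against generic usernames such as "user" or "admin") is easy to pick out of an SSH authentication log. The following is an added example, not code from the Rapid7 report or from ESET: it parses constructed sshd log lines (RFC 5737 documentation addresses, made up for this illustration) and flags source addresses whose failures are spread only across generic usernames, which is the signature of unfocused spraying rather than a targeted attempt. The list of generic usernames is an assumption extended from the two named in the text.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log lines; not taken from any real system or from the report.
SAMPLE_AUTH_LOG = """\
Jun 14 03:12:01 bastion sshd[2201]: Failed password for invalid user admin from 203.0.113.5 port 51022 ssh2
Jun 14 03:12:03 bastion sshd[2201]: Failed password for invalid user user from 203.0.113.5 port 51024 ssh2
Jun 14 03:12:05 bastion sshd[2201]: Failed password for root from 203.0.113.5 port 51026 ssh2
Jun 14 03:12:08 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40110 ssh2
Jun 14 03:12:09 bastion sshd[2201]: Failed password for invalid user test from 198.51.100.23 port 40112 ssh2
Jun 14 03:12:11 bastion sshd[2201]: Failed password for invalid user admin from 198.51.100.23 port 40114 ssh2
Jun 14 03:14:40 bastion sshd[2208]: Accepted publickey for deploy from 192.0.2.10 port 55500 ssh2: ED25519 SHA256:placeholder
Jun 14 03:15:02 bastion sshd[2210]: Failed password for invalid user admin from 192.0.2.77 port 60001 ssh2
"""

# sshd writes "invalid user" only when the account does not exist (e.g. root
# exists, so that line lacks the prefix); the optional group handles both.
FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>\d+\.\d+\.\d+\.\d+)"
)

# "user" and "admin" are named in the article; the rest are assumed to be
# equally generic names that untargeted scanners try.
GENERIC_USERNAMES = {"user", "admin", "root", "test", "guest", "administrator"}


def parse_failed_logins(log_text):
    """Return a list of (username, source_ip) for every failed password attempt."""
    attempts = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            attempts.append((m.group("user"), m.group("ip")))
    return attempts


def summarize(attempts, threshold=3):
    """Group failures by source IP and flag sources that look like unfocused
    spraying: at least `threshold` failures, every one of them against a
    generic username. Returns {ip: Counter(usernames)} for flagged sources."""
    by_ip = defaultdict(list)
    for user, ip in attempts:
        by_ip[ip].append(user)
    flagged = {}
    for ip, users in by_ip.items():
        all_generic = all(u in GENERIC_USERNAMES for u in users)
        if len(users) >= threshold and all_generic:
            flagged[ip] = Counter(users)
    return flagged


def top_usernames(attempts, n=3):
    """Most-tried usernames across all sources, as (username, count) pairs."""
    return Counter(user for user, _ in attempts).most_common(n)


if __name__ == "__main__":
    attempts = parse_failed_logins(SAMPLE_AUTH_LOG)
    for ip, users in summarize(attempts).items():
        print(f"spraying source {ip}: {dict(users)}")
    print("most-tried usernames:", top_usernames(attempts))
```

The single failure from 192.0.2.77 stays below the threshold, which is the point of the rule: one wrong password is normal, a short burst against a run of generic accounts is not.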

This underlines the poor choices internet users make when setting passwords. Last year in October, a cybersecurity researcher in Tel Aviv, Israel, discovered he could recover the passwords to 70% of the wireless networks he pedaled past, often because they used a cellphone number as the password.

"With the increasing adoption of both remote work and cloud infrastructures, the number of people accessing corporate information systems across the internet has skyrocketed," Rapid7 added in its report. "As with so many things in security, the addition of convenience and complexity has made the task of protecting these systems far more challenging." 

Mitigation Tips 

The researchers recommended that organizations lock down RDP, including limiting remote access attempts to hosts that have first been validated via the corporate VPN, and change the default RDP port, which by itself sidesteps many automated attacks. Organizations should also encourage employees to use password managers. 

Additionally, the businesses can employ a free tool such as Defaultinator, which Rapid7 designed to audit SSH and RDP endpoints, to ensure that production systems aren't using default passwords.

Shopify Risking Customers Data by Employing Weak Password Policy


Specops Software, a password management and authentication solutions vendor, published a new report this week disclosing that e-commerce giant Shopify, with more than 3.9 million live websites globally, employs weak password policies on the user-facing section of its website. 

To create a Shopify account, users only need to create a password that is at least five characters in length and that does not begin or end with a space. 

Threat analysts at Specops examined a list of a billion breached passwords and found that nearly all of them (99.7%) comply with Shopify's requirements. This does not mean that Shopify customers' passwords have been breached; it only highlights the risk of allowing weak passwords. 

Shopify, headquartered in Ottawa, Ontario, was founded in 2006 by Tobias Lütke, Daniel Weinand, and Scott Lake after the trio failed to find a suitable off-the-shelf e-commerce platform for a planned snowboarding store, Snowdevil. 

Risk of using weak passwords 

According to security analysts at Specops, password attacks succeed because the majority of businesses allow users to set short passwords that follow predictable patterns, for example a common word followed by a number and/or special character. Password length is also a major factor in how well a password resists attack. 

Earlier this year, Hive Systems, a cybersecurity firm, analyzed the time required to brute-force passwords of various lengths and levels of complexity. The analysts found that a five-character password can be cracked easily, irrespective of complexity. Given how quickly attackers can crack shorter passwords, organizations should ideally require complex passwords that are at least 12 characters in length. 

Enterprises risking users’ data safety 

According to a survey conducted by identity management vendor Hitachi ID, nearly 46% of enterprises store corporate passwords in office documents such as spreadsheets, exposing them to a significant cyber threat. Hitachi ID surveyed 100 executives across EMEA and North America to better understand how securely their passwords are managed. 

It suggests that businesses aren't practicing what they preach: almost all (94%) of the participants said they need password monitoring training, and 63% claimed they carry it out more than once a year.

Enhancing IT security 

This, of course, raises the question of what businesses need to do to strengthen their overall password security. Perhaps the most important recommendation is to set a password requirement that is longer and more complex than what is currently used. Windows operating systems include account policy settings that businesses can use to control password length and complexity requirements.

Additionally, organizations can use Specops Password Policy to stop users from choosing passwords vulnerable to dictionary attacks by blocking commonly used passwords. That includes passwords built from consecutive repeating characters (such as 99999) or from substituting symbols for letters (such as $ for s).
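To make the two policies discussed in this post concrete, the following is an added example (not code from Specops, Shopify, or the article) that implements the five-character rule as the text describes it alongside a hardened policy with the 12-character minimum and the dictionary-attack checks mentioned above: a blocklist of common passwords, matching even after trailing digits/symbols are dropped and symbol-for-letter substitutions are undone, and a ban on long runs of one repeated character. The sample "breached" passwords and the small blocklist are constructed for illustration and stand in for a real breached-password list.

```python
import re

# Constructed sample standing in for entries from a breached-password list.
SAMPLE_BREACHED = [
    "123456", "123456789", "qwerty", "password", "abc1", "99999",
    "p@$$w0rd", "iloveyou", "letmein!", "Summer2021", "Tr0ub4dor&3",
    "aaaaaaaaaaaa", "P@$$w0rd2021!",
    "correct horse battery staple", "Xk9#mQ2$vL7pRt",
]

# Constructed blocklist; a real deployment would use a full breached-password feed.
COMMON_PASSWORDS = {"123456", "123456789", "qwerty", "password", "iloveyou", "letmein"}

# Undo the common symbol/digit-for-letter substitutions before blocklist lookup.
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a", "!": "i"})


def shopify_style_policy(pw):
    """The policy as the article describes it: at least five characters,
    not beginning or ending with a space. Nothing else is checked."""
    return len(pw) >= 5 and not pw.startswith(" ") and not pw.endswith(" ")


def normalize(pw):
    """Lower-case and reverse symbol substitutions so 'P@$$w0rd' -> 'password'."""
    return pw.lower().translate(LEET_MAP)


def has_repeating_run(pw, run=4):
    """True if any single character repeats `run` or more times in a row."""
    return re.search(r"(.)\1{%d,}" % (run - 1), pw) is not None


def hardened_policy(pw, min_len=12):
    """12-character minimum plus dictionary-style checks."""
    if len(pw) < min_len or pw != pw.strip():
        return False
    if has_repeating_run(pw):
        return False
    # Drop a trailing "2021!"-style suffix before normalizing, so the base word
    # is compared against the blocklist on its own.
    stripped = re.sub(r"[\d\W_]+$", "", pw)
    if normalize(pw) in COMMON_PASSWORDS or normalize(stripped) in COMMON_PASSWORDS:
        return False
    return True


def compliance_rate(passwords, policy):
    """Percentage of the given passwords that the policy would accept."""
    accepted = sum(1 for pw in passwords if policy(pw))
    return round(100 * accepted / len(passwords), 1)


if __name__ == "__main__":
    print("five-character policy accepts:",
          compliance_rate(SAMPLE_BREACHED, shopify_style_policy), "%")
    print("hardened policy accepts:      ",
          compliance_rate(SAMPLE_BREACHED, hardened_policy), "%")
```

Run against the constructed sample, the five-character rule accepts nearly everything in the list, which mirrors the 99.7% figure Specops reported for the real breached list, while the hardened policy accepts only the two entries that are both long and not a disguised dictionary word. Note that "P@$$w0rd2021!" passes every complexity class yet is still rejected, because the check reasons about the underlying word rather than the character mix.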