Another week, another article stressing the importance of good password management from the NCSC. Rather than explaining good password management, let’s explore why you should care about this technique as a cyber defence.
The NCSC have recently reported a heightened number of hackers using stolen credentials to gain access to accounts, a technique known as credential stuffing.
Most accounts, whether for personal or business use, require you to follow best practice when selecting a password, making it harder for hackers to compromise accounts and data. Yet if your passwords have already been leaked on the dark web, how exactly can good password management help? Chances are your company has a password policy in place, often enforced by the systems themselves. Yet should you be doing more to protect yourself and your business, and if so, what?
NCSC and other best practice institutions offer advice on how to manage your passwords, what good looks like and how businesses can update their approach to help organisations manage cyber risk.
When a user chooses their own password, the NCSC currently advises the three random words technique. A combination of three random words is memorable to the user but harder for a hacker to guess.
So, why are strong passwords so important? In 2021 IBM stated that compromised credentials are the most common initial attack vector, responsible for 20% of data breaches. 51% of people use the same passwords for work and personal accounts. This increases the likelihood of a hacker gaining access to a company’s infrastructure should they obtain an employee’s personal credentials. The consequences of this can be catastrophic.
Let’s look at two case studies:
- In 2021 Colonial Pipeline in North America was hit by a ransomware attack that caused fuel shortages across the United States, just one example of a cyber-attack having a real-world impact. This was a significant attack against critical national infrastructure, and the FBI was involved in tracking down some of the ransom paid. Reports now indicate that the initial breach came through a compromised VPN account whose password appeared in a dark-web leak of over 8.4 billion credentials (RockYou2021). Leaks like these pave the way for hackers and threat actors to brute force their way into accounts and networks;
- In the same year the United Nations itself fell victim to a cyber-attack, again due to compromised credentials (unconfirmed whether they belonged to the UN or a third party), combined with a lack of multi-factor authentication. Hackers were able to move laterally within the network, gaining access to confidential information.
Poor password management can lead to the compromise of an entire organisation.
Using the same login credentials across business and personal accounts is a key issue that companies combat every day. It is imperative that users are not only made aware of the risk through training and regular updates, but that they then act on that advice. Password brute-forcing is made all too easy when a previously compromised account used the password “Password123” and the newly changed password is “Password12345!”.
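One way a service can catch the rotation pattern described above at password-change time is to compare the "core" of the new password against the old one and against a breach list. The following is an added example, not code from the article or from Gemserv; the breach list, the leet mapping and the 12-character minimum are constructed assumptions, and a real deployment would query a full breach corpus rather than a small set.

```python
import re

# Constructed stand-in for a breached-credential list (the RockYou2021 leak the
# article mentions has billions of entries; these four are made up for the example).
BREACHED = {"password123", "qwerty", "letmein", "summer2021"}

# Common "leet" substitutions users apply to satisfy complexity rules (assumed set).
LEET = str.maketrans("0134578@$", "oieastbas")

def normalize(pw: str) -> str:
    """Reduce a password to the letters the user actually remembers.

    Lower-case, strip leading/trailing digits and symbols (the "123" and "!"
    bolted on at rotation time), then undo leet substitutions, so that
    "Password123" and "Password12345!" both collapse to "password".
    """
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)

def is_trivial_variant(old: str, new: str) -> bool:
    """True when the new password is the old one with only its trimmings changed."""
    o, n = normalize(old), normalize(new)
    return bool(o) and bool(n) and (o == n or o in n or n in o)

def in_breach_list(pw: str, breached=BREACHED) -> bool:
    """Exact match, or same core as a breached entry ("P@ssw0rd2022!" vs "password123")."""
    cores = {normalize(b) for b in breached}
    return pw.lower() in breached or normalize(pw) in cores

def check_new_password(old: str, new: str, breached=BREACHED) -> list:
    """Return the reasons a password change should be rejected (empty list = accept)."""
    reasons = []
    if len(new) < 12:  # assumed minimum; length matters more than symbol rules
        reasons.append("too short")
    if is_trivial_variant(old, new):
        reasons.append("trivial variant of previous password")
    if in_breach_list(new, breached):
        reasons.append("appears in breach list")
    return reasons
```

A three-random-words passphrase such as "correct horse battery" passes all three checks, while "Password12345!" is rejected both as a variant of "Password123" and as a breached core.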
This article started with the question: should you be doing more to protect yourself and your business? The answer is yes, you can and you should. Businesses have an obligation to help users manage their credentials, ensuring strong passwords are used from the get-go, but after that users are the first line of defence for an organisation's cyber security posture. Users need to follow the latest guidance and play their part in keeping your organisation protected. The above case studies are just two of the most notable in recent years, but your organisation could be next.
Gemserv’s Cyber Threat Intelligence service cuts through the noise and gives actionable insights on the threats facing your business – including credential leaks on the dark web. For more information on Gemserv’s threat intelligence services, get in contact with us.