By Jonas Walker, FortiGuard Labs
It’s no surprise that bad actors love to find easy-to-exploit vulnerabilities, and weak passwords are at the top of that list. According to the Verizon 2022 Data Breach Investigations Report, stolen credentials led to nearly 50% of cyberattacks last year.
Once attackers use stolen passwords to access an individual’s account, they often walk away with a treasure trove of personal data, like banking details or other critical personal information. With this data, an attacker can carry out various malicious activities like stealing the individual’s identity, accessing their social media accounts, and spending money on their credit cards. As a result, it is crucial that strong passwords are used and frequently changed to prevent bad actors from gaining access.
How do hackers get passwords?
There are numerous tactics that clever attackers use to steal passwords. One example is social engineering, or phishing, where cybercriminals trick users into providing their credentials over email or text messages, clicking on malicious links, or visiting malicious websites. Another is traffic interception, where attackers use software like packet sniffers to monitor network traffic containing password information and capture credentials.
Additionally, the Conti ransomware leak disclosed how the most successful ransomware group of 2021 used information stealers and credential stuffing techniques, where the threat actor purchases leaked credentials from databases on various darknet markets. Unfortunately, many people use the same password and email combination for multiple websites. If only one of these combinations ends up in a database, it’s easy for threat actors to reuse this sensitive information to gain access to their victim’s environment.
Attackers are constantly finding new ways to compromise user credentials, making it nearly impossible to create a comprehensive list of how they might steal a password. That’s why we must learn to keep ourselves and our data safe online. A great place to start is by implementing passwords across accounts that are harder for attackers to steal.
Best practices for creating better passwords
What constitutes a strong password? Here are four simple tips for creating great passwords and better protecting yourself against a cyberattack.
- Create passwords that are impossible to forget but difficult for others to guess. While it might seem like a good idea to add numbers or special characters to common words and phrases to strengthen your password, attackers use multiple techniques to crack this approach. In a dictionary attack, for example, attackers use a list of common words to gain access to apps or websites in hopes that people use those words in their passwords. They also add numbers before or after those common words to account for people who think that simply adding numbers before or after a word will make their password harder to guess. To make creating strong passwords easier, use a mnemonic device, such as the second letter of every word in a sentence you know or from the lyrics to an obscure song, and mix in capitalization and special characters.
- Avoid using particular names, numbers, or phrases in your passwords. Keep your personally identifiable information – along with your favorite vacation destination, college, or sports team – out of your passwords. Avoid using the following in any password:
- Birthdays
- Phone numbers
- Company information
- Names, including movie titles and sports teams
- A simple obfuscation of a common word (“P@$$w0rd”)
Instead, use a combination of uppercase and lowercase letters, numbers, and symbols, and create a password that’s at least 10 characters long.
- Use different passwords for each individual account. When you use the same password for multiple accounts, you’re increasing the amount of information an attacker can access about you if they’re able to steal your credentials. Suppose one of your accounts gets compromised, and your username and password are posted to the dark web. In that case, cybercriminals who know how often passwords are reused will start to plug that information into other accounts until they unlock ones that use the same credentials.
- Use a password manager to generate unique, long, complex, and easily changed passwords for all your online accounts. While following the password creation guidelines above is a solid start to improving your defenses against cyberattacks, don’t try to keep track of all of these passwords using a document or spreadsheet on your device (or a sticky note under your keyboard). That is just inviting trouble. Instead, consider using a password manager as a more secure option. A password manager generates unique passwords for each of your online accounts (or you can use your own), encrypts those passwords, and stores them in a local or cloud-based vault. Password managers make it easier to ensure you’re using the strongest passwords possible, as you only need to memorize a single password to access the vault.
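The tips above can be turned into an automated check that a registration form or a help desk can run before accepting a password. The following is an added example written for this article, not Fortinet code: it enforces the 10-character minimum and character-class mix, undoes the kind of obfuscation the article warns about (stripping digits or symbols added before or after a word and reversing leetspeak such as “P@$$w0rd”) before comparing against a wordlist, and rejects passwords that contain personal information such as a birth year or phone number. The wordlist here is a small constructed sample; a real deployment would load a large dictionary or breached-password corpus (an assumption, not something the article specifies).

```python
"""Password policy checker based on the article's password tips (added example)."""
import re
import string
from typing import Iterable, List

# Constructed sample of a "common words" list. A real deployment would load a
# large wordlist (assumption); the check logic is the same.
COMMON_WORDS = {
    "password", "welcome", "summer", "dragon", "football", "letmein", "qwerty",
}

# Leetspeak substitutions that cracking tools routinely reverse.
LEET_MAP = str.maketrans({
    "@": "a", "$": "s", "0": "o", "1": "i", "3": "e", "4": "a",
    "5": "s", "7": "t", "!": "i",
})

MIN_LENGTH = 10
MIN_CLASSES = 3  # of lowercase, uppercase, digits, symbols

_EDGE_NOISE = re.compile(r"^[^a-z]+|[^a-z]+$")


def candidate_cores(password: str) -> set:
    """Reduce a password to the plain words an attacker's wordlist would match.

    Two reductions are tried in both orders: stripping digits/symbols added
    before or after the word, and reversing leetspeak substitutions.
    """
    lowered = password.lower()
    stripped = _EDGE_NOISE.sub("", lowered)
    return {
        stripped,
        stripped.translate(LEET_MAP),
        _EDGE_NOISE.sub("", lowered.translate(LEET_MAP)),
    }


def character_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ])


def check_password(password: str, personal_info: Iterable[str] = ()) -> List[str]:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if character_classes(password) < MIN_CLASSES:
        problems.append(f"uses fewer than {MIN_CLASSES} character classes")
    if candidate_cores(password) & COMMON_WORDS:
        problems.append("is a common word with digits, symbols, or leetspeak added")
    lowered = password.lower()
    for item in personal_info:
        item_l = item.lower()
        # Ignore very short fragments to avoid matching by coincidence.
        if len(item_l) >= 4 and item_l in lowered:
            problems.append(f"contains personal information ({item})")
    return problems


if __name__ == "__main__":
    # Constructed sample passwords; the third is the only one that passes.
    samples = ["P@$$w0rd", "Summer2023!", "tR7$vKwm!2qL"]
    for sample in samples:
        print(f"{sample!r}: {check_password(sample) or 'OK'}")
    # Personal information supplied by the account record (constructed).
    print(check_password("MyDog1985!!", personal_info=["Jonas", "1985"]))
```

The check deliberately normalizes before the wordlist lookup rather than after, because the article's point is that appending digits or swapping letters for symbols does not take a password out of an attacker's dictionary; a checker that compares the raw string would pass “Summer2023!” even though its core is a common word.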
More than just strong passwords
While individuals can follow best practices for creating strong passwords, IT and security teams should take additional steps to safeguard their organization and its employees from compromised passwords. Strong passwords are table stakes.
If you’re a security professional, consider implementing:
- Multi-factor authentication (MFA): MFA confirms the identity of users by adding a step to the authentication process, either through physical or mobile-based tokens. Adding a second step to verify a user’s identity ensures that a cybercriminal can’t access that individual’s account even if a password is compromised.
- Single sign-on (SSO): SSO allows users to use a single username and password across multiple applications within their organization. Using just one set of credentials improves security as bad actors have fewer opportunities to compromise an individual’s account.
- Cybersecurity training and education: As cyber threats continuously evolve and attackers introduce new techniques to steal data, every employee must know about cyber threats and how they can best protect themselves. Free training courses, such as those in Fortinet’s Network Security Expert series, help educate individual users on how to keep safe.
- Digital Risk Protection (DRP) service: DRP services that include external attack surface management (EASM), brand protection, and adversary-centric intelligence (ACI) are essential in stopping adversaries early in their campaign. For example, Fortinet’s FortiRecon continuously monitors and alerts for leaked credentials from your employees across the dark web, from underground and invite-only adversary forums, from open-source intelligence (OSINT) sources, and more.
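To show what the "second step" in MFA looks like on the verifying side, here is an added example that is not part of the article or any Fortinet product: a minimal implementation of the time-based one-time password (TOTP) scheme used by mobile authenticator apps, built from HMAC-based one-time passwords (HOTP) as standardized in RFC 4226 and RFC 6238. The shared secret and timestamps below are the published RFC test values, so the expected codes are known; the one-step acceptance window and constant-time comparison are the standard defensive choices a verifier should make.

```python
"""TOTP verification as used by mobile MFA tokens (added example, RFC 4226/6238)."""
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per TOTP period


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    digest = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, for_time: float, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time."""
    return hotp(secret, int(for_time // TIME_STEP), digits)


def verify_totp(secret: bytes, submitted: str, now: float, window: int = 1) -> bool:
    """Accept a submitted code if it matches the current period or one adjacent period.

    The small window tolerates clock skew between phone and server; the
    constant-time comparison avoids leaking how many digits matched.
    """
    counter = int(now // TIME_STEP)
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, counter + delta), submitted):
            return True
    return False


if __name__ == "__main__":
    # RFC 6238 reference secret (ASCII "12345678901234567890") and timestamp.
    rfc_secret = b"12345678901234567890"
    print(totp(rfc_secret, 59))                      # 287082
    print(verify_totp(rfc_secret, "287082", 59))     # True
    print(verify_totp(rfc_secret, "000000", 59))     # False
    print(totp(rfc_secret, time.time()))             # current code for this secret
```

In a real deployment the secret is generated per user with a cryptographically secure random source, stored encrypted, and never reused across services; the verifier should also record the last accepted counter so a captured code cannot be replayed within the window.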
Being aware of cybersecurity risks and attacker tactics is more important than ever in the workplace and at home. Using strong passwords, and changing them often, is a fundamental part of protecting personal information and digital assets.
Fortinet Training Institute Courses and Services Can Help
Fortinet offers a wide range of resources to individual users and organizations to help further address security issues, such as weak passwords that can open the door to cyber criminals. Via the Fortinet Training Institute, Fortinet offers free training courses to help establish a foundational understanding of best cyber security hygiene practices. Fortinet’s Security Awareness and Training service is also available to organizations that want to ensure all their employees, regardless of their role, can identify threat methods and prevent vulnerabilities and breaches.