{"id":2499,"date":"2018-11-14T12:00:36","date_gmt":"2018-11-14T12:00:36","guid":{"rendered":"https:\/\/www.empowerbpo.com\/blog\/?p=2499"},"modified":"2023-04-17T13:17:21","modified_gmt":"2023-04-17T13:17:21","slug":"strong-passwords","status":"publish","type":"post","link":"https:\/\/www.empowerelearning.com\/blog\/strong-passwords\/","title":{"rendered":"What makes strong passwords so important?"},"content":{"rendered":"<p>On September 5, 2018, law enforcement alerted Inova Health to a data breach. Its billing systems had been accessed by a bad actor using an employee\u2019s credentials, first in January 2017 and then again between July and October 2017. The breach affected 12,331 patients.<\/p>\n<p>An article by <a href=\"https:\/\/www.databreaches.net\/inova-health-notifies-patients-after-law-enforcement-alerts-them-to-breach-that-began-in-2016\/\" rel=\"nofollow noopener\" target=\"_blank\">Databreaches.net<\/a> points rightly at the source of the problem: <em>if Inova Health systems were being accessed repeatedly, once in January and then again in July-October, with the same credentials, then neither did the employee change their password, nor did the system require the employee to do so.<\/em><\/p>\n<h3><strong>Why should the Inova Health breach concern you?<\/strong><\/h3>\n<blockquote><p><em>Password re-use can cripple even the most secure systems.<\/em><\/p>\n<p><em>&#8211; Travis Smith, Tripwire<\/em><\/p><\/blockquote>\n<p><em>Lori MacVittie of F5<\/em> <a href=\"https:\/\/www.f5.com\/company\/blog\/credential-stuffing-what-is-it-and-why-you-should-worry-about-it\" rel=\"nofollow noopener\" target=\"_blank\">writes<\/a> of a 2012 study by CSID. The CSID researchers found that three-fifths of Internet users reuse passwords on multiple sites. 
Some of the major password habits of American consumers are listed below:<\/p>\n<ul>\n<li><strong>61% reuse passwords<\/strong> across multiple websites.<\/li>\n<li><strong>54% have only five passwords<\/strong> or fewer.<\/li>\n<li><strong>44%<\/strong> change their passwords only once a year or less.<\/li>\n<\/ul>\n<h3><strong>How do bad password habits hurt your business?<\/strong><\/h3>\n<p>According to the National Institute of Standards and Technology (NIST), stolen or weak passwords were the real cause of more than <a href=\"https:\/\/www.fbi.gov\/contact-us\/field-offices\/portland\/news\/press-releases\/fbi-tech-tuesday-building-a-digital-defense-with-robust-passwords\" rel=\"nofollow noopener\" target=\"_blank\"><strong>80% of hacking-related breaches<\/strong><\/a>.<\/p>\n<p>Let&#8217;s consider the situations listed below:<\/p>\n<ol>\n<li>If your employees use their official email address as the username for the company network, attackers already know half of every credential; if any employee has reused their password on an external site and that site gets breached, the attacker gains access to your network too.<\/li>\n<li>If your customers or vendors reuse passwords and email addresses across multiple sites, and any of them has reused those at work, attackers can reach your office network by breaching those other websites.<\/li>\n<li>If your employees, customers or partners do not create strong, unique passwords, an attacker can get into your network by brute-force guessing or by credential stuffing.<\/li>\n<\/ol>\n<p><strong><em>Hey, but isn\u2019t 2012 ancient history?<\/em> Not really:<\/strong><\/p>\n<ul>\n<li>A 2018 LastPass survey of its customers found that <a href=\"https:\/\/lp-cdn.lastpass.com\/lporcamedia\/document-library\/lastpass\/pdf\/en\/IAM_LastPass_SOTP_ebook.pdf\" rel=\"nofollow noopener\" target=\"_blank\">50% of people<\/a> do not create 
different passwords for personal and work accounts.<\/li>\n<li>Another 2018 survey, by the information destruction company Shred-It, found that 51% of consumers reuse their passwords and PINs across multiple accounts.<\/li>\n<\/ul>\n<p><em>Certainly, bad password habits aren\u2019t history. People still reuse passwords, and they still create easy-to-guess passwords.<\/em><\/p>\n<h3><strong>How do hackers steal passwords and usernames?<\/strong><\/h3>\n<p>If your employees use their email addresses as usernames, half of the attacker\u2019s work is already done. Corporate email addresses are easy to collect; consider the techniques listed below.<\/p>\n<ol>\n<li>View the \u201cContact Us\u201d page of your company website.<\/li>\n<li>View the author page.<\/li>\n<li>Use LinkedIn to build rapport and get the email address.<\/li>\n<li>Reach out on Twitter.<\/li>\n<li>Subscribe to your prospect&#8217;s email list.<\/li>\n<li>Use CRMs or LinkedIn Sales Navigator.<\/li>\n<\/ol>\n<p>Now consider the techniques that criminals can use to collect passwords:<\/p>\n<ol>\n<li>Collecting personal information about employees from the Internet and guessing words and numbers related to them.<\/li>\n<li>Searching computers and the office network for stored passwords.<\/li>\n<li>Dictionary attacks: trying every word in a wordlist as the password.<\/li>\n<li>Social engineering attacks, such as phishing and whaling.<\/li>\n<li>Shoulder surfing, or going through the material on an employee\u2019s desk, such as sticky notes and whiteboards.<\/li>\n<\/ol>\n<p>Or they can simply buy leaked credentials on the dark web and replay those username and password pairs against your login pages. 
Consider the following news items:<\/p>\n<ol>\n<li><a href=\"https:\/\/securityboulevard.com\/2018\/07\/credential-stuffing-list-containing-111-million-records-found-online\/\" rel=\"nofollow noopener\" target=\"_blank\">Credential stuffing list containing 111 million records found online<\/a> (July 10, 2018)<\/li>\n<li><a href=\"https:\/\/securereading.com\/42-million-records-of-credential-stuffing-data-discovered-on-the-free-hosting-service-kayo-moe\/\" rel=\"nofollow noopener\" target=\"_blank\">42 million records of credential stuffing data discovered on the free hosting service kayo.moe<\/a> (September 14, 2018)<\/li>\n<\/ol>\n<p>Remember the 2012 LinkedIn incident? Attackers stole 6.5 million password hashes from LinkedIn servers; cracked dumps like that are the raw material for credential stuffing lists like the ones above.<\/p>\n<h3><strong>Do brute force attacks really work?<\/strong><\/h3>\n<p>The two news items listed below aren\u2019t even a month old:<\/p>\n<ul>\n<li>On November 2, 2018, <a href=\"https:\/\/www.healthcareinfosecurity.com\/hsbc-bank-alerts-us-customers-to-data-breach-a-11685\" rel=\"nofollow noopener\" target=\"_blank\">HSBC reported<\/a> that unauthorized users had accessed some of its US accounts (fewer than 1%) using personal information, including passwords, obtained from other sources.<\/li>\n<li>On October 30, 2018, <a href=\"https:\/\/www.telegraph.co.uk\/technology\/2018\/10\/30\/eurostar-forces-customers-reset-passwords-data-breach\/\" rel=\"nofollow noopener\" target=\"_blank\">the Telegraph reported<\/a> that Eurostar had forced all customers to reset their passwords after a data breach.<\/li>\n<\/ul>\n<p>Both incidents are suspected to be credential stuffing attacks. Akamai\u2019s recently published report on credential stuffing underlines the problem: its customers were hammered by nearly <strong>30 billion malicious login attempts<\/strong> between November 2017 and June 2018. 
That\u2019s roughly 3.75 billion attempts a month.<\/p>\n<p>Of those, <strong>8.3 billion<\/strong> were recorded in May and June alone.<\/p>\n<h3><strong>What is credential stuffing?<\/strong><\/h3>\n<p>Simply stated, credential stuffing is an automated attack in which a botnet replays username and password pairs stolen from other breaches against your login page until one pair is accepted as legitimate. The attacker is not guessing: every pair on the list already worked somewhere else, and the attack succeeds wherever the victim reused it.<\/p>\n<h3><strong>Bad password habits and credential stuffing<\/strong><\/h3>\n<p>In essence, credential stuffing is a special case of brute force. Unfortunately, if an employee, customer or partner has had bad password habits \u2013 reused passwords, or weak or common passwords \u2013 the attacker gains access to your network.<\/p>\n<h4><strong>Consider the examples shared on the OWASP website<\/strong><\/h4>\n<ul>\n<li>The 2014 <strong>JP Morgan Chase<\/strong> breach: The breach compromised information for 76 million households and 7 million small businesses. 
The attackers used employee credentials which they obtained by targeting an athletic race\/run site, which was sponsored by JPMC and was open to bank employees to participate.<\/li>\n<li>The 2012 <strong>Dropbox<\/strong> breach: Attackers used credentials stolen from other sites to try to log in to Dropbox accounts.<\/li>\n<li>The 2012 <strong>Yahoo<\/strong> breach and the 2011 <strong>Sony<\/strong> breach are also cases of credential stuffing, which succeeded because users had used the same passwords across sites.<\/li>\n<\/ul>\n<p>In all the <a href=\"https:\/\/owasp.org\/www-community\/attacks\/Credential_stuffing\" rel=\"nofollow noopener\" target=\"_blank\">cases<\/a> stated above, attackers gained access to the victim website only because people had reused passwords.<\/p>\n<h3><strong>The DOs and DON\u2019Ts of password security<\/strong><\/h3>\n<ol>\n<li>\n<h4><strong>Create strong passwords<\/strong><\/h4>\n<\/li>\n<\/ol>\n<ul>\n<li>Use <strong>two things<\/strong> that you like and separate them with <strong>numbers and symbols<\/strong>.<\/li>\n<li>Base the password on a <strong>phrase<\/strong>.<\/li>\n<li>Use a <strong>picture<\/strong> or a series of pictures to frame the password.<\/li>\n<li>Create <strong>unique<\/strong>, <strong>randomized<\/strong> passwords.<\/li>\n<li>Create <strong>complex<\/strong> passwords:\n<ol>\n<li>They should include at least three of these four character types: lowercase letters (a, b, c &#8230; z), uppercase letters (A, B, C &#8230; Z), digits (0, 1, 2 &#8230; 9) and special characters (*, &amp;, $ &#8230;).<\/li>\n<li>They should not be dictionary words, or dictionary words with a single-character prefix or suffix, such as Dictionary1 or 3spaGhetti.<\/li>\n<li>They should not contain more than two repeated letters in a row (&#8220;biNNNkie3?&#8221;) or more than two letters in alphabetical or keyboard sequence (&#8220;qWEr%94&#8221;, &#8220;cDeF%94a&#8221;).<\/li>\n<\/ol>\n<\/li>\n<li>Use the longest 
password that you can remember. Create passwords that are <strong>10 characters or longer<\/strong>; they are much harder to crack.<\/li>\n<li>Use this tool to <a href=\"https:\/\/howsecureismypassword.net\/\" rel=\"nofollow noopener\" target=\"_blank\">test the strength of your password<\/a>. Test a password of the same shape rather than one you actually use: never type a live password into a third-party website.<\/li>\n<\/ul>\n<ol start=\"2\">\n<li>\n<h4><strong>Avoid risky password practices<\/strong><\/h4>\n<\/li>\n<\/ol>\n<ul>\n<li>NEVER reuse passwords.<\/li>\n<li>Do NOT use names or words that can be found in a dictionary.<\/li>\n<li>Do NOT use words and numbers that can be associated with you.<\/li>\n<li>NEVER give out your passwords to others \u2013 not even to family or friends.<\/li>\n<li>Do NOT store your account information in an unsecured document on your computer or the network.<\/li>\n<li>Never write your passwords on paper or sticky notes.<\/li>\n<li>Do NOT use the \u2018Remember me\u2019 or \u2018Save password\u2019 option for sensitive sites.<\/li>\n<li>Do NOT share passwords via email.<\/li>\n<li>Never use official passwords for personal accounts.<\/li>\n<\/ul>\n<ol start=\"3\">\n<li>\n<h4><strong>Good password management practices<\/strong><\/h4>\n<\/li>\n<\/ol>\n<ul>\n<li>Use a secure <strong><a href=\"https:\/\/www.empowerelearning.com\/courses\/best-password-practices\/\">password management<\/a> system<\/strong> to keep track of your login information across the web.<\/li>\n<li><strong>Change passwords promptly whenever compromise is suspected<\/strong>, and make the system enforce it: the Inova employee\u2019s stolen credential kept working for the better part of a year because nobody rotated it. (NIST SP 800-63B no longer recommends forcing routine, calendar-based changes; it does require a change on evidence of compromise.)<\/li>\n<li>You can use a simpler, easy-to-remember password for websites that don\u2019t hold anything sensitive, as long as it is still unique to that site; use <strong>only strong passwords for sensitive information<\/strong>.<\/li>\n<li>Use <strong>unique passwords<\/strong> for every account and <strong>vary the email addresses<\/strong> that you use for logging in.<\/li>\n<li>Have separate passwords for financial and confidential accounts.<\/li>\n<li>Implement <strong>two-factor authentication<\/strong> for 
sensitive accounts, such as network login and financial portals. A stolen password alone does not get the attacker in when a second factor is required.<\/li>\n<li>If you really have to write down your password \u2013 disguise it (<strong>steganography<\/strong>) rather than writing it out in the clear.<\/li>\n<li>If you receive a password via email \u2013 which is fairly common when an account is provisioned or reset &#8211; change it immediately; email is not a secure channel.<\/li>\n<\/ul>\n<p>As stated above, NIST has found stolen or weak passwords to be the cause of more than four-fifths, or 80%, of hacking-related breaches. This makes password habits a major risk factor for your business.<\/p>\n<p><strong>References<\/strong>:<\/p>\n<ol>\n<li><a href=\"https:\/\/www.empowerbpo.com\/courses\/best-password-practices\/\" rel=\"nofollow noopener\" target=\"_blank\">Best Password Practices<\/a> by <em>emPower eLearning Solutions<\/em><\/li>\n<li>Akamai, <a href=\"https:\/\/www.akamai.com\/uk\/en\/multimedia\/documents\/state-of-the-internet\/soti-2018-credential-stuffing-attacks-report.pdf\" rel=\"nofollow noopener\" target=\"_blank\">State of the Internet \/ Security: Credential Stuffing Attacks Report (2018)<\/a><\/li>\n<li>CSID, <a href=\"http:\/\/www.csid.com\/wp-content\/uploads\/2012\/09\/CS_PasswordSurvey_FullReport_FINAL.pdf\" rel=\"nofollow noopener\" target=\"_blank\">Password Survey: Full Report (September 2012)<\/a><\/li>\n<\/ol>\n","protected":false},"excerpt":{"rendered":"<p>On September 5, 2018, law enforcement alerted Inova Health to a data breach. Its billing systems had been accessed by a bad actor using an employee\u2019s credentials, first in January 2017 and then again between July and October 2017. The breach affected 12,331 patients. 
An article by Databreaches.net points rightly at the source of [&hellip;]<\/p>\n","protected":false},"author":3,"featured_media":3740,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[6],"tags":[177,181,163,175,178,184,179,182,183,180],"class_list":["post-2499","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-infosec","tag-credential-stuffing","tag-csid","tag-data-breach","tag-nist","tag-owasp","tag-password-habits","tag-password-management-system","tag-password-policy","tag-password-protection","tag-steganography"],"_links":{"self":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/2499","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/users\/3"}],"replies":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/comments?post=2499"}],"version-history":[{"count":0,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/posts\/2499\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media\/3740"}],"wp:attachment":[{"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/media?parent=2499"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/categories?post=2499"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.empowerelearning.com\/blog\/wp-json\/wp\/v2\/tags?post=2499"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
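The "Create strong passwords" rules in the post above (three of four character classes, no dictionary word with a one-character prefix or suffix, no more than two repeated letters in a row, no more than two letters in alphabetical or keyboard sequence, 10 characters or longer) are concrete enough to implement, and doing so shows how the page's own examples (Dictionary1, 3spaGhetti, biNNNkie3?, qWEr%94, cDeF%94a) fare against them. The checker below is an added example, not code from the original post. The `DICTIONARY` and `BREACHED` sets are tiny constructed stand-ins (an assumption): a real deployment loads a full word list and a breached-password corpus from disk. The breached-password check is not one of the page's rules; it is added because a password that already sits in a breach dump is exactly what credential stuffing lists are built from, however complex it looks.

```python
"""Checker for the password rules under "Create strong passwords" above.

Added example, not code from the original post.  DICTIONARY and BREACHED
are tiny constructed stand-ins (assumption): a real deployment would load
a full word list and a breached-password corpus from disk.
"""
import string
from typing import List

# Constructed stand-ins for real lists (assumption).
DICTIONARY = {"dictionary", "spaghetti", "password", "welcome", "summer"}
BREACHED = {"password1", "qwerty123", "summer2018", "welcome1"}

# Letter rows of a US QWERTY keyboard, for the "keyboard sequence" rule.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm")
SEQUENCES = (string.ascii_lowercase,) + KEYBOARD_ROWS

MIN_LENGTH = 10      # "10 characters or longer"
MIN_CLASSES = 3      # "at least three of these four character types"


def has_sequence_run(pw: str, run: int = 3) -> bool:
    """True if `run` consecutive letters of pw appear in alphabetical or
    keyboard order (either direction); case-insensitive."""
    low = pw.lower()
    for i in range(len(low) - run + 1):
        chunk = low[i:i + run]
        if not chunk.isalpha():
            continue
        for seq in SEQUENCES:
            if chunk in seq or chunk[::-1] in seq:
                return True
    return False


def has_repeat_run(pw: str, run: int = 3) -> bool:
    """True if the same character appears `run` or more times in a row."""
    low = pw.lower()
    return any(len(set(low[i:i + run])) == 1 for i in range(len(low) - run + 1))


def check_password(pw: str) -> List[str]:
    """Return the names of the rules `pw` violates; an empty list means accepted.
    Rule order is fixed so callers can compare results directly."""
    problems = []
    low = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append("length")

    classes = (
        any(c.islower() for c in pw)
        + any(c.isupper() for c in pw)
        + any(c.isdigit() for c in pw)
        + any(c in string.punctuation for c in pw)
    )
    if classes < MIN_CLASSES:
        problems.append("classes")

    # A dictionary word on its own, or with one character added in front or behind.
    if any(cand in DICTIONARY for cand in (low, low[1:], low[:-1])):
        problems.append("dictionary")

    if has_repeat_run(pw):       # "biNNNkie3?"
        problems.append("repeat")

    if has_sequence_run(pw):     # "qWEr%94", "cDeF%94a"
        problems.append("sequence")

    # Not one of the page's rules, but the check a practitioner adds: a password
    # already circulating in a breach corpus is what credential stuffing lists
    # are built from, however "complex" it looks.
    if low in BREACHED:
        problems.append("breached")

    return problems


if __name__ == "__main__":
    for candidate in ("Dictionary1", "3spaGhetti", "biNNNkie3?", "qWEr%94",
                      "cDeF%94a", "Password1", "Tr0ub4dor&3Horse"):
        verdict = check_password(candidate) or ["ok"]
        print(f"{candidate:18} {', '.join(verdict)}")
```

Run as a script it prints one verdict per candidate. Note what the rules do not catch: a seasonal pattern such as a capitalised month plus a year and a symbol passes every check above unless it is already on the breached list, which is why NIST SP 800-63B puts screening against breach corpora ahead of composition rules.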
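The "What is credential stuffing?" section above describes the attack from the attacker's side: a botnet replays stolen username and password pairs until one is accepted. From the defender's side the same behaviour has a recognisable shape in authentication logs, many different usernames from one source in a short window and almost all of them failing, with the rare success being the account that now needs a forced reset (the step Eurostar took and Inova did not). The detector below is an added example, not code from the original post; the log format, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Credential-stuffing detector run over authentication logs.

Added example, not code from the original post.  The log format, the
thresholds and the log lines themselves are constructed assumptions;
adapt parse_log() to whatever your identity provider or web server emits.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple

# Assumed format: "<ISO timestamp> <source_ip> <username> <SUCCESS|FAIL>".
# Constructed sample: one IP walks a list of stolen username/password pairs
# and gets one hit; two ordinary users log in (one after two typos).
SAMPLE_LOG = """\
2018-11-01T09:00:01 203.0.113.7 alice@corp.example FAIL
2018-11-01T09:00:02 203.0.113.7 bob@corp.example FAIL
2018-11-01T09:00:03 203.0.113.7 carol@corp.example SUCCESS
2018-11-01T09:00:04 203.0.113.7 dave@corp.example FAIL
2018-11-01T09:00:05 203.0.113.7 erin@corp.example FAIL
2018-11-01T09:00:06 203.0.113.7 frank@corp.example FAIL
2018-11-01T09:00:07 203.0.113.7 grace@corp.example FAIL
2018-11-01T09:00:08 203.0.113.7 heidi@corp.example FAIL
2018-11-01T09:01:10 198.51.100.20 alice@corp.example FAIL
2018-11-01T09:01:25 198.51.100.20 alice@corp.example FAIL
2018-11-01T09:01:40 198.51.100.20 alice@corp.example SUCCESS
2018-11-01T09:02:00 198.51.100.21 bob@corp.example SUCCESS
"""

WINDOW = timedelta(minutes=10)   # sliding window per source IP (assumption)
MIN_DISTINCT_USERS = 5           # a human rarely tries 5+ accounts (assumption)
MIN_FAIL_RATIO = 0.8             # stuffing is mostly misses (assumption)


class Event(NamedTuple):
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_log(text: str) -> List[Event]:
    """Parse the assumed log format into Event records (malformed lines are skipped)."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, ip, user, outcome = parts
        events.append(Event(datetime.fromisoformat(ts), ip, user, outcome == "SUCCESS"))
    return events


def detect_stuffing(events: List[Event], window: timedelta = WINDOW,
                    min_users: int = MIN_DISTINCT_USERS,
                    min_fail_ratio: float = MIN_FAIL_RATIO) -> Dict[str, dict]:
    """Flag source IPs that, inside any `window`, tried >= min_users distinct
    accounts with a failure ratio >= min_fail_ratio.  For each flagged IP the
    result records the peak counts and the accounts it logged into successfully,
    i.e. the credential pairs that were "accepted as legitimate"."""
    by_ip: Dict[str, List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda e: e.ts):
        by_ip[e.ip].append(e)

    flagged: Dict[str, dict] = {}
    for ip, evs in by_ip.items():
        start = 0
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            win = evs[start:end + 1]
            users = {e.user for e in win}
            ratio = sum(not e.ok for e in win) / len(win)
            if len(users) >= min_users and ratio >= min_fail_ratio:
                rec = flagged.setdefault(ip, {"users": 0, "fail_ratio": 0.0, "compromised": set()})
                rec["users"] = max(rec["users"], len(users))
                rec["fail_ratio"] = max(rec["fail_ratio"], ratio)
                rec["compromised"].update(e.user for e in win if e.ok)
    for rec in flagged.values():
        rec["compromised"] = sorted(rec["compromised"])
    return flagged


def accounts_to_reset(flagged: Dict[str, dict]) -> List[str]:
    """Accounts that accepted a login from a flagged IP: force a password reset
    and revoke sessions for these, rather than wait for the user to rotate."""
    return sorted({u for rec in flagged.values() for u in rec["compromised"]})


if __name__ == "__main__":
    hits = detect_stuffing(parse_log(SAMPLE_LOG))
    for ip, rec in hits.items():
        print(f"{ip}: {rec['users']} accounts tried, "
              f"{rec['fail_ratio']:.0%} failures, hits on {rec['compromised']}")
    print("force reset:", accounts_to_reset(hits))
```

The per-IP window is the simplest useful signal and deliberately ignores alice's two typos from her own address. Real stuffing campaigns spread attempts across proxy pools to stay under per-IP thresholds, so in production pair this with a global view (failure rate across all sources, and the number of distinct source IPs per account), and treat anything `accounts_to_reset()` returns as an incident, not a log line.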