Recently, Specops Software released its first annual Weak Password Report, an analysis of over 800 million breached passwords. The findings revealed a lot, including the fact that simply following password security best practices may not be enough in an increasingly volatile cybersecurity landscape.
To learn more, VMblog spoke to Darren James, Head of Internal IT at Specops.
VMblog: Are typical password construction best practices - like choosing passwords with a certain number of characters, symbols, etc. - enough to remain safe in today's volatile cybersecurity landscape?
Darren James: Absolutely not. Specops recently released our first annual Weak Password Report where we analyzed 800 million breached passwords in order to identify current password security trends, and the findings showed that traditional password construction best practices are no longer enough to protect accounts and keep data secure. For example, 41% of passwords used in attacks are 12 characters or longer and 68% include at least two character types. So, while not using your mother's maiden name or the name of your cat might be a no-brainer (though not for everyone!), you are still not protected even if you add two exclamation points with an underscore.
VMblog: What can companies do NOW to remain secure?
James: With some of the most high-profile cybersecurity incidents of the last two years involving passwords, such as last year's Colonial Pipeline breach, it's imperative that organizations implement password policies to block compromised passwords and utilize additional authentication methods to ensure the security of sensitive business data and accounts. I can't stress enough that NOW is the time to really take action. A few additional actions companies can take include continuing to enforce password length requirements (encouraging passphrases rather than simple passwords), implementing user verification at the service desk, and auditing the enterprise environment to highlight password-related vulnerabilities. Multi-factor authentication is also critical to ensure that accounts can't be accessed even if an employee's password is breached.
VMblog: Despite recommendations, what password bad habits are you still seeing?
James: Through our analysis of known compromised passwords, it's become obvious that hackers today don't have to go to great lengths to find someone's information - they can find your hometown, the name of your first pet, and where you went to school just from a quick glance at social media. Yet, we still see people using easily accessible information as part of their passwords, in addition to easily guessable passwords like "password123."

Additionally, we see people using the same password across multiple accounts, not just their work but their social media, banking, etc. These passwords are extremely vulnerable when they have been reused across various personal and professional platforms, and tend to follow typical patterns and themes at the point of creation. This makes it more likely that they end up in leaked password dumps, which are then used in brute force attacks on corporate networks - because hackers know you're likely to reuse passwords.
VMblog: It's no surprise that password-related attacks have been on the rise, but despite the publicity of this issue over the last year, why do you think people still fail to choose strong passwords and implement other measures to guard accounts?
James: There are a multitude of reasons for this, but a primary reason is people tend to have too many passwords to remember across work and personal accounts. Our own research has shown that most users report having to remember at least 11 passwords for work as well as at least 11 passwords at home - a number that makes it impossible for those to all be unique if the person is relying on their memory. Second, I see a lot of IT departments relying on end-user education only rather than choosing tools that help enforce security best practices for them. While an engaging security training program is critical to helping employees recognize potential red flags, it is equally important to have tools in place that enforce cybersecurity protections in a user-friendly manner.
VMblog: What tools should every business consider to help enforce good password practices?

James: For Active Directory passwords, a third-party password filter that helps block weak and compromised passwords. Outside of Active Directory, implementing an enterprise password manager, which can make it easier to generate long, unique, random passwords and eliminate the need for employees to remember a multitude of passwords, is a good idea.
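To illustrate the two points above (that a password meeting length and character-class rules can still be compromised, and what a compromised-password filter actually checks), here is an added Python example; it is not Specops' product code, and the breached-password list it uses is a small constructed sample standing in for a real multi-million-entry list.

```python
"""Compromised-password filter demo (added example, not the vendor's code).

A candidate is checked against construction rules (length, character types)
and then against a breached-password index. The point: a 16-character,
four-class password is still rejected if it is already in a breach dump.
"""
import hashlib
import re

# Constructed sample of "breached" passwords. A real deployment would load a
# large list (hundreds of millions of entries) instead of this handful.
SAMPLE_BREACHED = ["password123", "Summer2021!!", "Welcome_to_Work1", "P@ssw0rd2022"]


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Store only SHA-1 hashes, bucketed by a 5-hex-char prefix (the layout used
    by k-anonymity range lookups), so the filter never holds plaintext."""
    index = {}
    for pw in passwords:
        h = _sha1_hex(pw)
        index.setdefault(h[:5], set()).add(h[5:])
    return index


BREACH_INDEX = build_breach_index(SAMPLE_BREACHED)


def is_compromised(pw, index=BREACH_INDEX):
    h = _sha1_hex(pw)
    return h[5:] in index.get(h[:5], set())


def char_classes(pw):
    """Count how many of lower / upper / digit / other appear in the password."""
    return sum(1 for c in (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^a-zA-Z0-9]") if re.search(c, pw))


def evaluate(pw, min_len=12, min_classes=2):
    """Return (accepted, reasons). Construction checks come first, then the
    breach lookup, so a well-formed but leaked password is still rejected."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if char_classes(pw) < min_classes:
        reasons.append(f"fewer than {min_classes} character types")
    if is_compromised(pw):
        reasons.append("appears in breached-password list")
    return (not reasons, reasons)
```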
VMblog: Are passwords the weakest link in an organization's network or the employees?
James: The answer is both. People create passwords, so they are only as secure as people make them, and often that means they aren't very secure at all. As far as choosing a "secure" password, we recommend choosing passphrases rather than single words since these are more difficult to guess. But since passphrases can still be reused and leaked, it's important that businesses implement additional safeguards, such as implementing multi-factor authentication and blocking employees from choosing passwords that are known to be compromised. In addition to making businesses more secure, this also lifts the burden off the user by making it easier to choose better passwords.
VMblog: How have hackers adjusted their tactics to keep up with evolving password requirements?
James: Password-related attacks have been on the rise for the last two years, with stolen user credentials at the root of several high-profile and disruptive attacks, such as those on Colonial Pipeline and others. Yet, despite the rise, hackers are still relying largely on the same tactics they've used for years - social engineering and stolen credentials. The pandemic has certainly made some of the most common tactics easier, including social engineering at the help desk. We've seen this happen in the wild in last year's breach of EA Games, in which a group of hackers stole a large amount of data and broke into the company by tricking an employee over Slack into providing a login token.
VMblog: What other security issues keep you up at night?
James: Human nature - we are just too trusting! That's why it is so critical for companies to introduce new safeguards to protect all of us from ourselves - things like multi-factor authentication, blocking weak and compromised passwords, and implementing more identity and access controls.
VMblog: Microsoft and others have recently introduced "passwordless" options to guard accounts. Are passwords going away?
James: We've been hearing from several tech companies that the passwordless future is already here, and yet passwords are still the most popular form of authentication used for our devices and systems. With that said, could the death of passwords be something on the horizon? Sure, but not for a very, very long time! If we think about it, passwords fundamentally are the easiest way to implement security, the cheapest to develop, and the easiest to use. And, even as other forms of authentication have been introduced - such as facial recognition for phones - passwords are still the backup when those newer methods fail. Passwords may not be perfect, but they've been guarding our accounts and systems for over 60 years and I believe they will continue to do so for the foreseeable future.