
The Weakest Link: Poor Password Practices Put Businesses at Risk (A Summary of the Specops Weak Password Report 2023)

Introduction

Data breaches continue to pose a significant threat to businesses worldwide, highlighting and emphasising the critical need for stronger password security measures. The latest Specops Weak Password Report emphasises the vulnerability of passwords as the weakest link in an organisation’s network and stresses the importance of robust password policies as a defence against cyber-attacks. The report draws insights from the analysis of over 800 million compromised passwords and live attack data to shed light on the alarming state of password practices. In this article, we will explore the key findings of the report, the impact of poor password practices, and the measures businesses can take to protect their data.

The Danger of Poor Password Practices

The unfortunate truth is that most individuals, both personally and professionally, do not follow password best practices. Many people resort to weak, memorable passwords or reuse them across multiple accounts, which leaves organisations vulnerable to cyber-attacks. The Specops Weak Password Report revealed that a staggering 41% of Americans rely solely on their memory to track digital passwords, which pushes them towards simple, easily guessable passwords and increases the risk to their organisations.

The Importance of Compromised Password Checks

Traditional password policies that focus on length and complexity requirements are no longer sufficient to combat sophisticated password attacks. The Specops Weak Password Report highlights that a substantial 83% of compromised passwords meet the complexity and length requirements of regulatory standards, as well as noting that the most common base term found in passwords used to attack networks across multiple ports is still “password”. To enhance security, the report suggests that organisations must implement compromised password checks by cross-referencing credentials against a breached password list.

Brute Force Attacks and Password Construction

One common way cybercriminals gain access to sensitive data and networks is through brute force attacks. Analysing live attack data, researchers found that over 88% of passwords used in such attacks were 12 characters or less, with 8 characters being the most common length. Passwords containing only lowercase letters were predominant, indicating the prevalence of weak and easily guessable passwords. Notably, attackers continue to exploit common password base terms, underscoring the need for robust password protection strategies. The report suggests that “Organisations looking to prevent the use of passwords like these must make use of password construction rules such as implementing the use of passphrases, and length-based password aging to encourage memorable long passwords. Those requirements, paired with a custom dictionary or compromised password screening, would be the best defence against passwords that could help threat actors gain access to your organization’s network” (Specops Weak Password Report).
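The two things the paragraph above describes, measuring a batch of attempted passwords the way the researchers did (share at 12 characters or under, most common length, share that is lowercase-only) and a construction policy with length-based aging, can be expressed in a few dozen lines. The following is an added example written for this summary; it is not Specops code, and the aging tiers, the minimum length and the sample list of guesses are assumptions constructed for illustration, not figures from the report.

```python
from collections import Counter
import string

# Constructed sample of guesses, as they might be pulled from an authentication
# log during a brute-force attempt. Not real attack data.
ATTEMPTED = [
    "password", "123456", "qwerty", "welcome1", "letmein", "football",
    "dragon2022", "P@ssw0rd", "administrator", "correct horse battery staple",
]

# Assumed policy values (example tiers, not the report's): a longer password
# earns a longer lifetime, so users are rewarded for choosing passphrases.
MIN_LENGTH = 12
AGING_TIERS = [(20, 365), (16, 180), (12, 90)]  # (minimum length, max age in days)


def character_classes(password: str) -> frozenset:
    """Which of lower/upper/digit/symbol the password draws on."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return frozenset(classes)


def summarise_attempts(passwords) -> dict:
    """Reproduce the report's three headline measurements on a list of guesses."""
    n = len(passwords)
    lengths = Counter(len(p) for p in passwords)
    return {
        "share_12_or_less": sum(1 for p in passwords if len(p) <= 12) / n,
        "most_common_length": lengths.most_common(1)[0][0],
        "share_lowercase_only": sum(
            1 for p in passwords if character_classes(p) == {"lower"}) / n,
    }


def looks_like_passphrase(password: str) -> bool:
    """Three or more words of at least three letters, separated by space/-/_ ."""
    words = [w for w in password.replace("-", " ").replace("_", " ").split(" ") if w]
    return len(words) >= 3 and all(len(w) >= 3 for w in words)


def max_age_days(password: str):
    """Length-based aging: the first tier the password reaches, or None if too short."""
    for min_len, days in AGING_TIERS:
        if len(password) >= min_len:
            return days
    return None


def construction_check(password: str) -> dict:
    """Apply the construction rules and, if the password passes, assign its lifetime."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if len(character_classes(password)) == 1 and not looks_like_passphrase(password):
        problems.append("uses a single character class")
    accepted = not problems
    return {
        "accepted": accepted,
        "problems": problems,
        "max_age_days": max_age_days(password) if accepted else None,
    }


if __name__ == "__main__":
    print(summarise_attempts(ATTEMPTED))
    for pw in ("password", "administrator", "correct horse battery staple"):
        print(pw, construction_check(pw))
```

On the constructed list the summary comes out at 80% of guesses at 12 characters or under, 8 as the most common length and half lowercase-only, the same shape the report describes. `construction_check` rejects the short or single-class guesses outright and gives the 28-character passphrase the longest lifetime, which is the incentive the report has in mind when it pairs passphrases with length-based aging.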

Real-life Example: Nvidia Data Breach

The data breach at GPU manufacturer Nvidia serves as a real-life example of the consequences of weak password protection. The ransomware group LAPSUS$ targeted the company, stealing employee passwords and proprietary information. Analysis of leaked passwords revealed alarming trends, such as the use of easily guessable passwords and a lack of custom dictionary lists, which reject predictable passwords.

“During the breach, thousands of employee passwords were leaked. Specops Software obtained 30,000 of these leaked passwords and added them to our database of compromised passwords. Nvidia later shared that all employees were required to change their passwords. Now that these passwords are no longer in use, we can look at a few examples to pinpoint the factors that led to their compromise.

  1. nvidia
  2. nvidia3d
  3. mellanox
  4. ready2wrk
  5. welcome
  6. password
  7. mynvidia3d
  8. nvda
  9. qwerty
  10. september

Top 10 Base Words in Leaked Nvidia Passwords

Finding “nvidia” in this list indicates the organization wasn’t making use of a custom dictionary in its password protections. A custom dictionary list is set up to reject common and predictable passwords during the password creation process. These can include passwords relevant to your organization, including name, locations, services, any relevant acronyms, and even months of the year, as per the “September” example above. The cyberattack on America’s largest microchip company understandably sparked concern for data security. But it comes as no surprise when you consider that commercial and business-related companies are the most affected by ransomware attacks, according to Outpost24’s 2023 Ransomware Report. Their data suggests that threat actors primarily target organizations that may have a higher capacity to pay a ransom.”
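The quoted passage above and the earlier section on compromised password checks describe two screens that a password filter applies at creation time: a custom dictionary that rejects organisation-specific and predictable base terms (company name, products, months), and a lookup against a breached-password list. The following added example, written for this summary and not Specops or Cybata code, implements both and runs the report's ten Nvidia base words through them. The dictionary contents, the leet-speak reversal table and the tiny breached list are constructed assumptions; a real deployment would hold a full breached-password corpus or query a k-anonymity range service rather than the handful of digests embedded here.

```python
import hashlib
import re

# Constructed custom dictionary: organisation terms (mirroring the report's
# Nvidia list), months of the year and a few generic base words.
ORG_TERMS = {"nvidia", "nvda", "mellanox", "geforce"}
MONTHS = {"january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"}
GENERIC_TERMS = {"password", "welcome", "qwerty", "letmein"}
CUSTOM_DICTIONARY = ORG_TERMS | MONTHS | GENERIC_TERMS

# Reverse the common leet substitutions so "p@ssw0rd" still reads as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})

# Constructed stand-in for a breached-password list, stored as SHA-1 digests
# so the plaintexts never sit on the policy server.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("password", "ready2wrk", "mynvidia3d", "123456")
}


def base_term(password: str) -> str:
    """Reduce a password to its letters-only base term: lowercase, leet reversed,
    digits and symbols stripped, so "nvidia3d" and "mynvidia3d" both expose "nvidia"."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET))


def dictionary_hits(password: str, min_len: int = 4) -> list:
    """Custom-dictionary terms found inside the base term. Terms shorter than
    min_len (e.g. "may") are skipped to avoid rejecting every word containing them."""
    base = base_term(password)
    return sorted(t for t in CUSTOM_DICTIONARY if len(t) >= min_len and t in base)


def is_compromised(password: str) -> bool:
    """Exact-match compromised password check against the breached digest set."""
    return hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1


def evaluate(password: str) -> dict:
    """Run both screens; the password is accepted only if neither trips."""
    hits = dictionary_hits(password)
    compromised = is_compromised(password)
    return {
        "password": password,
        "base_term": base_term(password),
        "dictionary_hits": hits,
        "compromised": compromised,
        "accepted": not hits and not compromised,
    }


# The ten base words from the report's Nvidia list.
LEAKED_SAMPLE = ["nvidia", "nvidia3d", "mellanox", "ready2wrk", "welcome",
                 "password", "mynvidia3d", "nvda", "qwerty", "september"]

if __name__ == "__main__":
    for pw in LEAKED_SAMPLE:
        r = evaluate(pw)
        print(f"{pw:<12} base={r['base_term']:<12} hits={r['dictionary_hits']} "
              f"compromised={r['compromised']} accepted={r['accepted']}")
```

Every entry in the sample is rejected by one screen or the other: "ready2wrk" has no dictionary base term but is on the breached list, while "september" and "nvda" are not breached in this toy list but are caught by the months and organisation terms. The substring match on the normalised base term is what lets the dictionary catch "mynvidia3d" and "nvidia3d" from the single entry "nvidia", which is the behaviour the report is asking for.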

Themes and Patterns in Password Creation

Password creation often reflects cultural trends and world events, providing hackers with opportunities to target unsuspecting victims. The research uncovered several football-related terms in compromised passwords, coinciding with the FIFA 2022 World Cup in Qatar. Well-known players’ names, such as Grzegorz Lato and Pele, featured prominently in passwords, indicating users’ tendency to choose familiar terms as part of their passwords.

Conclusion

The Weak Password Report serves as a stark reminder of the risks posed by poor password practices. To safeguard their businesses from cyber-attacks, organizations must adopt stronger password security measures, including compromised password checks, custom dictionary lists, and passphrases. By prioritizing password security, businesses can significantly strengthen their defence against data breaches and protect their valuable information and digital ecosystem.

Cybata’s key takeaways

We agree completely with everything that this report states. But here are a few comments that we’d like to add:

  • Strong passwords should ALWAYS be used
  • You should NEVER use the same password on a different system (using the same login credential, usually email, and a re-used password hugely increases your risk of a breach)
  • Using a Password Manager or storing passwords in a web browser MUST be CONSIDERED by everyone.
  • Enable MFA at every available opportunity. Many systems still ship with this important feature switched off by default.

If you’d like to know more about what strong security and great password management looks like for your organisation, please get in touch.