Ah yes, the password. I have written about this nemesis of ours on who knows how many occasions. But no need to rehash the past. Instead, this morning as I was perusing the news headlines for something to write about, I came across an article that does not dwell on the mistakes people make when creating or resetting passwords, but rather discusses what the Cyberattacker does, from their standpoint, when they want to break into something.
Apparently, some time ago, a listing of passwords was leaked out to the public. But this is not any ordinary file: it was 100 GB in size and contained well over 8.4 billion different passwords that people use on an almost daily basis. This file that was leaked to the public is known as "RockYou2021". Through research conducted by Rapid7, the following was discovered:
*Over a year-long period, Cyberattackers used that list to try to break into servers on a global basis.
*Only about 512,000 distinct passwords were actually seen in those attempts, and nearly all of them appear in the RockYou2021 list, either verbatim or as an easy variation of an entry.
*The above stats show that the Cyberattacker is taking the easy route to get passwords that work. This is still a dictionary attack at heart, but the days of the Cyberattacker building their own dictionary and mutating candidates are over. Instead, password lists are available on the Dark Web for pennies on the dollar, and the Cyberattacker simply feeds them into Credential Stuffing and password-guessing tools. These are real passwords that real people have used.
The bottom line here is that the Cyberattacker is not inventing anything new to get passwords. Just get them from somewhere, and off you go.
In fact, since many people around the world still reuse the same password, or produce easy-to-guess modifications of it, breaking into a database and heisting passwords now takes only a very short period of time. We are not talking about hours; we are talking about minutes.
For example, back in 2021, a Cybersecurity researcher based in Israel showed that he could recover the passwords of Wireless Access Points within minutes.
Part of the reason for this is that many of the end users at the public places where these Wireless Access Points were located simply used their mobile phone numbers as the password, with or without the dashes. More information about these discoveries can be found at the link below:
https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks
As mentioned previously in this blog, many people do not take the time to create a strong password. They want one that is easy to remember, and the following are a few examples:
*123456
*123456789
*qwerty
(Diagram of the most commonly used passwords. SOURCE: https://www.darkreading.com/endpoint/a-common-password-list-accounts-for-nearly-all-cyberattacks)
It should be noted here that most scientific studies of password usage have focused primarily on the end user. This study by Rapid7 (as noted in this blog) is one of the first of its kind to focus on the kinds of passwords that the Cyberattacker actually goes after and uses most often.
In fact, password guessing is still one of the favored attack techniques in use today, according to another Cyber firm known as ESET.
These studies have also further indicated that the Cyberattacker is taking the path of least resistance when it comes to password cracking. But, interestingly enough, hackers are not using the entire RockYou2021 list. Instead, they are just taking a handful. Why is this the case?
It has been hypothesized by Cyber researchers that since the bulk of the passwords in use are the same as the ones listed above, or some easy variation of them, there is no need to try every password on that list (plus it would take a very long time to go through all 8.4 billion, even with automated tools). Simply put: a small, representative sample of passwords covers nearly the entire set of working ones.
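The practical lesson from the two findings above, that a few hundred thousand entries cover almost every attempt and that the misses are mostly trivial variations or phone numbers, is that a password policy should reject anything that reduces to a known-leaked entry, not just exact matches. The following is an added example written for this post, not code from Rapid7, CyberArk, or the Dark Reading article. The six-entry LEAKED_PASSWORDS set stands in for a full list such as RockYou2021, the LEET_MAP substitutions and the ten-to-thirteen-digit phone-number rule are my own assumptions, and the function names are hypothetical.

```python
import re

# Constructed stand-in for a leaked list such as RockYou2021. In practice you
# would load the real list (or a hashed copy of it) rather than six entries.
LEAKED_PASSWORDS = {"123456", "123456789", "qwerty", "password", "iloveyou", "letmein"}

# Substitutions attackers apply mechanically; undone here so that "P@ssw0rd!"
# is recognised as "password". (Assumed mapping, not from any published list.)
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "0": "o",
                          "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 8


def candidate_forms(password: str) -> set:
    """Base words an attacker could have mutated into this password."""
    low = password.lower()
    forms = {low}
    # Drop an appended year, number or punctuation: "Qwerty!2021" -> "qwerty".
    stem = re.sub(r"[^a-z]+$", "", low)
    if stem:
        forms.add(stem)
    # Undo leetspeak on every form gathered so far.
    forms |= {f.translate(LEET_MAP) for f in list(forms)}
    return forms


def looks_like_phone_number(password: str) -> bool:
    """Ten to thirteen digits once dashes, dots, spaces and brackets are
    removed (assumed range covering typical national and international
    formats), so "054-123-4567" and "0541234567" are treated the same."""
    digits = re.sub(r"[-.\s()]", "", password)
    return re.fullmatch(r"\+?\d{10,13}", digits) is not None


def check_password(password: str) -> tuple:
    """Return (accepted, reason). Leaked-list check runs on every
    normalised form, so simple mutations do not slip through."""
    if len(password) < MIN_LENGTH:
        return False, "too short"
    if candidate_forms(password) & LEAKED_PASSWORDS:
        return False, "in leaked list"
    if looks_like_phone_number(password):
        return False, "looks like a phone number"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["123456", "Qwerty!2021", "P@ssw0rd!", "054-123-4567",
               "correct horse battery staple"]:
        print(f"{pw!r}: {check_password(pw)}")
```

The normalisation is deliberately aggressive in one direction only: it strips mutations off the candidate and compares the stems, rather than expanding the leaked list with every mutation, which is what keeps the lookup cheap against a multi-billion-entry list.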
The Rapid7 study also examined the kinds of credentials (account names and passwords) that the Cyberattacker tries when attempting to gain access to privileged accounts. Examples of these include the following:
*administrator
*user
*admin
*nproc
In other words, the Cyberattacker is following the old-fashioned concept of using "a little a lot." And if it is paying off, why not use this approach? There is no need to waste extra time and resources trying different, more difficult variants of the above.
But now the question that comes up is: out of those 8.4 billion passwords, how does the Cyberattacker know which ones to pick? It all comes down to experience, being lucky, and the laws of probability that something will work.
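The flip side of "a little a lot" is that the pattern is easy to spot on the defender's side: one source address walking a short list of account names (administrator, user, admin, nproc, root) through a server, and a success arriving after that run is the event worth an alert. The following is an added example for this post, not code from Rapid7 or ESET. The sshd log lines are constructed (the addresses are from the documentation ranges), the thresholds min_failures and min_users are assumed starting points, and the function names are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sshd log excerpt (not real traffic). The source addresses are
# from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24.
SAMPLE_LOG = """\
Jun 12 10:01:02 bastion sshd[4011]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jun 12 10:01:03 bastion sshd[4012]: Failed password for invalid user administrator from 203.0.113.5 port 51235 ssh2
Jun 12 10:01:03 bastion sshd[4013]: Failed password for invalid user user from 203.0.113.5 port 51236 ssh2
Jun 12 10:01:04 bastion sshd[4014]: Failed password for invalid user nproc from 203.0.113.5 port 51237 ssh2
Jun 12 10:01:05 bastion sshd[4015]: Failed password for root from 203.0.113.5 port 51238 ssh2
Jun 12 10:01:06 bastion sshd[4016]: Failed password for invalid user admin from 203.0.113.5 port 51239 ssh2
Jun 12 10:01:07 bastion sshd[4017]: Accepted password for root from 203.0.113.5 port 51240 ssh2
Jun 12 10:02:11 bastion sshd[4020]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Jun 12 10:02:15 bastion sshd[4021]: Accepted publickey for alice from 198.51.100.7 port 40022 ssh2
"""

# Matches the standard OpenSSH "Failed/Accepted <method> for [invalid user] <user> from <ip>" line.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) (?P<method>\w+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_events(log: str):
    """Yield one dict per recognised authentication line; other lines are skipped."""
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.groupdict()


def analyze(log: str, min_failures: int = 5, min_users: int = 3) -> dict:
    """Flag sources that run a short credential list across many accounts.

    Thresholds are assumed starting points; tune them to the host's normal traffic.
    """
    per_src = defaultdict(lambda: {"failures": 0, "users": set(), "accepted": []})
    for ev in parse_events(log):
        state = per_src[ev["src"]]
        if ev["result"] == "Failed":
            state["failures"] += 1
            state["users"].add(ev["user"])
        else:
            # Record every success along with how many failures preceded it.
            state["accepted"].append((ev["user"], state["failures"]))

    findings = {}
    for src, state in per_src.items():
        verdict = []
        # Few attempts spread over many account names: the "a little a lot" pattern.
        if state["failures"] >= min_failures and len(state["users"]) >= min_users:
            verdict.append("username-spray")
        # A success from a source that had already burned through its list.
        if any(prior >= min_failures for _, prior in state["accepted"]):
            verdict.append("login-after-failures")
        if verdict:
            findings[src] = {
                "verdict": verdict,
                "failures": state["failures"],
                "users": sorted(state["users"]),
                "compromised": [u for u, prior in state["accepted"] if prior >= min_failures],
            }
    return findings


def top_usernames(log: str, n: int = 3) -> list:
    """Most frequently attempted account names among failed logins."""
    counts = Counter(ev["user"] for ev in parse_events(log) if ev["result"] == "Failed")
    return counts.most_common(n)


if __name__ == "__main__":
    for src, info in analyze(SAMPLE_LOG).items():
        print(src, info)
    print("top usernames:", top_usernames(SAMPLE_LOG))
```

Note that a single failure followed by a success (alice, who mistyped once and then used her key) is not flagged; only a success that follows a run of at least min_failures attempts from the same source is reported, which is the case where the attacker's short list actually paid off.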
My Thoughts On This:
So now, you may be wondering, "OK, what is the bottom line here?" The bottom line is that you do not want anything of yours hacked into, whether it is professional or personal. I am not going to repeat here what you should do; a simple Google search will reveal what you need to do. You can find all of those checklists there.
But what I do recommend is that you make use of a good Password Manager, or get your organization to adopt multi-factor or passwordless authentication (such as biometrics or passkeys), so that a guessed password alone is no longer enough to get in. Then the password should no longer be the weak link.