An important part of cyber hygiene is understanding how cybercriminals may attempt to gain access to your critical data. It’s no surprise that bad actors target weak passwords.
According to the Verizon 2022 Data Breach Investigations Report, stolen credentials were involved in nearly half of the breaches it analyzed. Once attackers hold a working password for an individual’s account, they often walk away with a treasure trove of personal data, such as banking details or other sensitive personal information. With this data, an attacker can carry out various malicious activities: stealing the individual’s identity, taking over their social media accounts, and spending money on their credit cards. As a result, it is crucial to use strong, unique passwords and to change a password as soon as there is any sign it has been exposed.
There are numerous tactics that clever attackers use to steal passwords. One is social engineering, most commonly phishing, where cybercriminals trick users into handing over their credentials by replying to an email or text message, clicking a malicious link, or entering their password on a look-alike website. Another is traffic interception, where attackers use tools like packet sniffers to capture credentials from network traffic; this works against plaintext protocols or on a network the attacker controls, which is one reason unencrypted logins should never be used.
Additionally, the Conti ransomware leak disclosed how the most successful ransomware group of 2021 used information stealers (malware that harvests passwords saved in browsers and applications) and credential stuffing, in which username and password pairs leaked from one breach, often purchased on darknet markets, are replayed automatically against many other services. Unfortunately, many people use the same email and password combination for multiple websites. If only one of these combinations ends up in a leaked database, threat actors can reuse it to gain access to every other account that shares it, including accounts in their victim’s work environment.
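The replay half of credential stuffing leaves a distinctive trace in authentication logs: one source trying many different usernames with mostly failures, where the occasional success marks an account whose reused password worked. The detector below is an added example, not code from the original post or from Fortinet; the log format, the sample lines and the thresholds are constructed for illustration and would need tuning for a real environment.

```python
"""Spot credential-stuffing activity in authentication logs.

Added example, not Fortinet's code. The log format is a constructed,
simplified one ("<time> src=<ip> user=<name> result=<success|failure>") and
the thresholds are assumptions to tune per environment.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<ip>[\d.]+) user=(?P<user>\S+) result=(?P<result>success|failure)$"
)

# Constructed sample: 203.0.113.7 replays leaked email/password pairs against
# ten different accounts and hits once (judy reused her password); 198.51.100.4
# is a legitimate user mistyping her own password before getting in.
SAMPLE_LOG = """\
2023-05-02T08:00:01Z src=203.0.113.7 user=alice result=failure
2023-05-02T08:00:01Z src=203.0.113.7 user=bob result=failure
2023-05-02T08:00:02Z src=203.0.113.7 user=carol result=failure
2023-05-02T08:00:02Z src=203.0.113.7 user=dave result=failure
2023-05-02T08:00:03Z src=203.0.113.7 user=erin result=failure
2023-05-02T08:00:03Z src=203.0.113.7 user=frank result=failure
2023-05-02T08:00:04Z src=203.0.113.7 user=grace result=failure
2023-05-02T08:00:04Z src=203.0.113.7 user=heidi result=failure
2023-05-02T08:00:05Z src=203.0.113.7 user=ivan result=failure
2023-05-02T08:00:05Z src=203.0.113.7 user=judy result=success
2023-05-02T08:01:10Z src=198.51.100.4 user=alice result=failure
2023-05-02T08:01:25Z src=198.51.100.4 user=alice result=failure
2023-05-02T08:01:40Z src=198.51.100.4 user=alice result=success
2023-05-02T08:02:00Z src=192.0.2.9 user=bob result=success
"""


def parse_log(text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def find_credential_stuffing(events, min_users: int = 5, max_success_rate: float = 0.5) -> dict:
    """Return {ip: stats} for sources that tried many distinct accounts with mostly failures.

    A real user fails against one or two accounts; a stuffing tool walks a
    leaked list, so the tell is breadth (distinct usernames), not depth.
    """
    per_ip = defaultdict(lambda: {"attempts": 0, "failures": 0, "users": set(), "compromised": []})
    for e in events:
        s = per_ip[e["ip"]]
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "failure":
            s["failures"] += 1
        else:
            s["compromised"].append(e["user"])

    flagged = {}
    for ip, s in per_ip.items():
        success_rate = 1 - s["failures"] / s["attempts"]
        if len(s["users"]) >= min_users and success_rate <= max_success_rate:
            flagged[ip] = {
                "attempts": s["attempts"],
                "failures": s["failures"],
                "distinct_users": len(s["users"]),
                # accounts whose reused password worked: these need a reset, not just a block
                "compromised": s["compromised"],
            }
    return flagged


if __name__ == "__main__":
    for ip, stats in find_credential_stuffing(parse_log(SAMPLE_LOG)).items():
        print(ip, stats)
```

The output worth acting on is the `compromised` list: blocking the source IP stops the current run, but the accounts it successfully logged into have a password that is already public and must be reset.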
Attackers are constantly finding new ways to compromise user credentials, making it nearly impossible to create a comprehensive list of how they might steal a password. That is why we must learn to keep ourselves and our data safe online. A great place to start is with passwords that are hard to guess and, because each account gets its own, useless to an attacker anywhere but the site they were stolen from.
What constitutes a strong password? Here are four simple tips for creating great passwords and better protecting yourself against a cyberattack.
o Phone numbers
o Company information
o Names, including movie titles and sports teams
o A simple obfuscation of a common word (“P@$$w0rd”)
Instead, mix uppercase and lowercase letters, numbers and symbols, and make the password at least 10 characters long. Length does more for strength than any particular symbol, so treat 10 characters as a floor rather than a target.
3. Use different passwords for each account. When you use the same password for multiple accounts, you increase how much an attacker can reach if they steal that one credential. Suppose one of your accounts gets compromised and your username and password are posted to the dark web. Cybercriminals, who know how often passwords are reused, will plug that combination into other services until they find the ones that share it.
4. Use a password manager to generate unique, long, complex, and easily changed passwords for all your online accounts. Following the password creation guidelines above is a solid start, but don’t try to keep track of all of these passwords in a document or spreadsheet on your device (or on a sticky note under your keyboard). That is just inviting trouble. Instead, consider using a password manager. A password manager generates a unique random password for each of your online accounts (or accepts one you choose), encrypts those passwords, and stores them in a local or cloud-based vault. Password managers make it easier to use the strongest passwords possible, because you only need to memorize a single master password to unlock the vault; that master password therefore deserves the most care of all, and the vault should be protected with multi-factor authentication where the manager supports it.
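The rules above (minimum length, a character-class mix, no phone numbers, no names or company words, no lightly obfuscated dictionary words) can be enforced in code, and a password manager’s generator is essentially a cryptographically secure random draw that is retried until the policy passes. The script below is an added example, not code from the original post or from Fortinet; its weak-word list, substitution map and thresholds are constructed assumptions, and a real checker would screen against a large breached-password corpus rather than this handful of words.

```python
"""Password policy check and generation.

Added example, not code from the Fortinet page. The weak-word list, the
leet map and the thresholds are constructed assumptions for illustration; a
production checker would screen against a large breached-password corpus.
"""
import secrets
import string

MIN_LENGTH = 10  # the article's minimum; longer is better

# Constructed stand-in for a breached-password / company-word list.
WEAK_WORDS = {"password", "welcome", "qwerty", "summer", "lakers", "fortinet"}

# Substitutions that cracking tools undo, so "P@$$w0rd" is checked as "password".
LEET = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                      "1": "i", "!": "i", "3": "e", "7": "t"})

PHONE_CHARS = set("0123456789 -+()")


def normalize(pw: str) -> str:
    """Undo common symbol/digit substitutions and lowercase the result."""
    return pw.translate(LEET).lower()


def check_password(pw: str, personal=()) -> list:
    """Return the list of rules the password violates (empty list = acceptable).

    `personal` holds words an attacker can learn about the user or company
    (names, employer, team); the caller supplies them.
    """
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    classes = (string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation)
    if not all(any(c in cls for c in pw) for cls in classes):
        problems.append("missing upper/lower/digit/symbol mix")

    digits = sum(c.isdigit() for c in pw)
    if digits >= 7 and set(pw) <= PHONE_CHARS:
        problems.append("looks like a phone number")

    norm = normalize(pw)
    words = sorted(set(WEAK_WORDS) | {w.lower() for w in personal})
    hits = [w for w in words if w in norm]
    if hits:
        problems.append(f"contains a common or personal word: {hits[0]!r}")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password (CSPRNG via `secrets`) that passes check_password."""
    alphabet = string.ascii_letters + string.digits + string.punctuation
    while True:  # rejection sampling: retry until every rule is satisfied
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if not check_password(pw):
            return pw


if __name__ == "__main__":
    for candidate in ("P@$$w0rd", "(555) 867-5309", "Acme#2024xyz", "9kQ#mz!Vw2pL"):
        print(f"{candidate!r}: {check_password(candidate, personal={'Acme'}) or 'OK'}")
    print("generated:", generate_password())
```

Two design points worth noting: the dictionary check runs on the de-obfuscated form, which is exactly what a cracking tool’s rule set does, so “P@$$w0rd” is rejected as “password”; and the generator uses `secrets`, never `random`, because `random` is not a cryptographic source and its output is predictable to anyone who learns its state.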
Strong passwords are table stakes. While individuals can follow best practices for creating them, IT and security teams should take additional steps to safeguard their organization and its employees from compromised passwords.
If you’re a security professional, consider implementing:
Being aware of cybersecurity risks and attacker tactics is more important than ever in the workplace and at home. Using strong, unique passwords, and replacing a password promptly whenever a breach or phishing attempt may have exposed it, is a fundamental part of protecting personal information and digital assets.
Fortinet offers a wide range of resources to individual users and organizations to help further address security issues, such as weak passwords that can open the door to cyber criminals. Via the Fortinet Training Institute, Fortinet offers free training courses to help establish a foundational understanding of best cybersecurity hygiene practices. Fortinet’s Security Awareness and Training service is also available to organizations that want to ensure all their employees, regardless of their role, can identify threat methods and prevent vulnerabilities and breaches.
Find out more about how Fortinet's Training Advancement Agenda (TAA) and Training Institute programs—including the NSE Certification program, Academic Partner program, and Education Outreach program—are helping to solve the cyber skills gap and prepare the cybersecurity workforce of tomorrow.