Hackers Bypass Weak Organization Passwords with Ease

By Greg Tavarez

Even with other forms of authentication such as biometric and multi-factor authentication, passwords are still relevant and remain the most widely used form of authentication. Strong passwords are an effective tool in protecting personal data. “Strong” is the keyword here, however, and most people do not use passwords that would fall under that “strong” category.

In fact, a Specops Software study found 88% of passwords used in successful attacks consisted of 12 characters or less, with the most common being eight characters.

Specops used Nvidia’s 2022 data breach as an example. In the breach, where thousands of employee passwords were leaked, many employees had used passwords such as “Nvidia,” “qwerty” and “nvidia3d.” Outside of Nvidia, other common base terms used in general passwords were “password” “admin,” “welcome” and “p@ssw0rd.”

It’s baffling to see these types of passwords used as a would-be defense against hackers. No wonder hackers bypass passwords related to the organization with ease. And users will likely continue to resort to these common passwords even with warnings passed on to them as well as end-user security training.

Oddly enough, depending on how it is looked at, passwords that were compliant with NIST, PCI, ICO for GDPR, HITRUST for HIPAA and Cyber Essentials for NCSC standards accounted for 83% of compromised passwords. (Maybe the compliance standards need to be revisited?) This is especially notable given that even so-called “strong” passwords still need to be used in conjunction with other security measures and good security practices to keep account and personal data safe.

Security teams, for their part, are naturally left in the dark, and the more end users they have, the worse the problem becomes.

To protect corporate data, organizations need to protect Active Directory, the universal authentication solution for Windows domain networks. Protecting Active Directory is effectively accomplished by using third-party password security software to strengthen Active Directory accounts. Organizations need to look for a solution that blocks the use of compromised passwords and commonly used terms with custom dictionaries.
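As an added illustration (not Specops code and not from the article), here is a minimal custom-dictionary check in Python that rejects the kinds of passwords the study describes: short passwords, and passwords containing organization-related or common base terms even when written in leet-speak. The word list, the substitution map and the 13-character floor are assumptions chosen for the example.

```python
# Added example: custom-dictionary password filter. Not Specops code; the
# dictionary, substitution map and minimum length are constructed for this demo.

# Constructed dictionary: common base terms named in the article plus an
# organization-specific term (a real deployment would add the org's own names,
# products and locations).
CUSTOM_DICTIONARY = {"password", "admin", "welcome", "qwerty", "nvidia"}

# Simple fold of common leet-speak / symbol substitutions back to letters,
# so that "p@ssw0rd" and "nvidia3d" are matched as "password" and "nvidia".
LEET_MAP = str.maketrans({"@": "a", "$": "s", "0": "o", "1": "i", "3": "e",
                          "4": "a", "5": "s", "7": "t", "!": "i", "|": "l"})

# Assumed floor: the study found 88% of compromised passwords were 12 chars or fewer.
MIN_LENGTH = 13


def normalize(password: str) -> str:
    """Lower-case the password and undo common character substitutions."""
    return password.lower().translate(LEET_MAP)


def find_dictionary_hit(password: str, dictionary=CUSTOM_DICTIONARY):
    """Return the first blocked term found inside the normalized password, else None."""
    norm = normalize(password)
    for term in sorted(dictionary, key=len, reverse=True):  # longest terms first
        if term in norm:
            return term
    return None


def evaluate_password(password: str, dictionary=CUSTOM_DICTIONARY) -> list:
    """Return a list of policy failures; an empty list means the password is accepted."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(f"shorter than {MIN_LENGTH} characters")
    hit = find_dictionary_hit(password, dictionary)
    if hit:
        failures.append(f"contains blocked term '{hit}'")
    return failures


if __name__ == "__main__":
    for candidate in ["Nvidia", "p@ssw0rd", "nvidia3d", "W3lc0me2024!",
                      "correct-horse-battery-staple"]:
        print(f"{candidate!r}: {evaluate_password(candidate) or 'accepted'}")
```

The substring match is deliberately aggressive: any password built around a blocked term is rejected regardless of appended digits or symbols.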

“While organizations are making concerted efforts to follow password best practices and industry standards, more needs to be done to ensure passwords are strong and unique,” said Darren James, Product Manager at Specops Software. “With the sophistication of modern password attacks, additional security measures are always required to protect access to sensitive data. Companies should put strong password policy enforcement in place, including custom dictionaries related to the organization.”

Edited by Alex Passett