Ahhh, passwords. The bane of our collective existence. Yes, we know we need them to protect our private information. At least until something better comes along. But there are SO many places online we need them and it’s SO difficult to keep track of them all! It’s easiest to just keep them super-simple and reuse them over and over, right? Well, you know exactly what I’m going to say, so I won’t bother. And here’s more evidence as to why that’s a huge no-no: A year-long study that was just completed shows that hackers know all about our lazy ways and are barely lifting a finger to get exactly what they want.
The proof is in the (weak) password
In the study conducted between Sept. 2021 and Sept. 2022, the security firm Rapid7 monitored the RDP and SSH login attempts to several hundred “honeypots” (decoy accounts) they set up. (If you’re interested in the nitty gritty details, you can download the full report here.) Of all the authentication attempts to their honeypot accounts – and there were tens of millions of attempts — only 512,002 different passwords were even tried. Compare that to the 8.4 billion passwords that were leaked in the rockyou2021.txt list. (And yes, all 512,002 were on that list). That’s less than 1/100th of a percent. Additionally, just a handful of those half-million passwords and usernames dominated the attempts. Clearly the passwords that they tried were the most common on the list. (And the handful at the top of that list, the most common of the common. Passwords like “user”, “admin”, “password” and “123456”.)
Hackers know that users are lazy when it comes to the password game, so why should they exert extra energy if they don’t have to? While the research didn’t study how successful cybercriminals are in the real world with these common passwords, it seems safe to assume they must have had some degree of success. Otherwise, they wouldn’t have made tens of millions of attempts over a year’s time without changing their strategy. And using bots to attempt access using only a small number of guessable passwords repeatedly certainly seems cost-effective. Why should they waste the time and money trying something different if that works just fine? As the saying goes, “If it ain’t broke, don’t fix it.”
The “fixing” needs to happen on OUR end.
Batten down the hatches
Ok, you know how this works. This is the part where I spell out what you – and your staff – should be doing to better protect your data. I’m sure I sound like a broken record. My apologies; just part of the job, folks. So here goes…again.
It’s (past) time for everyone to get serious about a few things:
Regular (preferably quarterly) cybersecurity awareness training is essential. Users don’t know what they don’t know. Teach them.
Encourage staff to use password managers. It’s the best way to get random, unique and complex passwords that are both generated and saved automatically. (Proof you actually can be both lazy and safe at the same time.)
Check your systems – both internal and external-facing SSH and RDP servers – for those commonly used passwords (run it against the RockYou2021 list and change any it finds).
Internet of Things
Don’t forget about any IoT devices both in the workplace (smart security systems, thermostats, etc.) and that your staff use at home on or on their person. Those all have passwords as well!
The moral to the story
It’s pretty simple. We need to stop making it so easy for the bad guys to steal our stuff. Just as you shouldn’t leave the key to your house under the doormat when you know there are burglaries in the neighborhood, you shouldn’t make your password so easy to guess. Your data is as valuable – if not more so, in many cases – as the contents of your home. Protect it with at least the same amount of energy.