We use passwords every day, trusting them to ensure our data and systems are safe. But are they?
Unfortunately the answer is often “no”.
According to the Verizon 2020 Data Breach Investigations Report, over 80% of hacking attacks use stolen or guessed passwords, with attacks exploiting system vulnerabilities or backdoors making up most of the remaining 20%.
Back in October it was reported that then-President Trump’s Twitter account password had been “cracked” by a Dutch “ethical hacker” — for a second time. Apparently the passwords were “maga2020!” and “yourefired” – so it probably didn’t take an IQ of 197 to guess them.
Even the smartest people can make mistakes with passwords that compromise security – the FT reported recently that Mensa’s website had been hacked, using the credentials of a Mensa director. The personal details of up to 18,000 Mensa members may have been leaked as part of the hack.
Following last year’s attacks involving SolarWinds – thought to be the work of Russia-backed and perhaps Chinese hackers – it was reported that access to SolarWinds’ systems was being advertised on the “dark web” as far back as 2017. In 2019 a security researcher found that it was possible to access one of SolarWinds’ systems via a weak, easily guessable password — “solarwinds123”. The SolarWinds attack itself made use of a backdoor injected into SolarWinds’ Orion software, but once inside the target networks, the hackers are believed to have made use of weak passwords to gain access to internal systems and data.
And last month, Ubiquiti, another network appliance supplier, notified its customers of “unauthorized access to certain of our IT systems” and advised all customers to change their passwords.
Worryingly, research shows that as many as 80% of firms may have no password policy in place – and that between 15% and 20% of passwords include the name of the firm in question, potentially making them easier to guess.
There seems little sign of password breaches stopping any time soon.