Weak Credentials, the Bane of Cyber Security

  • Passwords remain one of the biggest problems of the modern digital world
  • Users make the same mistakes, over and over
  • Even high-profile users like the president of the United States make the same mistakes

Passwords remain the principal gateway to people’s data, but they are also the bane of cybersecurity efforts for one simple reason: They represent an element of protection controlled by the human side of the cybersecurity chain, and humans are the weakest link.

User names and passwords are the most common way for users to authenticate to online services, and that won’t change anytime soon. In most cases, though, people are the ones who choose those credentials. Unfortunately, humans have a poor track record in this regard, reusing old passwords or choosing weak ones. Worse still, they don’t even change default credentials in their IoT devices.

Some compromises had to be made to better secure authentication. Organizations now impose specific rules for choosing a new password, but online services can’t know if someone reuses a password from another service. Also, multi-factor authentication is slowly becoming the norm, drastically increasing security in many situations.

People don’t seem to learn

The same mistakes show up every year, despite efforts to educate people. A recent study showed that the most common password remains ‘123456’: on average, one in every 142 passwords is ‘123456’.

Data breaches don’t seem to put a dent in users’ behavior, as a paper from Carnegie Mellon University shows. After a data breach, most users who actually do change their passwords choose a similar or weaker one.

Recycling is also a big problem: people use the same passwords (with small variations) across multiple online services. As soon as hackers breach a database of credentials, all online accounts using the same password are compromised as well.
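The three failure modes described above (the ‘123456’-style common password, the post-breach change to a similar password, and the small-variation reuse across services) are exactly what a server-side password policy can catch at the moment a password is set. The following checker is an added example, not code from the article or from any Bitdefender product; the deny-list, the 12-character minimum and the 0.8 similarity threshold are constructed, illustrative values, and the "previous passwords" it compares against are assumed to be available to the service (in practice this means comparing against the user's own password history, since a service cannot see passwords used elsewhere).

```python
import difflib
import re

# Constructed deny-list standing in for a breach corpus such as a "most common passwords" dump.
COMMON_PASSWORDS = {"123456", "123456789", "password", "qwerty", "111111", "iloveyou"}

MIN_LENGTH = 12            # assumed policy value
SIMILARITY_THRESHOLD = 0.8 # assumed: ratio above which two passwords count as a "variation"


def normalize(password: str) -> str:
    """Lowercase and strip leading/trailing digits and symbols, so that
    'Summer2020!' and 'summer2021' reduce to the same stem 'summer'."""
    return re.sub(r"^[^a-z]+|[^a-z]+$", "", password.lower())


def too_similar(new: str, old: str) -> bool:
    """True when the new password is a small variation of an old one.
    Two signals: identical stem after normalisation (suffix/prefix tweaks),
    or a high character-level similarity ratio (single-character swaps like o->0)."""
    stem_new, stem_old = normalize(new), normalize(old)
    if stem_new and stem_new == stem_old:
        return True
    ratio = difflib.SequenceMatcher(None, new.lower(), old.lower()).ratio()
    return ratio >= SIMILARITY_THRESHOLD


def check_password(new: str, previous=()) -> list:
    """Return the list of policy violations for a proposed password
    (empty list means it is acceptable under this policy)."""
    problems = []
    if len(new) < MIN_LENGTH:
        problems.append("too short")
    if new.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    for old in previous:
        if too_similar(new, old):
            problems.append("variation of a previous password")
            break
    return problems


if __name__ == "__main__":
    # Constructed inputs: the article's most common password, and two post-breach "changes".
    for candidate, history in [
        ("123456", []),
        ("Summer2021", ["Summer2020!"]),
        ("Passw0rd!!!!", ["Password!!!!"]),
        ("correct horse battery", ["Summer2020!"]),
    ]:
        print(candidate, "->", check_password(candidate, history) or "accepted")
```

The stem comparison is what catches the "same password with a different year" habit; the sequence-matcher ratio catches leetspeak-style swaps that keep the stem length but change a character. A real deployment would replace the inline deny-list with a lookup against a large breach corpus and would only ever store salted hashes of the history, comparing at the moment the user submits the plaintext.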

Data from a LastPass report reveals 91 percent of consumers agree that using the same password or a variation of it poses a security risk. However, despite the intense global awareness of data breach attacks and online exposure dangers, 66 percent of respondents use the same password anyway, and 53 percent have not changed their passwords in the last 12 months.

Everyone is vulnerable

The latest high-profile victim of the habit of choosing poor passwords is none other than US President Donald Trump. Victor Gevers, security researcher and chair of the Dutch Institute for Vulnerability Disclosure, recently revealed that he could access the Twitter account of the president because he used an easy-to-guess password: “maga2020!”. Two-factor authentication wasn’t set up.

To be fair, Twitter denied this happened, but the source of the information and the fact that people choose their passwords badly make this story plausible.

Finally, people make an assumption that’s always detrimental. They believe they have nothing that hackers want and they feel protected by simply being in a crowd. But hackers don’t really care about any of that. Credentials leaked today could very well be used in a phishing campaign two years later, when an unsuspecting user clicks on a link and installs malware. Even if hackers don’t steal a person’s data, they still benefit from access to the hardware itself, which can be used in much larger attacks.

The solution is not evident

People don’t change their cybersecurity habits easily. If they do, it takes a very long time. We have gathered a collection of useful tips for people who want to strengthen their password security and create strong and easy-to-remember passwords, but users should go a step further.

Security solutions such as the Bitdefender IoT Security Platform provide an all-encompassing umbrella to cover all the users’ needs. For example, in addition to assessing password strength, the platform has a brute force detection feature that recognizes if an attacker tries to log in too often.
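The brute-force detection feature mentioned above comes down to one question: how many failed logins has a single source produced inside a short time window? The example below is added here to illustrate that logic and is not the Bitdefender platform's own code. It runs over a constructed authentication log (addresses from the RFC 5737 documentation ranges; the line format, the 60-second window and the threshold of 5 failures are all assumptions) and raises two kinds of alert: a failure burst, and the more worrying case of a successful login immediately after such a burst, which is the signature of a guessed or reused credential finally working.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Detection parameters (assumed values; tune to the service's normal traffic).
WINDOW = timedelta(seconds=60)
THRESHOLD = 5

# Constructed sample authentication log, one event per line (not from any real device).
SAMPLE_LOG = """\
2020-10-22T10:00:00 src=203.0.113.7 user=admin result=FAIL
2020-10-22T10:00:00 src=198.51.100.9 user=alice result=FAIL
2020-10-22T10:00:02 src=203.0.113.7 user=admin result=FAIL
2020-10-22T10:00:05 src=203.0.113.7 user=admin result=FAIL
2020-10-22T10:00:07 src=203.0.113.7 user=admin result=FAIL
2020-10-22T10:00:09 src=203.0.113.7 user=admin result=FAIL
2020-10-22T10:00:11 src=203.0.113.7 user=admin result=FAIL
2020-10-22T10:00:14 src=203.0.113.7 user=admin result=OK
2020-10-22T10:00:20 src=192.0.2.44 user=bob result=FAIL
2020-10-22T10:01:30 src=198.51.100.9 user=alice result=FAIL
2020-10-22T10:03:00 src=198.51.100.9 user=alice result=FAIL
2020-10-22T10:03:20 src=192.0.2.44 user=bob result=FAIL
2020-10-22T10:04:30 src=198.51.100.9 user=alice result=FAIL
2020-10-22T10:06:00 src=198.51.100.9 user=alice result=FAIL
2020-10-22T10:06:20 src=192.0.2.44 user=bob result=OK
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "src": m["src"],
            "user": m["user"], "result": m["result"]}


def detect_bruteforce(lines, window=WINDOW, threshold=THRESHOLD):
    """Sliding-window failed-login counter per source address.
    Returns a list of (kind, src, iso_timestamp) alerts in log order."""
    recent_failures = defaultdict(deque)  # src -> timestamps of failures inside the window
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        q = recent_failures[ev["src"]]
        # Evict failures that fell out of the window before this event.
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAIL":
            q.append(ev["ts"])
            # Alert exactly when the threshold is crossed, not on every later failure.
            if len(q) == threshold:
                alerts.append(("burst", ev["src"], ev["ts"].isoformat()))
        elif ev["result"] == "OK":
            # A success right after a burst is the strongest sign that a guess landed.
            if len(q) >= threshold:
                alerts.append(("success_after_burst", ev["src"], ev["ts"].isoformat()))
            q.clear()  # a successful login ends the current burst for this source
    return alerts


if __name__ == "__main__":
    for kind, src, when in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(f"{when} {src}: {kind}")
```

In the sample, 203.0.113.7 trips the burst alert on its fifth failure within nine seconds and then trips the success-after-burst alert; 198.51.100.9 also fails five times, but ninety seconds apart, so the window never holds more than one failure and nothing fires; 192.0.2.44 is an ordinary user who mistypes twice and then logs in. Counting only within a window, rather than cumulatively, is what separates the attacker from the forgetful user, and the success-after-burst signal is the one worth routing to an analyst rather than to an automatic block.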

But the platform is capable of much more than that, offering services that secure home devices across the board. It works best when integrated by ISPs into smart routers, providing users with required protection. It offers an undeniable value proposition for both consumers and ISPs, making it the ideal solution for smart homes.

After all, weak passwords represent just one of the many attack vectors consumers face every day. There’s no reason not to protect the rest of the environment and alleviate most of the other security issues, all in one swift swoop.