May 6th 2021 is being marked as World Password Day. The majority of cases investigated by 3B Data Security’s DFIR team result in user credential compromise being the initial attack vector.
Despite poor passwords being widely reported as the most common attack vector of the years, 3B Data Security has some spectacular examples of poor passwords, and password management. Examples such as P@ssword123 (still one of the most common passwords in use) for a domain administrator account, 1234567 for a web app CMS administrator account, or where the password and the username are the same. A password that had never been changed or service providers who use the same single password across all their clients.
Other poor password examples:
This is not just a common trend 3B Data Security has seen amongst small clients, but many of the worst examples of poor password management come from major corporate environments, global retailers, and national banks.
3B Data Security's Password Tips:
1. Don’t use any personal information, such as partner’s name, child’s name, other family member, pet’s name, place of birth, hobby or favourite sports team, or any other information that could be gathered from social engineering.
2. Don’t use any real words, including words with common changes or numbers added, e.g. @ for a, or cat123.
3. Create long passwords – use a minimum of 10 characters, a mixture of alphabetic and numerical characters, upper and lower case, and special characters.
4. Create an easy to remember phrase using three words or a phase, e.g @3birdsIntHeHand47!
5. Do not share passwords across multiple accounts, especially between high-risk environments such as social media accounts, and high value such as banking or email.
6. Adopt a password vault, where you can store all your passwords and create complex passwords that can be loaded directly from the vault.
7. Implement multi-factor authentication, such as rotating token, one-time passcode (OTP), or certificate or access card.
8. Never type your password on public or untrusted networks, such as public WiFi.
9. Do not leave passwords on your clipboard.
If you operate an environment where payment card data is present, the Payment Card Industry’s Data Security Standards has a minimum requirement for passwords which you must follow [Requirement 8]:
Ensure proper user-authentication management for non-consumer users and administrators on all system components by employing at least one of the following methods to authenticate all users:
Something you know, such as a password or passphrase
Something you have, such as a token device or smart card
Something you are, such as a biometric.
Passwords/passphrases must meet the following:
Require a minimum length of at least seven characters.
Contain both numeric and alphabetic characters.
Change user passwords/passphrases at least once every 90 days.
Do not allow an individual to submit a new password/passphrase that is the same as any of the last four passwords/passphrases he or she has used.
Set passwords/passphrases for first-time use and upon reset to a unique value for each user, and change immediately after the first use.
Secure all individual non-console administrative access and all remote access to the CDE using multi-factor authentication.
Service providers with remote access to customer premises (for example, for support of POS systems or servers) must use a unique authentication credential (such as a password/phrase) for each customer.
If you or your business requires any assistance with creating an effective password management policy, or for any other information security need, such as incident response and digital forensics, compliance and auditing, or testing and vulnerability scanning, please contact 3B Data Security.