Outrun the Bear: Don’t let Weak Passwords be Your Kryptonite

Written by

The good guys in cybersecurity are like Superman, while an APT hacker might be more like Lex Luthor.

Not every bad actor will fall into the elite, intelligence-of-a-supervillain-mastermind hacker category, though.

Some will be more like run-of-the-mill petty thieves, seeking easy access to an inbox.

This is similar to how some real-life thieves check for unlocked car doors so they can steal the loose change in a glovebox. Weak passwords are the main way a cybercriminal gets that kind of easy access.

While superheroes might offer superior physical strength, using your favorite hero's name in your password might be doing more harm than good.

Mozilla shared this fun study, a follow-up to an earlier one focused on Disney princess names. This time, the subject was superhero names.

Overall, the findings were straightforward and in line with other studies from years of warnings against superhero passwords.

Mozilla’s findings for the weakest superhero passwords

Weak passwords are low-hanging fruit for cybercriminals. Creating a weak password is the equivalent of hiding a house key under the doormat: chances are nobody will look if you live in a safe neighborhood, but under the wrong circumstances, it could leave your entire home vulnerable to theft.

And on a similar note, while superheroes may be known for their superhuman strength on the screen, when it comes to password strength, going with batman123 as a password could leave the Bat Cave vulnerable to a data breach.

Superman fans ranked higher on the breach scale than Batman fans, and fans of Captain America were likely the safest, according to Mozilla's chart.

Superhero + number passwords are still topping the charts

This type of thing has been going on for years. In 2018, the SentinelOne blog ranked superhero names combined with a number as one of the worst password patterns. In a graphic, they broke down how malicious hackers can and will generate and test every password matching such a pattern, using pattern-matching techniques such as regular expressions (regex), to steal your data.

[Image: screenshot of the regex example]

Pattern-based guessing is relatively easy to set up: a regex describes the shape of a weak password (a name followed by a few digits), and a cracking tool simply tries every string that fits it. Hackers working within crime circles to sell data on the darknet will be familiar with how to use such tools to break into your online accounts.
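As an added example (this is not code from the SecureWorld article or from the SentinelOne post it cites), the script below shows why a hero name plus a number falls so quickly. It enumerates every string matching a regex-style pattern such as batman123, the way a cracking tool's mask or rule mode would, hashing each guess and comparing it with a stored hash. The ten-name wordlist, the target passwords and the use of unsalted SHA-256 as the stored hash are all constructed assumptions for the demo; a real attacker uses wordlists of millions of entries, and a real system should store passwords with a salted, slow hash.

```python
# Added example, not from the article: pattern-based guessing against
# "superhero + number" passwords. The wordlist, the targets and the use of
# plain SHA-256 are constructed assumptions for the demo.
import hashlib
import re
from typing import Iterator, Optional, Tuple

# Constructed sample wordlist. A real cracking wordlist has millions of
# entries; ten names are enough to show the shape of the search space.
HERO_NAMES = [
    "batman", "superman", "spiderman", "ironman", "wolverine",
    "captainamerica", "hulk", "thor", "wonderwoman", "flash",
]

# The regex equivalent of the pattern the text describes: a hero name
# followed by up to four digits, case-insensitive. Handy for auditing a
# password dump; it does not cover the leet-speak variants below.
HERO_PLUS_NUMBER = re.compile(
    r"^(?:" + "|".join(HERO_NAMES) + r")[0-9]{0,4}$", re.IGNORECASE
)

# Simple leet-speak substitutions, one of the mangling rules crackers apply.
LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "5"})


def looks_like_hero_password(password: str) -> bool:
    """True if the password matches the hero+number pattern (plain spelling)."""
    return HERO_PLUS_NUMBER.match(password) is not None


def word_variants(word: str) -> Iterator[str]:
    """Cheap mangling rules a cracker applies to every wordlist entry."""
    yield word                   # batman
    yield word.capitalize()      # Batman
    yield word.upper()           # BATMAN
    yield word.translate(LEET)   # b4tm4n


def candidates(max_digits: int = 4) -> Iterator[str]:
    """Every hero variant, bare and with every 1..max_digits digit suffix.

    Zero-padded suffixes are generated too, so batman007 and batman7 are
    both tried.
    """
    for name in HERO_NAMES:
        for base in word_variants(name):
            yield base
            for width in range(1, max_digits + 1):
                for n in range(10 ** width):
                    yield f"{base}{n:0{width}d}"


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256: used here only so the demo has a hash to attack."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack(target_hash: str, max_digits: int = 4) -> Optional[Tuple[str, int]]:
    """Return (password, guesses_needed) if the hash falls to the pattern."""
    for tried, guess in enumerate(candidates(max_digits), start=1):
        if sha256_hex(guess) == target_hash:
            return guess, tried
    return None


def search_space(max_digits: int = 4) -> int:
    """Guesses the pattern generates: names x 4 variants x (1 + 10 + ... + 10^max_digits)."""
    suffixes = 1 + sum(10 ** w for w in range(1, max_digits + 1))
    return len(HERO_NAMES) * 4 * suffixes


if __name__ == "__main__":
    # Constructed targets: two hero+number passwords and one passphrase.
    for pw in ["batman123", "Superman2021", "plum-orbit-kettle-47"]:
        result = crack(sha256_hex(pw))
        if result:
            print(f"{pw!r}: recovered after {result[1]:,} of {search_space():,} guesses")
        else:
            print(f"{pw!r}: not in the {search_space():,}-guess pattern space")
```

The whole pattern space here is under half a million guesses, which a laptop exhausts in about a second against SHA-256; batman123 falls after a few hundred. A slow password hash such as bcrypt or Argon2 raises the cost per guess, but it cannot rescue a password whose entire space is this small, while the unrelated passphrase is never reached because it does not fit the pattern at all.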

Mozilla moves towards multi-factor authentication 

The study completed by Mozilla coincided with an announcement about embracing a new feature to keep data safe from cyber threats.

In an article reported earlier by SecureWorld News, we covered Microsoft's new "passwordless" technology, which is built on multi-factor authentication (MFA). Apple, Samsung, and many other companies that make smartphones and other devices have also released passwordless technology using facial or fingerprint recognition, making accounts harder to hack.

In the case of Mozilla, users can follow the simple step-by-step tutorial to set up facial or touch authentication in the Firefox browser in the blog post from the superhero study linked earlier in this post. 

Most organizations are moving away from single-factor authentication, and Mozilla, like Microsoft and many others, is embracing this newer technology as a safer, more convenient way to stay ahead of a breach.

Rhett Saunders, Advisory Council member for SecureWorld and Director of Cybersecurity and Compliance for Focus on the Family, tells us hackers seeking easy access will target organizations that are not moving towards MFA.

“Much of cybersecurity is like this: I don’t have to outrun the bear, I just have to outrun you.

In a sense, by going passwordless and effectively utilizing multi-factor authentication (MFA), especially where there was no MFA at all, a company will make all other companies that use single-factor authentication, which just requires someone to enter a username and password, look like easy prey.

For the majority of threat actors of the world, they are still like everyone else, in the sense that they operate based on the principle of least resistance. While the amount of attacks will not lessen anytime soon, threat actors will merely move to companies that are doing less in the space of MFA.”

Where are the weaknesses with MFA technology? 

Saunders says passwordless is becoming more mainstream, and a great number of large corporations are implementing this strategy. 

“It is easy to claim passwordless in the context of one application here or there, or even in the context of consumer-grade Mac and Windows laptops, where you just need to use a biometric to authenticate to the machine via a fingerprint or facial recognition through Microsoft’s Hello. Smartphones like Apple and Samsung have gotten really good at going passwordless through touch or facial recognition.”

For Saunders, however, it is not so much about the holes in the technology, but the larger picture of scaling it within organizations.

“It is something completely different when you need to manage this at scale and for a complex enterprise where there are many more personas than just a consumer end-user on a personal laptop or smartphone. Now, we need to incorporate something called authentication that integrates with access on the other side.

Think of authentication as when you allow someone through the front gate of your own home.

If the person you trusted to enter your home asks to go into another room in your home and you say yes, this is access. In technology, rather than trusting what we just see when someone shows up, what can go wrong is we might be able to get people in the front gate easily, but it may be more difficult to grant access to the other rooms using the same information provided at the front door.

This is where the challenge lies, and having Single Sign-On (SSO) tools like Okta or Ping will help, but will not solve for every use case, especially if that application does not use SSO. Also, add on top of this Palo Alto’s GlobalProtect, Cisco ISE and macOS FileVault, and it quickly becomes complex, because we just added more locks to the front gate.

Do not underestimate the complexity of your use cases and the non-homogeneous aspect of one’s environment if you are using Linux, macOS, iOS, Windows, SaaS, and the list goes on.”

Saunders suggests your organization might want to approach things based on prioritization:

“Try to focus on the most used devices (e.g. Windows or macOS users) and work from there to address the smaller use cases. We are starting with macOS and Windows users.”

Like anything else, hackers are always finding ways to beat security measures. With newer technology, hackers are finding ways to spoof biometric information, including copying fingerprints from high-resolution images and other methods.

While the technology may continue to get stronger, at the end of the day there is one thing organizations and consumers alike can keep in mind: choose strong passwords, do not reuse the same password across multiple accounts or devices, and learn more about current trends such as MFA to make a hacker's job a little harder when they are trying to access your data.

[RESOURCE] Rhett Saunders will be speaking about going passwordless at the SecureWorld Rockies Virtual Conference on November 17.

Article Categories:
passwords · Security Awareness
