How Employee Credential Habits Will Get You Hacked
There’s a security failure that at least 25% of your employees are engaging in right now, and it’s highly likely that you’re guilty of it too. Careless credential handling and weak passwords are bad habits that put your company at risk of being hacked almost instantly, rendering all of the money you’ve spent on security useless.
Hackers can buy their way into your network right now, if they want to, for around $100. One of the most concerning aspects of these breaches is that they often go undetected. In many cases, hackers are able to come and go inside your information systems at their leisure without raising any red flags in IT, even when those systems are protected by sophisticated intrusion detection.
How Hackers Perform Data Breaches Using Employee Credentials
These data-breach and spear-phishing attacks have been responsible for over a trillion dollars of direct and indirect losses over the past decade. One common type of attack, called “credential stuffing,” is the practice of testing employees’ usernames and passwords against remote access systems such as VPN, Remote Desktop, or cloud email services (Microsoft 365 or Google Apps). Since many companies use employee email addresses as usernames for their business systems, hackers can usually find the first half of an employee’s login credentials with little effort.
So, how do they get the second piece of the puzzle, your employee’s password? Unfortunately, hackers are able to buy this information on the dark web from databases of credentials stolen from previously hacked third-party websites. In fact, one of the primary monetizable products of a data breach these days is the set of passwords associated with email addresses. Many popular websites have been breached and had their password databases stolen, including LinkedIn, Adobe, Quora, and thousands of others. The information from these breaches is compiled into searchable databases, making it possible for hackers to simply purchase every email address ending in your domain name along with the passwords that were associated with those addresses on the breached site. This means that if any of your employees ever used their corporate password on a third-party website, there’s a high likelihood that hackers can purchase it and log directly into your VPN or cloud services.
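The article notes that these logins often raise no red flags. The signature a defender can look for is the one that distinguishes stuffing from ordinary failed logins: one source address trying many distinct accounts, a few attempts each, inside a short window. The following detection is an added example written for this article, not Connetic’s tooling; the log format and the sample lines are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Flag credential-stuffing sources in VPN/cloud auth logs (added example)."""
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines in an assumed key=value format (not real data).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z src=203.0.113.7 user=alice@example.com result=FAIL
2024-03-01T09:00:02Z src=203.0.113.7 user=bob@example.com result=FAIL
2024-03-01T09:00:03Z src=203.0.113.7 user=carol@example.com result=FAIL
2024-03-01T09:00:04Z src=203.0.113.7 user=dave@example.com result=FAIL
2024-03-01T09:00:05Z src=203.0.113.7 user=erin@example.com result=SUCCESS
2024-03-01T09:00:06Z src=203.0.113.7 user=frank@example.com result=FAIL
2024-03-01T09:05:00Z src=198.51.100.4 user=alice@example.com result=FAIL
2024-03-01T09:05:09Z src=198.51.100.4 user=alice@example.com result=SUCCESS
"""


def parse_line(line):
    """Split one log line into (timestamp, source ip, username, result)."""
    ts, rest = line.split(" ", 1)
    fields = dict(kv.split("=", 1) for kv in rest.split())
    when = datetime.fromisoformat(ts.replace("Z", "+00:00"))
    return when, fields["src"], fields["user"], fields["result"]


def find_stuffing_sources(log_text, min_users=5, window_seconds=300):
    """Return {src: stats} for sources that hit >= min_users distinct accounts
    within window_seconds. Stuffing spreads one or two guesses across many
    accounts, so the distinct-user count climbs while attempts per user stay
    low; a lone user mistyping a password never trips this rule."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            when, src, user, result = parse_line(line)
            events[src].append((when, user, result))
    flagged = {}
    for src, evs in events.items():
        evs.sort()
        best, start = None, 0
        for end in range(len(evs)):  # sliding time window over this source
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            window = evs[start:end + 1]
            users = {u for _, u, _ in window}
            if len(users) >= min_users and (best is None or len(users) > best[0]):
                best = (len(users), window)
        if best:
            n, window = best
            flagged[src] = {"distinct_users": n, "attempts": len(window),
                            "successes": sorted(u for _, u, r in window if r == "SUCCESS")}
    return flagged
```

The successes list is the part worth an immediate response: those accounts were entered with a valid password and need a reset and a session review, not just a block on the source address.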
Hackers use sophisticated password-guessing tools that recognize the common parts of multiple passwords belonging to a single email address. For example, let’s say an attacker buys a user’s email address and gets the following passwords from six different data breaches:
These password-guessing tools instantly identify the common term “bruinsfan” and determine that the user tends to combine it with years or the names of sites. In just a few guesses, the tool can work out that the user’s Microsoft password, for example, is “bruinsfan!microsoft” based on the observed patterns in their password history. Keep in mind that this process is automated by software and requires no human time or skill.
Now, think about your own password habits. Do you ever partially re-use passwords? If you’ve been guilty of this practice, it’s highly likely other members of your team have as well, making your business vulnerable to a serious breach.
Protecting Your Business From Security Risks
Finding a way to protect your business can be difficult, since there is no way to control password re-use among employees. While you can train employees not to re-use passwords, it’s nearly impossible to audit and enforce, especially when third-party websites are involved. In fact, traditional password policies, such as changing passwords every 90 days or requiring extremely complex passwords, are what created this problem to begin with. Once employees have gone to the trouble of memorizing a complicated new password, they think it is strong and choose to re-use it everywhere. Because of this, multi-factor authentication (MFA) is the real solution to credential stuffing.
Until you’re able to invest in MFA across all of your business’s information systems, the interim solution is employee security training and trust. It is crucial for employees to update their corporate password and stop re-using it on third-party websites. When creating these new passwords, remember that longer is better than complex.
While many people believe a complex series of letters, numbers, and symbols is ideal, in reality employees’ passwords should be simple, original sentences. These passwords are easy to type, contain many characters for security, and are easy for employees to remember. The final key detail is to make sure you made up the sentence yourself; it can’t be a song lyric or a phrase from a book, because if it already appears anywhere in print, hackers can include it in a key-space attack to crack it.
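The advice in the last three paragraphs can be enforced at password-change time, at least for the corporate account: reject anything short, and reject anything that shares a recognizable stem with a password already exposed for that user, since that stem is exactly what the pattern-guessing tools described earlier latch onto. This is an added example, not Connetic’s product code; the list of previously exposed passwords is constructed here and would in practice come from a breach-notification feed, and the minimum length and stem threshold are assumptions.

```python
"""Reject partial re-use of exposed passwords at change time (added example)."""


def longest_common_substring(a, b):
    """Length of the longest run of characters shared by a and b, ignoring case."""
    a, b = a.lower(), b.lower()
    best, prev = 0, [0] * (len(b) + 1)
    for i in range(1, len(a) + 1):
        cur = [0] * (len(b) + 1)
        for j in range(1, len(b) + 1):
            if a[i - 1] == b[j - 1]:
                cur[j] = prev[j - 1] + 1
                best = max(best, cur[j])
        prev = cur
    return best


def check_new_password(candidate, exposed, min_length=16, max_shared=5):
    """Return (ok, reason). Length is checked before complexity, per the article;
    exact re-use is rejected outright; a stem longer than max_shared characters
    in common with any exposed password (e.g. "bruinsfan") is rejected because
    an attacker who knows the stem only has to guess the suffix."""
    if len(candidate) < min_length:
        return False, f"shorter than {min_length} characters"
    if candidate.lower() in {old.lower() for old in exposed}:
        return False, "matches a previously exposed password"
    for old in exposed:
        shared = longest_common_substring(candidate, old)
        if shared > max_shared:
            return False, f"shares {shared} consecutive characters with an exposed password"
    return True, "ok"


# Constructed history for one user, in the style of the article's example.
EXPOSED = ["bruinsfan2015", "Bruinsfan!linkedin", "bruinsfan99"]
```

A user-made sentence such as “my neighbor paints fences orange” passes, while “bruinsfan!microsoft” fails on the shared stem even though it is long enough.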
How Connetic Can Help
Connetic solves IT; it’s as simple as that. The Connetic team has the training, knowledge, and expertise necessary to permanently resolve these types of password vulnerabilities and protect your company and customer data from a potential breach.
Connetic achieves superior data security for its clients by implementing simple yet effective multifactor solutions across all of their information services, including cloud services, traditional server-based services, and bring-your-own-device environments. Learn more about Connetic’s approach to data security on our website.