US President Trump, the United Nations, and Google have all earned themselves a position as some of the worst password offenders of 2018. Weak passcodes, the use of terrible passwords — such as “123456” or “QWERTY” — and a failure to change your account credentials on a regular basis have all, for years, been cautioned against for the sake of security.
Mayur Upadhyaya, Managing Director, EMEA at Janrain:
“Weak passwords fall victim to the same exploit as breached passwords: credential stuffing. This is an automated attack that attempts to log in to sites and applications with user credentials that have been harvested or simply guessed. With so much organised cybercrime, these bad actors acquire more breached passwords, enabling them to build up more verbose cracking dictionaries that can be used on other sites. This is why password reuse puts consumers and those in high public office at risk. If an attacker happens to have the correct username and password of an account, there is a high chance that even the best-secured website or app will think it’s the real user.
It’s becoming more important for brands and organisations to invest in specialist centralised consumer identity platforms, so websites and apps are able to recognise suspicious behaviour. For example, if multiple unsuccessful login attempts occur in a short period of time, or if a user based in the US suddenly attempts to log in from a foreign IP address.
Accounts should then require step-up authentication, meaning that the user is required to provide additional information to log in, or the account should be locked down completely to protect the user’s data. Solutions that can spot bots (automated attacks) trying to verify stolen credentials are slowly becoming table stakes in the market as these credential dictionaries reach billions.”
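The detection logic the quote sketches (a burst of failed logins on one account, a login from a country the user has never used, step-up authentication or a lockout as the response) can be illustrated in a few dozen lines. The following is an added example for this article, not Janrain's product or code. It goes one step beyond the quote by also tracking a signal that characterises automated credential stuffing: a single source IP failing against many different usernames inside the window, so that a bot which finally hits a correct password is still challenged. The thresholds, usernames, IP addresses and login events are all constructed for the example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Tunable thresholds (assumed values for this example, not vendor settings).
WINDOW = timedelta(minutes=5)   # sliding window in which failures are counted
STEP_UP_FAILURES = 3            # recent failures on one account -> step-up auth
LOCK_FAILURES = 6               # recent failures on one account -> lock the account
BOT_DISTINCT_USERS = 5          # one IP failing against this many accounts -> treat as bot


class LoginRiskEvaluator:
    """Returns an action for each login attempt: allow, step_up, deny or lock."""

    def __init__(self, home_country):
        self.home_country = dict(home_country)     # username -> country the user normally logs in from
        self.user_failures = defaultdict(deque)    # username -> timestamps of recent failures
        self.ip_failed_users = defaultdict(deque)  # source IP -> (timestamp, username) of recent failures
        self.locked = set()

    @staticmethod
    def _trim(dq, now, key=lambda item: item):
        """Age out entries older than WINDOW; a success does not reset the count,
        only time does, so a correct guess arriving mid-burst is still flagged."""
        while dq and now - key(dq[0]) > WINDOW:
            dq.popleft()

    def evaluate(self, ts, user, ip, country, success):
        if user in self.locked:
            return "lock"
        self._trim(self.user_failures[user], ts)
        self._trim(self.ip_failed_users[ip], ts, key=lambda item: item[0])

        if not success:
            self.user_failures[user].append(ts)
            self.ip_failed_users[ip].append((ts, user))

        user_fail_count = len(self.user_failures[user])
        distinct_users_from_ip = len({u for _, u in self.ip_failed_users[ip]})
        # An unknown user has no baseline, so only a known user can be "foreign".
        foreign = country != self.home_country.get(user, country)

        if user_fail_count >= LOCK_FAILURES:
            self.locked.add(user)
            return "lock"
        if not success:
            return "deny"
        risky = (user_fail_count >= STEP_UP_FAILURES
                 or distinct_users_from_ip >= BOT_DISTINCT_USERS
                 or foreign)
        return "step_up" if risky else "allow"


# Constructed sample authentication log: (seconds after BASE, user, source IP, country, password correct?)
BASE = datetime(2018, 12, 1, 10, 0, 0)
SAMPLE_EVENTS = [
    (0, "alice", "203.0.113.7", "US", True),     # normal login
    (5, "alice", "198.51.100.9", "FR", True),    # right password, unexpected country
    (60, "bob", "192.0.2.10", "US", False),      # three quick failures on bob...
    (70, "bob", "192.0.2.10", "US", False),
    (80, "bob", "192.0.2.10", "US", False),
    (90, "bob", "192.0.2.10", "US", True),       # ...then the right password
    (120, "dave", "192.0.2.66", "US", False),    # one IP spraying many accounts
    (130, "erin", "192.0.2.66", "US", False),
    (140, "frank", "192.0.2.66", "US", False),
    (150, "grace", "192.0.2.66", "US", False),
    (160, "heidi", "192.0.2.66", "US", False),
    (170, "carol", "192.0.2.66", "GB", True),    # same IP, correct credentials for carol
    (180, "bob", "192.0.2.10", "US", False),     # bob's failures resume within the window
    (190, "bob", "192.0.2.10", "US", False),
    (200, "bob", "192.0.2.10", "US", False),     # sixth failure in 5 minutes
    (210, "bob", "192.0.2.10", "US", True),      # correct password, but account is locked
]
HOME_COUNTRY = {"alice": "US", "bob": "US", "carol": "GB"}


def run_sample():
    """Replay the constructed log and return the action taken for each attempt."""
    evaluator = LoginRiskEvaluator(HOME_COUNTRY)
    return [
        evaluator.evaluate(BASE + timedelta(seconds=offset), user, ip, country, ok)
        for offset, user, ip, country, ok in SAMPLE_EVENTS
    ]


if __name__ == "__main__":
    for event, action in zip(SAMPLE_EVENTS, run_sample()):
        print(f"{event[1]:>6} from {event[2]:<13} ({event[3]}) -> {action}")
```

The interesting rows are the two successful logins that are challenged rather than allowed: bob's correct password right after a burst of failures, and carol's correct password from an IP that has just failed against five other accounts. That second case is exactly the scenario the quote warns about: the attacker holds valid credentials, so a password check alone would pass them through.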
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.