
Why we keep talking about password security
Protecting your credentials is one of the most important things you can do to defend yourself from ransomware and other cyberattacks. There are thousands of articles on password managers, best practices, and multi-factor authentication. Network domains, SaaS applications, and other systems often enforce complexity requirements on the passwords in a credential set, and even the most basic computer user has been told not to share passwords. So, why are we still talking about this topic?
The 2023 Verizon Data Breach Investigations Report (DBIR) reveals that threat actors value credentials more than any other data type, including personal data and sensitive information like Social Security numbers. Stolen credentials account for 44.7% of all data breaches, up from 41.6% in 2022. The same report finds stolen credentials to be the most common entry point in data breaches, and the most compromised data type in breaches occurring in North America (67%) and EMEA (53%).
The most dangerous stolen credentials are those that remain active after they have been stolen. Attackers want to log into the targeted system as authenticated users. This allows them to traverse the systems as an authorized user and often extends the length of time they can hide from intrusion detection. Current credentials are especially important to nation-state actors and big-game hunters.
Ways credentials are used in cyberattacks
Obsolete credentials may be less valuable, but there are still several ways for attackers to use old login information. This is underscored by the fact that stolen data is almost always sold to other attackers, and larger data sets are often sold at higher prices. Here are a few different ways that credentials are used in cyberattacks:
Unauthorized access: The most obvious use of a credential set is the one mentioned above. Criminals use login information to access a system and proceed with the attack.
Credential stuffing: This is an automated attack that attempts to log into web applications by rotating through sets of stolen credentials. It doesn’t matter if the credentials are current or outdated, because the credential set is being used on many different web applications.
It may help to think of your user ID and password as a single physical key to a locked door. Imagine a criminal with a bag of keys just like yours, trying each one on the door to see if he can get in. The door could lead to a bank, retailer, healthcare portal, HVAC management system, or any other online service. If the key works, then he’ll have access to everything your key will open. If the key doesn’t work, it really doesn’t matter to him. He has millions of keys and an army of bots using them on many different doors at the same time.
Multiple surveys reveal that passwords are often reused and shared, which means there’s a fair chance that some of those stolen credentials will work on more than one system. Credential stuffing is a very common attack.
Password spraying: This attack is like credential stuffing, but it rotates through a list of user accounts paired with the same password for all. In our handy criminal-door-key scenario, the key represents a single password rather than a complete credential set. Once the criminal has tried one key on all the doors, he returns to the first door with a different key. This is most effective on systems that use default passwords, like routers, CCTV cameras, and other smart devices. This attack is a good example of why criminals value a verified username, even without a password attached.
Brute force: Many people compare this attack to using a battering ram on a door, but I find it more akin to picking a lock. A brute force attack attempts to log into a system by pairing a username with an automated attempt to discover a password by “systematically trying every possible combination of letters, numbers, and symbols” until the attack is successful. Most of these attacks start with wordlists, common passwords, and smart rulesets before attempting to construct the password using all possible combinations. Given enough time, all brute force attacks will work. If the passwords are complex and not already in a wordlist, a brute force attack could take years to finally guess the correct password.
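The three attack shapes just described (credential stuffing, password spraying, and brute force) leave different footprints in an authentication log, and a defender can pick them out with a sliding-window count. The following is an added example written for this post, not code from the original article or from Barracuda. The log format ("timestamp ip username result") and every line in SAMPLE_LOG are constructed for the example; the thresholds and the ten-minute window are assumptions to be tuned per environment. Because a login log records usernames and outcomes but not the password that was tried, stuffing and spraying both trip the same "one source, many users" rule, while brute force trips the "one user, many failures" rule. The third rule flags the case the text calls most dangerous: a successful login from a source that was already failing, meaning a working credential was found.

```python
"""Sliding-window detection for credential stuffing, password spraying,
and brute force in a simple authentication log (added example)."""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source ip> <username> <OK|FAIL>".
# 203.0.113.5 fails against five different users (stuffing/spraying shape),
# 198.51.100.7 hammers one account (brute-force shape), and 192.0.2.9 is a
# normal user who mistypes once and then logs in.
SAMPLE_LOG = """\
2024-01-10T09:00:01 203.0.113.5 alice FAIL
2024-01-10T09:00:02 203.0.113.5 bob FAIL
2024-01-10T09:00:03 203.0.113.5 carol FAIL
2024-01-10T09:00:04 203.0.113.5 dave FAIL
2024-01-10T09:00:05 203.0.113.5 frank FAIL
2024-01-10T09:00:06 203.0.113.5 grace OK
2024-01-10T09:01:00 198.51.100.7 erin FAIL
2024-01-10T09:01:10 198.51.100.7 erin FAIL
2024-01-10T09:01:20 198.51.100.7 erin FAIL
2024-01-10T09:01:30 198.51.100.7 erin FAIL
2024-01-10T09:01:40 198.51.100.7 erin FAIL
2024-01-10T09:01:50 198.51.100.7 erin OK
2024-01-10T09:05:00 192.0.2.9 bob FAIL
2024-01-10T09:05:30 192.0.2.9 bob OK
"""


@dataclass(frozen=True)
class Attempt:
    ts: datetime
    ip: str
    user: str
    ok: bool


def parse_line(line):
    """Parse one constructed log line into an Attempt."""
    ts, ip, user, result = line.split()
    return Attempt(datetime.fromisoformat(ts), ip, user, result == "OK")


def parse_log(text):
    return [parse_line(line) for line in text.splitlines() if line.strip()]


def detect(attempts, window=timedelta(minutes=10), user_threshold=5, fail_threshold=5):
    """Return a sorted list of (rule, key) findings.

    many_users_one_source  - one IP fails against >= user_threshold distinct
                             users inside `window` (credential stuffing or
                             password spraying; the log cannot tell which)
    many_failures_one_user - one username fails >= fail_threshold times
                             inside `window` (brute force / dictionary attack)
    success_after_failures - a login succeeds from an IP already flagged by
                             either rule above, i.e. a valid credential was found
    """
    findings = set()
    by_ip = defaultdict(deque)     # recent attempts per source address
    by_user = defaultdict(deque)   # recent failure timestamps per username
    flagged_ips = set()
    for a in sorted(attempts, key=lambda x: x.ts):
        q = by_ip[a.ip]
        q.append(a)
        while q and a.ts - q[0].ts > window:   # drop attempts older than the window
            q.popleft()
        if a.ok:
            if a.ip in flagged_ips:
                findings.add(("success_after_failures", f"{a.ip}->{a.user}"))
            continue
        failed_users = {x.user for x in q if not x.ok}
        if len(failed_users) >= user_threshold:
            findings.add(("many_users_one_source", a.ip))
            flagged_ips.add(a.ip)
        uq = by_user[a.user]
        uq.append(a.ts)
        while uq and a.ts - uq[0] > window:
            uq.popleft()
        if len(uq) >= fail_threshold:
            findings.add(("many_failures_one_user", a.user))
            flagged_ips.add(a.ip)
    return sorted(findings)


if __name__ == "__main__":
    for rule, key in detect(parse_log(SAMPLE_LOG)):
        print(f"{rule:24s} {key}")
```

The rules are deliberately simple so the thresholds are easy to reason about; in production the "many users, one source" rule is usually keyed on something broader than a single IP, because stuffing tools spread attempts across proxies.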
How to defend against these types of attacks
Although there are significant awareness and enforcement efforts around password security, we still see a significant number of attacks that start with weak or exposed credentials. The recent ransomware attack on the City of Dallas is just one example of how much a criminal can do with a stolen set of credentials. Protecting your credentials must be a priority in your security plan. Implementing best practices in password management is an important first step, but it’s not enough. Companies should deploy multi-level protection that defends inboxes, applications, endpoints, and the network edge.
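The "first step" the paragraph refers to, password-management best practice, is enforceable at the point where a user sets a password. The following is an added example, not code from the original post or from Barracuda, showing the checks a service can run on a candidate password: a minimum length, a lookup against a list of passwords already seen in breaches (which directly counters credential stuffing and password spraying), and a comparison against the account's previous password hashes to block the reuse described earlier. The breach list, the MIN_LENGTH value, the PBKDF2 iteration count, and the account history are all constructed assumptions for the example; a real deployment would source the list from a breach corpus and store the salted hashes in its user database.

```python
"""Password-acceptance checks run when a user sets a new password (added example)."""
import hashlib
import hmac
import os

MIN_LENGTH = 12  # assumed policy value

# Constructed breach list, stored as uppercase SHA-1 hex digests so the
# plaintexts never sit on disk (the convention breached-password APIs use).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ["password", "Password123!", "Summer2023", "letmein"]
}


def in_breach_list(password):
    """Look the candidate up by 5-character hash prefix, then compare the full
    digest. In a k-anonymity lookup only the prefix would leave the client;
    here the whole list is local to the example."""
    digest = hashlib.sha1(password.encode()).hexdigest().upper()
    candidates = {h for h in BREACHED_SHA1 if h.startswith(digest[:5])}
    return digest in candidates


def hash_for_storage(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-password salt; returns (salt, hash).
    The iteration count is an assumed value for the example."""
    salt = os.urandom(16) if salt is None else salt
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)


def matches_stored(password, salt, stored):
    """Constant-time comparison against a stored (salt, hash) pair."""
    return hmac.compare_digest(hash_for_storage(password, salt)[1], stored)


def evaluate(password, history):
    """Return the list of reasons the password is rejected; empty means accepted.
    `history` is a list of (salt, hash) pairs for the account's past passwords."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if in_breach_list(password):
        reasons.append("appears in a known breach")
    if any(matches_stored(password, salt, stored) for salt, stored in history):
        reasons.append("reused from this account's history")
    return reasons


if __name__ == "__main__":
    account_history = [hash_for_storage("correct horse battery staple")]
    for candidate in ["Summer2023", "correct horse battery staple", "a different long passphrase 42"]:
        print(candidate, "->", evaluate(candidate, account_history) or "accepted")
```

Rejecting a breached password with a reason the user can act on is more effective than composition rules alone: a password that satisfies "one upper, one digit, one symbol" but sits in every attacker's wordlist gains nothing from the rule.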
You can defend all of these threat vectors and protect your data with Barracuda's cybersecurity platform. Our solutions protect all attack surfaces, including email, networks, and applications. No other company offers such complete cybersecurity solutions.