Safe password management is more important than ever as cybercriminals are increasingly targeting people with socially engineered attacks, many of which aim to steal credentials. This World Password Day is a great time for Australians to strengthen their passwords and ensure they’re managing their credentials safely and securely. Passwords truly are a critical line of defense between your data and finances, and a cybercriminal.
In a recent study, Proofpoint found that 42 percent of Australian working adults use the same password across multiple accounts. In fact, 25 percent of Australia respondents rotate the use of five to 10 passwords, while 17 percent use the same 1 or 2 passwords for all their online accounts. Neither of these options is advisable from a security perspective.
The dangers of password reuse have been made abundantly clear through the rise in successful credential stuffing attacks. Credential stuffing attacks allow cybercriminals to gain access to accounts through a combination of previously stolen credentials and password reuse. In these cases, the account information isn’t stolen directly, but instead attackers take usernames and passwords that have been previously stolen elsewhere and try them against other services. If an individual has had their credentials stolen and is using those same stolen credentials on another site, the attackers can access that account as well.
In addition to credential stuffing, cybercriminals regularly send credential phishing attacks that direct potential victims towards spoofed login portals for targeted organisations and use URL shortening services to help deliver payloads and to further obfuscate campaigns. We’ve also seen threat groups leverage sophisticated strains of information-stealing malware or keyloggers as well, often delivered through email phishing campaigns leveraging social engineering. Keyloggers will deliver even the most complex and unique passwords directly to the attacker.
Recommendations
We recommend that users differentiate all of their accounts with strong and unique passwords that are changed frequently (twice a year for personal accounts and every three months for business accounts). Some quick tips to create strong passwords include:
- Use a passphrase: Create a sentence and use the first letter or two of each word as your password, mixing in other types of characters.
- Leverage a password manager to create randomised passwords that are safely stored, encrypted, and accessible across all personal devices.
- Avoid including personal information when creating a password, such as birth dates or the names of people close to you, pets or sports teams.
When speaking with users, we’ve found that many typically reuse passwords or don’t change them on a regular basis because password management is inconvenient. Additionally, many find it difficult to remember increasingly complex passwords for the multitude of online services they are using today, which includes things like company’s intranet login, bank accounts, streaming services accounts, government services accounts, etc. For these reasons, we highly recommend a password manager.
For more information on our State of the Phish report, please visit: https://www.proofpoint.com/au/resources/threat-reports/state-of-phish