Cybercriminals commonly use compromised passwords in cyberattacks. For example, in ransomware attacks, compromised passwords have now surpassed phishing scams as the No. 1 way to gain access to the systems in which the ransomware is planted, according to F-Secure’s “Attack Landscape H1 2019” report. And compromised passwords are No. 2 on hackers’ list of tools for gaining access to the systems from which they want to steal data, according to Verizon’s “2019 Data Breach Investigations Report.”
How Cybercriminals Get Passwords
Cybercriminals get passwords a variety of ways, including:
- Phishing scams. Digital con artists trick people into revealing their passwords.
- Data breaches. Hackers breach IT systems to get credentials and other stored data.
- Key logging. Key-logging software or hardware records victims’ keystrokes — including any entered credentials — and transmits them to cybercriminals.
- Dark web. Hackers buy compromised credentials being sold by other cybercriminals on the dark web.
- Automated brute-force password-cracking tools. Using automated tools, hackers try numerous possible passwords against a known user ID (e.g., an email address).
- Password spraying. Hackers know that people reuse passwords, so they try a victim’s known password with possible user IDs in an effort to access the victim’s other accounts.
With the exception of brute-force password-cracking, it doesn’t matter if the password is strong or weak. That’s because the cybercriminals already have the exact password.
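The point above is easy to see in code: a password that passes every conventional strength test is still useless once it appears in a breach. The following Python example is added here and is not part of the original article. It checks a candidate password two ways, a conventional strength test and a lookup against a breach index, and reports "compromised" regardless of how strong the password looks. The breach index is a small constructed list standing in for a real breach corpus; it is stored as SHA-1 digests split into a 5-character prefix and the remaining suffix, modelled on the k-anonymity range lookup used by services such as Have I Been Pwned, but no network call is made.

```python
import hashlib
import string

# Constructed sample of "breached" passwords standing in for a real breach corpus.
# "Winter2019!Secure" is deliberately a strong-looking password so the check
# shows that strength alone does not protect a password that has leaked.
SAMPLE_BREACHED = ["password", "123456", "Winter2019!Secure", "Summer2019!"]


def _sha1_hex(pw: str) -> str:
    return hashlib.sha1(pw.encode("utf-8")).hexdigest().upper()


def build_breach_index(passwords):
    """Map SHA-1 5-char prefix -> set of 35-char suffixes (k-anonymity layout)."""
    index = {}
    for pw in passwords:
        digest = _sha1_hex(pw)
        index.setdefault(digest[:5], set()).add(digest[5:])
    return index


BREACH_INDEX = build_breach_index(SAMPLE_BREACHED)


def is_strong(pw: str) -> bool:
    """Conventional strength test: 12+ characters and at least three character classes."""
    classes = [
        any(c.islower() for c in pw),
        any(c.isupper() for c in pw),
        any(c.isdigit() for c in pw),
        any(c in string.punctuation for c in pw),
    ]
    return len(pw) >= 12 and sum(classes) >= 3


def is_compromised(pw: str, index=BREACH_INDEX) -> bool:
    """True if the password's SHA-1 appears in the breach index.

    In a real range query only `prefix` would leave the client; the suffix
    comparison always happens locally, so the password itself is never sent."""
    digest = _sha1_hex(pw)
    prefix, suffix = digest[:5], digest[5:]
    return suffix in index.get(prefix, set())


def evaluate(pw: str, index=BREACH_INDEX) -> str:
    """Return 'compromised', 'weak' or 'ok'. A breached password fails no matter how strong."""
    if is_compromised(pw, index):
        return "compromised"
    if not is_strong(pw):
        return "weak"
    return "ok"


if __name__ == "__main__":
    for candidate in ["password", "letmein", "Winter2019!Secure", "correct-horse-Battery9"]:
        print(f"{candidate!r}: strong={is_strong(candidate)} -> {evaluate(candidate)}")
```

The ordering in `evaluate` is the whole lesson: the breach check runs first, so "Winter2019!Secure" is rejected even though `is_strong` returns True for it. A login or password-change form wired this way enforces both rules the article recommends: unique (never seen in a breach) and strong.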
So, What Should You Do to Protect Your Business?
So, what should you do to protect your online accounts and ultimately your company? For starters, you and your employees should continue using strong passwords for business accounts. This insight should not be used as an excuse to start (or continue) using weak passwords. Using unique, strong passwords is still an important line of defense in protecting your business. However, it is not the only security measure you should take.
Besides using unique, strong passwords, it is a good idea to use two-step verification (also known as two-factor authentication) for business accounts whenever possible. With two-step verification, a second credential is needed to log in, such as a one-time security code. This adds an extra layer of protection that can prevent unauthorized access to your online accounts. It also helps defend against other types of cyberattacks. For example, Microsoft found that two-step verification blocks 99.9% of automated account takeover attacks.
Many popular online services now offer two-step verification. For example, Microsoft Office 365, Dropbox, and LinkedIn all offer it. If you would like additional information about setting up and using two-step verification, contact us.