By Sairaman Srinivasan, Chief Strategy Officer, Consortium for Technical Education (CTE)
Weak and default passwords remain one of the most significant security issues organisations face worldwide. The problem affects organisations of every size and type, from small businesses to large corporations, non-profit organisations, and government agencies. Studies and breach reports consistently place weak and default passwords among the top causes of data breaches and cyber-attacks; the Verizon 2021 Data Breach Investigations Report found that 61% of breaches involved credential data.
Default passwords are set by device manufacturers and software vendors, printed in the documentation and therefore widely known, so any system still using one can be accessed by anyone who looks the value up. Weak passwords are ones that are easy to guess because they are too short, too simple, or in common use. Attackers recover weak passwords with brute-force and dictionary attacks, either against the login interface or against stolen password hashes; phishing sidesteps password strength entirely by tricking the user into handing the password over.
Addressing concerns around default and weak passwords
The primary risk of default passwords is that they are public knowledge: they appear in manuals and on vendor websites and are collected in freely available default-credential lists, so every attacker already has them. Manufacturers and service providers supply them as temporary credentials for initial installation or configuration, and they are only safe if they are replaced at that point.
When users or system administrators fail to change or reset them, the systems stay exposed. Attackers do not need to guess: they look up the default for the device model, or try the handful of simple words and numbers that vendors habitually use.
Default and weak password practices are still widespread in organisations. Passwords such as “123456”, “qwerty”, “admin”, “admin@123”, and “password” appear year after year among the most commonly used. When such passwords are reused across multiple accounts the situation gets worse: a password leaked from one service can be tried against every other account the same user holds.
Once devices and services that still carry default passwords are reachable from the internet, attackers need nothing more sophisticated than password spraying (trying a few common or default passwords against many accounts, staying below any lockout threshold) or credential stuffing (replaying username and password pairs leaked from other breaches) to gain unauthorised access. The consequences range from data breaches and exposure of sensitive information to financial loss and identity theft. Changing default passwords immediately after installation or configuration is therefore essential, and choosing a strong, distinct password for every device and account on the network is the accepted best practice.
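The two attack patterns named above leave different traces in authentication logs, and the detection logic for them is short. The following is an added example, not code from the original article: it parses constructed sshd-style log lines (made up for this example), groups failed logins by source address, and labels each source as spraying (failures spread across many accounts), brute force (many failures against one account) or benign. The thresholds, host name and addresses are assumptions of the example.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Constructed sshd-style syslog lines for the example; not real traffic.
SAMPLE_LOG = """\
Jan 10 09:00:01 gw sshd[1201]: Failed password for admin from 203.0.113.5 port 40001 ssh2
Jan 10 09:00:03 gw sshd[1202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 09:00:05 gw sshd[1203]: Failed password for invalid user guest from 203.0.113.5 port 40003 ssh2
Jan 10 09:00:07 gw sshd[1204]: Failed password for invalid user test from 203.0.113.5 port 40004 ssh2
Jan 10 09:00:09 gw sshd[1205]: Failed password for invalid user oracle from 203.0.113.5 port 40005 ssh2
Jan 10 09:00:11 gw sshd[1206]: Failed password for invalid user backup from 203.0.113.5 port 40006 ssh2
Jan 10 09:01:00 gw sshd[1301]: Failed password for admin from 198.51.100.7 port 50001 ssh2
Jan 10 09:01:02 gw sshd[1302]: Failed password for admin from 198.51.100.7 port 50002 ssh2
Jan 10 09:01:04 gw sshd[1303]: Failed password for admin from 198.51.100.7 port 50003 ssh2
Jan 10 09:01:06 gw sshd[1304]: Failed password for admin from 198.51.100.7 port 50004 ssh2
Jan 10 09:01:08 gw sshd[1305]: Failed password for admin from 198.51.100.7 port 50005 ssh2
Jan 10 09:02:00 gw sshd[1401]: Failed password for alice from 192.0.2.9 port 60001 ssh2
Jan 10 09:02:04 gw sshd[1402]: Accepted password for alice from 192.0.2.9 port 60001 ssh2
"""

# Matches the OpenSSH "Failed/Accepted password for [invalid user] NAME from IP port N" form.
LINE_RE = re.compile(
    r"sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)


def parse_line(line: str) -> dict | None:
    """Return {'result', 'user', 'ip'} for a password-auth line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {"result": m["result"], "user": m["user"], "ip": m["ip"]}


def classify_sources(lines, spray_min_accounts: int = 5, brute_min_attempts: int = 5) -> dict:
    """Label every source IP that produced failed logins.

    'spraying'    : failures spread over >= spray_min_accounts distinct accounts
    'brute-force' : >= brute_min_attempts failures against a single account
    'benign'      : below both thresholds (typos, a forgotten password)
    Thresholds are example values; tune them to the environment.
    """
    failures: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        ev = parse_line(line)
        if ev and ev["result"] == "Failed":
            failures[ev["ip"]][ev["user"]] += 1

    verdicts = {}
    for ip, per_user in failures.items():
        if len(per_user) >= spray_min_accounts:
            label = "spraying"
        elif max(per_user.values()) >= brute_min_attempts:
            label = "brute-force"
        else:
            label = "benign"
        verdicts[ip] = {
            "label": label,
            "accounts": len(per_user),
            "failures": sum(per_user.values()),
        }
    return verdicts


if __name__ == "__main__":
    for ip, verdict in classify_sources(SAMPLE_LOG.splitlines()).items():
        print(ip, verdict)
```

The point of keying on the source address rather than the account is that spraying deliberately touches each account once, so a per-account failed-login counter never fires; only a view across accounts reveals it. Real deployments also bound the count to a time window and account for attackers rotating through many addresses.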
Implementing safeguarding measures
The first priority is to prevent the breaches that stem from weak or default passwords, which calls for a deliberate password programme rather than an ad hoc reaction after the fact. Its elements are: encouraging users to choose stronger passwords; enforcing a written password policy that sets minimum length and any other composition requirements; maintaining a deny list that blocks common and weak passwords, including known defaults and their trivial variants, at the point where a password is set; running security awareness and training programmes that explain why passwords must be changed after a security incident; and locking, or at least throttling, an account after a set number of consecutive failed login attempts.
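Two of those controls, the deny list and the lockout, are easy to get subtly wrong, so here is an added example of both (written for this article; not the author's code or any product's). The deny list is a small constructed set; a real deployment loads a large breached-password corpus. The normalisation that turns “admin@123” into “admin” before the lookup is a heuristic chosen for this example, as are the length threshold, the lockout limits and the user names. Following NIST SP 800-63B, the policy relies on length plus the deny list rather than character-class rules.

```python
from __future__ import annotations

import re
from datetime import datetime, timedelta

# Constructed deny list for the example. Production systems should load a large
# list of breached and common passwords plus the vendor defaults they deploy.
DENY_LIST = {"123456", "qwerty", "admin", "password", "welcome", "letmein"}

# Substitutions users make to dodge naive checks; example assumption, not exhaustive.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "$": "s", "5": "s", "!": "i"})


def normalize(password: str) -> str:
    """Reduce a password to the dictionary word it is built on.

    Strips a trailing run of digits/symbols (the "@123" in "admin@123"),
    lowercases, and undoes common leetspeak so that "P@ssw0rd1234" is still
    recognised as "password".
    """
    root = re.sub(r"[\W\d_]+$", "", password)
    return root.lower().translate(LEET)


def check_password(password: str, min_length: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means acceptable."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    root = normalize(password)
    if password.lower() in DENY_LIST or (root and root in DENY_LIST):
        problems.append("based on a common or default password")
    return problems


class LockoutTracker:
    """Counts consecutive failed logins per account and locks it temporarily.

    Time is passed in explicitly so the behaviour is deterministic and testable.
    """

    def __init__(self, max_failures: int = 5, lockout: timedelta = timedelta(minutes=15)):
        self.max_failures = max_failures
        self.lockout = lockout
        self._failures: dict[str, int] = {}
        self._locked_until: dict[str, datetime] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        until = self._locked_until.get(user)
        if until is None:
            return False
        if now >= until:
            # Lockout expired: clear state so the counter starts fresh.
            del self._locked_until[user]
            self._failures.pop(user, None)
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed attempt; return True if the account is (now) locked."""
        if self.is_locked(user, now):
            return True
        count = self._failures.get(user, 0) + 1
        self._failures[user] = count
        if count >= self.max_failures:
            self._locked_until[user] = now + self.lockout
            return True
        return False

    def record_success(self, user: str) -> None:
        """A successful login resets the consecutive-failure counter."""
        self._failures.pop(user, None)


if __name__ == "__main__":
    for candidate in ("admin@123", "P@ssw0rd1234", "correct-horse-battery"):
        print(candidate, "->", check_password(candidate) or "ok")
```

Note that the lockout is a defence against brute force on one account; an attacker spraying one attempt per account across the whole user base never trips it, which is why the deny list (so the sprayed passwords are not in use) and source-based monitoring are needed alongside it.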
Stored credentials need the same care. Databases holding sensitive information must be correctly configured and their contents encrypted, and passwords themselves must never be stored in plain text or under reversible encryption: they should be stored as salted hashes produced by a deliberately slow algorithm such as bcrypt, scrypt or Argon2, so that a stolen database does not hand the attacker usable passwords. Credentials should be rotated whenever compromise is suspected (current NIST SP 800-63B guidance no longer recommends forced periodic changes, which tend to produce predictable variants of the old password), and multi-factor authentication (MFA) should be enforced so that a password on its own, even a stolen one, is not enough to get into the account.
Two-factor authentication (2FA) raises the bar above the password alone, since passwords can be compromised. It requires the user to present two different kinds of evidence: something they know (the password) and something they have, such as a phone running an authenticator app or receiving a one-time password (OTP), or a hardware security key. An attacker who holds only the password is therefore stopped at the second step.
2FA is effective, but not infallible. OTPs delivered by SMS can be intercepted through SIM swapping, and a code of any kind can be phished in real time by a proxy site that relays it to the genuine service before it expires; phishing-resistant methods such as FIDO2/WebAuthn security keys close that gap. Users should still keep their passwords strong, unique and well protected, and change them whenever compromise is suspected.
Weak and compromised passwords remain the greatest danger to an organisation’s cybersecurity: they make brute-force attacks easy and are a common initial access vector for ransomware. Strong, unique passwords that have been checked against breach lists are therefore essential, because advanced security measures layered on top cannot compensate for a password the attacker already knows.