🐡 Your password (might) suck

Passwords have a fascinating history. The first digital password was created over 60 years ago, in 1961, and we still use it every day in the modern world! Swipe a pattern and each zig-zag pleases the password gods. Scan your thumb, or better yet use Face ID. Be sure to use at least one capital letter and a number, but every time you type Password1!, the password angels weep.

🔑 Halt! Who goes there? FRIEND or FOE?

🔒 Credential-Stealing Malware

🥷🏻 Cipher Samurai


🔑 Halt! Who goes there? FRIEND or FOE?

Passwords go way back. Ancient civilizations had password systems long before the digital era. They were used to permit access to secure places around kingdoms and castles.

Upon entering a medieval castle, the sentry would validate your identity by saying “Halt, who goes there? Friend or foe?” By stating your username and that you bend your knee to the king, you will be granted passage. Recite otherwise, and you may be met with an unfriendly arrow.

Feudal Japan used passphrases (a group or sequence of words) that validated access to royal grounds. They changed this access code often, sometimes daily, and based it on poetry so a Samurai would have an easy time remembering these invisible access badges.

The first digital password was created in 1961 by MIT computer science professor Fernando Corbato. Corbato was working on a project to create a time-sharing computer system that would allow multiple users to access the same computer at the same time. He realized that he needed a way to keep each user's data separate, so he came up with the idea of using passwords.

How effective are passwords? Use your dog's name - no one will know. Let’s capitalize the first letter, and try adding a secret number! It's probably the number one, and it’s probably added to the end of your doggy's name. Ruh-roh, passwords are predictable. The average person in 2022 has 100 passwords. Many people reuse passwords across different apps and platforms.

🔒 Credential-Stealing Malware

Stealing credentials is a lucrative business. The data that is harvested is commonly used for an attack called credential stuffing. Quoting the Open Worldwide Application Security Project Foundation:

Credential stuffing is the automated injection of stolen username and password pairs (“credentials”) into website login forms, in order to fraudulently gain access to user accounts.

Since many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.

Credential Stuffing is a subset of the brute force attack category. Brute forcing will attempt to try multiple passwords against one or multiple accounts; guessing a password, in other words. Credential Stuffing typically refers to specifically using known (breached) username / password pairs against other websites.

OWASP

The cybersecurity industry is facing a significant threat from information-stealing malware (see “Over 400,000 corporate credentials stolen by info-stealing malware”), which has infiltrated business environments at scale. These malware families are offered to cybercriminals on a subscription-based model, enabling them to run campaigns that steal data from infected devices. The stolen information can include sensitive business credentials, authentication cookies, and corporate access to business applications, making it necessary for businesses to implement strict cybersecurity measures.
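As an added illustration (not part of the original post or the OWASP text), this Python snippet applies the distinction above to constructed auth-log lines: a source that tries each stolen pair once across many accounts looks like credential stuffing, while one hammering a single account looks like plain brute force, and any account a stuffing source actually got into is flagged for a reset. The log format, the IP addresses and the thresholds are assumptions.

```python
from collections import defaultdict

MIN_FAILURES = 5        # ignore sources with fewer failed logins than this
SPREAD_THRESHOLD = 0.8  # distinct users / attempts; near 1.0 means one try per account

# Constructed sample lines in a hypothetical "<timestamp> <src_ip> <user> <result>" format.
SAMPLE_LOG = [
    "2024-01-10T09:00:01 203.0.113.7 alice FAIL",
    "2024-01-10T09:00:02 203.0.113.7 bob FAIL",
    "2024-01-10T09:00:02 203.0.113.7 carol FAIL",
    "2024-01-10T09:00:03 203.0.113.7 dave FAIL",
    "2024-01-10T09:00:03 203.0.113.7 erin OK",    # a stolen pair that still works here
    "2024-01-10T09:00:04 203.0.113.7 frank FAIL",
    "2024-01-10T09:01:00 192.0.2.20 alice FAIL",  # a single typo from a real user
] + [f"2024-01-10T09:00:{10 + i} 198.51.100.9 alice FAIL" for i in range(8)]

def summarize(lines):
    """Per source IP: attempts, failures, distinct users, and users who logged in
    after earlier failures from the same source (a likely reused credential)."""
    stats = defaultdict(lambda: {"attempts": 0, "fails": 0, "users": set(), "hits": set()})
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in ("OK", "FAIL"):
            continue  # skip malformed lines rather than crash the detector
        ip, user, result = parts[1:]
        s = stats[ip]
        s["attempts"] += 1
        s["users"].add(user)
        if result == "FAIL":
            s["fails"] += 1
        elif s["fails"]:
            s["hits"].add(user)
    return stats

def classify(lines):
    """Map each noisy source IP to 'credential_stuffing' or plain 'brute_force'."""
    verdicts = {}
    for ip, s in summarize(lines).items():
        if s["fails"] < MIN_FAILURES:
            continue  # below the noise floor: ordinary typos, not an attack
        spread = len(s["users"]) / s["attempts"]
        # Stuffing tries each stolen pair once across many accounts (spread near 1.0);
        # classic brute force hammers one account with many guesses (spread near 0).
        verdicts[ip] = "credential_stuffing" if spread >= SPREAD_THRESHOLD else "brute_force"
    return verdicts

def accounts_to_reset(lines):
    """Accounts a stuffing source got into: treat that password as breached and reused."""
    stats = summarize(lines)
    return {u for ip, v in classify(lines).items() if v == "credential_stuffing" for u in stats[ip]["hits"]}
```

On the sample above, 203.0.113.7 is classified as credential stuffing, 198.51.100.9 as brute force, and erin's account is the one to reset.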

🥷🏻 Cipher Samurai

Enter the dojo, and let’s practice our craft. Here is the training regimen:

  • Use MFA - this is typically perceived as inconvenient. Getting an email to confirm your login, or using an authenticator app to punch in a temporary code will give you the strength of a thousand punches.

  • Set password guidelines and rules, and enforce them. This will bring honor and glory to your masters and students alike.

  • Don’t assume users understand the importance of a strong password practice. From clerks to execs, provide simple, clear, and regular training. Have compassion towards your fellow associates.

Be brave, oh, benevolent net defender!

Resources:
