The moment a password is discovered, a virtual private network (VPN) becomes public quickly. In a report published last week, password management provider Specops Software revealed 2,151,523 VPN credentials exposed by malware over the past year.
One professional at the company revealed that many users aren't protecting, or even caring all that much about, a valuable network entrypoint based on the 2 million+ VPN passwords that were pulled from the company's threat-intelligence platform.
“If we look at some of the content of those passwords, that’s where we really start seeing where there’s still, unfortunately, a general apathy around security, and password security in particular,” Darren James, senior product manager at Outpost24 (which acquired Specops in 2021), stated.
This is Qwerty. The report's most popular passwords are certainly familiar to you; they are the usual consecutive numbers and versions of "password" and "qwerty." The top compromised password—found 5,290 times, according to Specops—is "123456.”
And, in fact, 5,290 represents progress—a "quite low" figure, according to the Specops team, given that the information contained almost 2 million VPN passwords. "This could suggest that end users may have generally been using unique, or even strong passwords for their VPN credentials," according to the Sept. 17 blog.
Even complex passwords can be stolen, according to James, when spyware known as keystroke loggers monitor logins and phishing emails trick users into disclosing VPN credentials.
According to a recent report by cyber insurance provider At-Bay, self-managed VPNs accounted for 63% of remote-access ransomware attacks in 2023.
While several VPN-specific discoveries suggested consumer-level vulnerabilities, given the linked email addresses, the analysis also revealed corporate risk. Several discovered passwords meet the length and complexity requirements for Active Directory in many organisations.
Specops researchers recommend blocking several of the alleged stolen business passwords, such as Abcd@123# and Lordthankyou2.
“Ultimately, it comes down to password reuse. Even if you’ve got a super-strong password, you need to be able to check that that password hasn’t become breached or hasn’t been stolen since the last time you’ve set it,” James added.