
Overly Complex Passwords Could Weaken Security Measures

Password creation is one of the areas where websites and mobile apps lay down rules intended to keep accounts as safe as possible. However, a federal agency thinks some of those requirements do more harm than good.

A new proposal from the National Institute of Standards and Technology (NIST) sets out guidelines for protecting people's digital identities from fraud. One of them bans password requirements that cybersecurity experts have long considered obsolete: it is no longer necessary to demand special characters such as "%" and "$", nor to ask users to name their children's favourite pet or their first pet as a security question.

First, it is important to understand why forcing a password change every six months is not only ineffective but can actually make users' accounts harder to secure. When people are forced to change their passwords every few months, they tend to take the path of least resistance and simply change a couple of characters in their existing password. That makes the new password easier to remember, but it also means that an attacker who has already compromised the user's system, or who has come across a password the user has used before, can easily guess the new one.

Composing passwords from a mix of character types and changing them regularly are no longer best practices for password management. That is according to new guidelines released by the United States National Institute of Standards and Technology (NIST), the body charged with developing and releasing guidelines that help organizations keep their data safe. The second public draft of NIST's Digital Identity Guidelines (SP 800-63-4), which appeared in September 2024, is the latest version published.

It is much better to use a strong, unique password for each account than to rotate passwords as a substitute for strength. A strong password draws on a variety of letters and numbers rather than plain dictionary words, which an automated attack program will pick up quickly. Users should also avoid variations on a single theme, such as "password1" followed by "password2".

Users who are serious about their security should use passphrases instead of traditional passwords; passphrases are much harder for attackers to guess. Our blog also covers how to create a strong password. Those who do not want to memorise a strong, unique password for every online account should use a password manager such as NordPass.

Length, rather than complexity, has therefore become the more straightforward measure of whether a password is effective. Online services have long required passwords that mix character types, but several analyses of breached password databases have found that such rules do not have as great an effect as initially thought. Given the vast number of online accounts a person manages, maintaining a unique password for every one of them can still be a daunting task, even when the passwords are kept short and memorable.
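The following is an added example, not code from the blog post or from NIST, showing what a verifier-side check looks like when it follows the approach described above: judge a candidate password by its length and by a blocklist of known compromised or common passwords, and reject trivial rotations of the previous password, without composition rules or scheduled expiry. The length thresholds are the draft's minimum, recommended and maximum values as the author of this example understands them, and the blocklist entries are constructed for illustration.

```python
"""Password acceptance check in the spirit of NIST SP 800-63B: length plus a
blocklist of compromised/common passwords instead of composition rules and
forced rotation. Added example; thresholds are assumed from the draft and
the blocklist is constructed."""
import re
import unicodedata
from typing import List, Optional, Set

MIN_LENGTH = 8           # assumed hard floor for user-chosen passwords
RECOMMENDED_LENGTH = 15  # assumed recommended minimum for single-factor use
MAX_LENGTH = 64          # assumed minimum length a verifier must accept

# Constructed stand-in for a breached/common-password list (lower-case entries).
BLOCKLIST: Set[str] = {"password", "password1", "qwerty123", "letmein",
                       "iloveyou", "12345678"}


def normalize(password: str) -> str:
    # Unicode NFKC so visually identical inputs compare equal; spaces are allowed.
    return unicodedata.normalize("NFKC", password)


def strip_theme(password: str) -> str:
    """Reduce a password to its underlying 'theme': lower-case, trailing digits
    and symbols removed, a few common leet substitutions undone. Used both for
    blocklist matching and for spotting 'password1' -> 'password2' rotations."""
    core = password.lower()
    core = re.sub(r"[\W\d_]+$", "", core)                   # drop '1', '!', '2024'
    return core.translate(str.maketrans("@013$", "aoles"))  # @->a 0->o 1->l 3->e $->s


def check_new_password(candidate: str, previous: Optional[str] = None,
                       blocklist: Set[str] = BLOCKLIST) -> List[str]:
    """Return the reasons to reject the candidate; an empty list means accept.
    `previous` is the old password as typed by the user at change time, if any."""
    pw = normalize(candidate)
    reasons: List[str] = []
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(pw) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if pw.lower() in blocklist or strip_theme(pw) in blocklist:
        reasons.append("matches a known compromised or common password")
    if previous is not None and strip_theme(pw) == strip_theme(normalize(previous)):
        reasons.append("trivial variation of the previous password")
    return reasons


def meets_recommended_length(candidate: str) -> bool:
    # Advisory only: the draft recommends, but does not require, the longer floor.
    return len(normalize(candidate)) >= RECOMMENDED_LENGTH


if __name__ == "__main__":
    for pw, old in [("correct horse battery staple", None),
                    ("P@ssw0rd!", None),
                    ("Summer2024!", "summer2023")]:
        verdict = check_new_password(pw, old) or ["accepted"]
        print(f"{pw!r}: {', '.join(verdict)}; "
              f"recommended length: {meets_recommended_length(pw)}")
```

The `strip_theme` reduction is deliberately crude; its job is to catch the lazy rotation the post describes (bump a digit, swap a symbol), not to estimate entropy. In production the blocklist would be a large compromised-password corpus rather than a handful of literals.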

Password managers play an important role here. They store every password in an encrypted vault that users can access securely, so there is no need to worry about forgetting the password for any individual account. With a password manager installed, the user only needs to remember one strong master password to unlock the vault, which streamlines their online security and reduces the risk that comes with reusing passwords.

A password manager can also generate long, secure passwords on the user's behalf, further raising their level of security. Robust passwords are vital, but they are only one layer of security. Two-factor authentication (2FA) adds another: it requires a second verification method, such as a code sent to the user's mobile phone or generated by an authentication app, before granting access to the account.

Even if a hacker manages to obtain a user's password, 2FA is meant to stop them from gaining access to the account, so compromised passwords alone make an account much harder to breach. One of the biggest mistakes people make when creating passwords is choosing easy-to-guess personal information.

That information could be anything from their name or birth date to the sports club they support. Such details are often available through social media or public records, which makes them a convenient starting point for cybercriminals attempting to gain access to accounts. To minimise this risk, personal details should be kept out of passwords altogether.

Instead, users should create unpredictable passwords that are significantly harder for attackers to guess. Another critical mistake is storing passwords in plain text on personal devices. For the sake of convenience, some people save their passwords in unprotected documents without considering the security risk involved. If the device is compromised, those plain text files can be read straight away, leaving sensitive information exposed to unauthorised users.

A safer alternative is to use password management software, which securely stores passwords while also encrypting them. This adds an essential layer of security and ensures that even if the device is breached, the stored passwords remain protected. It is also crucial for users to pay attention to security notifications issued by websites and online services. These alerts are often triggered by unusual or suspicious activity and serve as an early warning system for potential security breaches. Unfortunately, such warnings are frequently ignored or overlooked, which can leave accounts exposed to further exploitation.

By promptly addressing these notifications, individuals can take immediate action, such as changing passwords or enabling additional security measures, to mitigate the threat before it escalates. Lastly, neglecting to regularly update software and applications can lead to unnecessary security vulnerabilities. Software updates frequently contain critical security patches designed to address newly discovered threats.

By failing to install these updates promptly, individuals leave themselves susceptible to attacks that could have been prevented. Maintaining up-to-date software is an essential practice for ensuring the latest security features are in place, reducing the chances of a successful cyberattack.

Security Nightmare with Hackers Releasing 1,000 Crore Passwords in Major Breach

Cyber-security breaches are becoming more and more prevalent, and this is causing a great deal of public concern. A report by Semafor claims that a file containing nearly 10 billion (1,000 crore) passwords has been leaked on an online hacking forum. The incident, which took place on July 4th, is regarded as among the largest cyber-security breaches recorded. The report highlights that the massive leak could be used to perform credential stuffing attacks.

Credential stuffing is a type of cyberattack in which hackers take usernames and passwords exposed in earlier data breaches and try them against other accounts owned by the same individual. The significant rise in cyberattacks and data-theft attempts over the past five years has made financial harm a worldwide problem, not only for individual citizens but also for governments and financial institutions around the globe.

Cybersecurity reports state that around 10 billion passwords, covering everything from social media accounts to personal email accounts, have been made public on global forums. It is without doubt one of the biggest data breaches in history.

According to the Semafor news website, the file of around 10 billion (1,000 crore) passwords leaked on online hacking forums was compiled by an anonymous hacker, who combined several old and new password breaches into a single collection. It was uploaded to the internet on July 4 and is one of the largest leaks seen to date. The Semafor report says the leak has increased the risk of credential-stuffing attacks.

Because the leak comes as a single searchable file, hackers will have an easier time finding a given user's data. In a credential stuffing attack, once one password has been compromised, hackers try it against other accounts connected to the same user. For example, a user who reuses their email password for online banking could have their bank account broken into using the leaked email password.
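From the defender's side, credential stuffing leaves a recognisable footprint in authentication logs: one source tries many different accounts in a short time, most attempts fail, and the occasional success marks an account whose reused password was in the leaked file. The following added example (not code from the blog post or from Semafor) runs that detection over a few constructed log lines; the log format, IP addresses, usernames and thresholds are all invented for illustration.

```python
"""Detect credential-stuffing patterns in authentication logs: one source
hitting many distinct accounts inside a short window with mostly failures,
then list the accounts that nevertheless logged in from that source.
Added example with a constructed log; format and thresholds are assumptions."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log. Format: "<ISO timestamp> <source IP> <username> <OK|FAIL>"
SAMPLE_LOG = """\
2024-07-05T10:00:01 203.0.113.10 alice FAIL
2024-07-05T10:00:02 203.0.113.10 bob FAIL
2024-07-05T10:00:02 203.0.113.10 carol FAIL
2024-07-05T10:00:03 203.0.113.10 dave FAIL
2024-07-05T10:00:03 203.0.113.10 erin OK
2024-07-05T10:00:04 203.0.113.10 frank FAIL
2024-07-05T10:00:05 203.0.113.10 grace FAIL
2024-07-05T10:00:09 198.51.100.7 alice FAIL
2024-07-05T10:00:40 198.51.100.7 alice FAIL
2024-07-05T10:01:10 198.51.100.7 alice OK
2024-07-05T10:02:00 192.0.2.55 heidi OK
this line is malformed and must be skipped
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (OK|FAIL)$")


def parse(log_text):
    """Return (timestamp, ip, user, success) tuples; malformed lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, ip, user, result = m.groups()
        events.append((datetime.fromisoformat(ts), ip, user, result == "OK"))
    return events


def detect_stuffing(events, window=timedelta(seconds=60), min_users=5,
                    max_success_ratio=0.5):
    """Return {ip: (distinct_users, attempts, successes)} for each source that,
    within any `window`, tried at least `min_users` distinct accounts and
    succeeded on at most `max_success_ratio` of those attempts. The reported
    tuple is the widest qualifying window for that source."""
    by_ip = defaultdict(list)
    for ts, ip, user, ok in sorted(events):
        by_ip[ip].append((ts, user, ok))
    flagged = {}
    for ip, attempts in by_ip.items():
        best = None
        start = 0
        for end in range(len(attempts)):          # sliding window over this source
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            chunk = attempts[start:end + 1]
            users = {u for _, u, _ in chunk}
            successes = sum(1 for _, _, ok in chunk if ok)
            if len(users) >= min_users and successes / len(chunk) <= max_success_ratio:
                stats = (len(users), len(chunk), successes)
                if best is None or stats > best:
                    best = stats
        if best is not None:
            flagged[ip] = best
    return flagged


def accounts_to_review(events, flagged_ips):
    """Accounts that logged in successfully from a flagged source: their reused
    passwords are the ones most likely to be in the attacker's list."""
    return sorted({user for _, ip, user, ok in events if ok and ip in flagged_ips})


if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    hits = detect_stuffing(evs)
    for ip, (users, attempts, ok) in hits.items():
        print(f"{ip}: {users} accounts, {attempts} attempts, {ok} succeeded")
    print("accounts to force a reset on:", accounts_to_review(evs, hits))
```

The single-account retries from `198.51.100.7` are deliberately left unflagged: that pattern is ordinary brute force or a forgetful user, and a per-account lockout handles it. Credential stuffing is distinguished by breadth across accounts, which is why the rule keys on distinct usernames per source rather than on failure count alone.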

Cyber-news outlets report that credential stuffing attacks have compromised users of platforms such as AT&T, Santander Bank, Ticketmaster, 23andMe, and several other companies. The report also notes, citing a report by the International Monetary Fund (IMF) and a study published in the Lancet, that the number of malicious cyberattacks has doubled globally since 2020, with the financial industry (20,000 cyberattacks since 2020) and the health sector hit hardest.

The sheer size of the leak has, however, provided some relief for worried netizens: some analysts have suggested that a file that large may be impractical to access at all. The report notes that the likelihood of cyberattacks is not heightened simply because more passwords have been leaked, though the leak does highlight the "glaring holes" in the security systems in place.