The internet security slang pwned-- pronounced ‘poned’-- is mainly used to indicate administrative control over someone’s computer account or computer. A password that has been pwned is one that has been compromised in some kind of breach, and it means that it’s no longer safe to use.
Pwned passwords are what hackers use to compromise accounts--whether breaking into your bank account, or stealing your Netflix. Issues like password reuse and weak passwords are well known to hackers, who exploit human error to commit cyber crimes.
Students, parents, employees, and network administrators alike are all guilty of engaging with bad security habits. It’s important to learn about these patterns so that we can tackle them together and help protect ourselves and each other.
Three of the most common bad habits are:
Even as alternative authentication methods become more available,
the password remains the most common authentication method at both the corporate and consumer levels. We enter passwords all day every day: clocking in to work, signing on to a Zoom call, or relaxing with a movie after work. Passwords are ubiquitous and likely to stick around.
Of course, it’s difficult to remember unique passwords for all of your accounts and all of your devices. To make things easier on ourselves,
people choose weak passwords, like ‘password’ or common dictionary words like ‘football’ or ‘summer’ followed by easily-guessed number combinations like ‘2020’. These passwords are extremely
easy for hackers to guess.
People also think that a slight change, of a few digits or characters, will throw off a hacker’s ability to guess the password, so they might change the letter ‘O’ to the digit ‘0’, or add an exclamation mark to the end of the password. Even if these tiny variations satisfy the ‘new password’ requirements, they also tend to follow simple patterns and are just as easy to guess.
The Verizon DBIR report revealed that 80% of hacking breaches were related to compromised passwords. This isn’t surprising: people are repeatedly choosing weak passwords, the passwords are guessed, and breaches occur.
2. Password Sharing
In a small recent study, 34% of respondents said they share passwords with coworkers. This is potentially indicative of a broader trend that folks--couples, families, etc.--share passwords.
For coworkers, sharing passwords is most often done for convenience of collaboration. But there are many safer ways to do this that employees could be encouraged to use instead. Password sharing causes employers and employees to lose track of who has access to what document, network, and system. It also means people may retain access to sensitive information after leaving a job.
3. Password Reuse
Another enduring bad habit is password reuse. It’s a natural experience to find it difficult to remember many unique passwords, but the unfortunate work-around that many people choose is a source of major security issues. This is the error of using the same password (or a near-exact variation) for multiple accounts, across multiple systems. It’s also common for people to use their favored password in both personal and corporate systems.
We’re also not as clever as we think, and it’s likely that multiple individuals in a group will come up with the same password. So even if you haven’t personally used a password like ‘administrator123’ at work before, someone else might have done so. That person’s account can be breached and cracked, and then all related accounts are further endangered because passwords are generally ‘reused’ between many users.
This wide-scale reusing can lead to major breaches because of the chain reaction. For example, let’s say you use the password ‘S0ccer2020’ for your personal LinkedIn account, your shared family Disney Plus account, and your employee login. Then, let’s say that there is a breach at LinkedIn, and you find out that your credentials have been compromised. No problem, because you can just change your LinkedIn password, right?
As you may have surmised: wrong. If you’ve reused your password, it becomes clear that every other account is in danger as well; in fact, it only takes a single compromised password to lead to, in this example, what could be an entire corporate takeover. Hackers exploit the common issue of password reuse all the time by using both credential stuffing and password spraying. This means that your credentials, once stolen, will be ‘stuffed’ into as many other websites as hackers can process.
Good Changes to Make
Based on the bad habits above, it’s obvious that we should all be choosing longer, randomized passwords. But there are also tools that can help users without causing too much personal friction.
Some possible solutions are:
1. Use Multi-factor Authentication (MFA)
Just as it would be ineffective to lock your door but leave your windows wide open, it’s becoming a poor decision to only use a single layer of cybersecurity. Multiple levels of security are better than one--which is why homeowners install cameras as well as deadbolts--and the same holds for password use. If enterprises are only going to use a single layer of security, passwords are the ubiquitous option, but a distinct and secure next layer would be hugely useful to many companies, considering how common credential breaches are.
Using multi-factor authentication intelligently is key; more layers means bad actors are less likely to be able to steal information. On its own, any security system is fallible, weak or reused passwords perhaps most of all. Adding MFA is one way to add security to passwords.
2. Educate employees and coworkers on an ongoing basis
Employers can’t count on employees staying current on ever-evolving security practices on their own. For one, there’s often conflicting information. Additionally, there will be enterprise-specific protocols to take on board. But if employers can regularly provide training about security practices, it will benefit their employees at every level.
Employers should not only explain what to do or what to avoid, but also explain why. This will promote better security habits long-term as employees will respond more intelligently to unfamiliar threats, instead of blindly following rules.
Account security doesn’t exist in a vacuum. It helps to train staff about common issues like phishing scams that happen in day to day personal life as well as at work. Employers can avoid making a training about compliance standards and instead educate employees about overall credential security. If employees make safer choices when it comes
to their personal accounts, those credentials are less likely to be stolen and then used to break into an enterprise’s network.
3. Use a password blacklist service
One of the best ways to pump up the strength of employees’ passwords is to screen them against lists of commonly-used and compromised passwords, called a password blacklist. Specifically, it’s best to pick a blacklist-monitoring service that is expansive, and constantly updated. There are websites that publish and sell stolen credentials, and these, as well as credentials leaked on the dark web, must be continuously monitored to maintain an effective security posture as data breaches occur.
Through screening, users are restricted from selecting known-compromised passwords that introduce security risks. And if the service is a good one, organizations can monitor existing passwords for exposure - because a password that is safe today can be compromised overnight.
It’s especially helpful to employ a blacklist service if you use systems like Microsoft Active Directory which are widely used for corporate and scholastic enterprises, but can make an entire network vulnerable. AD is one of the most prevalent solutions for network device management, but it was never designed to plunge into the recesses of the dark web for compromised credentials. Instead it relies on a company-maintained list of banned passwords that is non-exhaustive and only updated occasionally (if at all).
If you want to check whether or not an individual password has already been pwned, you can use a service like Password Check. This free and secure service will check against billions of previously compromised passwords to see if yours has already been leaked. Another free option for that works across the organization is a Password Auditor to can scan all of Active Directory.
Checking user credentials against a blacklist is also part of the newest NIST security guidelines, making it an even more applicable step to take within a company’s security protocols.
The TL;DR