“Select a combination of words, numbers, special characters, and cases.” “Avoid reusing passwords for multiple accounts.” “Choose a password you haven’t used previously.”
These types of messages are familiar to everyone, and enterprises continually reiterate them.
No one enjoys passwords (they can feel like a daily chore), and people can be negligent – this includes administrators.
In fact, according to recent research conducted by cybersecurity company Outpost24, system administrators commonly use easily guessable passwords such as “admin” and other similarly easy-to-guess options. Default passwords are also frequently used during initial setup and login.
“With our personal and professional lives becoming increasingly online, we must change how we approach passwords,” stated Darren James, senior product manager at Outpost24, in an interview with VentureBeat. “Using the same short password that is easy to guess across multiple systems may make it easier to remember, but it also significantly increases vulnerability to attacks.”
Top 20 Administrator Passwords According to Outpost24 Research
Outpost24’s ongoing monitoring and intelligence revealed approximately 1.8 million passwords. “admin” appeared over 40,000 times, followed by “12345,” “12345678,” “1234,” and “password.”
This is consistent with broader breach research: the Verizon Data Breach Investigations Report found that credential theft is one of the primary ways attackers gain access to organizations (alongside phishing and vulnerability exploitation).
In addition, nearly three-quarters (74%) of breaches are caused by human error, such as the use of stolen credentials, privilege abuse, and social engineering.
Attackers are increasingly using password-stealing malware (stealers). Once installed (e.g. after a user opens a malicious attachment), these programs run in the background and harvest credentials, including logins stored by web browsers, FTP clients and mail clients, as well as wallet files.
Another way threat actors obtain passwords, according to login intelligence gathered by Outpost24, is brute-force attacks: trying many password or passphrase combinations in the hope of eventually guessing the correct one. This is often combined with credential stuffing, where a password obtained from one account is tried on other accounts.
Administrators are humans too
So, even though most of us are aware of the risks, why are we still negligent when it comes to passwords?
According to James, it’s not solely the fault of the users; organizations and services must establish appropriate policies and tools that support good password practices.
Many systems still rely on old, short passwords with seven to 12 characters, which were in use before the Internet became ubiquitous. Organizations often fail to provide users with guidance on how to change passwords, resulting in predictable patterns such as simply changing a number at the end (let’s admit, we are all guilty of this).
But shouldn’t administrators know better by now?
“It’s crucial to eliminate weak administrator passwords, but administrators are human too, and they take shortcuts like the rest of us,” James explained.
Practicing Good Security Hygiene
Default passwords should be automatically changed the first time they are used – this should be a company requirement, James suggested.
Organizations must also put the right policies in place and apply them to the appropriate individuals. Administrators should have two accounts: one for non-administrative tasks (e.g., managing email, conducting research) and another for their administrator role, each with separate passwords.
James added, “They should be required to use long, strong, and unbreakable passwords for these accounts – and unfortunately for administrators, I would still recommend changing them regularly.”
Whenever possible, administrator accounts should have multi-factor authentication (MFA) enabled. Moreover, if administrators struggle with managing multiple passwords – without resorting to writing them down or saving them in insecure documents or emails, which pose additional security risks – they should consider using a password manager.
These management systems should always have a strong passphrase, which is longer than a password and more difficult for hackers to guess. For example, James suggested using three random words, each with 15 letters, that hold personal significance.
Complexity is unnecessary, and violations can instead be caught by continuous scanning, James claimed, concluding, “You don’t even need to change it.”
Passwords Aren’t Disappearing, So Remain Vigilant
It’s not uncommon for many of us to have tens or even hundreds of passwords today, and James acknowledged that “creating unique passwords for every system we log into is just not something most of us can do.”
In addition to avoiding obvious mistakes like using default passwords, James recommended using anti-malware tools and regularly scanning login credentials to ensure they haven’t been compromised. Scanning can also detect if those logins are used across multiple accounts. Disabling browser password saving and auto-fill settings is another important practice.
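The hygiene practices above (rejecting default passwords, a long passphrase instead of a complex one, separate admin and non-admin accounts that must not share a password, and catching the "just change the number at the end" pattern) can be enforced at password-change time. The following is an added illustration, not code from Outpost24 or from the article; the denylist is built only from the top entries quoted earlier, the 15-character minimum is an assumed policy value, and the stored hashes are constructed inline.

```python
import hashlib
import re
import secrets

# Constructed denylist: the top entries Outpost24 reported in the article.
DENYLIST = {"admin", "12345", "12345678", "1234", "password"}
MIN_PASSPHRASE_LEN = 15  # assumed minimum for this example, not a quoted policy


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); one record per account."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


def matches(password, record):
    """Constant-time check of a candidate against a stored (salt, digest) record."""
    salt, digest = record
    return secrets.compare_digest(hash_password(password, salt)[1], digest)


def _stem(password):
    # "Summer2023" and "Summer2024" share the stem "summer": the trailing
    # number is the only thing that changed.
    return re.sub(r"\d+$", "", password).lower()


def evaluate_change(new_password, old_password, other_records):
    """Return the list of policy violations for a proposed password change.

    old_password: the current password the user supplies during the change
    (empty string on first use of a default account).
    other_records: stored (salt, digest) records of the same person's other
    accounts, e.g. the non-admin account paired with an admin account, so
    reuse is detected without those plaintexts ever being stored.
    """
    problems = []
    if new_password.lower() in DENYLIST:
        problems.append("denylisted default/common password")
    if len(new_password) < MIN_PASSPHRASE_LEN:
        problems.append(f"shorter than {MIN_PASSPHRASE_LEN} characters")
    if old_password and _stem(new_password) == _stem(old_password):
        problems.append("only the trailing number changed")
    if any(matches(new_password, rec) for rec in other_records):
        problems.append("reused across this person's accounts")
    return problems
```

The reuse check hashes the candidate with each other account's salt, so the scan works against stored hashes rather than a plaintext inventory of credentials.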
James also stressed the importance of being cautious of domain typosquatting (when hackers register domains with intentionally misspelled versions of common websites) and verifying that you’re redirected to the correct sites after clicking on ads.
Passwordless authentication and passkeys are emerging methods to enhance cybersecurity, but James noted that they are still far from being fully viable. Therefore, until an authentication utopia arrives (which may take a while), organizations need to do their best. Emphasis should be placed on implementing good practices and using appropriate tools for managing and securing passwords.
For those who have diligently created strong, long, and complex passwords and are concerned about Outpost24’s findings, James provided encouragement, saying, “Keep up the good work!”
Additionally, he advised spreading awareness among colleagues, stating, “Preach to your nearby coworkers.”
Ultimately, James affirmed that “passwords, whether we like them or not, will continue to be a critical part of the authentication process for the foreseeable future.” He emphasized the extreme importance of using them correctly, as one compromised credential could expose an entire infrastructure or personal life.