One of the biggest network security concerns that no one is talking about is the sudden influx of hacked usernames and passwords that have found their way into the black market. A survey conducted by Ofcom claims that up to 55% of all internet users reuse the same passwords over and over for most of the websites that they visit. With this in mind, a single leaked password could represent the keys to the kingdom for the majority of internet users.
Leaked Passwords Make International Headlines
Notable companies such as Yahoo and LinkedIn have had tens of millions of user account details leaked online. In many instances, the leaked passwords were published in clear text.
In other instances, only the password hashes were leaked. Password data dumps happen each and every day. Just because a website is well known doesn't mean that your personal data isn't at risk.
In fact, larger websites are often the target of such hacking attempts. When these attacks succeed, the payoff is huge: millions of consumers can have their personal details accessed by unlawful third parties.
What's the Worst That Could Happen With a Leaked Password?
Take a trip down the rabbit hole and consider this scenario: your CEO, John Doe, has much of his personal information publicly accessible on the internet. Details such as his middle name, where he went to school and even details about his children can be found with a simple Google search.
Someone trolling through hacked social media accounts could discover your CEO's account. Putting two and two together, the attacker could realize that this password is the same one used for corporate network access.
Just like that, your corporate network could be compromised. Attackers could look for your domain's Outlook Web App login and instantly gain access to your CEO's corporate email. This type of attack is trivial to carry out, yet many administrators remain oblivious to even the simplest forms of attack.
How to Check if your Password Has Been Leaked
Several resources exist to help you find out whether your password has been leaked. One of the most popular websites is HaveIBeenPwned.com. Another website you could use is LeakedSource.com; there's a paid version of LeakedSource that you can use to find all the leaked details of users in your organization. You can send $2 in bitcoin to them and get unrestricted access to the database for 24 hours.
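As an added example (not code from the original post), here is a small Python client for the k-anonymity range lookup that HaveIBeenPwned's Pwned Passwords service exposes at api.pwnedpasswords.com/range/: only the first five hex characters of the password's SHA-1 leave your machine, and the remaining 35 are matched locally, so neither the password nor its full hash is sent anywhere. The sample response body and its counts are constructed so the demo runs offline; the live endpoint and the Add-Padding header are assumptions about the service's published API.

```python
from __future__ import annotations

import hashlib
import urllib.request
from typing import Callable

# Pwned Passwords k-anonymity endpoint: the client sends only the first five hex
# characters of the SHA-1 and matches the remaining 35 locally.
HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str) -> tuple[str, str]:
    """Split the uppercase hex SHA-1 of the password into (5-char prefix, 35-char suffix)."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(body: str) -> dict[str, int]:
    """Parse 'SUFFIX:COUNT' lines (CRLF-separated). Lines with a zero count are the
    padding entries the API adds when 'Add-Padding: true' is sent; they are dropped."""
    counts: dict[str, int] = {}
    for line in body.splitlines():
        suffix, sep, count = line.strip().partition(":")
        if sep and count.isdigit() and int(count) > 0:
            counts[suffix.upper()] = int(count)
    return counts


def fetch_range(prefix: str) -> str:
    """Live lookup of one prefix (network call; the offline demo below does not use it)."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"Add-Padding": "true", "User-Agent": "leak-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch: Callable[[str], str] = fetch_range) -> int:
    """How many times the password appears in the breach corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch(prefix)).get(suffix, 0)


# Constructed sample response for prefix 5BAA6; the real response has many more
# lines and the counts here are made up.
SAMPLE_RANGE_5BAA6 = "\r\n".join([
    "003D68EB55068C33ACE09247EE4C639306B:3",
    "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",  # suffix of sha1("password")
    "DEADBEEFDEADBEEFDEADBEEFDEADBEEF000:0",        # padding entry, ignored
])

if __name__ == "__main__":
    n = breach_count("password", lambda prefix: SAMPLE_RANGE_5BAA6)
    print("seen %d times in sample data" % n if n else "not in sample data")
```

A non-zero count means the password is known to attackers and should be rejected at password-change time, which is how a sign-up or reset form can enforce the "no leaked passwords" rule without ever storing clear text.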
How to Prevent Password Leaks In Your Organization
Organizations must stay vigilant about their password policies. Here is an 11-point plan that you can implement in your organization to prevent password leaks.
- Continuously pen-test your network
- Harden all of your external facing applications
- Enforce strict password guidelines for all users
- Require a capital letter, a number and a special character
- Minimum length should be 8 characters but more is preferred
- Require that all passwords be changed every 30 days
- Scan your Active Directory service for old, unused accounts
- Disallow saving clear text passwords or sending them through email
- Continuously check websites that will publish details on leaked passwords
- If you must store passwords digitally, do so using proper encryption techniques
- Use two factor authentication for logins
At ColoCrossing, we recommend that you follow the best practices of password management for all of your privileged applications. Did you know that ColoCrossing can help you manage your infrastructure while implementing information security best practices at the infrastructure level? Visit us here and connect with a managed services expert today.