Mar 15 2021

Password reuse defeats the purpose of passwords

Category: Password Security
DISC @ 2:27 pm

There are four forms of password reuse and they all are bad

The first and easiest to prevent is the use of the same password on the same account. For example, if my username is michael.schenck, my password is Football123, and the system prompts me to change my password but lets me use Football123 again – then I’m reusing an old password. This is a problem because old password databases may have been stolen and cracked, in which case the Football123 password could be compromised. In this scenario, the credentials (which a hacker now has access to) will still work today. Remember, the internet never forgets.

The most common form of password reuse is the use of the same password and email/account name for multiple sites and services (e.g., using Football123 as the password for your email, Netflix, bank, and personal Microsoft account). If one account is hacked, you must assume all are hacked. This can be especially messy since the average business employee must keep track of 191 passwords and changing all 191 would take several days.

A related form of password reuse blends the last two together – reusing the same password across accounts with different usernames. Most workplace IT configurations won’t let users reuse passwords. However, when an employee changes companies, their former employer’s password history controls no longer apply. This allows older passwords to be used at a new job. This, too, is a bad practice. As the databases of passwords on the dark web and open-source intelligence sources continue to grow, it becomes easier for a hacker to link a password to a person – regardless of the account username or the company they work for.

The last form of password reuse is the use of a common password. Every year numerous publications list the top 10, 20, 100 passwords used in the previous year. For example, in 2020 more than 2.5 million people used the password “123456.” Lists of popular passwords are used by hackers to script – or brute-force – logins to gain access. If you use any of these common passwords, it won’t be long until you get hacked.
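The post names two controls a site can apply on its own side: refusing a password that was already used on the same account (password history) and refusing passwords that appear on the published "most common" lists. The following is an added example, not code from the original post, showing one way to implement both. The common-password set and the 12-character minimum are constructed assumptions for the demonstration; a real deployment would load a full published list and store history in a database.

```python
import hashlib
import hmac
import os
from typing import List, Optional, Tuple

# Constructed sample of a "top passwords" list. Real lists run to thousands of entries;
# entries are stored lowercased so the comparison is case-insensitive.
COMMON_PASSWORDS = {"123456", "password", "football123", "qwerty", "123456789", "letmein"}

MIN_LENGTH = 12          # assumed policy value
PBKDF2_ITERATIONS = 100_000


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, digest). History keeps only salted hashes, never the old plaintexts."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordHistory:
    """Keeps the last `depth` password hashes for one account (the 'first form' of reuse)."""

    def __init__(self, depth: int = 10) -> None:
        self.depth = depth
        self.entries: List[Tuple[bytes, bytes]] = []   # (salt, digest), oldest first

    def record(self, password: str) -> None:
        self.entries.append(hash_password(password))
        self.entries = self.entries[-self.depth:]      # drop entries beyond the retained depth

    def was_used(self, password: str) -> bool:
        return any(matches(password, salt, digest) for salt, digest in self.entries)


def normalize(password: str) -> str:
    return password.strip().lower()


def check_new_password(password: str, history: PasswordHistory) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(password) in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if history.was_used(password):
        problems.append("was used before on this account")
    return problems


if __name__ == "__main__":
    history = PasswordHistory(depth=3)
    history.record("Football123")
    print(check_new_password("Football123", history))
    print(check_new_password("correct-horse-battery-staple", history))
```

Because each history entry carries its own salt, checking a candidate means recomputing the slow hash once per retained entry, so keep the depth modest (the example keeps three). The history check is case-sensitive on purpose, since the stored hash covers the exact string; the common-list check is case-insensitive because the published lists are.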

More on: Password reuse defeats the purpose of passwords

Tags: Password reuse


Mar 13 2021

Developing a Strong Security Posture in the Era of Remote Work

Tags: Remote work


Mar 01 2021

Intern caused ‘solarwinds123’ password leak

Category: Password Security
DISC @ 11:19 am

Initial investigation suggested that the password “solarwinds123” was publicly accessible via a misconfigured GitHub repository since June 17, 2018. The issue was addressed on November 22, 2019.

New details emerged about the security breach: in a hearing before the House Committees on Oversight and Reform and Homeland Security, CEO Sudhakar Ramakrishna confirmed that the password had been in use as early as 2017.

A preliminary investigation revealed that the threat actors behind the SolarWinds attack compromised the SolarWinds Orion supply chain as early as October 2019, but CrowdStrike's researchers later dated the initial compromise to September 4, 2019.

“I’ve got a stronger password than ‘solarwinds123’ to stop my kids from watching too much YouTube on their iPad,” Representative Katie Porter of California said. “You and your company were supposed to be preventing the Russians from reading Defense Department emails.”

“I believe that was a password that an intern used on one of his servers back in 2017 which was reported to our security team and it was immediately removed,” Ramakrishna said in response to Porter.

Intern caused ‘solarwinds123’ password

Tags: solarwinds123


Feb 13 2021

What’s your password?!

Category: Information Security, Password Security
DISC @ 6:40 pm


Jan 23 2021

Hacker blunder leaves stolen passwords exposed via Google search

Category: Information Security, Password Security
DISC @ 2:18 pm

Source: Hacker blunder leaves stolen passwords exposed via Google search

Hackers hitting thousands of organizations worldwide in a massive phishing campaign forgot to protect their loot and let Google index the stolen passwords, leaving them exposed to public searches.

The phishing campaign has been running for more than half a year and uses dozens of domains that host the phishing pages. It received constant updates to make the fraudulent Microsoft Office 365 login requests look more realistic.

Creds in plain sight

Despite relying on simple techniques, the campaign has been successful in bypassing email protection filters and collected at least 1,000 login credentials for corporate Office 365 accounts.

Researchers at cybersecurity companies Check Point and Otorio analyzing this campaign discovered that the hackers exposed the stolen credentials to the public internet.

In a report published today, they explain that the attackers exfiltrated the information to domains they had registered specifically for the task. Their mistake was that they put the data in a publicly visible file that Google indexed.

As a result, Google could show results for queries of a stolen email address or password, as seen in the screenshot above:


Jan 20 2021

More Ways To Make Passwords

Category: Password Security
DISC @ 11:06 pm


Jul 15 2020

Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices

Category: Hacking, Password Security
DISC @ 10:49 am

The list was shared by the operator of a DDoS booter service. The list was compiled by scanning the entire internet for devices that were exposing their Telnet port (23). Telnet sends passwords as plain text; are we still using clear-text protocols in 2020? The hacker then may try using factory default usernames and passwords, as well as easy-to-guess password combinations.

Source: Hacker leaks passwords for more than 500,000 servers, routers, and IoT devices | ZDNet



How Do Passwords Get Stolen?
httpv://www.youtube.com/watch?v=S_i8EhJWQ48







Download a Security Risk Assessment Steps paper!

Subscribe to DISC InfoSec blog by Email

Take an awareness quiz to test your basic cybersecurity knowledge

DISC InfoSec 🔒 securing the business 🔒 via latest InfoSec titles





Jun 05 2020

Apple releases new open source ‘Password Manager Resources’ project for developers – 9to5Mac

Category: Password Security
DISC @ 12:35 pm

Apple has announced today that it is launching an open source project designed for developers of password managers. The goal is to make it easier for developers to “create strong passwords that are compatible with popular websites. Apple’s iCloud Keychain platform is already able to generate strong passwords at the time of account creation or […]

Source: Apple releases new open source ‘Password Manager Resources’ project for developers – 9to5Mac



Password Security Best Practices
httpv://www.youtube.com/watch?v=t8SQo3R7qeU












Sep 09 2019

What’s your Password?!

Category: Password Security, Security Awareness
DISC @ 12:36 am

Very funny 😂 security password reminder, not funny that this is real!
httpv://www.youtube.com/watch?v=_u8Rss3W4Wg

Most Hilarious 😹 WiFi Names
httpv://www.youtube.com/watch?v=YDkt0FMcGLs

Obama 😎 finds ways to make cybersecurity funny 😎
httpv://www.youtube.com/watch?v=NpNk-tEkW_Q









Apr 05 2019

Password Security

Category: Authentication, Password Security
DISC @ 8:59 pm

Password Security Infographic by NCSC






