WEBINAR | A Deep-Dive into 2023 Cyber Threats
Reduce Alert Noise and False Positives
Boost your team's productivity by cutting down alert noise and false positives.
Automate Security Operations
Boost efficiency, reduce burnout, and better manage risk through automation.
Dark Web Monitoring
Online protection tuned to the need of your business.
Maximize Existing Security Investments
Improve efficiencies from existing investments in security tools.
Beyond MDR
Move your security operations beyond the limitations of MDR.
Secure with Microsoft 365 E5
Boost the power of Microsoft 365 E5 security.
Secure Multi-Cloud Environments
Improve cloud security and overcome complexity across multi-cloud environments.
Secure Mergers and Acquisitions
Control cyber risk for business acquisitions and dispersed business units.
Operational Technology
Solve security operations challenges affecting critical operational technology (OT) infrastructure.
Force-Multiply Your Security Operations
Whether you’re just starting your security journey, need to up your game, or you’re not happy with an existing service, we can help you to achieve your security goals.
Detection Investigation Response
Modernize Detection, Investigation, Response with a Security Operations Platform.
Threat Hunting
Locate and eliminate lurking threats with ReliaQuest GreyMatter
Threat Intelligence
Find cyber threats that have evaded your defenses.
Model Index
Security metrics to manage and improve security operations.
Breach and Attack Simulation
GreyMatter Verify is ReliaQuest’s automated breach and attack simulation capability.
Digital Risk Protection
Continuous monitoring of open, deep, and dark web sources to identify threats.
Phishing Analyzer
GreyMatter Phishing Analyzer removes the abuse mailbox management by automating the DIR process for you.
Integration Partners
The GreyMatter cloud-native Open XDR platform integrates with a fast-growing number of market-leading technologies.
Unify and Optimize Your Security Operations
ReliaQuest GreyMatter is a security operations platform built on an open XDR architecture and designed to help security teams increase visibility, reduce complexity, and manage risk across their security tools, including on-premises, clouds, networks, and endpoints.
Blog
Company Blog
Case Studies
Brands of the world trust ReliaQuest to achieve their security goals.
Data Sheets
Learn how to achieve your security outcomes faster with ReliaQuest GreyMatter.
eBooks
The latest security trends and perspectives to help inform your security operations.
Industry Guides and Reports
The latest security research and industry reports.
Podcasts
Catch up on the latest cybersecurity podcasts, and mindset moments from our very own mental performance coaches.
Solution Briefs
A deep dive on how ReliaQuest GreyMatter addresses security challenges.
White Papers
The latest white papers focused on security operations strategy, technology & insight.
Videos
Current and future SOC trends presented by our security experts.
Events & Webinars
Explore all upcoming company events, in-person and on-demand webinars
ReliaQuest ResourceCenter
From prevention techniques to emerging security trends, our comprehensive library can arm you with the tools you need to improve your security posture.
Threat Research
Get the latest threat analysis from the ReliaQuest Threat Research Team. ReliaQuest ShadowTalk Weekly podcast featuring discussions on the latest cybersecurity news and threat research.
Shadow Talk
ReliaQuest's ShadowTalk is a weekly podcast featuring discussions on the latest cybersecurity news and threat research. ShadowTalk's hosts come from threat intelligence, threat hunting, security research, and leadership backgrounds providing practical perspectives on the week's top cybersecurity stories.
April 18, 2024
About ReliaQuest
We bring our best attitude, energy and effort to everything we do, every day, to make security possible.
Leadership
Security is a team sport.
No Show Dogs Podcast
Mental Performance Coaches Derin McMains and Dr. Nicole Detling interview world-class performers across multiple industries.
Make It Possible
Make It Possible reflects our focus on bringing cybersecurity awareness to our communities and enabling the next generation of cybersecurity professionals.
Careers
Join our world-class team.
Press and Media Coverage
ReliaQuest newsroom covering the latest press release and media coverage.
Become a Channel Partner
When you partner with ReliaQuest, you help deliver world-class cybersecurity solutions.
Contact Us
How can we help you?
A Mindset Like No Other in the Industry
Many companies tout their cultures; at ReliaQuest, we share a mindset. We focus on four values every day to make security possible: being accountable, helpful, adaptable, and focused. These values drive development of our platform, relationships with our customers and partners, and further the ReliaQuest promise of security confidence across our customers and our own teams.
More results...
Note: This blog is an overview of password history and best practices for individuals in honor of World Password Day, if you’d like to get started with implementing better security practices at your organization get our Exposed Credentials Solutions Guide here.
Hooray! It’s World Password Day, meaning we have another chance to get passwords right and stop being terrible with them. For most people, passwords probably come to mind only during cybersecurity awareness month or when your employer forces you to make a new one; otherwise, chances are people aren’t thinking about them every day. In honor of today’s fresh start, we’ll walk you through some things to consider when creating security-aware passwords.
81% of breaches result from bad passwords (2020 Verizon DBIR)
The reality is that password security wouldn’t be such a hot topic for security teams everywhere if passwords weren’t such a weak point in corporate infrastructure and everyone’s daily lives. Imagine, just one layer of security protecting everything important? That’s a big part of today’s reality. As we saw in our previous research on initial access brokers, passwords are very much a hot commodity on cybercriminal forums and dark web marketplaces, and there’s a market for every kind. Whether it’s for social media, email, or site administrator access, someone has the goods and there are plenty of paying customers.
There are lots of figures floating around on the internet, and they’re all pretty bad. A landmark 2019 Google study indicated 66% of Americans reuse passwords across multiple sites. Less than 50% change their passwords after a breach, even if personal information was compromised, and nearly 25% of Americans have used weak passwords commonly, such as “password123”, “qwerty”, or “123456”. The other danger here is that Verizon’s landmark annual research in 2020 noted that 81% of breaches result from bad passwords, and this is probably due in some part to people reusing passwords an average of 14 times or through similar bad practices.
This year, CyberNews published a study on leaked passwords that shows interesting trends in how people create passwords. Using a set of 15 BILLION (emphasis ours) leaked passwords, they identified roughly 2 billion unique passwords (meaning 13 BILLION passwords weren’t unique, emphasis again ours). The top passwords confirmed other findings, such as the common qwerty/password ones mentioned already; however, they also found common themes in the use of people’s names, sports teams, and cities. To do this article justice, and especially if you love big data, I recommend giving all the findings a look.
One last interesting point is that Google’s study also found pet names frequently made the list; which, once you factor in criminals selling various bits of personal information that can be correlated to anything publicly available on social media and the internet, knowing your cat’s name may add another way to guess your password. The key is being careful and unpredictable when choosing your password and avoid common pratfalls.
TLDR; Short, simple passwords such as “password123”, “qwerty”, or “123456”can be broken in less than a second
The days of seven to ten character passwords are long over, mostly because they can be broken in less than a second. Also, today more sites support complex password use. Experts recommend making passwords complex through length and type of characters used, as well as to make them unique. Each additional character adds another step for a password tool and special characters increase complexity, increasing time and resources needed for an attack and making passwords a harder target.
With layered defenses in place, the longer an attacker spends on brute-forcing provides the greater chance the attack is blocked. Also, some companies are telling users when fraud is detected, usually if an account is accessed from somewhere new or from failed logins. This may be a sign that it’s time to change how you log in.
Multifactor authentication and password managers may save you.
Let’s talk about the part that’s easily shared amongst your circle. We’ve assembled some best practices here for easy consumption:
1. Don’t reuse passwords. Your Gmail password shouldn’t be the same one for shopping, social media, or checking scores for your fantasy football team. This increases the chance that if one of these sites is breached and your password leaks, that means all of these accounts are potentially compromised. Some companies may warn you that your password was exposed, and ask you to change it, but not everyone does this. Password managers can help you here.
2. Use all the types of characters you can. This includes upper and lowercase letters, symbols, spaces, and numbers, depending on the site itself. The higher the maximum number of characters (12 or more seems to be a good spot currently), the better— though sites may restrict you on length.
3. Try not to use actual words, if possible. US-CERT recommends no dictionary words of any language; however, if you speak Aramaic or another rare or ancient language there’s a slight chance you are safe. Beware some password cracking programs out
there try combinations with special characters and alphanumerics, so a program attempting “admin”, may also guess “adm1n”, “adm!n”, and so on.
4. No default or easy-to-guess passwords. We wouldn’t be saying this if it still wasn’t a problem. For example, someone sets up a WordPress site, puts it into production, and forgets to change the password from “password”. To be helpful to consumers some hardware and software manufacturers publish default usernames and passwords online. Bad guys are still using these defaults and top 20 bad passwords because they work, and it’s easy for them to maintain a collection of greatest hits while adding new breached passwords every day.
5. Use a password manager. There are so many options, including ones within popular browsers such as Chrome or Firefox. There are also cloud and desktop applications. If you opt for the free versions, ensure that it works on multiple devices, including mobile and desktop, or if you are limited at the free tier by type or number of devices. Password managers can ensure unique logins for every site you visit.
6. Use multifactor authentication (MFA). The goal of MFA is to reduce the chance of an attacker using a breached password to gain access. Definitely consider it to protect important email accounts or social media or anything containing your sensitive information. Best case, use it for everything you can. MFA can at least slow attackers down or even stop them completely if they can’t access or guess your token. What’s cool? This option is literally in everyone’s hands because there are authentication apps for your phone. Some apps also offer telephonic, biometric, or SMS authentication. Security experts will argue about the danger of your phone or other computing device being SIMjacked, or otherwise physically compromised, but any of these are still a much better option than nothing at all.
So, why bother? For starters, a good password is the easiest and cheapest way to keep control of your data. Some of the most preventable issues security teams face stem from all of us being our own worst enemies when it comes to password security, whether it’s a question of using good practices or even caring about them. Several newsworthy breaches stemmed from a bad password or a link in a chain of bad password practices. It’s hard to believe that one single factor secures so much, coupled with the fact that we’re not always great with it, but here we are.
Also, everyone has been there, even security experts. We have all used passwords we cringe about now. Personally, I’ve received notifications about a couple of dumb passwords I chose years ago from the early days of the internet. Never even considered I’d get breached because I didn’t think I was important enough, but this was before cybersecurity allowed me to peek behind the curtain. I’ve changed them since, of course, but we’ve all felt the pain.
The best piece of advice I’ve heard regarding passwords and personal data is to assume you’re already breached and to focus on what you can do now to mitigate the damage. The question should be how much gets breached versus all of it being compromised. The easiest ways to do that are to not reuse passwords and to make them unique and difficult to guess. Password managers and MFA are great steps to manage that. Looking to keep an eye on your attack surface such as exposed credentials across the open, deep, and dark web? Get a clear view of your exposure with a 7-day free trial of SearchLight (now ReliaQuest’s GreyMatter Digital Risk Protection) .
Hopefully, someday we will move away from passwords to something better that puts information brokers out of business; but until then, we have to be better when it comes to passwords.