Thursday, May 4, 2023, is World Password Day. Established in 2013, the event is observed on the first Thursday of May with the goal of improving awareness of the importance of creating complex and unique passwords and adopting password best practices to keep sensitive information private and confidential.

Passwords were first used to protect accounts against unauthorized access in computing environments in the 1960s. In 1961, researchers at the Massachusetts Institute of Technology (MIT) started using the Compatible Time-Sharing System (CTSS). The system ran on an IBM 709 and users could access the system through a dumb terminal, with passwords used to prevent unauthorized access to users’ personal files.

The system is widely believed to be the first to use passwords and was also one of the first to experience a password breach. In the mid-1960s, MIT Ph.D. researcher Allan Scherr needed more than his allotted 4-hour CTSS time to run performance simulations he had designed for the computer system. He discovered a way to print out all passwords stored in the system and used the passwords to gain extra time.

Passwords are now the most common way to secure accounts and while passwordless authentication, such as biometric identifiers and single sign-on, are becoming more popular, in the short to medium term passwords are likely to remain the most widely used way of authenticating users and preventing unauthorized account access.

The Importance of Creating Strong Passwords

The use of passwords carries security risks, which World Password Day aims to address. One of the most common ways for hackers to gain access to accounts is to use stolen passwords. Phishing is used to target employees and trick them into disclosing their passwords, either via email, phone (vishing), or text message (SMiShing). Adopting 2-factor authentication will help to stop these attacks from succeeding. According to Microsoft, 2-factor authentication blocks more than 99% of automated attacks on accounts.

Hackers also use brute force tactics to guess weak passwords and take advantage of default credentials that have not been changed. If rate limiting is not implemented to lock accounts after a set number of failed login attempts, weak passwords can be guessed in a fraction of a second. Even strong passwords can be guessed in seconds or minutes if they are not sufficiently long.

In 2020, Hive Systems started publishing charts showing the time it takes for a hacker to brute force a password using a powerful, commercially available computer, and each year the table is updated to account for advances in computing technology. The chart clearly demonstrates the importance of creating strong passwords that include a combination of numbers, symbols, and upper- and lower-case letters, and ensuring passwords contain enough characters. We recommend a minimum password length of 14 characters.

How Long Does it Take a Hacker to Brute Force a Password in 2023. Source: Hive Systems.

Password Management Shortcuts Weaken Security

Creating and remembering long, complex passwords is difficult for most people, and it is made even harder due to the need to create passwords to protect multiple accounts – A study by NordPass suggests the average person has around 100 passwords. Many people struggle to create and remember more than one strong and unique password, so with so many accounts to secure it is unsurprising that people take shortcuts, but those password management shortcuts significantly weaken password security.

It is common for users to avoid creating unique passwords and they end up reusing the same password for multiple accounts. The problem with this is that if the password is compromised on one platform, either through brute force tactics, a phishing scam, or another method, all other accounts that use that password are at risk. Hackers take advantage of this common bad practice using a technique called credential stuffing. If they obtain a list of usernames and passwords from a data breach, they will attempt to access accounts on other unrelated platforms using those username and password combinations. This method only succeeds if there has been password reuse.

Changing passwords slightly by adding a number or substituting characters when creating new accounts isn’t much more secure, and will leave accounts susceptible to brute force attacks. If a hacker obtains a username and password combination, various permutations of that password will be attempted with that username. Writing down passwords is also a very bad idea.

Many businesses have implemented minimum complexity requirements for passwords, stipulating a minimum password length and composition requirements, yet it is common for employees to take shortcuts to make passwords easier to remember. It is possible to create a password that meets minimum complexity requirements yet is still incredibly weak. ‘Password’ is still one of the most commonly used passwords and it is usually the first one that is attempted when trying to hack an account. ‘P4ssw0rd!’ would meet the password complexity requirements imposed on many platforms, but it is still incredibly weak and offers next to no protection.

Global Password Management Survey Reveals Poor Password Management Practices

The 2023 Global Password Management Survey conducted by password management solution provider Bitwarden ahead of World Password Day confirms that extremely risky password practices are still incredibly common. The survey was conducted on more than 2,000 Internet users in the United States, United Kingdom, Australia, Germany, France, and Japan and asked questions about personal passwords, password habits at work, and the strategies that are adopted for managing passwords.

Despite the risks, 90% of respondents admitted to reusing passwords for multiple accounts, up from 85% in 2022. In 2023, 19% of respondents said they reuse passwords on 1-5 sites, 36% reuse passwords on 5-10 sites, 24% reuse passwords on 10-15 sites, and 11% use the same password to secure more than 15 sites. 22% of respondents said they have been reusing the same password for more than a decade!

While password manager use is increasing – 84% of respondents said they use a password manager at work – 54% of respondents said they store passwords in a document on their computer, and 29% write their passwords down. 54% of respondents said they rely on memory for managing passwords, up from 49% last year, which explains why 58% of respondents admitted to resetting their passwords regularly because they forget them. 12% of respondents said they reset passwords on a daily basis for this reason. Last year, 54% of respondents said their organization had experienced a cyberattack, with the percentage increasing to 60% this year, and 26% of respondents said they had been affected by a data breach in the past 18 months.

Account security can be greatly improved with 2-factor authentication, and while there are strong feelings that the additional authentication makes accessing accounts cumbersome, 2-factor authentication is now being widely adopted. 92% of respondents said they use 2-factor authentication in the workplace, up from 88% last year. When asked why 2-factor authentication is not used for business or personal use, 48% said it was not used due to unawareness of the benefits, 47% said because passwords were believed to be strong enough, and 41% said because they did not think that accounts would be hacked. The same percentage said 2-factor authentication was not used because it slows down workflow.

2-factor or multi-factor authentication is vital for protecting accounts. In the event of a phishing attack where an employee discloses their password, 2-FA/MFA can prevent that password from granting access to the account, thus preventing a costly data breach. However, while any form of 2-FA/MFA is better than single-factor authentication, phishing-resistant MFA provides the best protection. Threat actors are now using phishing kits that are capable of stealing session cookies and MFA codes, thus bypassing MFA. Phishing-resistant MFA removes the phishable human element and provides far greater protection. Further information on implementing phishing-resistant MFA has been published by CISA.

Password Security and Management Tips

World Password Day 2023 is the perfect time to assess password security and take steps to ensure that all accounts are properly secured with strong and unique passwords, and start following password best practices:

• Ensure a strong, unique password is set for all accounts
• Use a combination of upper- and lower-case letters, numbers, and symbols in passwords
• Use easy-to-remember passphrases rather than passwords, that have a minimum of 14 characters
• Never reuse passwords on multiple accounts
• Don’t use information in passwords that can be found in social media profiles (DOB, spouse or pet name, etc.) or is known to others
• Ensure 2-factor authentication is set up, especially for accounts containing sensitive data
• Use a secure password generator to generate random strings of characters
• Avoid using dictionary words and commonly used passwords
• Use a password manager for creating strong passwords and secure storage, and set a long and complex passphrase for your password vault.

The post World Password Day 2023 – Password Tips and Best Practices appeared first on HIPAA Journal.

An advanced persistent threat (APT) actor has been conducting an espionage campaign that has seen the systems of at least 9 organizations compromised. The campaign targeted organizations in a range of critical sectors, including healthcare, energy, defense, technology, and education.

The campaign was identified by security researchers at Palo Alto Networks and while the identity of the hacking group has yet to be confirmed, the researchers believe the attacks were most likely conducted by the Chinese state-sponsored hacking group APT27, aka Iron Tiger, Emissary Panda, TG-3390, and LuckyMouse based on the use of hacking tools and techniques that match previous APT27 activity.

The campaign exploited a critical vulnerability (CVE-2021-40539) in ManageEngine ADSelfService Plus, an enterprise password management and single sign-on solution developed by Zoho. Successful exploitation of the flaw allows remote attackers to execute arbitrary code and take full control of vulnerable systems.

On September 17, 2021, the U.S. Cybersecurity and Infrastructure Security Agency (CISA) issued a security advisory warning exploits for the flaw were in the public domain and being used by APT actors to install web shells on vulnerable servers to gain persistent access.

Palo Alto Networks said a second campaign was then identified that involved extensive scans for vulnerable servers using leased infrastructure in the United States. Vulnerable systems that had not been patched against the vulnerability started to be attacked from September 22, 2021, with those attacks continuing throughout October.

The attackers deployed a web shell called Godzilla, with a subset of victims also having a new backdoor called NGlite installed. The backdoor or web shell was then used to run commands and move laterally within victims’ environments, with sensitive data exfiltrated from victims’ systems. When the attackers located a domain controller, they installed a new credential-stealing tool dubbed KdcSponge, and harvested credentials and exfiltrated files such as the Active Directory database file (ntds.dit) and the SYSTEM hive from the registry.

Palo Alto Networks said its scans indicate there are currently around 11,000 servers running the Zoho software, although it is unclear how many of them have been patched against the CVE-2021-40539 vulnerability. The researchers said the APT group attempted to compromise at least 370 Zoho ManageEngine servers in the United States alone.

The post Chinese APT Group Compromised Healthcare Organizations by Exploiting Zoho Password Management Platform Flaw appeared first on HIPAA Journal.