By Davey Winder Senior Contributor
Following FBI warnings of 2FA bypass, password alerts have now emerged.
NurPhoto via Getty Images
FBI warnings concerning the Scattered Spider collective, behind ransomware attacks on the retail, insurance, and most recently, aviation sectors, have now become an alarming reality. Qantas has confirmed a significant cyber incident, involving a third-party supplier, has potentially impacted the data of some six million customers. 2FA bypass is common currency for Scattered Spider and other threat actors, and the FBI report has confirmed this. But maybe now it鈥檚 time to also look at how poorly every sector, including consumers, manages passwords. TL;DR, dear reader, the answer is very poorly indeed. Here are the passwords that nobody should be using.
ForbesFBI Issues US Social Media And Messaging Warning 鈥 What To KnowBy Davey Winder
FBI And CISA Password Advice Is Being Ignored
Let鈥檚 get one thing straight here: password management is not a difficult thing. It would seem, however, that getting the basics of password creation and use is. That鈥檚 the only reason I can come up with as to why so many people, corporate, within industry sectors and consumers, are failing to do it properly. Well, there鈥檚 another reason, but I鈥檓 too polite to mention it here; I鈥檓 sure you can guess what it is. The point is that, as evidenced by an updated study by NordPass, weak and downright dangerous passwords are still being used long past their expiration date.
Although Scattered Spider focuses attention on bypassing 2FA protections using social engineering means to persuade IT help desks to 鈥渁dd unauthorized MFA devices to compromised accounts,鈥 it is not the only weapon in its arsenal. All ransomware groups will look to the weakest link, the easiest protection to break, when it comes to initial access. And that, as you likely will have guessed, means login credentials.
The NordPass study revealed what many in the cybersecurity field already knew: weak passwords, reused passwords, and passwords that are, frankly, totally unfit for consumption, are common across most all industry sectors.
MORE FOR YOU
Considering the Scattered Spider attacks on aviation, let鈥檚 focus on the transportation sector as an example. 鈥淭he transportation and logistics industry is a critical part of global infrastructure,鈥 Karolis Arbaciauskas, head of business product at NordPass, said, 鈥渂ut the cybersecurity basics are being ignored.鈥
Those basics can be found in this Cybersecurity and Infrastructure Security Agency advisory, compiled with the assistance of the FBI, covering the tactics, techniques and procedures used by the Scattered Spider threat group.
ForbesIs The Truth Behind The 16 Billion Passwords Leak Finally Revealed?By Davey Winder
You Should Never Use These Passwords. Period.
You only have to look at the most common list for this sector, included on the report page previously linked to, and you will see what Arbaciauskas is referring to. It is peppered with such password atrocities as 123456, Dell, 12345678, password, 111111, 1234, 123456789 and qwerty. I could go, but I won鈥檛: go and see for yourself. Or you might want to take a look at this list of dangerous passwords I have compiled from NordPass and other research.
鈥淲eak credentials put customer data, delivery routes, and operational continuity at risk,鈥 Arbaciauskas said, adding that 鈥淔ixing password practices is a fast, effective way to avoid delays caused by data breaches or operational downtime.鈥
The FBI has warned you, CISA has advised you, cybersecurity professionals have shown you the dangers, so when are you going to stop using those easily hacked passwords and start taking credential security seriously? Better yet, when are you going to change to passkeys, which are way more secure?
Editorial StandardsReprints & Permissions