The Struggle with Passwords

Garden State Cyber Threat Highlight

Original Release Date: 8/10/2023

Summary

A third-party cyber threat intelligence platform utilized by the NJCCIC provides notification when passwords associated with select email domains have been exposed or discovered for sale on the internet or dark web. Analyzing the results of these notifications highlights the adherence – or lack thereof – to cybersecurity best practices. The passwords included in these notifications were exposed within the last year, typically through a data breach or the posting of a file containing them; the passwords themselves may therefore have been in use for longer than a year. Nevertheless, many passwords lacked complexity and were under 12 characters in length; NIST SP 800-63B requires user-chosen passwords to be at least 8 characters and encourages longer passphrases, and 12 characters is a widely recommended practical minimum. In addition, several passwords were duplicates, meaning multiple users share the same password. This is expected for very weak passwords such as abc123 (which was associated with 11 notifications within the last year), but other duplicates, such as Welcome1, appear to be default passwords, either issued to new user accounts or set by vendors on specific products. Using easy-to-guess credentials or product-specific defaults allows threat actors to access accounts and networks with little effort, giving them a foothold for subsequent malicious activity.
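The checks described above (length, character classes, shared passwords, known defaults) can be run over a notification feed to produce the same kind of tally. The following is an added example written for this page, not NJCCIC code and not the output of the threat intelligence platform it references: the NOTIFICATIONS list is constructed sample data, the BLOCKLIST is a small hypothetical stand-in for a real compromised-password corpus, and MIN_LENGTH uses the 12-character threshold from the text above. NIST SP 800-63B discourages mandatory composition rules in favour of length plus blocklist screening, so the complexity check is included only to reproduce the "lacked complexity" observation.

```python
import re
from collections import defaultdict

# Constructed sample of (account, exposed password) pairs in the shape a
# breach-notification feed delivers. Not real data.
NOTIFICATIONS = [
    ("alice@example.gov", "abc123"),
    ("bob@example.gov", "abc123"),
    ("carol@example.gov", "Welcome1"),
    ("dave@example.gov", "Welcome1"),
    ("erin@example.gov", "Summer2022!"),
    ("frank@example.gov", "correct-horse-battery-staple"),
    ("grace@example.gov", "P@ssw0rd"),
    ("heidi@example.gov", "Tr0ub4dor&3xtraL0ng"),
]

# Hypothetical blocklist of vendor defaults and common weak passwords.
# Production screening should use a large compromised-password corpus,
# as NIST SP 800-63B recommends.
BLOCKLIST = {"abc123", "welcome1", "password", "p@ssw0rd", "123456", "admin", "changeme"}

MIN_LENGTH = 12  # the 12-character threshold used in the advisory text

CLASS_PATTERNS = (r"[a-z]", r"[A-Z]", r"[0-9]", r"[^A-Za-z0-9]")


def character_classes(password: str) -> int:
    """Count how many of lower, upper, digit and symbol appear in the password."""
    return sum(1 for pattern in CLASS_PATTERNS if re.search(pattern, password))


def assess(password: str) -> list:
    """Return the findings for one password (an empty list means no finding)."""
    findings = []
    if len(password) < MIN_LENGTH:
        findings.append("short")
    # NIST discourages mandatory composition rules; this check is kept only
    # to reproduce the 'lacked complexity' observation in the advisory.
    if character_classes(password) < 3:
        findings.append("low_complexity")
    if password.lower() in BLOCKLIST:
        findings.append("blocklisted")
    return findings


def audit(notifications) -> dict:
    """Aggregate findings across a feed: count affected accounts per finding
    and report every password shared by more than one account."""
    accounts_by_password = defaultdict(list)
    for account, password in notifications:
        accounts_by_password[password].append(account)

    report = {
        "accounts": len(notifications),
        "unique_passwords": len(accounts_by_password),
        "short": 0,
        "low_complexity": 0,
        "blocklisted": 0,
        "shared": {},
    }
    for password, accounts in accounts_by_password.items():
        for finding in assess(password):
            # count every affected account, not just the distinct password
            report[finding] += len(accounts)
        if len(accounts) > 1:
            report["shared"][password] = len(accounts)
    return report


if __name__ == "__main__":
    for key, value in audit(NOTIFICATIONS).items():
        print(f"{key}: {value}")
```

Counting per account rather than per distinct password is deliberate: a single default such as Welcome1 reused across several users is one string but several exposed accounts, which is the number that matters for remediation.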

Password management has become more complicated in recent years as users have over 100 online accounts, on average. Establishing strong and unique passwords for each account – and remembering them – has become unrealistic. Where strong and unique passwords are not in place, users must enable other protections to keep their accounts safe and prevent unauthorized access. Multi-factor authentication (MFA) adds an effective layer of protection for online accounts. MFA combines at least two of the following: something you know (such as a password), something you have (such as an authenticator app code or hardware token), or something you are (such as a biometric identifier). While any form of MFA is beneficial, authenticator app codes, hardware token codes, and biometric verification are more secure than SMS text-message codes and should be chosen where available. If a threat actor obtains the password for an account with MFA enabled, they will likely be unable to access that account because they lack the second factor needed to authenticate. The NJCCIC continues to receive reports of account compromises, and in nearly all of those reported, MFA was not enabled.

Recommendations

The NJCCIC recommends enabling MFA for all online accounts and establishing strong and unique passwords for any account without an MFA option available. More information on the importance of enabling MFA can be found in the NJCCIC reports "Multi-Factor Authentication: A Critical Step for Account Security" and "Cyber Threat Thursday: Multi-Factor Authentication and Its Potential Weaknesses."

New Jersey Cybersecurity & Communications Integration Cell

2 Schwarzkopf Dr, Ewing Township, NJ 08628

njccic@cyber.nj.gov

OUR COMMITMENT

The NJCCIC is a component organization within the New Jersey Office of Homeland Security and Preparedness. We are the State's one-stop-shop for cyber threat analysis, incident reporting, and information sharing and are committed to making New Jersey more resilient to cyber threats by spreading awareness and promoting the adoption of best practices.
