Password fails that caused mayhem

Notoriously forgotten, often complex, but essential when it comes to online security. We’re of course talking about passwords – those strings of characters used to protect important and sometimes incredibly sensitive and confidential information.

Over the years, there have been some significant slip-ups with these secret phrases involving hackers and compromised passwords. To mark World Password Day, we’re taking a step back in time to revisit two of the biggest blunders and see what we have and haven’t learned from history…

Piercing the Pentagon

Self-confessed “bumbling computer nerd” Gary McKinnon set out on a mission in 2002 from his North London flat. He wanted to prove UFOs existed by infiltrating various US computers. When he found a series of machines sitting on the edge of US military networks, he broke in with little effort. Using a management tool typically deployed by IT staff, he then made his way into networks at the Pentagon and NASA.

In a world still reeling from the shock of 9/11, you’d expect security to be tighter than ever before. Yet the major weak link in the US military network was its passwords. McKinnon would spend hours hunting for accounts whose owners had failed to protect them, a common error being that the default phrase ‘password’ had never been changed, before installing the remote access software RemotelyAnywhere and seeing what he could find.

McKinnon has always played down his intentions, explaining that it didn’t take a genius to do what he did, as it was such basic hacking.

Solarwinds123

Fast-forward 17 years to 2019, when the American software company SolarWinds found itself at the heart of a password failure that was later raised at a joint hearing of the House Oversight and Homeland Security committees. The company’s password, ‘solarwinds123’, was publicly visible on GitHub from June 2018 and was only brought to its attention more than a year later, in November 2019. Security researcher Vinoth Kumar stumbled across the leaked password and explained that it gave access to SolarWinds’ update server.

Speaking at the hearing, SolarWinds CEO Sudhakar Ramakrishna blamed the password leak on an intern who was at the company in 2017. He told US lawmakers that the SolarWinds security team had identified the problem and removed the credential. Kumar cast doubt on this, noting that an intern of three months is highly unlikely to have access to such important information, and that best practice is for credentials to be rotated out within three months.

In late 2020, SolarWinds was revealed to have been the victim of a major supply chain attack. The company strongly denies that this was linked to the weak password incident.

Protect your assets

Passwords. We all need them for one reason or another, which means we are all potential targets for hackers and other malicious internet users. So, let’s not make things any easier for them.

Our top tips?

1. Use a password manager

If you have lots of passwords to remember, use a password manager. This reduces the temptation to reuse the same password across accounts and keeps all your strong, unique passwords in one place. All you have to do is remember the single password that unlocks the manager itself.

2. Passwords must be random and strong to be secure

If you need to create a password that you’ll actually remember (for example, the one that unlocks your password manager), use at least four completely random words, chosen for you by a random process rather than picked from your own head. For every other password, use the generator built into your password manager. Doing this raises your password entropy (the measure of how unpredictable a password is, and so of how many guesses an attacker needs) to a point where guessing it becomes impractical.

3. Don’t use browser-based password storage

You know those messages you get at the top of your browser once you log into an account? The ones that ask whether you would like to save your password? Browser password stores are safer than they used to be, but they remain an obvious target: if there is a major security flaw in your browser, attackers can get hold of everything saved there. Most password managers integrate with your browser and offer a much better level of protection, so use one of those instead.
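To put some numbers behind the entropy point in tip 2, here is an added example (not code from the original article) that generates a random passphrase and a manager-style random password with Python’s `secrets` module and compares their entropy with that of the ‘dictionary word plus a few digits’ pattern behind passwords like solarwinds123. The 16-word wordlist is constructed for offline use only, the EFF long-list size of 7776 and the 100,000-word attacker dictionary are assumed figures, and the guess rate of one billion per second is an assumed offline rate used purely for comparison.

```python
import math
import secrets
import string

# Constructed demo wordlist so the script runs offline. A real diceware-style
# list (e.g. the EFF long list) has thousands of entries; use one of those.
DEMO_WORDLIST = [
    "anchor", "bridge", "cactus", "dolphin", "ember", "falcon", "garden", "harbor",
    "island", "jigsaw", "kettle", "lantern", "meadow", "nickel", "orchid", "pebble",
]
EFF_LONG_LIST_SIZE = 7776  # assumed size of the EFF long wordlist
PASSWORD_ALPHABET = string.ascii_letters + string.digits + string.punctuation  # 94 symbols


def entropy_bits(choices_per_symbol: int, symbols: int) -> float:
    """Entropy of a secret built from `symbols` independent picks, each uniform
    over `choices_per_symbol` options: log2 of the number of equally likely secrets."""
    return symbols * math.log2(choices_per_symbol)


def word_plus_digits_bits(dictionary_size: int, digit_suffix_len: int) -> float:
    """Rough entropy of the 'dictionary word + digits' pattern (solarwinds123).
    The word's length is irrelevant: an attacker tries one whole word per guess."""
    return math.log2(dictionary_size) + digit_suffix_len * math.log2(10)


def generate_passphrase(wordlist, count: int = 4, sep: str = "-") -> str:
    """Pick `count` words uniformly at random with a CSPRNG (never random.choice)."""
    return sep.join(secrets.choice(wordlist) for _ in range(count))


def generate_password(length: int = 20, alphabet: str = PASSWORD_ALPHABET) -> str:
    """Manager-style random password: every character drawn uniformly from `alphabet`."""
    return "".join(secrets.choice(alphabet) for _ in range(length))


def seconds_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Worst-case time to try every possibility at the given guess rate."""
    return 2 ** bits / guesses_per_second


if __name__ == "__main__":
    rate = 1e9  # assumed offline guess rate against a fast hash, for comparison only
    scenarios = [
        ("word + 3 digits (100k-word dictionary)", word_plus_digits_bits(100_000, 3)),
        ("4 random words from a 7776-word list", entropy_bits(EFF_LONG_LIST_SIZE, 4)),
        ("20 random printable ASCII characters", entropy_bits(len(PASSWORD_ALPHABET), 20)),
    ]
    for label, bits in scenarios:
        days = seconds_to_exhaust(bits, rate) / 86400
        print(f"{label}: {bits:6.1f} bits, ~{days:.3g} days to exhaust at {rate:.0e} guesses/s")
    print("passphrase (demo list):", generate_passphrase(DEMO_WORDLIST))
    print("manager-style password:", generate_password())
```

Four words from the demo list only give 16 bits, which is why the comparison uses the assumed 7776-word list size instead; swap in a real wordlist before using the passphrase generator for anything that matters. The entropy figures describe the process that produced the password, not its length, which is exactly why a 13-character ‘solarwinds123’ is weak while four short random words are not.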

It might be World Password Day, but cybersecurity should sit at the top of your ‘I need to keep on top of that’ list all year round. Good news, though! We have plenty of other articles to help you with that – 10 tips for staying safe online, how to secure your server, or specifically how to secure a VPS.