Craig McDonald 05 April 2019 16:26:34 AEDT 11 MIN READ

Don’t want your passwords getting stolen? Avoid these 3 mistakes

If you’ve been checking the news anytime in the past month you would have heard about the massive Citrix data breach, when hackers reportedly accessed 6 to 10 Terabytes (TB) of confidential internal information in early March.  

Yep, 6 - 10 TB. Just let that sink in. That’s 10,240 GB or roughly the amount of data produced by the Hubble space telescope each year.  

While any data breach of this size is a noteworthy news item, the Citrix data breach is particularly concerning because the software company provides cloud services to the U.S. military and is one of the Department of Defense’s approved vendors. Imagine the amount of powerful and confidential data that’s possibly been accessed in this hack. Almost makes me shudder to think of what could happen if this data is used in the wrong way. 

Which begs the question - such confidential data would surely have been protected with equally powerful security measures in place, so how did the cybercriminals bypass these measures?   

Reports say hackers likely used a tactic known as password spraying, a technique that exploits weak passwords. Basically, the threat actor tries a single commonly used password against many accounts. If unsuccessful, additional common passwords will be tried until the accounts are accessed.  

With all the talk around boosting cybersecurity by avoiding poor password habits, you wouldn’t have thought weak passwords would be a problem in 2019. And yet here we are… 

So, because our password protection game apparently still isn’t strong enough, I thought I’d go into a little more detail on some of the most common ways that passwords get compromised, and how to avoid those rookie mistakes.  

Have a read, then send it along to your team to get them up to speed - and help to ensure better security across everyone’s accounts.  

Mistake 1: Using generic passwords 

 Ah, the number one rule all password security gurus tell us to follow: Don’t use generic, easy passwords. How many of us actually follow that rule though? 

According to data gathered on password breaches, the top 10 most common passwords are: 

  1. 123456 
  1. 23456789 
  1. qwerty 
  1. password 
  1. 111111 
  1. 12345678 
  1. abc123 
  1. password1 
  1. 1234567 
  1. 12345 

(Source: ABC News

The top 100 passwords included familiar and oft-cited phrases such as charlie, 123456789a, football, iloveyou1, and computer. 

With users still using such generic passwords, are you really surprised that hackers gain access to your systems by simply plugging in common passwords and hoping that one of them sticks? Well, let me take you through some current evidence I came across.... 

In the 2018 paper, “Will Any Password Do?” Exploring Rate-Limiting on the Web, researchers chose 12 sites on the web; Amazon, Dropbox, Facebook, Google, Grammarly, IKEA, Netflix, Plex, Trainline, Twitter, Uber, and Yahoo, and set up accounts using passwords from the top 25 most common passwords that were accepted by these service providers (i.e. conformed to their password rules).  

The experimenters then tried to log in to their new accounts with the wrong password - up to a 25-attempt limit. According to the paper, NIST recommends an upper limit of 100 “guesses” for websites. 

The results? 

“Two services locked down our accounts, IKEA after 7 attempts, and Grammarly after 13 attempts. For the 10 remaining services, we were able to conduct the full set of 25 guesses, which took between 3 and 19 minutes due to diverging realizations of the throttling employed by the site operators.” 

So hey, here we not only have common passwords being acceptable by large businesses but being able to keep guessing passwords in most times at least 25 times. Ouch. 

How to fix it 

 Feed your password protection system at least the top 100 most common passwords to ensure your users can’t use them. Don’t be worried about not being able to come up with or remember complicated passwords - you can always use password generators that can manage and store your passwords in vaults, such as LastPass. 

Set a small number of login attempts (e.g. 5) before locking users out of their account, requiring access to a backup system. 

And, always use 2-factor authentication, or even multi-factor authentication. It is also a good idea to change your passwords on a regular basis. Don't use the same password for multiple accounts. 

Mistake 2: Falling for phishing email scams 

 Another common way hackers can access your passwords is via phishing emails. Most of us today know what a phishing email is, but for the sake of the minority who don’t: phishing is the practice of tricking email recipients into revealing personal information that criminals can exploit for gain. A phishing attack message will typically include a link that will send the unwary victim to a fake login website. Once there, the user will be asked to enter their username and password which will be captured by the phishing page for later use or sale by the criminals. 

Scammers use phishing pages to collect login credentials for email accounts, bank accounts, and a wide range of other online services. 

Phishing emails manifest in your inbox in a couple of ways. 

The first type of phishing email employs a technique that I call ‘brandjacking’. Basically, the malicious email masquerades as a legitimate email from a trusted, well-known, established organisation by mimicking the company’s branding and logo within its body.  

By convincing the recipient that the email is from such a renowned company, cybercriminals utilise the power of brand marketing. Companies spend billions of dollars creating an image of trustworthiness and reliability for their trademarks and cybercriminals exploit that image and trusted relationship to trick their victims. 

MailGuard is constantly intercepting new brandjacking emails that rip-off the trademarks of all kinds of companies: freight and courier firms; banks; retailers; utility companies; media organisations; and even government agencies.  

A recent ‘brandjacking’ scam that we encountered was an email spoof supposedly from ANZ Bank. Clicking a link in the email leads to a fake login page, where users enter their real credentials - which are then stolen and used to access customers’ real accounts. 

Today, cybercriminals are taking such phishing emails to another level. In fact, we intercept phishing emails with increasing levels of complexity every day. These range from emails brandjacking multiple brands, to those that ironically contain safety disclaimers warning recipients about the dangers of an illegitimate email in a bid to boost their own legitimacy.  

The second type of phishing emails takes a more personalised approach, where hackers can either strike up a rapport pretending to be a contact of a contact, a friend of a friend or even someone you usually email. They may ask you for confidential details, which can include passwords (or even things that passwords could be a combination of - e.g. your partner’s name or your pet’s name if they already know your birth year…). No, Jasper82 is not a clever password.  

How to fix it 

This is a timely reminder to ensure that appropriate training and education is in place so that all of your employees know how to respond to such phishing emails when they receive one in their inbox.  

Here are some ways to spot a malicious email:  

  • Generic greetings, such as ‘Dear customer’ 
  • A sense of urgency: “Ensure your invoice is paid by the due date to avoid unnecessary fees” 
  • Bad grammar or misuse of punctuation and poor-quality or distorted graphics  
  • An instruction to click a link to perform an action (hover over them to see where you’re really being directed) 
  • Obscure sending addresses 

You can access a wider range of hints and tips here

Personalised phishing attempts are a little more difficult to spot - but it pays to be wary of strangers (by all means, stalk them on socials and see if their story adds up!) and check the email address is of your real contact. The same goes for any links to phishing pages. Hover your mouse cursor over links to check that they’re to the authentic company website, and where possible go the companies page and login yourself, like in the example earlier, by visiting to login rather than through a link in an email.  

Experts also agree that when it comes to email security, a multi-layered approach is required. It’s sometimes referred to as a ‘defence in depth’ approach, designed to defend a system against attacks using several different methods, in the event that if one fails, the others will stop the threat. You can find out more about building a multi-layered defence strategy here. 

MailGuard stops phishing attacks in their tracks - and because it also stacks seamlessly with Office 365, it’s a great option for any business wanting to implement multi-layered security to protect their business emails. I’m proud to say that we are on average between 2 hours and 48 hours ahead of the competition in identifying and rectifying scam email attempts.  

Mistake 3: Subbing in passwords you’ve used elsewhere (or a similar password) 

Still wondering why we’re not supposed to reuse passwords? 

That’s because if a password database is hacked, and linked to a username or email address, then another hacker can come along and look for accounts in different places under that username or email. They then have access to the other account if a password is reused. 

If passwords are even similar to previously used passwords, hackers may then be able to guess a new password from the leaked one. 

How to fix it

There’s not much you can do except to educate your team about this, why it’s important not to reuse passwords or usernames. 

You can enforce password rules that disallow password reuse or even similar password reuse (this can be trickier to set up). 

You can also take advantage of reputable services such as HaveIBeenPwned to see if confidential data have been compromised in any data breaches. Data that they may find has been leaked can include things like usernames, passwords, addresses, etc.  
What strategies are you adopting in your company to ensure that your passwords are protected at all times? I’d love to hear your views. Feel free to contact me via the details below or join the conversation on our Twitter page. 

Get the facts

Companies are spending more on cybersecurity now than ever before, but those funds aren't always targeting the most significant dangers. There seems to be a bit of a disconnect amongst many CEOs about the sources of cyber-threat.

Studies consistently show that more than 90% of cyber-attacks are perpetrated via email, yet email security is rarely the biggest item in cybersecurity budgets.  If we’re going to win the battle against cybercrime we have to get real about the nature of the threat.

I’m on a mission to help business people understand cybercrime and protect their businesses from costly attacks. If you would like to learn more about the complex cybersecurity challenges facing business today, please download my e-book Surviving the Rise of Cybercrime. It’s a plain English, non-technical guide, explaining the most common threats and providing essential advice on managing risk.


You can download my e-book for free, here.

“Cybercrime is a serious and growing business risk. Building an effective cybersecurity culture within an organisation requires directors and executives to lead by example. Surviving the Rise of Cybercrime is a must-read for directors and executives across business and in government and provides strong foundations for leaders determined to address cyber risk.” - Rob Sloan, Cybersecurity Research Director, Wall Street Journal. 

... ... ...

Hi, I’m Craig McDonald; MailGuard CEO and cybersecurity author.
Follow me on social media to keep up with the latest developments in cybersecurity; I'm active on LinkedIn and Twitter. 
I’d really value your input and comments so please join the conversation.