MODULE 3 – Password & Credential Security



Over 70 percent of companies that were hacked and had their data published on the Internet were victimized because of weak passwords or stolen credentials. When hackers steal millions of passwords and other log-in credentials, that data usually is sold or posted on the dark web for sale. Other criminals buy them there and use them to get into companies’ computer networks.

Once into a network with stolen, but valid login credentials, whatever an employee can see, hackers can see. Hackers can:


– steal data immediately or
– keep watching data in a network over time to continuously steal sensitive corporate or customer data
– implant malware that can hide in your company’s network to be activated months after the initial intrusion.


Risks of Reusing Passwords
Reusing passwords puts work networks at risk
Hackers buy passwords from non-work sites also. They can match these personal email addresses or logon names with your work email address. They can then try the passwords that matched your personal account information to see if it works in your business account.
Why do we care about your password for your favorite frozen yogurt delivery website? Not because we want to hack into your yogurt supply but because so many people reuse passwords! Favorite passwords? You mean like pets? Or your favorite movie? When did that become a thing?
Instead of using a unique password for each website so many people use passwords they remember, and like, over and over. We find one and try it on your important sites – work sites, banking sites. No hacking, just buying.

Credential Security Issues

  • 81% of all hacking related data breaches begin with weak or compromised passwords and logon credentials.
  • Hackers exploit weak passwords and easily guessed or “cracked” passwords (passwords discovered by programs that automatically use every letter/number/symbol combination possible).


Credential & password attacks

a. Brute force attack – Hackers use software that guesses passwords by using every word in the dictionary (also known as a “dictionary attack”) and every random combination of letters, numbers and symbols until a successful match for a website’s logon is found. Estimates of the amount of time it takes to crack passwords of various lengths using brute force methods:
6 characters: 11 hours
7 characters: 6 weeks
8 characters: 5 months
9 characters: 10 years

b. Reused passwords – passwords stored in the clear (unencrypted) from hacked sites are bought by hackers. They are put into large hacking databases to be used with the same user ID/email address on other sites to see if people have used that same password somewhere else.

c. “Credential stuffing” – Using credentials/passwords found or bought on criminal websites, often on the Dark Web. These passwords are often revealed in data breaches from large company’s websites. They are frequently connected to email addresses. Hackers then go to websites likely to have sensitive information and “stuff” different combinations of the same stolen email addresses and passwords they found. If a target has used that email address and that password with another site, the hacker will be able to use those credentials on other sites to gain access.

d. Watering Holes – Watering holes are used in conjunction with phishing to steal logon credentials and passwords. Phishing emails sent to targeted employees with link to website where they are asked to give their user ID and password to log in. Can be a faked, duplicate site of a real site where they might normally use their credentials. Instead, they capture the credentials for later use.

3. Password Security Measures:

a. Use strong passwords for email accounts
i. Weak passwords can be guessed or cracked. The most popular password of 2022?: 123456. The second most popular?: 123456789. Strong passwords = passwords with at least 12 characters using at least 3 categories of characters (uppercase, lowercase, numbers, punctuation marks, symbols)
ii. Consider using passphrases: four or more unrelated random words separated by dashes. Even without symbols and numbers, the level of entropy (degree of unpredictability of a password) in passwords like these is considered high enough to be secure.
iii. Never use words or even proper nouns (names of people, places, or things). Hackers will use password cracking programs that have every word in the dictionary, including proper names etc. Therefore, never use actual words in strong passwords. These attacks are called brute force attacks or dictionary attacks.
b. Passwords must NEVER be reused, even passwords for sites that do not hold any sensitive information.
c. Never use passwords from personal websites on work related sites or networks.
d. Never give passwords to anyone. Technical support or anyone else who will help you with your work account will NEVER ask for your password. Your company’s IT support office typically already has access to your account.
e. Never share passwords with co-workers. Even if you don’t believe your co-worker who asked to share a password for whatever reason has malicious intent, at minimum, you are now responsible for any password handling errors they may make. Any breaches using those credentials – even if
f. Consider using a password manager like 1Password, Lastpass, Dashlane, Keeper or others to generate random and complex passwords. People are not good at generating random passwords for dozens or hundreds of sites and remembering them.
g. Use 2 factor authentication (2FA) at work if your company directs you to, or allows you to as an option. 2FA can be done using your cell phone text, password managers (LastPass, 1Password, etc.), authentication app, or hardware token. [GIVE EXAMPLES OF EACH]. Whether your company uses them or not you should use these on personal accounts.
h. Consider using biometrics (i.e. facial recognition, fingerprint readers, iris scans, voice authentication, etc.) if given the option at your company or on your private devices.
i. AVOID password rotation. Unless this is mandated by your company, recent studies indicate that passwords created under a rule of frequent rotations tend to be easier to guess or crack because employees tend to use passwords that are easy to remember. Instead of creating new passwords they rearrange parts of the old password, which would not hinder a brute force attack. Current studies show it’s better to have a long, complex password and only change it due to a threat of compromise or known compromise.