Another day, another password manager breached. Last week, Gen Digital informed its customers that hackers had breached their NortonLifeLock accounts. According to reports, around 6,000 customers have been impacted so far, and it is likely that not only their NortonLifeLock accounts but also their password manager accounts were breached. Gen Digital believes the breach occurred because of a third-party error, and the attack used was credential stuffing.
Credential stuffing attacks
Credential stuffing attacks are cyber attacks focused on using a known username and password on multiple online accounts to gain unauthorized access. According to OWASP.org, “many users will re-use the same password and username/email, when those credentials are exposed (by a database breach or phishing attack, for example) submitting those sets of stolen credentials into dozens or hundreds of other sites can allow an attacker to compromise those accounts too.”
The idea is to find as many user accounts associated with the breached email/username and password as possible. Credential stuffing attacks highlight the importance of using each password for only one account.
Password best practices
Passwords still play an important role in protecting our accounts, despite the increase in biometrics and push notification sign-ins. Your passwords should be:
- Long (16 or more characters)
- Complex (uppercase, lowercase, special characters, passphrases)
- Unique (never reused, never used on multiple accounts)
Passwords should also not contain any searchable data. For example, if I can use your social media pages or Google to find information about you, none of that information should be part of your passwords.
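The rules above can be checked against a list of your own passwords, including reuse across accounts, which is what credential stuffing depends on. The following is an added example, not part of the original article; `audit_vault`, the sample vault, the personal terms, and the rule that four or more words joined by spaces or hyphens count as a passphrase are assumptions made for illustration.

```python
import re
from collections import defaultdict

MIN_LENGTH = 16  # the article's "16 or more characters"
CLASSES = (r"[a-z]", r"[A-Z]", r"[^A-Za-z0-9]")  # lower, upper, special

def audit_vault(entries, personal_terms):
    """Return {account: [findings]} for (account, password) pairs.

    personal_terms are words someone could find about the owner online
    (names, pets, years). The caller supplies them; nothing is looked up.
    """
    findings = defaultdict(list)
    seen = defaultdict(list)  # password -> accounts that use it
    for account, password in entries:
        seen[password].append(account)
        if len(password) < MIN_LENGTH:
            findings[account].append("short")
        # Assumption: 4+ words joined by spaces or hyphens is a passphrase,
        # which the article lists as one way to be "complex".
        words = re.findall(r"[A-Za-z]+", password)
        is_passphrase = len(words) >= 4 and re.search(r"[ -]", password)
        if not is_passphrase and not all(re.search(c, password) for c in CLASSES):
            findings[account].append("not_complex")
        lowered = password.lower()
        if any(t.lower() in lowered for t in personal_terms if len(t) >= 3):
            findings[account].append("searchable_data")
    for accounts in seen.values():
        if len(accounts) > 1:  # one leaked password opens every account here
            for account in accounts:
                findings[account].append("reused")
    return {account: sorted(found) for account, found in findings.items()}

# Constructed sample data, for illustration only.
SAMPLE_VAULT = [
    ("mail", "Rex2014!"),
    ("bank", "Rex2014!"),
    ("shop", "correct-horse-battery-staple"),
    ("forum", "vT9#qLm2$Xw7&Rz4pK"),
    ("photos", "summerholidayphotos2023"),
]
SAMPLE_TERMS = ["Rex", "2014"]  # e.g. a pet's name and a year from a public profile

if __name__ == "__main__":
    for account, found in audit_vault(SAMPLE_VAULT, SAMPLE_TERMS).items():
        print(f"{account}: {', '.join(found)}")
```

Accounts with no findings are left out of the result, so `shop` and `forum` do not appear for the sample data.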
Password managers still recommended
Despite some recent successful attacks against password managers, they are still highly recommended for use. I will still use them and encourage every reader to do so as well. It is true that they are not foolproof or 100% secure (no security solution is), but they are still very valuable tools to help create, store, and use strong passwords.
What you can do
Still use your password managers, as they help organize your passwords and help you create long, complex, and unique passwords while making it easier to access them. With that said, there are a few extra steps I recommend you take as well.
- Use multi-factor authentication on any account that allows it, including your password manager
- Make the password you use to access your password manager long, complex, and unique
- Monitor your passwords and update them regularly
To learn more about the Michigan SBDC’s training offerings, check out our Training + Events page!