By Devon Warren-Kachelein
Tue | Oct 12, 2021 | 3:15 AM PDT

Good guys in cybersecurity are like Superman, while APT hackers might be more like Lex Luthor.

Not every bad actor will fall into the elite, intelligence-of-a-supervillain-mastermind hacker category, though.

Some will be more like run-of-the-mill petty theft criminals, seeking easy access into an inbox.

This is similar to how some real-life thieves check for open car doors to steal loose change in a glovebox. Weak passwords are the primary way a cybercriminal can do this. 

While superheroes might offer superior physical strength, using your favorite hero's name in your password configuration might be doing more harm than good. 

Mozilla shared this fun study, rehashing an earlier one focused on Disney princess names; this time, the subject was superhero names. 

Overall, the findings were direct and in line with earlier studies, which have panned superhero passwords for years.

Mozilla's findings for the weakest superhero passwords

Weak passwords are low-hanging fruit to cybercriminals. Creating a weak password is the equivalent of hiding a house key under the doormat: Chances are, nobody will look if you live in a safe neighborhood, but under the wrong circumstances, it could leave your entire home vulnerable to theft.

And on a similar level, while superheroes may be known for their superhuman strength on the screen, when it comes to password strength, going with batman123 as a password could leave the Bat Cave vulnerable to a data breach. 

Superman fans saw a higher level of breaches than Batman fans, and fans of Captain America were likely the safest, according to this chart: 

Superhero + number passwords are still topping the charts 

This type of thing has been going on for years. In 2018, the SentinelOne blog ranked superhero names combined with a number as one of the worst passwords. In a picture, they broke down how malicious hackers can and will test password combinations to steal your data using regular-expression (regex) based tools.

[Image: screenshot of a regex pattern]

Regex-based tools are relatively simple to use, and hackers working within crime circles to sell data on the darknet will be familiar with how to use tools like this to break into your online accounts.
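The same pattern that makes "superhero name + number" cheap to guess makes it cheap to screen out on the defender's side. The following is an added example, not code from the article, Mozilla, or SentinelOne: a small password-screening function that uses a regex to reject passwords consisting of a listed superhero name (including common letter-for-symbol substitutions such as b@tm4n) followed by a short run of digits or symbols. The name list, the substitution table, and the 12-character minimum are constructed for illustration; a real deployment would load a much larger list of breached and common-word passwords.

```python
import re

# Constructed sample list for illustration only (assumption, not a list
# published by Mozilla or SentinelOne). A production screen would load a
# much larger breached-password / common-word list.
SUPERHERO_NAMES = [
    "superman", "batman", "spiderman", "wolverine", "ironman",
    "captainamerica", "wonderwoman", "thor", "hulk", "flash",
]

# Letter substitutions people use to "strengthen" a name. Guessing tools
# enumerate these anyway, so the screen treats them as the plain letter.
LEET_CLASSES = {
    "a": "a@4", "e": "e3", "i": "i1!", "o": "o0", "s": "s$5", "t": "t7",
}


def _name_pattern(name: str) -> str:
    """Turn 'batman' into a regex fragment that also matches b@tm4n, etc."""
    parts = []
    for ch in name:
        if ch in LEET_CLASSES:
            parts.append("[" + re.escape(LEET_CLASSES[ch]) + "]")
        else:
            parts.append(re.escape(ch))
    return "".join(parts)


# Longest names first so a longer entry is never shadowed by a shorter one.
_ALTERNATION = "|".join(
    _name_pattern(n) for n in sorted(SUPERHERO_NAMES, key=len, reverse=True)
)

# Whole password = a listed name followed by at most six digits/symbols,
# e.g. batman123, Superman2021, Thor!, ironman_99.
SUPERHERO_PLUS_SUFFIX = re.compile(
    rf"^(?:{_ALTERNATION})[\d\W_]{{0,6}}$", re.IGNORECASE
)


def normalize(password: str) -> str:
    """Drop separators so 'Captain America' and 'captain_america' compare alike."""
    return re.sub(r"[\s\-_.]", "", password)


def is_superhero_password(password: str) -> bool:
    """True when the password is just a superhero name plus a short suffix."""
    return SUPERHERO_PLUS_SUFFIX.match(normalize(password)) is not None


def screen_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password should be rejected (empty list = accept)."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_superhero_password(password):
        reasons.append("superhero name plus a short number or symbol suffix")
    return reasons


if __name__ == "__main__":
    # Constructed candidates; 'author42' shows the anchored pattern does not
    # flag a word merely because it contains 'thor' somewhere inside it.
    for candidate in ["batman123", "B@tm4n!", "Captain America 2021",
                      "Superman", "author42", "correct horse battery staple"]:
        verdict = screen_password(candidate) or ["ok"]
        print(f"{candidate!r:35} -> {verdict}")
```

The regex is anchored at both ends on purpose: it flags passwords that are nothing but a name and a suffix, which is the weak pattern the SentinelOne post describes, without rejecting long passphrases that happen to contain a hero's name. A substring match would catch more, but also produces false positives on unrelated words, so the length rule carries the rest of the policy.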

Mozilla moves towards multi-factor authentication 

The study completed by Mozilla coincided with an announcement about embracing a new feature to keep data safe from cyber threats.

In an article reported earlier by SecureWorld News, we covered Microsoft's new "passwordless" technology, which is actually multi-factor authentication (MFA). Apple, Samsung, and many other companies creating smartphones and other devices have also released passwordless technology, with facial or touch recognition, making it more difficult to hack. 

In the case of Mozilla, users can follow the simple step-by-step tutorial to set up facial or touch authentication in the Firefox browser (in the blog post from the superhero study linked earlier in this post).

Most organizations are moving away from single-factor authentication, and Mozilla, like Microsoft and many others, is embracing this new technology as a safer, more convenient way to stay ahead of a breach.

Rhett Saunders, Director of Cybersecurity and Compliance for Focus on the Family and SecureWorld Advisory Council member, tells us hackers seeking easy access will target organizations that are not moving towards MFA. 

"Much of cybersecurity is like this: I don't have to outrun the bear, I just have to outrun you.

In a sense, by going passwordless and effectively utilizing multi-factor authentication, especially where there was no MFA at all, a company will make all other companies that use single-factor authentication, which just requires someone to enter a username and password, look like easy prey.

For the majority of threat actors of the world, they are still like everyone else, in the sense that they operate based on the principle of least resistance. While the amount of attacks will not lessen anytime soon, threat actors will merely move to companies that are doing less in the space of MFA."

Where are the weaknesses with MFA technology? 

Saunders says passwordless is becoming more mainstream and a great number of large corporations are implementing this strategy. 

"It is easy to claim passwordless in the context of one application here or there, or even in the context of consumer-grade Mac and Windows laptops, where you just need to use a biometric to authenticate to the machine via a fingerprint or face identification through Microsoft's Hello. Even smartphones like Apple and Samsung have gotten really good at going passwordless through touch or face identification."

For Saunders, however, it is not so much about the holes in the technology, but the larger picture of scaling it within organizations.

"It is something completely different when you need to manage this at scale and for a complex enterprise where there are many more personas than just a consumer end-user on a personal laptop or smartphone. Now, we need to incorporate something called authentication that integrates with access on the other side.

Think of authentication when you allow someone through the front door of your own home. If the person you trusted to enter your home asks to go into another room in your home and you say yes, this is access. In technology, rather than trusting what we just see when someone shows up, what can go wrong is we might be able to get people into the front door easily, but it may be more difficult to grant access to the other rooms using the same information provided at the front door.

This is where the challenge lies, and having Single Sign-On (SSO) tools like Okta or Ping will help, but will not solve for every use case, especially if that application does not use SSO. Also, add on top of this Palo Alto's GlobalProtect, Cisco ISE, and macOS FileVault, and it quickly becomes complicated, because we just added more locks to the front door.

Do not underestimate the complexity of your use cases and the non-homogeneous aspect of one's environment if you are using Linux, macOS, iOS, Windows, SaaS, and the list goes on."

Saunders suggests your organization might want to approach things based on prioritization:

"Try to focus on the most-used devices (e.g. Windows or macOS users) and work from here to address the smaller use cases. We are starting with macOS and Windows users."

Like anything else, hackers are always finding ways to beat security measures. In newer technology, hackers are finding ways to spoof biometric information, including copying fingerprints from high-resolution images and other methods. 

While technology may continue to get stronger, at the end of the day, there is one thing organizations and consumers alike can keep in mind: choose strong passwords, do not use the same strong password on multiple devices, and learn more about current trends such as MFA to make a hacker's job a little more difficult when they are trying to access your data. 

[RESOURCE] Rhett Saunders will be speaking about going passwordless at the SecureWorld Rockies virtual conference on November 17.
