The network security provider Fortinet announced yet another breach, this one disclosing VPN login credentials for approximately 87,000 of its devices. What is of greater interest is that, rather than being just another data leak, the data contained some interesting ‘gems’ about the robustness of user passwords.
The information about passwords comes from researchers at Specops Software, who analyzed data from the breach and identified the top 10 passwords exposed in the leak. What is notable about the list is the lack of robust security around the passwords. In other words, they are easy to hack.
The top ten passwords, with the number of times each appeared in the leaked data, are:
- Temporal2020 (835)
- 123456 (793)
- asdf123 (393)
- Juzgado2020 (371)
- pass@123 (361)
- Password1 (338)
- macaw777 (323)
- P@ssw0rd (290)
- U-SG-SSL-General_User (277)
- 12345678 (217)
These are examples of weak passwords: short, common, a system default, or something that could be rapidly guessed by a brute-force attack that tries only a small subset of all possible passwords.
A weak password is not only a matter of length and the characters used; it is also a matter of guessability. As an example, ‘Name@12345’ looks like a fairly complex password but is readily guessable.
Weaknesses often arise because, even among organizations that do impose complex password requirements, those requirements are not always robust enough to reduce attackers' chances of success.
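As an added illustration (not code from Specops or Digital Journal), a small Python checker that flags the kinds of guessable passwords described above. It uses the leaked top ten as a constructed breached list and a tiny constructed dictionary; the thresholds and word lists are assumptions for the example.

```python
import re

# Constructed breached-password list seeded with the ten passwords reported
# from the Fortinet leak (the list on this page). A real deployment would
# check against a full breach corpus, not this stub.
BREACHED = {
    "temporal2020", "123456", "asdf123", "juzgado2020", "pass@123",
    "password1", "macaw777", "p@ssw0rd", "u-sg-ssl-general_user", "12345678",
}
# Small constructed dictionary of base words; real checkers use large wordlists.
DICTIONARY = {"name", "pass", "password", "temporal", "juzgado", "welcome", "admin"}
# Keyboard walks and number runs that satisfy complexity rules but are trivially guessed.
SEQUENCES = ("qwerty", "asdf", "12345", "abcdef")
# Leetspeak substitutions that add look-alike complexity but little real entropy.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "$": "s", "!": "i"})
MIN_LENGTH = 12  # assumed policy minimum for this example

def core_word(pw):
    """Reduce 'Name@12345' -> 'name' and 'P@ssw0rd' -> 'password'."""
    s = pw.lower()
    s = re.sub(r"[^a-z]+$", "", s)   # drop trailing year/digits/symbols
    s = re.sub(r"^[^a-z]+", "", s)   # drop leading symbols/digits
    return s.translate(LEET)

def weaknesses(pw):
    """Return the reasons a password is guessable; an empty list means it passed."""
    reasons = []
    low = pw.lower()
    if len(pw) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if low in BREACHED:
        reasons.append("appears in breached-password list")
    if pw.isdigit():
        reasons.append("digits only")
    if re.search(r"(19|20)\d\d$", pw):
        reasons.append("ends in a year")
    for seq in SEQUENCES:
        if seq in low:
            reasons.append(f"contains keyboard/number sequence '{seq}'")
    core = core_word(pw)
    if core in DICTIONARY:
        reasons.append(f"dictionary word '{core}' with decoration only")
    return reasons

def is_acceptable(pw):
    return not weaknesses(pw)

if __name__ == "__main__":
    for pw in ("Name@12345", "P@ssw0rd", "Temporal2020", "Tramway!Harbour!Quince9"):
        print(pw, "->", weaknesses(pw) or "ok")
```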
Messaging Digital Journal with the information, Darren James, Product Specialist and Head of Internal IT, Specops Software, discusses the nature of the leak and the weaknesses around the passwords.
With the leak itself, James explains: “This leak is unfortunate but not completely surprising. We know that ransomware attacks are continuing to rise and that the VPN password is a popular path to deploy ransomware. We saw it with the Colonial Pipeline attack, and now we see it here with this VPN leak.”
Moving onto the subject of the fragility of the passwords, James says: “VPN passwords are still vulnerable and we see from this data that people are still not choosing strong passwords. Even with ransomware, organizations need to remember the security basics – enforce strong passwords checked against a breached list.”