Do we live in a world of privacy? If only that were the case, my friend.
The reality is that there are millions and millions of leaked usernames and passwords available online to download at any time. Because of the way people manage their never-ending password lists, these breaches are used in a high volume of corporate and business attacks.
Pertinent examples
People are not very creative when it comes to thinking up a password.
For example, Bob Benjamin has worked at Umlindi Incorporated for the past 10 years. Bob’s corporate email address is [email protected] and his personal one is [email protected]
Bob uses the same password for all accounts, with small variations to keep things easy, such as adding an ! or # to a strong password. Let’s call it B0bi$th3best!, so his variations are B0bi$th3best# or B0bi$th3best&&.
That’s super easy to manage and ensures that your password is different for each site, so you should be safe.
Bob didn’t count on a site being breached and his password being stored in plain text or with very weak encryption. So, Bob’s password is now in a database dump online and available for all to see.
The next step
What hackers now do is match up the fact that Bob works for Umlindi with a rainbow table on his password to add in special characters and phrases.
They then use brute force to get into his business account and later monetise that breach, either by exploiting Bob directly or by gathering more information to exploit the company later.
Resonating concerns
I’m sure this problem resonates with millions of people worldwide. But all is not lost. Here are some ways you can immediately resolve this situation:
- Get a password manager and update all passwords to be random characters;
- Choose very long random sentences for the master, email and business passwords you type daily. For example, this is an extremely strong, memorable password for Bob: “My name is Bob and I love to fly fish and drink root beer on the weekends!” or “Bob fish weekends must drink root b33r!”;
- Set up Multi-Factor Authentication (MFA); and
- Check to see if your password has been breached at https://haveibeenpwned.com/ (they have an API too).
And then, the reason you all came to this blog: check out Azure AD Smart Password Lockout & dynamically banned passwords, which will not allow breached passwords to be used and will lock out newly found passwords.
To do this, log in to the Azure Portal at https://portal.azure.com
Search for Azure AD Identity Protection
And start by assessing the risks and enabling policies and alerts.