Friday, February 20, 2026
Melbourne Post

Expert Khomutov: Russians lost billions of rubles because of simple passwords

February 20, 2026
in Tech

More than half of Russian Internet users use easy-to-guess passwords. This is happening even as the number of cyberattacks is increasing.

Modern GPU-based tools can guess up to 70% of domain passwords in just half an hour. Because of this, even seemingly complex combinations can be vulnerable. Konstantin Larin, head of the cyber intelligence department at the company Bastion, spoke about this.

Thus, 45% of stolen passwords formally meet the complexity requirements but in reality are still susceptible to automated guessing. Additionally, about 10% of company employees still use basic combinations, which significantly increases the risk to company data security.

Up to a third of serious cyber incidents in Russian organizations are related to password theft. Hackers often use the credentials of privileged users and system administrators – this access gives them many opportunities within business infrastructure.

“It is currently difficult to accurately estimate the total damage from such incidents, but it is calculated in billions of rubles,” said Ideco director Dmitry Khomutov.

Compliance tends to be formal: users add capital letters, numbers and special characters but continue to create passwords based on predictable patterns (dates, basic words, obvious strings like “qwerty”, “asdf”, etc.). “Even if the password looks complex from the point of view of security policy, it can still be a dictionary password – for example, in a combination like ‘Zima2026!!’. Such options with common words, dates and typical character substitutions have long been on the list of scammers and are used successfully in brute force and account recovery,” said Larin.

Computing power is increasing, so today passwords of at least 12 characters, including uppercase and lowercase letters, numbers and special characters, are considered protected from brute force, said Sergei Zolotukhin, cybersecurity consultant at F6.
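An added example, not from the article or the experts it quotes: a minimal Python check showing how a password such as “Zima2026!!” can pass a formal complexity policy yet still be flagged as predictable. The word list, keyboard rows, substitution table, function names and the 8-character policy used for comparison are assumptions chosen for illustration.

```python
import re

# Constructed sample word list; a real check would load a large dictionary
# and known-leaked passwords instead.
COMMON_WORDS = {"zima", "leto", "password", "admin", "welcome", "qwerty", "asdf"}
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")
# Typical character substitutions mapped back to letters.
LEET = str.maketrans("@4$5013!7", "aassoieit")
CLASSES = (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]")


def meets_complexity(pw, min_len=12):
    """Formal policy only: minimum length plus all four character classes."""
    return len(pw) >= min_len and all(re.search(c, pw) for c in CLASSES)


def predictable_reasons(pw):
    """Return the predictable patterns found in a password."""
    reasons = []
    low = pw.lower()
    # Drop the trailing digits/symbols (years, "!!") to expose the base word.
    core = re.sub(r"[\d\W_]+$", "", low)
    if core in COMMON_WORDS or core.translate(LEET) in COMMON_WORDS:
        reasons.append("dictionary word with suffix")
    if re.search(r"(19|20)\d{2}", pw):
        reasons.append("embedded year")
    # Any four consecutive characters taken from one keyboard row.
    if any(low[i:i + 4] in row
           for row in KEYBOARD_ROWS for i in range(len(low) - 3)):
        reasons.append("keyboard walk")
    return reasons


def audit(pw, min_len=12):
    """Return (passes_formal_policy, predictability_findings)."""
    return meets_complexity(pw, min_len), predictable_reasons(pw)


if __name__ == "__main__":
    # Constructed sample passwords.
    for sample in ("Zima2026!!", "Qwerty2026!!", "P@ssw0rd2025!", "v7#Kq!m2Rz@xLp"):
        print(sample, audit(sample))
```

A password should be rejected when the second element of the result is non-empty, regardless of whether the formal policy check passes.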

Larin added that database leaks pose a particular danger. Even if passwords are stored in hashed form, an attacker can still recover the original combinations if they are not strong enough.

Furthermore, password reuse often allows criminals to access several services at once – from email to online banking.

An additional risk factor is the lack of two-factor authentication. When it is disabled, the probability of a successful account takeover increases many times over. This is especially true in cases where passwords have been included in known leak databases.

To increase protection, Larin recommends avoiding predictable combinations and personal data, not reusing combinations across services, and, if possible, using a cross-platform password manager that automatically generates and stores strong combinations. According to Larin, storing passwords in the browser is risky: when malware infects the device, it can extract data from the built-in storage.

According to Zolotukhin, modern software measures are really effective in preventing password guessing. These include anti-bot protection when accessing online resources and an obvious method such as limiting the number of password attempts.

Zolotukhin added: “Unfortunately, even such simple settings on their resources are often overlooked by service owners.”

Passwordless authentication methods such as biometrics and hardware tokens have become popular, but a large number of login-password pairs are available to criminals in already leaked databases or in new leaks.

“This is a truly dangerous time bomb for society, embedded in mass Internet communications. Unfortunately, even the most advanced expert in digital hygiene cannot protect against this threat,” Zolotukhin concluded. “An effective tool to combat such risks can only be the widespread mastery of the skills of working with cyber intelligence data by specialists and the widespread dissemination of systems of this type in all organizations that are truly interested in customer data.”
