As we approach Super Bowl LVIII, with the Kansas City Chiefs and the San Francisco 49ers vying for championship glory, a different kind of competition is heating up in the realm of cybersecurity: the battle against compromised credential attacks. This critical contest unfolds not on the field but in the digital domain, where the integrity of user credentials and sensitive data is under constant threat from cyber attackers.
Professional sports-related passwords are pretty common, which makes them a great tool for hackers to exploit via credential stuffing. We queried our extensive database of compromised credentials to determine which team-related passwords are most frequently exposed. These passwords were collected by Enzoic’s threat research team and included in their continuously updated proprietary data platform to protect vulnerable users and organizations as quickly as possible. The most common 49ers password was, as you may have guessed, ‘sf49ers’ with over 119,000 instances seen, while the top Chiefs password, ‘kcchiefs’ comes in at just under 50,000. Here are the top-ten most seen passwords for each team:
| Rank | San Francisco 49ers | –vs.– | Rank | Kansas City Chiefs |
|---|---|---|---|---|
| 1 2 3 4 5 6 7 8 9 10 |
sf49ers sf49ers1 sf49erss sf49ers! mysf49ers sf49ers16 gosf49ers 1sf49ers sf49ers01 thesf49ers |
1 2 3 4 5 6 7 8 9 10 |
kcchiefs kcchiefs1 kcchiefs88 kcchiefs58 kcchiefs27 kcchiefs kcchiefs01 kcchiefs12 kcchiefs69 kcchiefs11 |
If you followed our post last month about Taylor Swift-related passwords, you can see some similarities, such as the use of particular numbers after the “root” part of the password. Often this root is a popular celebrity name or team name, so seeing these patterns in the data allows hackers to make better and better guesses. We can see that they are in fact actively doing this at a very high level, thanks to our own live honeypot that collects credentials in real time as credential stuffing hackers attempt to gain access to the fake company’s system. We can watch as they combine details from the company’s website, common passwords, and these types of patterns to create tailor-made guesses to target users, customers, and organizations.
This is why Enzoic’s fuzzy matching features can help protect your business.
Compromised Credentials and Account Takeovers
It’s easy to think that people might use these passwords for only their personal accounts and your business is safe, but studies show that password reuse across business and personal accounts is a huge problem. This is why broad-spectrum compromised password coverage is essential- not just from previous breaches related to your industry or software stack. All it takes is one guessable password for, say, a corporate email account to allow hackers to infiltrate an entire organization, and access brokers are capitalizing on these vulnerabilities every day. These credentials, when stolen or exposed in data breaches, become tools for bad actors aiming to execute credential stuffing attacks, gain unauthorized access, and orchestrate account takeovers. The exposure of such credentials, often through data breaches, places personal and organizational data at significant risk.
Attackers utilize various techniques, including credential stuffing and brute force attacks, to exploit valid credentials and compromise accounts. Even a simple entry vector like a compromised account can become a massive incident as threat actors escalate their initial access to more privileged permissions and sensitive data.
Credential attacks, particularly credential stuffing and brute force attacks, area common method for attackers to compromise user accounts. Organizations face the challenge of defending against these attacks, which aim to exploit weak passwords and users’ frequent reuse of credentials across accounts, whether business or personal. Security teams must prioritize the protection of login credentials to prevent unauthorized access and protect sensitive information.
Aligning with NIST Guidelines for Enhanced Security
In response to the evolving threat landscape, the National Institute of Standards and Technology (NIST) has updated its guidelines to fortify defenses against compromised credential attacks. These guidelines emphasize the elimination of outdated security practices and the adoption of measures that genuinely enhance the security of credentials.
● Simplifying Password Complexity: NIST recommends moving away from arbitrary complexity requirements for passwords, which often lead to weaker security practices, such as the use of common passwords across multiple accounts. Historically, the logic behind complexity requirements was straightforward: more character types should mean more possible combinations, making passwords harder to guess. However, this assumption overlooks human psychology and behavior patterns. Faced with the need to remember difficult passwords, individuals often resort to predictable strategies, such as using common substitutions (e.g., “pa$$word”) or repeating patterns (e.g., “Password1!”). These practices make passwords easier to guess by attackers using sophisticated guessing algorithms.
● Screening Against Known Compromised Passwords: Organizations are urged to screen new passwords against databases of known compromised passwords, reducing the likelihood of credential compromise. Cyber attackers frequently rely on databases of stolen credentials obtained from previous breaches to launch attacks on various platforms. This method, known as credential stuffing, is effective largely because many users tend to reuse passwords across multiple accounts. When organizations fail to screen for these known compromised passwords, they inadvertently allow attackers an easy way to gain unauthorized access. Screening new and existing passwords against these databases helps ensure that the passwords protecting user accounts are not already in the hands of bad actors.
● Removing Time-Based Password Resets: NIST’s updated guidelines mark a significant departure from the old-school belief in the efficacy of regular password changes. The premise for this change is rooted in a simple yet profound understanding: frequent password resets can lead to “security fatigue” among users. When users are forced to change their passwords regularly, they often resort to creating weaker, easily remembered passwords or make minor alterations to their existing passwords—practices that can significantly diminish the overall security of user accounts. The move away from mandatory password resets is based on a deeper insight into user behavior and cyber threat mitigation. Instead of focusing on the frequency of password changes, NIST recommends emphasizing the creation of strong, unique passwords and employing additional security measures such as multi-factor authentication (MFA). This approach not only simplifies the user experience but also fortifies security by reducing the likelihood of credential compromise.
Implementing Strong Cybersecurity Measures
For organizations and security teams, the adoption of NIST’s recommendations is a pivotal step toward mitigating the risks highlighted by the prevalence of compromised credentials. Implementing best practices, such as strong password policies, can significantly enhance the security posture of organizations, protecting against the initial access strategies of attackers and reducing the risk of privilege escalation.
The Super Bowl of Passwords serves as a reminder of the ongoing battle to secure our organizational infrastructure against compromised credentials. Organizations must remain vigilant, employing advanced security measures like continuous credential screening and adopting comprehensive, sophisticated security strategies to defend against the myriad of attacks launched by threat actors.
As we enjoy the spectacle of Super Bowl LVIII, let’s also commit to reinforcing our cybersecurity defenses. By adhering to NIST guidelines and implementing robust security measures, we can protect sensitive data, user credentials, and organizational systems from the widespread threat of cyber attacks. Together, through awareness and proactive defense, we can ensure that our digital domains are protected against the tactics of bad actors, securing our online presence against unauthorized access and compromised account takeovers.
AUTHOR
Dylan Hudson
Dylan leads the Threat Research team at Enzoic, developing and implementing cutting-edge threat intelligence infrastructure to help protect users and organizations from cyberattacks. When not at work, he can be found hiking and biking in the Rocky Mountains or playing traditional Celtic music on various stringed instruments.