What’s going on with Online Password Security

On May 7th, the US suffered a cyberattack against the Colonial Pipeline system, based in Houston, Texas. Attackers managed to infiltrate the pipeline’s network and infect it with ransomware, a type of malware that encrypts whatever data is there and makes it inaccessible. They succeeded in stopping operations for five days, until May 12th, and demanded a ransom of 4.4 million US dollars, paid in bitcoin. Even though it’s highly advisable never to pay the ransom and to try to restore services in some other way, the ransom was paid, as this was a crucial part of the region’s infrastructure. There are many other types of vulnerabilities found in web applications that can be avoided by taking some measures.

In what might seem unrelated at first glance, earlier this month Cyber News reported on the biggest leaked password compilation online. The dataset is a massive 100GB text file that holds 8.4 billion passwords. It’s not a new data leak but rather a compilation of many previous leaks into one document, making cybercriminals’ jobs way more manageable. It’s named “RockYou2021”, a nod to the “RockYou” data breach in 2009 and a sign that this is not a new data leak.

So how are these two related? It was later discovered that the pipeline hack exploited a VPN account with a weak password. A VPN is a Virtual Private Network: cybersecurity software that companies use to manage entry into their networks. For example, if a person wants to connect to a company’s intranet while outside the network, they can use a VPN to create a tunnel for safe communication. In this case, it wasn’t a VPN vulnerability; cybercriminals exploited a weak password that was supposed to protect the account. This can be regarded as human error, but the damages are devastating.

Moreover, it was discovered that the password in question had been leaked online and was included in the “RockYou2021” list. It’s unclear whether cybercriminals obtained it from this list or somewhere else, but with no two-factor authentication in place, the password was all they needed to take control of the VPN account.

Of course, there had to be a lot of preparation to carry out an attack of such scale. Imagine how much work and know-how it takes to hold a four-million US dollar ransom and remain untraceable. These unfortunate circumstances revealed a huge cybersecurity issue—password management.

As mentioned previously, two-factor authentication was not in place, and it could’ve prevented this from happening. With two-factor authentication, when somebody tries to log in to a service from an untrusted device (or any device that logs into the service for the first time), they are asked to provide a second proof of identity after entering the password. Usually, it’s a text message to the phone or a confirmation code sent to a personal email. This way, if hackers want access to an account, they will also have to hack an email account, a smartphone, or a smart TV, which complicates the process tenfold.

Another solution would be a password manager. NordPass, a relatively new password manager, has a few features that can help in such a situation. The first issue with password management is that there are so many passwords these days. Twenty years ago, you had to remember your email password and maybe the passwords for some online forums you hung out on. These days there are so many services – like Steam, Spotify, Netflix – hidden behind a password that it’s impossible to remember them all by heart.

Moreover, it’s not enough to create a simple, easy-to-remember password like “qwerty” or “password123”, because such passwords have already been leaked online. And it’s not an option to use your name and surname as a password because it’s easy to guess. So how does NordPass solve the issue?

It works by creating an encrypted vault for your passwords. Each password is encrypted and can only be deciphered using your personal key. It uses a strict zero-knowledge architecture, which means that absolutely nobody – not even the developers of NordPass itself – can access your vault. That can be done only with your personal decryption key. You can create passwords of up to 60 symbols, and you can have as many different passwords as you require.

It also offers a premium data-breach scanner. This tool will scan your vault and alert you to which passwords have been leaked online so that you can change them immediately. As you can see, both of these might have helped in this situation. A password manager may not repel professional hackers, but for your personal online safety it is a considerable improvement.
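
To make the idea of a breach scanner concrete, here is an added example in Python. It is not NordPass code and not from the original article. It checks a small set of vault entries against a leaked-password compilation that may be far too large to load into memory, so it indexes the vault and streams the list once. The function name, the vault layout, and the sample data are assumptions constructed for illustration.

```python
def find_leaked_entries(vault, leaked_lines):
    """Return the sorted names of vault entries whose password is in the leak.

    vault        -- dict of entry name -> password (small, fits in memory)
    leaked_lines -- iterable of bytes lines, e.g. a wordlist opened with "rb";
                    it is read once and never held in memory as a whole
    """
    # Index the small side: password bytes -> names of entries that use it.
    by_password = {}
    for name, password in vault.items():
        by_password.setdefault(password.encode("utf-8"), []).append(name)

    leaked = set()
    for line in leaked_lines:
        # Leak compilations mix line endings; compare raw bytes so that
        # odd encodings in the list cannot raise a decoding error.
        candidate = line.rstrip(b"\r\n")
        names = by_password.pop(candidate, None)
        if names:
            leaked.update(names)
        if not by_password:
            break  # every vault password was found; no need to read further
    # Only entry names are returned, so the report never repeats a password.
    return sorted(leaked)


# Constructed sample data; "qwerty" and "password123" are the weak
# passwords named in the article, the rest is made up for the demo.
SAMPLE_LEAK = b"123456\nqwerty\r\npassword123\nletmein\n"
SAMPLE_VAULT = {
    "vpn": "password123",
    "email": "qwerty",
    "bank": "T9#vLq2!xUe8wRz4",
}

if __name__ == "__main__":
    # With a real list: open(path, "rb") and pass the file object directly.
    hits = find_leaked_entries(SAMPLE_VAULT, SAMPLE_LEAK.splitlines(True))
    for entry in hits:
        print(f"change the password for: {entry}")
```

Every entry the function reports should get a new, unique password, and two-factor authentication should be enabled on that account where the service supports it.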