3 Myths About Threat Actors and Password Safety

July 16, 2021
| |
2 min read

You’ve seen the memes and the warnings on social media — answering questions about your life history is ruining your password safety. It’s giving the bad guys the information they need to figure out your passwords and get the answers to your security questions.

But is that true? Are people lurking on social media waiting for you to reveal your favorite school teacher and your prom date? Someone with a grudge against you may use that information to do some damage, but in general, cyber criminals aren’t micro-targeting individuals. Rather, they are more likely to use a social engineering attack, like a malicious video or phishing email based on your social media algorithms, to gain access to your network and data.

No one should share sensitive information about themselves (which can be used for many other nefarious reasons). But this being a direct route to a password is one of the many myths that swirl around password safety.

Without a doubt, password security is vital for an organization. Access credentials, including passwords, are the gateway into your network. Yet, the password continues to be a security hot spot. Employees are usually the weak link in credential failures. But, that could be due to a lack of awareness of how threat actors actually harvest password information. Once these myths about passwords are disputed, organizations can improve on their security awareness training surrounding password hygiene.

Password Safety Myth No 1: Never Write Down Your Password

Fact: For decades, the most common advice surrounding password security was to never write it down. While you don’t want to tape your password to your computer screen and then share a photo of it on social media (like one congressman did), writing down passwords and storing them in a safe place is fine. Threat actors use more sophisticated methods such as keylogging or brute force password attacks. The important thing to remember is most cyber criminals want access to as many systems as easily as possible. One password at a time at a local level doesn’t matter to them.

Myth No 2: Using Text Messaging as Multifactor Authentication (MFA) Security is Best

Fact: Using text messaging for MFA is certainly easiest for most people, but it isn’t the best way to ensure password safety. A new attack vector is your mobile phone number, which threat actors steal through SIM swapping.

An attacker looking to do a SIM swap will contact your phone provider and pretend to be you. Your number is then linked to the SIM card used by the bad guy. They will then have access to any MFA that comes to your phone as a text, as well as any of the personally identifiable information on your phone. Other MFA options such as biometrics or authenticators are a better option.

Myth No. 3: I Don’t Need Password Safety Tips; My Passwords are Unique and Secure

Fact: With billions of passwords, it is unlikely that any password is truly unique. Most users create ‘unique’ passwords by changing letter cases or adding a symbol, and they do this after alerted the ‘old’ password was breached. Threat actors use techniques like password spraying to try millions of common passwords to gain access into a network. And yes, while your passwords may indeed be unique and hard to crack, it only takes one bad password to gain access to the entire system.

The more users know about how threat actors acquire passwords should go a long way in improving password safety. Debunking myths is the first step.

Sue Poremba

I began writing within the branded content/content marketing space in 2011, including articles, blog posts, SEO, Q&A, and profiles. My specialties are cy...
read more