Using Password 123456 is Bad, but No Password is Worse

An independent cybersecurity researcher claims to have uncovered a breach of an unnamed database containing 184 million records, with exposed information including emails, passwords, and login links.
The kicker is that the database was all in plain text and required no password to access.
Let’s count how many basic account hygiene rules this breaks—all of them.
Yes, more snarkiness, but this type of ineptitude must be called out. Especially because the cure for this problem is extremely simple: Use a complex password that goes beyond the basic eight characters, with one capital letter and a symbol.
Trustwave researchers warn that an eight-character password can be cracked in under a day using brute-force techniques. Simply increasing the length to 10 characters can extend that brute-force timeline to potentially hundreds of years. Adding complexity—such as uppercase and lowercase letters, numbers, and symbols—goes even further.
Of course, remembering something like “dlkjskljfo8w!$^@@” isn’t easy. That’s why passphrases are a smarter choice. Think of a line from your favorite song, a historical quote, or even something you say to your kids, like: “Rakingleavesbuildscharacter”.
Not sure if your password or passphrase is strong enough? Free tools like Have I Been Pwned and other password strength checkers can estimate how long it would take to crack a password. For example, a complex passphrase like the one above could take centuries to break.
People often use the same password across personal and professional accounts. Employers can help mitigate this risk by enforcing strong password policies. These should include:
Cybercriminals frequently target less tech-savvy employees. Identifying and educating these vulnerable users can help close security gaps.
Organizations and individuals alike should monitor for compromised credentials using tools like Have I Been Pwned. Proactive checks can help contain damage if a breach occurs.
Above all, enabling multi-factor authentication (MFA) adds a powerful layer of security. MFA requires a second verification step—such as a code sent to your phone—ensuring that even if a password is compromised, your account remains protected.
The latest breach of 184 million records again shows the importance passwords play in an organization’s security. But one must remember that the risk is also manageable with the right steps.
Remember to use long, complex passphrases, rotate your credentials regularly, implement secure storage practices, conduct audits, and enable MFA. These simple yet effective measures can dramatically reduce the risk of compromise for both individuals and organizations.
There is still one more step to ensure proper password usage is in place at your organization: penetration tests. A pen test team will use the same tactics as a threat actor to gain access, including brute forcing passwords, searching for weak passwords, and looking for unprotected accounts.
This is an area where Trustwave is well-suited to lend a hand. Trustwave SpiderLabs’ penetration testing program is an end-to-end solution that leverages a team of experts to identify, prioritize, and eradicate weaknesses in your environment.
Not only can SpiderLabs test all types of infrastructure, such as applications, systems, and endpoints across IT, OT/IoT, and physical environments, but the teams can also customize the testing scope based on your unique requirements, such as passwords.
Additionally, Trustwave offers pen-testing-as-a-service, which gives a client greater control over the tests and their security budget.
Once an issue is identified, the team will test and re-test to resolve identified weaknesses in your environment.
Trustwave is a globally recognized cybersecurity leader that reduces cyber risk and fortifies organizations against disruptive and damaging cyber threats. Our comprehensive offensive and defensive cybersecurity portfolio detects what others cannot, responds with greater speed and effectiveness, optimizes client investment, and improves security resilience.
Copyright © 2025 Trustwave Holdings, Inc. All rights reserved.