Top insights for IT pros
From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.
A virtual private network (VPN) turns public real quick once everybody knows the password.
Password-management firm Specops Software discovered 2,151,523 VPN credentials compromised via malware over the past year in a study released last week.
(In 2023, VPN provider Surfshark estimated that 1.6 billion people use VPNs, tools for providing encrypted remote access.)
The 2 million-plus pull of VPN passwords from the company’s threat-intelligence platform indicates to one pro at the firm that plenty of users aren’t protecting, or even caring all that much, about a valuable network entrypoint.
“If we look at some of the content of those passwords, that’s where we really start seeing where there’s still, unfortunately, a general apathy around security, and password security in particular,” Darren James, senior product manager at Outpost24 (which acquired Specops in 2021), told IT Brew.
This is qwerty. The most commonly used passwords found in the report likely won’t surprise you; they are the usual consecutive numbers and variations of “password” and “qwerty.” The top compromised password—found 5,290 times, according to Specops: “123456.”
And, actually, 5,290 is progress—a “quite low” figure, the Specops team wrote, considering the dataset featured more than 2 million VPN passwords. “This could suggest that end users may have generally been using unique, or even strong passwords for their VPN credentials,” according to the Sept. 17 blog.
Even complex PWs can be compromised, James said, when malware known as keystroke loggers track logins and phishing emails deceive users into giving up VPN credentials.
VPN excess. Self-managed VPNs accounted for 63% of 2023’s remote-access ransomware events, according to a recent report from cyber insurance provider At-Bay.
Check Point Software Technologies’s Chief of Staff and Head of Global Corporate Communications Gil Messing advised IT Brew readers in June to eliminate unnecessary VPN accounts and add safeguards like certificates and multi-factor authentication to required ones.
Once an attacker breaks a VPN or compromises VPN access, they “have visibility into the network,” Messing told IT Brew in June.
Corporate bonus. Specops said it recently added over 193 million compromised passwords—credentials of all kinds, not just VPNs—to its “Breached Password Protection” service.
While many of the VPN-specific findings exposed consumer-level compromises, given the email addresses associated with them, the report also revealed corporate risk. Several discovered passwords meet length and complexity requirements for Active Directory in many organizations.
The Specops researchers recommend blocking some of the suspected stolen corporate passwords, like Abcd@123# and Lordthankyou2.
With VPN passwords, there’s “general apathy” and there’s generally going with the same password—complex or not.
“Ultimately, it comes down to password reuse. Even if you’ve got a super-strong password, you need to be able to check that that password hasn’t become breached or hasn’t been stolen since the last time you’ve set it,” James said.