Easily Guessed Passwords for New Accounts Include “User”, “Temp”, “Welcome”
2024-5-15 03:10:54 Author: securityboulevard.com

New account passwords, which are widely used during onboarding processes, are plagued by easy-to-guess configurations that leave organizations vulnerable to threats.

These were the results of a Specops study that analyzed more than 651 million passwords compromised by malware. The study narrowed down the list to 120,000 passwords commonly used for new team members.

“User” topped the list, appearing 41,683 times, followed by “temp”, used 28,469 times, with “welcome” rounding out the top three. Other popular new account passwords included “guest”, “starter” and “logon”, underlining the pervasive weakness of these types of security keys.

“Many end users will reuse their temporary password or simply add numbers or special characters onto the end to meet an organization’s password policy,” the study said.

Temporary passwords pose a significant risk because users tend to either retain them or make minor alterations rather than promptly replacing the password with a stronger alternative. This behavior increases vulnerability to attacks, as attackers can exploit weak or common passwords through brute force or cracking tools.

Additionally, password reuse across various platforms further heightens the risk of compromise, particularly when users employ work passwords on less secure personal devices or websites.

Recent high-profile breaches underscore the dangers of weak temporary passwords. Several notable incidents serve as stark examples.

  • In Pennsylvania, Iranian hackers infiltrated the Aliquippa Water Authority, exploiting a default password (1111) that was never changed.
  • Similarly, SolarWinds fell victim to a massive cyberattack, with attackers accessing its Orion platform using the easily guessable password ‘solarwinds123’, publicly available on GitHub.
  • Cloud-based security camera company Verkada suffered a breach, exposing live feeds from over 150,000 cameras, attributed to hackers using a default “super admin” account password.
  • The New York City Law Department faced a breach when hackers exploited a vulnerability in its Pulse Secure VPN.

Darren James, senior product manager for Outpost24, Specops' parent company, said he was “amazed” to see how prolific default or temporary passwords were.

“Even though compromised passwords have been one of the top reasons for data breaches for many years, these passwords, which are usually set by admins and IT professionals, fall well short of the standards they should be at,” James said. A first-day password should ideally be long and random and not transmitted over insecure channels such as voice, email, or SMS.

“What we propose is that you remove the need for sending this first day password at all, and instead use other ways of verifying the user initially, and then letting the user set their own first password instead,” James added.

The report also noted that the risk to passwords in Active Directory, which serves as a centralized database for managing network resources and user identities in a Windows environment, is exacerbated by the onboarding process for new users within organizations.

Active Directory has been around a long time, and it’s still used as the primary identity platform for most organizations today, whether they use on-prem or cloud-based IT services, James noted. “Back at the beginning of the century, we were still using dialup modems, there was no such thing as social media and people had very little online presence or passwords to remember,” he said. “The problem we have now is that Active Directory’s password policy hasn’t changed in 24 years, but the world has.”

Most people have adopted an online presence of some sort in their personal or work lives. “We publicize ourselves digitally for the world to see,” James said. “If you were to look at my social media profiles, you might easily find out what my kids’ names are, where I go on vacation, what car I drive, when my birthday is, and what my favorite singer, film or book is.” Those data points help threat actors build a list of words a user might use.

“Don’t forget: Users also might be tempted to use the name of the company, the department they work in or the name of a product or service the company provides,” James said.

With that in mind, it’s important for IT teams to implement strong password policies that block these easily guessable words.

James advised organizations to enforce a strong passphrase (three random words) policy and to continuously scan their users’ passwords to ensure that the “amazing unique passphrase” they set last year is still unbroken today.
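The two controls recommended above, a blocklist that catches padded and leet-spelled temp passwords and company words, and a minimum-words passphrase rule, written here as an added Python example; it is not Specops' product or code from the article, and the organization words and sample passwords are constructed:

```python
import re

# Constructed blocklist: the most frequent new-account passwords the Specops
# study reports, plus the company/department/product words James warns about
# (hypothetical organization values, not from the article).
COMMON_ONBOARDING_PASSWORDS = {"user", "temp", "welcome", "guest", "starter", "logon"}
DEFAULT_ORG_WORDS = {"acme", "finance", "widgetpro"}

# Undo the letter-for-symbol swaps users make to satisfy a complexity rule.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def base_word(password: str) -> str:
    """Reduce a password to the word underneath its padding: drop leading and
    trailing digits/symbols (the 'add 123!' habit), lowercase, and undo leet."""
    core = re.sub(r"^[^A-Za-z]+|[^A-Za-z]+$", "", password)
    return core.lower().translate(LEET)


def is_blocked(password: str, org_words=DEFAULT_ORG_WORDS) -> bool:
    """True when the password is a common temp password, an organization word,
    or an all-digit/symbol default (like the '1111' case), padding removed."""
    base = base_word(password)
    if not base:
        return True
    blocklist = COMMON_ONBOARDING_PASSWORDS | {w.lower() for w in org_words}
    return base in blocklist


def passphrase_words(password: str) -> list:
    """Split on separators or case changes so 'correct-horse-battery' and
    'CorrectHorseBattery' both count as three words."""
    return re.findall(r"[A-Z][a-z]+|[a-z]+|[A-Z]+(?![a-z])", password)


def meets_policy(password: str, org_words=DEFAULT_ORG_WORDS,
                 min_words: int = 3, min_length: int = 15) -> bool:
    """Approximation of the 'three random words' policy: not blocked, at least
    min_words words, none of them on the blocklist, and at least min_length chars."""
    if is_blocked(password, org_words) or len(password) < min_length:
        return False
    words = passphrase_words(password)
    blocklist = COMMON_ONBOARDING_PASSWORDS | {w.lower() for w in org_words}
    return len(words) >= min_words and not any(w.lower() in blocklist for w in words)
```

The same `is_blocked` check can be run over a list of (account, candidate) pairs at password-reset time, which is where a policy engine would call it.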

Photo credit: John Schnobrich on Unsplash

Source: https://securityboulevard.com/2024/05/easily-guessed-passwords-for-new-accounts-include-user-temp-welcome/