Hello World 👋

I’m your friendly neighborhood cybersecurity systems engineer – aka the person who has to explain to your CEO for the third time this year why hackers keep strolling into your critical systems like it’s a Costco with free samples. Frankly, if I had a bitcoin for every major data breach caused by passwords like Password123! ... well, I’d still be broke (thanks volatility), but you get the point. Nothing makes me want to faceplant into my keyboard more than seeing a multimillion-dollar operation taken down by the digital equivalent of leaving a key under the doormat.

Let’s discuss the leading cause of preventable data breaches: simple or stolen login credentials. Yep, not zero-days, not nation-state ninjas, not AI-powered mega-malware. Just absolutely abysmal login hygiene.

Data Breaches Are Made Possible by People Who Should Not Be Left Alone with a Keyboard

Exhibit A: LinkedIn, 2012 – Though this breach occurred eons ago, it continues to be the gift that keeps on giving. Hackers were able to steal 117 million passwords because they were stored using the cryptographic strength of a damp Kleenex. When the passwords were leaked, we were all shocked to learn that thousands of people used “123456”, “password”, “letmein”, and my personal favorite, “LinkedIn.” This revelation literally spawned the whole password cracking industry.

Moral: If your password commonly appears on coffee mugs, don’t use it.
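To make the “damp Kleenex” point concrete, here is an added example (my own illustration, not anything from the LinkedIn post-mortem) contrasting the two ways a site can store the password “letmein”. The weak side assumes an unsalted, fast hash (SHA-1 is used as the stand-in); the hardened side uses a per-user random salt and PBKDF2-HMAC-SHA256 from Python’s standard library. The password list is constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample of the kind of passwords the post describes (not a real dump).
COMMON_PASSWORDS = ["123456", "password", "letmein", "linkedin", "Password123!"]

# --- The "damp Kleenex" way: one unsalted, fast hash per password -------------

def weak_hash(password: str) -> str:
    """Unsalted SHA-1. Deterministic, so every user with the same password gets
    the same hash, and the hash of any wordlist entry can be computed in advance."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()

# A precomputed table: this is all it takes to reverse weak_hash for common passwords.
PRECOMPUTED = {weak_hash(p): p for p in COMMON_PASSWORDS}

def reverse_weak_hash(stored: str) -> Optional[str]:
    """Instant dictionary lookup; no brute force needed for a common password."""
    return PRECOMPUTED.get(stored)

# --- The hardened way: per-user random salt plus a deliberately slow KDF ------

PBKDF2_ITERATIONS = 600_000  # OWASP's 2023 guidance for PBKDF2-HMAC-SHA256

def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Returns a self-describing record: algorithm$iterations$salt$derived_key."""
    salt = salt if salt is not None else os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    """Re-derives the key with the stored salt and iteration count, then does a
    constant-time comparison so timing does not leak how many bytes matched."""
    algo, iterations, salt_hex, dk_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        return False
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))

if __name__ == "__main__":
    leaked = weak_hash("letmein")
    print("weak hash reversed to:", reverse_weak_hash(leaked))
    record = hash_password("letmein")
    print("salted record:", record)
    print("same password hashed again gives same record?", hash_password("letmein") == record)
    print("verify correct:", verify_password("letmein", record))
    print("verify wrong:", verify_password("letmeout", record))
```

Two things to notice: with the weak scheme, every account using “letmein” shares one hash, so one lookup reverses all of them at once; with the salted scheme, two users with the same password get different records and each guess costs 600,000 iterations. Neither rescues a password that is printed on coffee mugs, which is why both the storage and the Moral above matter.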

Exhibit B: Fortnite, 2019 – Millions of gamers’ accounts got pwned via simple credential stuffing schemes (using the same 50 terrible passwords until one works). Additionally, the attackers discovered that many reused passwords from other leaks could also open doors at Fortnite.

Moral: If you use the same password for Fortnite, Netflix, Gmail, and your bank, the attackers should thank you for your laziness.
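Credential stuffing and password spraying leave a recognisable footprint in authentication logs: one source trying a different account on nearly every attempt, failing most of the time, and occasionally succeeding. Here is an added detection example (my own, not from any of the incidents above) that runs a sliding window over constructed login records. The log format, the RFC 5737 documentation addresses, the threshold and the window size are all assumptions for the demo; a real deployment would tune them to its own baseline.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed log format for the demo: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL"
LOG_LINE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$")

# Constructed sample: 203.0.113.7 walks through many accounts (stuffing/spraying
# pattern) and finally gets into "ivan"; 198.51.100.5 is just bob mistyping twice.
SAMPLE_LOG = """\
2019-01-15T10:00:01Z src=203.0.113.7 user=alice result=FAIL
2019-01-15T10:00:03Z src=198.51.100.5 user=bob result=FAIL
2019-01-15T10:00:04Z src=203.0.113.7 user=brian result=FAIL
2019-01-15T10:00:07Z src=203.0.113.7 user=carol result=FAIL
2019-01-15T10:00:09Z src=198.51.100.5 user=bob result=FAIL
2019-01-15T10:00:10Z src=203.0.113.7 user=dave result=FAIL
2019-01-15T10:00:13Z src=203.0.113.7 user=erin result=FAIL
2019-01-15T10:00:15Z src=198.51.100.5 user=bob result=OK
2019-01-15T10:00:16Z src=203.0.113.7 user=frank result=FAIL
2019-01-15T10:00:19Z src=203.0.113.7 user=grace result=FAIL
2019-01-15T10:00:22Z src=203.0.113.7 user=ivan result=OK
"""

def parse_log(log_text):
    """Group (timestamp, user, result) events by source address."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip anything that is not a login record
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events[m["src"]].append((ts, m["user"], m["result"]))
    return events

def detect_credential_stuffing(log_text, distinct_user_threshold=5, window=timedelta(minutes=10)):
    """Flag a source once it has failed against `distinct_user_threshold` different
    accounts inside `window`; any later success from that source is a likely takeover.
    Returns a list of (alert_type, src, timestamp, detail) tuples."""
    alerts = []
    for src, evs in parse_log(log_text).items():
        evs.sort()  # chronological order per source
        recent = deque()
        flagged = False
        for ts, user, result in evs:
            recent.append((ts, user, result))
            while recent and ts - recent[0][0] > window:
                recent.popleft()  # drop events that fell out of the window
            failed_users = {u for _, u, r in recent if r == "FAIL"}
            if not flagged and len(failed_users) >= distinct_user_threshold:
                flagged = True
                alerts.append(("STUFFING_SUSPECTED", src, ts, len(failed_users)))
            if flagged and result == "OK":
                alerts.append(("LIKELY_TAKEOVER", src, ts, user))
    return alerts

if __name__ == "__main__":
    for alert in detect_credential_stuffing(SAMPLE_LOG):
        print(*alert)
```

The key is counting distinct usernames per source rather than total failures: bob fails twice and succeeds, which is what a forgetful human looks like and stays quiet, while one address cycling through eight accounts in twenty seconds is the “easy button” in action. In practice you would feed the `LIKELY_TAKEOVER` alert straight into a forced reset and an MFA challenge for that account.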

Exhibit C: Colonial Pipeline, 2021 – This attack caused severe fuel shortages, including at gas stations and airports. The East Coast ran out of gas because someone reused a password from another site that had already been breached. That’s right, a simple password got scraped elsewhere and was reused. Oh, and Colonial also didn’t even have multi-factor authentication enabled.

Moral: Reusing passwords is like having the same toothbrush for yourself, your kids, your dog, and cleaning the drain. Not hygienic, and not smart.

Why This Keeps Happening (Actual Human Behavior)

  1. People pick passwords they can remember. Translation: “I use my dog’s name plus an exclamation point.”

  2. Password reuse is rampant. Hackers truly love this! It’s their version of an easy button.

  3. Lack of MFA. Not turning on multifactor authentication because it is cumbersome is like refusing to wear a seatbelt because it wrinkles your shirt.

  4. Poor credential management. Don’t use shared accounts, sticky notes, or spreadsheets of passwords labeled “do_not_share.xls.” Some organizations actually have a single admin password that is shared like it’s a Netflix login.

  5. Phishing continues to work really well. An attacker simply sends a fake login page or even a “security check”, the user types in legitimate credentials, and the attacker logs in for real. It’s not rocket science. In fact, it is much more effective than rocket science.

How to Fix This Before I Lose the Rest of My Hair

  • Use a password manager. Let it remember your 40-character caps/lower-case/numeric/special-characters gobbledygook passwords. And no, writing them in your Notes app is not a password manager – nice try.

  • Enable MFA everywhere. SMS MFA is okay. App-based MFA (an authenticator) is even better. Hardware keys will elevate you to the “sleep like a baby” level.

  • Stop reusing passwords. Your gaming password does not belong in your financial life. ‘Nuff said.

  • Rotate credentials. Not every 30 days, we’ve stopped that madness. But change passwords if a breach occurs, or if you suspect phishing, or when a critical employee leaves, or if your passwords were already in use when Obama was still in office.

  • Don’t share accounts. If five people share an admin password, nobody will actually know who broke the system (and yes, someone will break it).

  • Monitor for compromised credentials. Use tools that compare enterprise logins against known breach dumps. If any of your organization’s passwords show up on the dark web, do some immediate resets.

  • Train users regularly. PowerPoint alone won’t save you. Humor, memes, real examples, and some mild shaming? Now we’re talking.
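The “monitor for compromised credentials” item deserves a worked example, because the obvious implementation (sending every password to a breach-checking service) is itself a leak. The scheme Pwned Passwords popularised avoids that: the client hashes the password, sends only the first five hex characters of the SHA-1, gets back every hash suffix in that range, and does the match locally. The code below is an added example of that exchange, my own and not the code of any vendor; the breach dump is a constructed five-entry stand-in for a corpus of hundreds of millions of hashes, and the enterprise check is assumed to run where the plaintext is legitimately available, such as a password-change hook.

```python
import hashlib

# Constructed stand-in for a breach corpus: password -> number of times seen in dumps.
BREACH_DUMP = {"123456": 37, "password": 21, "letmein": 6, "linkedin": 4, "ILoveCoffee1": 1}

def sha1_upper(password: str) -> str:
    """Upper-case hex SHA-1, the key format the range scheme is built around."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()

def build_range_index(dump):
    """Server side: bucket every hash by its 5-character prefix."""
    index = {}
    for pw, count in dump.items():
        h = sha1_upper(pw)
        index.setdefault(h[:5], {})[h[5:]] = count
    return index

def range_query(index, prefix: str):
    """Server side: return every (suffix -> count) sharing the prefix.
    The server never learns which of the suffixes the client cares about."""
    return index.get(prefix, {})

def breach_count(password: str, index) -> int:
    """Client side: only the 5-char prefix leaves this host; the match is local."""
    h = sha1_upper(password)
    return range_query(index, h[:5]).get(h[5:], 0)

def accounts_needing_reset(credentials, index):
    """Given (username, candidate_password) pairs from a password-change hook,
    return the usernames whose new password already appears in the corpus."""
    return [user for user, pw in credentials if breach_count(pw, index) > 0]

if __name__ == "__main__":
    index = build_range_index(BREACH_DUMP)
    # Constructed sample of what a change hook might see.
    submitted = [("ceo", "ILoveCoffee1"), ("dba", "correct horse battery staple"), ("intern", "letmein")]
    print("seen in breaches:", accounts_needing_reset(submitted, index))
    print("prefix sent for 'letmein':", sha1_upper("letmein")[:5])
```

The range lookup is what makes this safe to run at scale: a 5-character prefix covers roughly 1/1,048,576 of the hash space, so the service only ever sees a bucket of many hundreds of candidates and cannot tell which one you were checking. Wire this into the password-change path and the “immediate resets” in the bullet above become a rejection before the bad password is ever set.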

Final Thoughts

Simplistic or stolen login credentials cause more serious breaches than any other spooky hacker movie villain ever will. Not because hackers are geniuses, but because people keep using “ILoveCoffee1” as the master key to their entire digital lives. Let’s all agree to stop doing that. Let’s remind our customers to stop doing that too.

Your cybersecurity team will thank you.

Stay tuned for more nerdy columns about my experiences as an SE.

*Apologies to Anne Robinson and Jane Lynch for borrowing their catch phrase!