With More Use of Cloud, Passwords Become Even Weaker Link

Slow patching provides vulnerabilities to exploit. A lack of network segmentation allows unrestricted lateral movement. Yet a report surveying a year of penetration tests finds that passwords still top the list of what attackers use to compromise systems.

Passwords continue to be the top weakness exploited in penetration-testing engagements, with the collection of credentials a major part of internal, red team, and social engineering engagements, security firm Rapid7 states in a report published on Aug. 26.
While the increase in remote work has focused attackers on virtual private networks (VPNs) and cloud services in 2020, penetration-testing data from last year shows that many compromises were already focused on credentials as the best way to gain access to cloud infrastructure, the vulnerability management firm stated. Penetration testers' top techniques for obtaining passwords included password spraying, offline password cracking, and man-in-the-middle attacks, with password spraying the top technique for external attackers, the company states in its "Under the Hoodie" report.
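As an added defender-side example (not from the Rapid7 report or this article), the Python below flags the password-spraying pattern the report names in a constructed sample of authentication log lines: one source failing against many accounts a few times each, which stays under per-account lockout thresholds and so looks different from a brute-force run against a single account. The log format, IP addresses and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
# Constructed sample auth log, not data from the report: "timestamp user source_ip result".
SAMPLE_LOG = """\
2020-06-01T09:00:01 alice 203.0.113.7 FAIL
2020-06-01T09:00:03 bob 203.0.113.7 FAIL
2020-06-01T09:00:05 carol 203.0.113.7 FAIL
2020-06-01T09:00:07 dave 203.0.113.7 FAIL
2020-06-01T09:00:09 erin 203.0.113.7 FAIL
2020-06-01T09:00:11 frank 203.0.113.7 SUCCESS
2020-06-01T09:05:00 alice 198.51.100.2 FAIL
2020-06-01T09:05:02 alice 198.51.100.2 FAIL
2020-06-01T09:05:04 alice 198.51.100.2 FAIL
2020-06-01T09:05:06 alice 198.51.100.2 FAIL
2020-06-01T09:30:00 bob 192.0.2.9 SUCCESS
"""

def parse(text):
    events = []
    for line in text.splitlines():
        ts, user, ip, result = line.split()
        events.append((datetime.fromisoformat(ts), user, ip, result == "SUCCESS"))
    return events

def detect_spraying(events, window=timedelta(minutes=10), min_users=5, max_per_user=2):
    # Spraying signature: one source fails against many distinct accounts inside the
    # window but only a few times each, so per-account lockout thresholds never fire.
    # A brute-force source (many failures on one account) is deliberately NOT flagged here.
    by_ip = defaultdict(list)
    for ts, user, ip, ok in events:
        if not ok:
            by_ip[ip].append((ts, user))
    hits = {}
    for ip, fails in by_ip.items():
        fails.sort()
        for i, (start, _) in enumerate(fails):
            per_user = defaultdict(int)
            for t, u in fails[i:]:
                if t - start <= window:
                    per_user[u] += 1
            if len(per_user) >= min_users and max(per_user.values()) <= max_per_user:
                hits[ip] = sorted(per_user)
                break
    return hits

def successes_from_sprayers(events, hits):
    # Accounts that later authenticated from a flagged source: the spray probably found
    # a working password, so these go to the top of the triage queue.
    return sorted({user for _, user, ip, ok in events if ok and ip in hits})
```

The brute-force source in the sample (four failures on one account) is not flagged by this rule; it needs a separate per-account threshold, which is exactly why spraying slips past lockout policies.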
Too many companies continue to rely on users to pick good passwords and to not reuse them across services, and not enough companies have deployed multifactor authentication, says Tod Beardsley, director of research for Rapid7.
"You are entrusting your humans to pick passwords, and that is a way to tears," he says. "We have all these options for picking passwords ... so let the machine pick your passwords. While that puts all your eggs in one basket, we have gotten really good at protecting that one basket."
Passwords have been a perennial problem for both companies and consumers, and attackers have consistently focused on collecting credentials. Using data from 206 engagements conducted during the 12 months to June 2020, cloud passwords become weaker