Credential harvesting remains a constant threat to digital security. As more services find their way online, a deluge of passwords is needed to keep up with different services used daily, leading to insecure password practices, including password reuse, simple passwords, writing and storing passwords in easy-to-find locations. These practices seem to be a reasonable way to keep track of a growing mountain of passwords; however, they provide a significant advantage to threat actors looking to score easy access to online accounts.

Password reuse and the use of common or simple passwords each have their own set of insecurities. In reusing passwords, once a threat actor has successfully acquired a password for one account, they can attempt to pair it with additional accounts through credential stuffing. Simple, short, and easy-to-remember passwords are quickly cracked in brute force or dictionary attacks. This includes seemingly “secure” passwords based on the uppercase, lowercase, number, and special character requirements, such as “Summer2025!.” By requirement standards, this is a secure password; however, it is a common password as users are often forced to change their passwords every 90 days, corresponding to the seasonal changes, and it’s an easy-to-remember password. Additionally, while writing passwords down in an easy-to-locate notepad or sticky notes may protect from online attackers, this still leaves in-person theft or misplacement.

Users can take steps to help keep their accounts secure. Multi-factor authentication (MFA) provides an additional verification step in the login process. The most secure options for a secondary authentication method are an authenticator app, biometrics, or a hardware token. A password manager is also recommended to prevent password fatigue, as it securely stores user credentials. While browser storage is appealing in its ease of use, a threat actor could exfiltrate saved passwords if they gain remote access to the device. Many password managers come equipped with password generators, which can assist in creating a unique and complex password for every account. Users should ensure they have a very complex master password to access their vault and that a strong MFA option is also enabled.

While secure password practices help to prevent credential loss, knowledge of the ways passwords are stolen can also help prevent attackers from gaining access. As mentioned, brute force attacks attempt to use every possible combination of letters, numbers, and special characters to access a user’s account. Brute force can be a slow and loud process, so hackers may employ dictionary attacks, which use a compiled list of commonly used and previously stolen passwords to search for a match. Phishing attacks are a common way for threat actors to attempt to steal credentials from unsuspecting users. Users will be guided to a malicious website, often with the goal of either tricking the user into downloading malware, such as an infostealer, or entering credentials that will be accessed by the threat actor using Adversary-in-the-Middle (AitM) tactics.

Recommendations

• Avoid clicking links and opening attachments in unsolicited emails.
• Confirm requests from senders via contact information obtained from verified and official sources.
• Users should only submit account credentials on official websites.
• Users are advised to only download applications and software from official sources.
• Maintain robust and up-to-date endpoint detection tools on every endpoint.
• Consider leveraging behavior-based detection tools rather than signature-based tools. 
• If you suspect an account has been compromised, change the account’s password immediately and add a secondary authentication method. 
• Report other malicious cyber activity to the NJCCIC and the FBI’s IC3.