Nvidia leak shows weak passwords in use [new data]
Cyber-criminal group LAPSUS$ claimed GPU manufacturer Nvidia as one of its latest breach victims at the end of February. The news of the breach made headlines in the past few weeks, including details that employee passwords were leaked. The Specops team has obtained some 30k of the leaked passwords and included them in the latest addition of over 6 million compromised passwords to the Specops Breached Password Protection service.
The Specops research team was able to analyze the Nvidia dataset for password construction patterns. The findings, shared below, highlight how common weak passwords are in organizations. On March 1, 2022, Nvidia shared on its security incident page that all employees have been required to change their passwords, so none of the examples in this post are passwords in use today. These research findings follow the publication of the 2022 Specops Weak Password report last week.
“While we don’t know how the hackers gained access in this incident, it is unfortunate to see that weak passwords were in use,” said Darren James, Product Specialist at Specops Software. “But they are not alone – weak passwords are unfortunately common across many organizations because of a lack of basic protections like blocking company names.”
Top 10 Base Words in Leaked Nvidia Passwords
Finding “nvidia” in this list indicates the organization wasn’t making use of a custom dictionary in its password protections. “September” in the 10th spot shows that Nvidia employees choose passwords in similar ways to the rest of the world (see “Which seasons and months are most common in compromised passwords”).
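A custom dictionary check of the kind described above can be sketched as follows. This is an added example, not Specops code or part of the original post; the dictionary contents, the substitution table and the function names are assumptions chosen for illustration.

```python
import re
from collections import Counter

# Constructed custom dictionary: the organization's name plus month/season
# words of the kind the article reports among common base words.
CUSTOM_DICTIONARY = {"nvidia", "september", "summer", "winter"}

# Character substitutions to undo before matching (an assumed, partial list).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})


def normalized_forms(password):
    """Return the letters-only forms of a password, with and without
    substitutions undone, so padding digits and symbols do not hide a word."""
    lowered = password.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    unsubstituted = re.sub(r"[^a-z]", "", lowered.translate(SUBSTITUTIONS))
    return {plain, unsubstituted}


def banned_terms(password, dictionary=CUSTOM_DICTIONARY):
    """List the dictionary terms a candidate password is built on."""
    forms = normalized_forms(password)
    return sorted(t for t in dictionary if any(t in f for f in forms))


def audit(candidates, dictionary=CUSTOM_DICTIONARY):
    """Count how often each dictionary term appears across candidates."""
    hits = Counter()
    for candidate in candidates:
        hits.update(banned_terms(candidate, dictionary))
    return hits


if __name__ == "__main__":
    # Constructed sample input, not values from the leaked dataset.
    samples = ["Nvidia2022!", "Nv1d1a#99", "$eptember21", "September2021",
               "plum-Harbor-ocean-71"]
    for s in samples:
        print(s, "->", banned_terms(s) or "accepted")
    print(audit(samples).most_common())
```

A password-change hook would reject any candidate for which `banned_terms` returns a non-empty list; matching on substrings is deliberately conservative, so very short dictionary terms should be avoided.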
Why Weak Passwords Happen
It’s not unexpected that employees would choose weak passwords. As shared in the 2022 Weak Password Report, nearly 48% of employees have to remember more than 11 passwords just in their work lives. With that mental burden, it is understandable that employees would rely on simpler passwords, insecure construction patterns or reusing passwords.
Of course, weak password construction isn’t the only password vulnerability organizations need to worry about. The strongest password in the world becomes weak if it’s known to a hacker.
“It is of course important to protect against the use of guessable passwords,” continued James. “But the easiest to guess password is one that an employee has reused on a previously breached site and an attacker has their hands on. Blocking compromised passwords is an essential part of any cybersecurity plan.”
Specops Breached Password Protection can help defend against password attacks by blocking the use of over 2 billion known compromised passwords in Active Directory.
You can find out how many of your Active Directory users are using compromised passwords like these by running a free read-only scan with Specops Password Auditor. Read more and download it here.
With Specops Password Policy and Breached Password Protection, companies can block over 2 billion compromised passwords in Active Directory. These compromised passwords include ones used in real attacks today and ones found on known breached password lists, making it easy to comply with industry regulations such as NIST or NCSC. Our research team’s attack monitoring data collection systems update the service daily and ensure networks are protected from real-world password attacks happening right now. The Breached Password Protection service blocks these banned passwords in Active Directory with customizable end-user messaging that helps reduce calls to the service desk.
About the 2022 Weak Password Report
In its first annual Weak Password Report, Specops analyzed 800 million breached passwords, a subset of the more than 2 billion breached passwords in Specops Breached Password Protection, in order to identify current password security trends. Researchers also evaluated both the human and tech side of why passwords are the weakest link in an organization’s network, examining trends such as password themes and reuse, and how hackers have adjusted their tactics to keep up with evolving password requirements.
Download the report here.
About Specops Software
Specops Software, an Outpost24 group company, is the leading provider of password management and authentication solutions. Specops protects your business data by blocking weak passwords and securing user authentication. With a complete portfolio of solutions natively integrated with Active Directory, Specops ensures sensitive data is stored on-premises and in your control. Every day thousands of organizations use Specops Software to protect business data.
The Outpost24 group is pioneering cyber risk management with continuous vulnerability management, application security testing, threat intelligence and access management – in a single solution. Over 2,500 customers in more than 40 countries trust Outpost24’s unified solution to identify vulnerabilities, monitor external threats and reduce the attack surface with speed and confidence. Delivered through our cloud platform with powerful automation supported by our cybersecurity experts, Outpost24 enables organizations to improve business outcomes by focusing on the cyber risk that matters. Visit outpost24.com for more information.
Media contact details can be found on this page.
(Last updated on March 15, 2022)