What a year of penetration testing data can reveal about the state of cybersecurity (Security News, August 2020)
SecOps firm Rapid7 has released its annual look at the state of the penetration testing industry. Its findings include a significant spike in the number of vulnerable VPN connections, a widespread lack of multifactor authentication, and a high volume of poorly configured internal networks that make it easier for attackers to move laterally once inside.
Passwords are supposed to be kept secret, the report states, but "Humans and their woefully unoriginal meat brains" make guessing those passwords far easier than can be considered safe.
Password spraying, in which an attacker tries a short list of common, relevant, unoriginal passwords against a few known usernames, was by far the most common way to obtain a working username and password combination.
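As an added illustration (not code from the Rapid7 report or this article), a small detector for the spray pattern described above: it slides a time window over each source address's failed logins and flags sources that touch many distinct accounts with only a try or two each, which is how spraying stays under lockout thresholds. The log events are constructed, and the window and count thresholds are assumed values to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed authentication events (timestamp, source IP, username, result),
# not data from the report. Source 203.0.113.7 behaves like a spray: one
# try each against many accounts. Source 198.51.100.9 behaves like a brute
# force: repeated tries against a single account.
SAMPLE_EVENTS = [
    ("2020-08-03T09:00:01", "203.0.113.7", "alice", "FAIL"),
    ("2020-08-03T09:00:03", "203.0.113.7", "bob", "FAIL"),
    ("2020-08-03T09:00:05", "203.0.113.7", "carol", "FAIL"),
    ("2020-08-03T09:00:07", "203.0.113.7", "dave", "FAIL"),
    ("2020-08-03T09:00:09", "203.0.113.7", "erin", "FAIL"),
    ("2020-08-03T09:00:11", "203.0.113.7", "frank", "SUCCESS"),
    ("2020-08-03T09:00:02", "198.51.100.9", "alice", "FAIL"),
    ("2020-08-03T09:00:04", "198.51.100.9", "alice", "FAIL"),
    ("2020-08-03T09:00:06", "198.51.100.9", "alice", "FAIL"),
    ("2020-08-03T09:00:08", "198.51.100.9", "alice", "FAIL"),
]

def detect_password_spray(events, window=timedelta(minutes=10),
                          min_accounts=5, max_tries_per_account=2):
    """Return {source_ip: info} for sources whose failed logins inside any
    `window` cover at least `min_accounts` distinct usernames with at most
    `max_tries_per_account` failures each. Thresholds are assumed values."""
    failures = defaultdict(list)
    for ts, src, user, result in events:
        if result == "FAIL":
            failures[src].append((datetime.fromisoformat(ts), user))
    successes = {(s, u) for _, s, u, r in events if r == "SUCCESS"}
    findings = {}
    for src, attempts in failures.items():
        attempts.sort()
        start = 0  # sliding window over this source's failures, oldest first
        for end in range(len(attempts)):
            while attempts[end][0] - attempts[start][0] > window:
                start += 1
            per_user = defaultdict(int)
            for _, user in attempts[start:end + 1]:
                per_user[user] += 1
            if (len(per_user) >= min_accounts
                    and max(per_user.values()) <= max_tries_per_account):
                # A success from the same source is the credential the spray found
                hits = sorted(u for s, u in successes if s == src)
                findings[src] = {"accounts": len(per_user),
                                 "successes_from_source": hits}
                break
    return findings
```

The brute-force source is deliberately not flagged, since a single hammered account is a different signature (and is what lockout policies already catch).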
Guessable cracked passwords, Rapid7 found, most commonly fell into three categories: a season and year combination, some part of the company's name, and variations of the word "Password."
Rethink password management: It's far too common, Rapid7 said, for a penetration test to return "Lists and lists of poorly chosen, human-generated passwords." Good credential management should be a full-time function of security teams, it recommends, and users should be made to use machine-controlled passwords and multifactor authentication.