In previous articles we have described a multi-tiered approach to adopting cybersecurity. This is an ongoing process that needs to be constantly reviewed and improved upon. One very important aspect, which should take priority, is safeguarding the use of passwords.
For businesses, one weak password can be the cause of a major cybersecurity incident. For this reason, businesses should take measures to ensure they are doing everything possible to reduce the chance of falling victim to an account compromise attack. Whilst having a strong password is a good start, there are other technologies and processes that businesses can implement to reduce this risk. In this article, we will discuss some common methods of password attack, how to create a secure password and other ways that businesses can stay safe in a world of cybercrime.
Common methods of password attack
A brute force attack is where a cybercriminal attempts to crack a password by submitting many passwords or passphrases in the hope that one of them will be correct. This is not a manual process: attackers use a tool that can submit millions of login attempts every second, each with a different password.
Dictionary attacks are a form of brute force attack whereby the cybercriminal runs through a list of common words in an attempt to find the correct password. More sophisticated dictionary attacks will also use words and phrases relevant to the target, such as their name, pets’ names and birthdays.
Past data breaches
Many individuals will reuse passwords across multiple websites and systems. Therefore, if one of these websites has a data breach and the users’ passwords are leaked, cybercriminals can use the passwords on other websites and systems.
Phishing attacks are a form of social engineering where a cybercriminal imitates a trusted entity and tricks an individual into opening a fraudulent email, SMS, or instant message. This message is designed to deceive the victim into sharing sensitive information or clicking a link that will run malicious code. There are many forms of phishing attacks that range from untailored bulk emails to highly sophisticated spear-phishing attacks. Common password phishing attacks include malicious emails that ask employees to reset or update their passwords.
How to create a secure password
An understanding of the common methods of password attack should guide how employees create a secure password. To resist brute force and dictionary attacks, passwords should be long and complex, including numbers, symbols and uppercase letters, and should not contain dictionary words or names.
For example, the password ‘janedoe’ would take 2.4 seconds for a hacker to crack. If numbers, symbols and uppercase letters are added to make ‘JaneDoe295!’, this would take 31 hours to crack. However, if a password of the same length but with random letters and characters, such as ‘f^Hl86$p-x$’ is used, it would take 9 billion years, making it immune to brute force attacks.
In order to avoid a previous data breach being the cause of an account compromise attack, employees should not reuse passwords across multiple sites or services. However, the average organisation uses 80 SaaS applications, and it is unrealistic to expect an employee to remember 80 long and complex passwords. To solve this issue, and avoid password attacks through phishing, businesses should also implement other technologies to increase security.
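The checks described above (length and character classes against brute force, no dictionary words or personal details against dictionary attacks, and no password already seen in a breach) can be combined into a single policy function. The following is an added example, not code from the original article; the breached-password list, personal details and the guess rate used for the crack-time estimate are constructed assumptions so that it runs offline.

```python
import math
import re

# Constructed sample data (assumptions for this example): passwords "seen in
# past breaches", details an attacker could learn about the user, and common
# dictionary words. A real deployment would use a breached-password feed.
BREACHED = {"janedoe", "password1", "summer2023!", "letmein"}
PERSONAL = {"jane", "doe", "rex", "1995"}
COMMON_WORDS = {"password", "summer", "welcome", "admin", "letmein"}


def char_space(pw):
    """Size of the alphabet a brute-force tool must cover for this password."""
    space = 0
    if re.search(r"[a-z]", pw): space += 26
    if re.search(r"[A-Z]", pw): space += 26
    if re.search(r"[0-9]", pw): space += 10
    if re.search(r"[^A-Za-z0-9]", pw): space += 33  # printable ASCII symbols
    return space


def entropy_bits(pw):
    """log2 of the brute-force keyspace for a password of this length and shape.
    Note: 'JaneDoe295!' and 'f^Hl86$p-x$' score the same here; only the
    dictionary/personal checks below separate a guessable password from a random one."""
    return len(pw) * math.log2(char_space(pw)) if pw else 0.0


def crack_seconds(pw, guesses_per_second=1e10):
    """Worst-case time to exhaust the keyspace at an assumed offline guess rate."""
    return char_space(pw) ** len(pw) / guesses_per_second


def check_password(pw, min_length=12, min_bits=60):
    """Return the reasons a password fails the policy; an empty list means it passes."""
    problems = []
    low = pw.lower()
    if len(pw) < min_length:
        problems.append("too short")
    if char_space(pw) < 95:  # require lower, upper, digits and symbols
        problems.append("missing character classes")
    if low in BREACHED:
        problems.append("seen in a past data breach")
    if any(w in low for w in COMMON_WORDS):
        problems.append("contains a dictionary word")
    if any(p in low for p in PERSONAL):
        problems.append("contains personal information")
    if entropy_bits(pw) < min_bits:
        problems.append("brute-force keyspace too small")
    return problems
```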
Other ways businesses can stay safe
To avoid phishing attacks, businesses should implement a comprehensive email security solution. Many modern email security solutions use AI to block password phishing attacks before they even land in an employee’s inbox. Some solutions also include web filtering that will block any malicious URLs, further decreasing the chance of falling victim to an attack.
It should also be noted that passwords should not be the only line of defence against account compromise attacks. Businesses should also implement multifactor authentication (MFA). MFA is an authentication process where a user must provide two or more forms of identification to log in to their account. Typically, the forms of identification are two of the following: something the user knows (such as a password), something they are (such as biometrics) or something they have (such as a hardware key or trusted phone). Deploying multifactor authentication is simple and it prevents 99.9% of all account compromise attacks.
As it is not possible to remember 80+ long, complex passwords, one solution is to make use of a password manager. A password manager can store passwords for an employee, which they can access with a single password. When using a password manager, it is essential that the master password is strong, and multifactor authentication is enabled to improve security.
All businesses should be taking password security seriously as the consequences of poor password hygiene can be severe. To find out more about password security, or which solution is right for your business, contact us today.