For businesses, one weak password can be the cause of a major cybersecurity incident. Here at The Unite Group, we help businesses take measures to ensure they are doing everything possible to reduce the chance of falling victim to an account compromise attack. Whilst having a strong password is a good start. There are other technologies and processes that businesses can implement to reduce this risk. In this article, we will discuss some common methods of password attack. Including how to create a secure password and other ways that businesses can stay safe in a world of cybercrime.
Common methods of password attack
Brute Force
A brute force attack is where a cybercriminal attempts to crack a password by submitting many passwords or passphrases with the hope that one of them will be correct. This is not a manual process. Instead hackers will use a tool that can submit millions of login attempts every second, each with a different credentials.
Dictionary Attacks
Dictionary attacks are a form of brute force attack whereby the cybercriminal runs through a list of common words in an attempt to find the correct password. More sophisticated dictionary attacks will also use words and phrases relevant to the target. This can include their name, pets’ names and birthdays.
Past Data Breaches
Many individuals will reuse passwords across multiple websites and systems. Therefore, if one of these websites has a data breach then all the users’ passwords are leaked. Cybercriminals can use these on other websites and systems.
Phishing
Phishing attacks are a form of social engineering where a cybercriminal imitates a trusted entity and tricks an individual into opening a fraudulent email, SMS, or instant message. This message is designed to deceive the victim. Often encouraging sharing sensitive information or clicking a link that will run malicious code. There are many forms of phishing attacks that range from untailored bulk emails to highly sophisticated spear-phishing attacks. Common credential phishing attacks include malicious emails that ask employees to reset or update their passwords.
How to create a secure password
An understanding of the common methods of credential attacks should guide how employees should create a secure password. In order to avoid brute force and dictionary attacks, passwords should be long and complex. This can include using numbers, symbols and uppercase letters, without using dictionary words or names.
For example, the password ‘janedoe’ would take 2.4 seconds for a hacker to crack. If numbers, symbols and uppercase letters are added to make ‘JaneDoe295!’, this would take 31 hours to crack. However, if a credential of the same length but with random letters and characters, such as ‘f^Hl86$p-x$’ is used, it would take 9 billion years, making it immune to brute force attacks.
In order to avoid a previous data breach being the cause of an account compromise attack, employees should not reuse passwords across multiple sites or services. However, the average organisation uses 80 SaaS applications, and it is unrealistic to expect an employee to remember 80 long and complex passwords. To solve this issue, and avoid credential attacks through phishing, we recommend businesses should also implement other technologies to increase security.
Other ways businesses can stay safe
To avoid phishing attacks, businesses should implement a comprehensive email security solution. Many modern email security solutions use AI to block such phishing attacks before they even land in an employee’s inbox. Some solutions also include web filtering. This will block any malicious URLs, further decreasing the chance of falling victim to an attack.
It should also be noted that passwords should not be the only line of defence against account compromise attacks. Here at The Unte Group we also recommended implementing multifactor authentication (MFA). MFA is an authentication process where a user must provide two or more forms of identification to log in to their account. Typically, the forms of identification are two of the following: something the user knows (such as a password), something they are (such as biometrics) or something they have (such as a hardware key or trusted phone). Deploying multifactor authentication is simple and it prevents 99.9% of all account compromise attacks.
As it is not possible to remember 80+ long, complex credentials, one solution is to make use of a password manager. A password manager can store passwords for an employee, which they can access with a single password. When using, it is essential that the master password is strong. Enabling multifactor authentication can improve security.
All businesses should be taking password security seriously as the consequences of poor password hygiene can be severe. To find out more about password security, or which solution is right for your business, contact us today.