NEWS FROM THE EDGE

Tech Tips and Advice from the Experts at Dynamic Edge

These Password Best Practices Can Protect You from the Five Most Common Password Attacks

It’s the Passwords, Stupid

During Bill Clinton’s 1992 presidential campaign, attempting to keep messages laser-focused on the recession, strategist James Carville famously quipped, “It’s the economy, stupid.” The focus worked and Clinton unseated George H.W. Bush to become the 42nd President of the United States. While much current cybersecurity talk discusses paradigm shifts such as Zero Trust and other important topics, organizations ignore the simplest protections at their peril. Password vulnerabilities still represent the most common attack vector for hackers. This article describes the scary situation regarding password vulnerabilities, defines the five most common password attack methods, and identifies best practices for protecting both individuals and businesses from these threats.

It’s Scary Out There

Despite the seemingly endless discussion related to weak passwords, most people – both professionally and personally – exhibit dangerous and risky behavior when choosing passwords.  NordPass, a password manager software company, recently released its annual list of the Top 200 Most Common Passwords, along with the time hackers require to hack them: (1)

  1. password (<1 second)
  2. 123456 (<1 second)
  3. 123456789 (<1 second)
  4. guest (10 seconds)
  5. qwerty (<1 second)
  6. 12345678 (<1 second)
  7. 111111 (<1 second)
  8. 12345 (<1 second)
  9. col123456 (11 seconds)
  10. 123123 (<1 second)

Obviously, people select passwords based on pure convenience and a person’s position has no bearing on this behavior.  In fact, according to NordPass, CEOs and other C-level executives utilize passwords just as ineffectively as anyone. (2) Unfortunately, an executive’s often higher level of network access makes their behavior even more dangerous.

Beyond the most common weak passwords, hackers recognize the simple social engineering required to break a password.  For example, 70% of employees reuse passwords at work. (3) Once hackers identify a password successfully, they can use the combination of username and password across multiple platforms to gain additional access. In addition, current events dramatically affect the choice of passwords. For example, in 2022, “batman” was used 2,562,776 times, “euphoria” was used 53,993 times, “Encanto” was used 10,808 times. (4) A simple review of box office receipts provides the keys to the kingdom for the bad guys.

Finally, according to Bitwarden, another password manager software company, 31% of survey respondents in the U.S. experienced a data breach within the last 18 months. (4) However, while 90% of global respondents say they are “somewhat” or “very” familiar with password best practices, very few apply those practices.  Business owners must seize this opportunity to facilitate smarter behavior and improve security. To do so, they must understand the most frequent kinds of attacks.

The 5 Most Common Password Attacks

Phishing

Though well acknowledged as the most widespread cyberattack strategy, phishing remains incredibly effective.  A phishing attempt tricks a user into sharing confidential information, including passwords, via email by masquerading as a legitimate request from a known person or organization.  More than 3 billion phishing emails are sent each day. That means that 1% of all Internet traffic aims to trick you or an employee into clicking on the wrong link and inadvertently provide a cyber terrorist with a door to your internal network. (5)

Brute Force Attack

A brute force attack describes when hackers make high-volume attempts to enter a network using large lists of common or compromised passwords.  Metaphorically, rather than opening a locked door by trying one key at a time, hackers employ a battering ram to “guess” billions of passwords each second.

Dictionary Attack

A dictionary attack is a form of brute-force attack that uses large databases of common passwords as its source, just as a writer uses a dictionary.  The attack attempts every word in the dictionary, including derivatives that substitute symbols for common spellings, such as P@$$word.

Credential Stuffing

Hackers closely monitor the news for stories of breached accounts and passwords or purchase such lists on the Dark Web.  Credential stuffing describes when hackers utilize this information to login as other people and gain control of their personal data.  On many of the world’s largest websites, credential stuffers represent more than 90% of all login traffic. (6)

Keyloggers

Keyloggers describe malicious software, typically installed inadvertently by a user, which tracks every keystroke and reports it back to a hacker.  After just a few minutes, the hacker may have credentials to sensitive data and resources.

Simple, Effective Password Best Practices

Considering the risks associated with poor password management, numerous companies are now developing “passwordless” technology to allow users to remove passwords and confirm their identity via authentication apps.  However, until passwordless technologies take hold, numerous simple and effective options remain for organizations to implement.

The National Institute of Standards and Technology (NIST) resides within the Department of Commerce.  NIST’s cybersecurity standards are widely recognized as best practices to reduce risk and protect sensitive data.  NIST Special Publication 800-53 (rev. 5) specifically addresses passwords and informs the recommendations below: (7)

Require Longer Passwords

For years, security professionals have recommended “strong” passwords that require a variety of uppercase/lowercase letters, numbers, and symbols.  However, since these requirements make the passwords harder to remember and type, users repeat passwords to ease the burden, thereby reducing their usefulness. According to NIST, password length offers greater protection.  Create a policy that requires users to choose longer passwords or even phrases, including spaces.

Enable Multi-Factor Authentication (MFA)

Multi-factor authentication (MFA) allows user access to an application or website only after the user presents more than two pieces of evidence (password, one-time code, etc.).  According to Google, MFA prevents over 95% of bulk phishing attempts and over 75% of targeted attacks.  According to Microsoft, MFA can prevent 99.9% of all automated cyberattacks.

Lockout Accounts After Multiple Attempts

To protect against the threat of a brute force attack, configure a network-level password policy that locks out an account after several failed attempts (i.e., 5).  At the same time, create a notification for when such an event occurs and examine the origin of the multiple failed attempts.  It could be a sign of danger already inside the network.

Provide End User Security Training

With phishing the most popular and successful hacker attack strategy, provide training to educate users on how to avoid the scams.  Numerous companies offer software that simulates a phishing attack and then tracks the “success” of the attack, including who opened an email, who clicked on a link within the email, and who submitted info when requested.  Summary reports highlight which users require additional or more frequent training.

Offer a Password Manager

To encourage the use of longer and unique passwords across platforms – without the need to remember them – offer a password manager to your team.  A password manager generates and stores encrypted passwords online.  Through a simple app, users no longer must remember all their passwords, but simply validate their identity from one place.

Extra Credit: Check haveibeenpwned.com

Encourage your team to search their email address at haveibeenpwned.com.  Troy Hunt, a Microsoft executive, created the site to “aggregate data breaches” and help people identify if they’ve been “impacted by malicious activity on the web.”  Simply visit the site, run the free search, and assess the quick results.

Dynamic Edge Can Help

Since 1999, Dynamic Edge has helped hundreds of small and mid-sized businesses maximize the return on their technology investment. Contact us today for a free network assessment, so that we may help you implement cost-effective security solutions, including password management, to keep your organization and its clients safe and productive.

5 1 vote
Article Rating
Subscribe
Notify of
guest
0 Comments
Oldest
Newest Most Voted
Inline Feedbacks
View all comments