Passwords are everywhere! We need them to access workstations, mobile devices, social media and e-commerce. The trouble with passwords is that they are weak when it comes to securing all of those things.
You may have heard of brute force or password spraying as forms of attacks a hacker might use to gain access to networks. Brute forcing is an attack where hackers target the higher-level usernames and attempt to gain access by firing off millions of passwords at a single account. Eventually, one of the “guesses” gets them in. Password spraying is slightly different: the hacker tries a few commonly used passwords (like password123) against a large number of accounts. They “spray” thousands, potentially millions, of usernames with a familiar, easy-to-guess password on the assumption that at least one person in a large group is likely to be using it.
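The two patterns described above look different in an authentication log, and that difference is what a defender keys on: brute forcing piles many failures onto one account from one source, while spraying spreads a small number of failures across many accounts from one source. The following Python is an added example, not code from the original article; the log line format, the sample lines and the thresholds are all constructed for illustration and would be tuned to a real environment.

```python
"""Distinguish brute-force from password-spraying patterns in auth failures.

Added example. The log format "<ts> src=<ip> user=<name> result=<ok|fail>"
and the thresholds below are assumptions, not from the article.
"""
import re
from collections import defaultdict

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>ok|fail)$"
)


def build_sample_log():
    """Constructed sample log (not real data) showing three behaviours."""
    lines = []
    # Brute force: one source fires many guesses at a single account.
    for i in range(12):
        lines.append(f"2024-01-01T10:00:{i:02d} src=203.0.113.5 user=admin result=fail")
    # Spraying: one source, one failed guess each against many accounts.
    for i in range(15):
        lines.append(f"2024-01-01T10:05:{i:02d} src=198.51.100.7 user=user{i:02d} result=fail")
    # Benign: a legitimate user mistypes twice, then logs in.
    lines += [
        "2024-01-01T10:10:00 src=192.0.2.10 user=alice result=fail",
        "2024-01-01T10:10:05 src=192.0.2.10 user=alice result=fail",
        "2024-01-01T10:10:09 src=192.0.2.10 user=alice result=ok",
    ]
    return "\n".join(lines)


def parse(log_text):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.groupdict()


def analyze(log_text, brute_threshold=10, spray_threshold=10):
    """Flag (src, user) pairs with many failures and sources touching many users.

    brute_force:       a single source failing >= brute_threshold times on one account.
    password_spraying: a single source with failures against >= spray_threshold
                       distinct accounts, regardless of how few per account.
    """
    per_pair = defaultdict(int)       # (src, user) -> failure count
    users_per_src = defaultdict(set)  # src -> accounts with at least one failure
    for ev in parse(log_text):
        if ev["result"] != "fail":
            continue
        per_pair[(ev["src"], ev["user"])] += 1
        users_per_src[ev["src"]].add(ev["user"])

    brute = sorted(
        (src, user, n) for (src, user), n in per_pair.items() if n >= brute_threshold
    )
    spray = sorted(
        (src, len(users)) for src, users in users_per_src.items()
        if len(users) >= spray_threshold
    )
    return {"brute_force": brute, "password_spraying": spray}


if __name__ == "__main__":
    print(analyze(build_sample_log()))
```

Note that the per-account counter alone would never catch the spraying source, because it leaves only one failure per account; the per-source distinct-user count is the signal that matters there, and it is also why rate limits applied only per account are not enough on their own.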
Another problem with passwords is that they tend to be reused everywhere by users. In some ways, who can blame them. Users are often asked to create a new password for every account they have, using a mix of upper- and lower-case characters, numbers and special characters. Business Wire quotes a study that shows 1 in 4 employees put their business at risk by using their work email or password to log into consumer sites. Many of these consumer sites are routinely hacked, with the credentials sold on the dark web to the highest bidder.
So, what do you do? World-renowned hacker Kevin Mitnick suggested that one of the best ways to deal with this is to use a password manager and make the master password a 25-character password. In addition, businesses should take the following steps to make sure they are following these best practices to secure access to their organizations.
- Use multifactor authentication (MFA). With MFA, the password is just the first phase of a two-step process. To log in with MFA, you will also need a code sent via text message or email, a physical token, or a biometric scan of your fingerprint or face. This works in most cases, as it makes breaking in more difficult for hackers if they don’t have your thumbprint or token.
- Limit the number of login attempts. Brute forcing works by constantly trying different password combinations over and over. By only allowing a few tries to enter a correct password, most attackers will give up and look for weaker targets.
- Lock accounts after unsuccessful logins. Similar to the tactic described above, this works by locking the account after a certain number of attempts. You can also limit the rate of repeated logins, denying another attempt until a short amount of time has passed.
- Comply with NIST standards. The NIST guidelines for proactive password policies encourage screening for commonly used and compromised passwords to prevent people from selecting these easy-to-guess passwords. Ensure your organization keeps an up-to-date blacklist of passwords to help weed out any commonplace passwords that hackers are likely to try in a volume attack. Additionally, a previously “strong” password could be compromised if bad actors have discovered it in a different data breach.
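The three controls in the list above (limiting login attempts, locking accounts and rate-limiting retries, and screening new passwords against a blocked list) can be shown in one place. The Python below is an added example, not code from the original article or from NIST: the failure counts, windows and lockout duration are assumed policy values, the blocked-password set is a constructed stand-in for a real breached-password feed, and the NIST-style checks (minimum length, blocked list, username inside the password) are a small subset of what SP 800-63B recommends.

```python
"""Login attempt limiting, temporary lockout, and blocked-password screening.

Added example; policy values and the denylist are assumptions for illustration.
"""
import time
from collections import defaultdict


class LoginGuard:
    """Per-account attempt limiting with temporary lockout.

    Assumed policy: `max_failures` failures within `window` seconds lock the
    account for `lockout` seconds; a successful login clears the counter.
    `clock` is injectable so the behaviour can be tested deterministically.
    """

    def __init__(self, max_failures=5, window=600, lockout=900, clock=time.time):
        self.max_failures = max_failures
        self.window = window
        self.lockout = lockout
        self.clock = clock
        self.failures = defaultdict(list)  # account -> recent failure timestamps
        self.locked_until = {}             # account -> unix time lock expires

    def is_locked(self, account):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if self.clock() >= until:          # lock expired: clear state
            del self.locked_until[account]
            self.failures[account].clear()
            return False
        return True

    def record_failure(self, account):
        """Keep only failures inside the window; lock when the limit is reached."""
        now = self.clock()
        recent = [t for t in self.failures[account] if now - t < self.window]
        recent.append(now)
        self.failures[account] = recent
        if len(recent) >= self.max_failures:
            self.locked_until[account] = now + self.lockout
            return True
        return False

    def record_success(self, account):
        self.failures[account].clear()
        self.locked_until.pop(account, None)

    def attempt(self, account, password, verify):
        """Gate a login: refuse while locked, otherwise verify and record the result.

        `verify(account, password)` is the caller's credential check (assumed).
        Returns "ok", "denied" or "locked".
        """
        if self.is_locked(account):
            return "locked"
        if verify(account, password):
            self.record_success(account)
            return "ok"
        self.record_failure(account)
        return "locked" if self.is_locked(account) else "denied"


# Constructed denylist standing in for a breached/common-password feed.
COMMON_PASSWORDS = {"password", "password123", "123456", "qwerty", "letmein", "welcome1"}


def screen_password(password, username, denylist=COMMON_PASSWORDS, min_length=8):
    """Return the reasons a candidate password is rejected (empty list = accepted).

    Checks: minimum length, membership in the blocked list, and the username
    appearing inside the password. Case-insensitive matching is an assumption.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append("shorter than %d characters" % min_length)
    if password.lower() in denylist:
        reasons.append("on the blocked-password list")
    if username and username.lower() in password.lower():
        reasons.append("contains the username")
    return reasons


if __name__ == "__main__":
    guard = LoginGuard(max_failures=3)
    check = lambda acct, pw: pw == "correct horse battery staple"
    for pw in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(guard.attempt("alice", pw, check))
    print(screen_password("password123", "bob"))
```

The lockout state here lives in memory for clarity; a real deployment keeps it in a shared store so every login server sees the same counters, and pairs it with the per-source monitoring that catches spraying, which a per-account limit like this one does not see.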