Did you know that 74% of people use the same password across all of their accounts and logins? Many of those people think that their password cannot be hacked…
The truth is they are more likely to be hacked!
In this blog we will explain how hackers hack passwords, why it is important to have separate, strong passwords across all of your accounts, and some tips on how to do so!
Passwords can only do so much. They have a limited ability to protect your data and systems: even when applied correctly, a password only prevents unauthorised access for as long as it stays secret. If an attacker discovers or guesses the password, they can impersonate the user.
Firstly, what is the most important password for almost everyone in the world? Simple. Your email account, which has all your other accounts (online banking, online shopping sites, social media platforms etc.) tied to it. If a hacker has this main password, they can very quickly reset the passwords for ALL linked accounts without you even knowing, and cause major damage.
How do hackers hack passwords?
Hacking is not about typing in a few random magic words with one hand on one keyboard and the other hand on another keyboard. Hacking is difficult and usually takes careful planning and a fair amount of time. Stopping malicious hackers can be even more challenging.
Attackers use a variety of techniques to unveil passwords, exploiting a range of social and technical vulnerabilities. These include:-
- Tricking someone into revealing their password via social engineering (including phishing and arm-twisting)
- Using passwords that have been leaked from data breaches to attack other systems where users have used the same password
- Password spraying (using a small number of commonly-used passwords in an attempt to access a large number of accounts)
- Brute-force attacks (the automated guessing of large numbers of passwords until the correct one is found)
- Theft of a password hash file, where the hash can be broken to recover the original passwords
- ‘Shoulder surfing’ (observing someone typing their password)
- Finding passwords which have been stored insecurely, such as sticky notes kept close to a device, or documents stored on devices
- Manual password guessing (perhaps using personal information such as name, date of birth, or pet names)
- Intercepting a password as it is transmitted over a network
- Installing a keylogger to intercept passwords when they are entered into a device
So how can we reduce the likelihood of this happening to our businesses or ourselves personally?
One of the most effective ways of adding additional protection to a password protected account is to use MFA (Multi-factor authentication). Accounts that have been set up to use MFA require a second factor, which is something you (and only you) can access. This could be a code that is sent to you by text message, or that is created by an app, so even if an attacker discovers a password, they won’t be able to access the associated account without also compromising another factor.
Introducing Cisco’s DUO – making 2FA (two-factor authentication) simple, easy and effective!
DUO supported applications? Everything. Seriously!
Fits seamlessly into your network, taking a minimum amount of time for admins to set up and for endpoints to use.
DUO is a non-invasive app, which means no one else will have access to your phone!
What’s even better – we offer FREE trials of DUO! Click here to set your trial up!
Some other tips are the following:-
- Use account lockout or throttling to defend against brute force attacks
- If using lockout, allow users between 5 and 10 login attempts before locking out accounts
- Consider using security monitoring to defend against brute force attacks
- Password blacklisting prevents common, guessable passwords being used
- Ensure that all corporate web apps requiring authentication use HTTPS
- Protect any access management systems you manage
- Protect access to user databases
- Prioritise privileged and vulnerable accounts such as administrators, cloud accounts and remote users
- Change all default passwords
Forcing users to change their passwords regularly does little to help, because:
- Users are likely to choose new passwords that are only minor variations of the old
- Stolen passwords are generally exploited immediately
- Resetting the password gives you no information about whether a compromise has occurred
- An attacker with access to the account will probably also receive the request to reset the password
- If compromised via insecure storage, the attacker will be able to find the new password in the same place
Instead of forcing expiry, you should counter the illicit use of compromised passwords by:
- Ensuring an effective movers/leavers process is in place
- Automatically locking out inactive accounts
- Monitoring logins for suspicious behaviour (such as unusual login times, logins using new devices)
- Encouraging users to report when something is suspicious
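As an added example (not code from the original post, nor from DUO), here is a small Python monitor that applies two of the tips above: the lockout tip (lock an account after a configurable number of failures, set within the recommended 5 to 10 range) and the login-monitoring tip, flagging password spraying, which per-account lockout alone misses because each account only sees one or two failures. The log format, usernames and IP addresses are constructed for illustration.

```python
# Added example: per-account lockout plus password-spraying detection over
# constructed authentication log lines (format is hypothetical: time user src result).
from collections import defaultdict

LOCKOUT_THRESHOLD = 5   # failures before lockout; the post recommends 5 to 10
SPRAY_ACCOUNTS = 5      # distinct accounts failed from one source => spraying

# Constructed sample log: one brute-force run against alice, then one source
# trying a single guess against five different accounts (spraying).
SAMPLE_LOG = """\
2024-01-01T09:00:01 alice 10.0.0.5 FAIL
2024-01-01T09:00:02 alice 10.0.0.5 FAIL
2024-01-01T09:00:03 alice 10.0.0.5 FAIL
2024-01-01T09:00:04 alice 10.0.0.5 FAIL
2024-01-01T09:00:05 alice 10.0.0.5 FAIL
2024-01-01T09:00:06 alice 10.0.0.5 OK
2024-01-01T09:01:00 bob 203.0.113.9 FAIL
2024-01-01T09:01:01 carol 203.0.113.9 FAIL
2024-01-01T09:01:02 dave 203.0.113.9 FAIL
2024-01-01T09:01:03 erin 203.0.113.9 FAIL
2024-01-01T09:01:04 frank 203.0.113.9 FAIL
2024-01-01T09:02:00 bob 198.51.100.2 OK
"""

def analyse(log_text):
    failures = defaultdict(int)       # user -> consecutive failed attempts
    locked = set()                    # accounts that hit the lockout threshold
    blocked_attempts = []             # attempts rejected because the account was locked
    spray_targets = defaultdict(set)  # source -> set of users it failed against
    for line in log_text.splitlines():
        _ts, user, src, result = line.split()
        if user in locked:
            # Once locked, even a correct password is refused until an admin unlocks.
            blocked_attempts.append((user, src))
            continue
        if result == "FAIL":
            failures[user] += 1
            spray_targets[src].add(user)
            if failures[user] >= LOCKOUT_THRESHOLD:
                locked.add(user)
        else:
            failures[user] = 0        # a successful login resets the counter
    # A source that fails against many different accounts is spraying, even though
    # no single account has reached the lockout threshold.
    sprayers = {s for s, users in spray_targets.items() if len(users) >= SPRAY_ACCOUNTS}
    return locked, blocked_attempts, sprayers

if __name__ == "__main__":
    locked, blocked, sprayers = analyse(SAMPLE_LOG)
    print("locked:", locked, "blocked:", blocked, "spraying sources:", sprayers)
```

Note that alice's sixth attempt succeeds on the password but is still refused by the lockout, and that the spraying source never trips the lockout at all, which is why monitoring across accounts is needed alongside it.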
You can also mitigate the risk of compromised accounts by using MFA, which will make a compromised password less useful to an attacker. Some MFA methods (such as SMS or email notifications) can even warn the user that they have been compromised, as they will receive a code when they did not request it. If you are using this form of MFA, you should encourage users to report this behaviour through your training.