“Use longer, stronger passwords.”

This is a directive we’ve been accustomed to hearing for decades. Many of us are using strong passwords with a combination of uppercase letters, lowercase letters, numbers and special characters. The speed at which threat actors can brute force our long passwords has ramped up. 

In a brute force password attack, attackers use a software program to run through every possible combination of letters, numbers and symbols that make up the password.

So, we must rethink password safety for today. 

How Secure is Your Password?

Not long ago, an eight-character password with a mixture of numbers, uppercase and lowercase letters and special characters was considered secure. Today, it’s crackable in eight hours. Add just two characters to that password, and the time it takes to crack increases to five years. 

The following chart shows how long software can take to crack specific character combinations. For the enterprise, it’s sobering. 

Compounding the issue, employees have many passwords. Not all of them are going to be strong. According to a 2019 LastPass survey, employees at a typical U.S. mid-sized company deal with approximately 75 passwords for work. The same study reports employees reuse a password 13 times.

Brute force hacking is nothing new, but as the threat landscape intensifies and the attack surface widens for the enterprise, it’s a good time to revisit some of the facts and prevention strategies to improve password safety. 

How Brute Force Works

With a brute force attack, also called an exhaustive search, the attacker guesses possible combinations of the targeted password until one works. Because longer and more complicated passwords allow far more combinations, it takes extra time to crack them.

Depending on how well the victim defends against brute force, breaking in can range from simple to almost impossible. Weak passwords, lack of a password policy and poor security awareness only feed into an invader’s dream.

Software tools to crack passwords have been around for decades. Old standbys like John The Ripper or L0phtcrack are readily available, and even a tool like Dave Grohl (the software, not the exceptionally talented musician) can do the trick.

Types of Brute Force Attacks

There are several types of brute force attacks, the most well-known being the dictionary attack. A dictionary attack uses a list of common words, either from familiar language or typical user passwords, and tries those words as potential passwords. 

Another type of attack is the reverse brute force attack, in which threat actors will try using a common group of passwords or individual passwords against a list of possible usernames.

Credential stuffing uses a username and password combination that is already known (usually stolen or previously obtained) by the attacker. The threat of credential stuffing is skyrocketing and should not be taken lightly; enterprises of all types are susceptible here. Using programs that scour the dark web for email addresses, usernames and passwords, credential stuffing is an easy method for threat actors to obtain access to your systems. This attack can only be effective when people use the same user ID and password for different logins.

When defending against brute force attacks, you may be wondering what role, if any, encryption plays. It’s important to note that passwords are not exactly encrypted but are hashed, which means that the cryptographic process only goes in one direction. A hash is not reversible and is often combined with additional random input (a salt), so the same password stored in two places produces two different hashes.

Password Safety Tips  

Passwords aren’t going away anytime soon (although some experts believe they are outdated), so strong passwords are perhaps the most critical strategy in preventing brute force attacks. 

Remember, eight characters doesn’t cut it anymore. You’ll need to choose a longer phrase — not a word — that’s difficult to guess (or hack). Your password could even be more of a pass sentence that still contains a mix of letters, numbers and special characters. Taking a few unrelated words and stringing them together with a few characters thrown in might be helpful. 

World-renowned hacker Kevin Mitnick suggested that one of the best ways to deal with this is to use a password manager and make the master password a 25-character password. With one 25-character password to log in and another for the password manager master password, the user need only remember two passwords (or pass-sentences).

For IT security teams, the most detailed and comprehensive summary of the best authentication strategies can be found in NIST’s Special Publication 800-63B.

Best Practices for Password Safety 

Aside from mandating strong passwords, here are several effective tactics your enterprise should consider to reduce the risk of brute force attacks. 

Use multifactor authentication (MFA). With MFA, the password is just the first phase of a two-step process. To log in, users will need either a code sent via text message or email, a physical token or a biometric scan of their fingerprint or face. In almost all cases, threat actors would need physical access to bypass MFA.

Limit the number of login attempts. By only allowing a few tries to enter a correct password, most attackers will give up and look for weaker targets. 

Lock accounts after unsuccessful logins. This tactic works in the same way as the one above. You can also limit the rate of repeated logins, denying another attempt until a short amount of time has passed. 

Deploy blacklists to block known bad actors. For this to be effective, make sure the list is constantly up to date.
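The attempt limit, lockout and rate limit described above, combined in one small per-account guard, as an added example that is not from the article: attempts during a lockout are rejected before any password check, rapid repeats are refused, and the account locks after a configurable number of failures. The policy values and the fake clock are assumptions made for the demonstration.

```python
import time
from dataclasses import dataclass
from typing import Callable, Dict, Optional

@dataclass
class _AccountState:
    failures: int = 0
    last_attempt: Optional[float] = None
    locked_until: float = 0.0

class LoginGuard:
    """Per-account attempt limiting, lockout and rate limiting.

    The defaults (5 failures, 15-minute lockout, 2 s between attempts) are
    assumed policy values for this example, not figures from the article.
    """

    def __init__(self, max_failures: int = 5, lockout_seconds: float = 900.0,
                 min_interval: float = 2.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.min_interval = min_interval
        self.clock = clock
        self._state: Dict[str, _AccountState] = {}

    def attempt(self, username: str, password_correct: bool) -> str:
        """Return 'locked', 'too_fast', 'failure' or 'success' for one login attempt."""
        st = self._state.setdefault(username, _AccountState())
        now = self.clock()
        if now < st.locked_until:
            return "locked"        # lockout in force: reject even a correct password
        if st.last_attempt is not None and now - st.last_attempt < self.min_interval:
            return "too_fast"      # rate limit: rapid repeats are not evaluated at all
        st.last_attempt = now
        if password_correct:
            st.failures = 0        # a successful login clears the failure counter
            return "success"
        st.failures += 1
        if st.failures >= self.max_failures:
            st.failures = 0
            st.locked_until = now + self.lockout_seconds
            return "locked"        # this failure triggered the lockout
        return "failure"

class FakeClock:
    """Controllable clock so the policy can be exercised without sleeping."""
    def __init__(self, start: float = 1000.0) -> None:
        self.now = start
    def __call__(self) -> float:
        return self.now
    def advance(self, seconds: float) -> None:
        self.now += seconds
```

The `password_correct` flag stands in for the hash check; in a real login flow the guard’s lockout and rate-limit decisions run before the hash is computed, so rejected attempts cost the server nothing.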

In the end, the best strategy may have nothing to do with software or strong passwords. Like anything in cybersecurity, a company’s culture will set the tone. It may materialize in the form of security awareness training, but no matter how it’s ingrained, password safety and management should be a critical function of an organization’s overall security program. Users must be educated and made aware of the risks. 

Especially while many people are working at home, which is probably the case for the foreseeable future, a robust cybersecurity culture in your enterprise is essential. 
