“Use longer, stronger passwords.”
This is a directive we’ve been accustomed to hearing for decades. Many of us are using strong passwords with a combination of uppercase letters, lowercase letters, numbers and special characters. The speed at which threat actors can brute force our long passwords has ramped up.
In a brute force password attack, attackers use a software program to run through every possible combination of letters, numbers and symbols that make up the password.
So, we must rethink password safety for today.
How Secure is Your Password?
Not long ago, an eight-character password with a mixture of numbers, uppercase and lowercase letters and special characters was considered secure. Today, it’s crackable in eight hours. Add just two characters to that password, and the time it takes to crack increases to five years.
The following chart shows how long software can take to crack specific character combinations. For the enterprise, it’s sobering.
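The following calculation, added here as an illustration and not part of the original article, shows why adding characters changes crack times so dramatically: the search space grows as (character-set size) ^ (length). The guess rate used is an assumed figure, not the chart's data.

```python
# Added example (not from the original article): how the size of the search
# space grows with password length and character-set size. The guess rate
# below is an assumed figure for illustration, not the article's chart data.
import math

# Character classes the article mentions (printable ASCII: 33 symbols).
LOWER, UPPER, DIGITS, SPECIAL = 26, 26, 10, 33
FULL = LOWER + UPPER + DIGITS + SPECIAL   # 95 printable characters

def keyspace(length: int, charset_size: int) -> int:
    """Candidates an exhaustive search must cover in the worst case."""
    return charset_size ** length

def entropy_bits(length: int, charset_size: int) -> float:
    """Strength of a uniformly random password in bits."""
    return length * math.log2(charset_size)

def seconds_to_exhaust(length: int, charset_size: int, guesses_per_sec: float) -> float:
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(length, charset_size) / guesses_per_sec

def growth_factor(extra_chars: int, charset_size: int) -> int:
    """Multiplier on search time when extra_chars are appended."""
    return charset_size ** extra_chars

def human(seconds: float) -> str:
    """Render a duration in the largest sensible unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400), ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:,.1f} seconds"

if __name__ == "__main__":
    RATE = 1e11   # assumed guesses per second for a well-equipped attacker
    for length in (8, 10, 12, 16):
        print(f"{length:2d} chars, {FULL}-symbol set: {entropy_bits(length, FULL):5.1f} bits, "
              f"worst case {human(seconds_to_exhaust(length, FULL, RATE))}")
    print("adding 2 characters multiplies the work by", growth_factor(2, FULL))
```

The growth factor is what matters: two extra characters from a 95-symbol set multiply the work by 9,025, regardless of the attacker's hardware.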
Compounding the issue, employees have many passwords. Not all of them are going to be strong. According to a 2019 LastPass survey, employees at a typical U.S. mid-sized company deal with approximately 75 passwords for work. The same study reports employees re-use a password 13 times.
Brute force hacking is nothing new, but as the threat landscape intensifies and the attack surface widens for the enterprise, it’s a good time to revisit some of the facts and prevention strategies to improve password safety.
How Brute Force Works
With a brute force attack, also called an exhaustive search, attack software systematically guesses every possible combination for the targeted password. Because longer and more complicated passwords require additional combinations, it takes extra time to crack them.
Depending on how well the target defends against brute force, breaking in can range from simple to almost impossible. Weak passwords, lack of a password policy and poor security awareness only feed into an invader's dream.
Software tools to crack passwords have been around for decades. Old standbys like John the Ripper or L0phtCrack are readily available, and even a tool like Dave Grohl (the software, not the exceptionally talented musician) can do the trick.
Types of Brute Force Attacks
There are several types of brute force attacks, the most well-known being the dictionary attack. A dictionary attack uses a list of common words, either from familiar language or typical user passwords, and tries those words as potential passwords.
Another type of attack is the reverse brute force attack, in which threat actors will try using a common group of passwords or individual passwords against a list of possible usernames.
Credential stuffing uses a username and password combination that is already known (usually stolen or previously obtained) by the attacker. The threat of credential stuffing is skyrocketing and should not be taken lightly; enterprises of all types are susceptible here. Using programs that scour the dark web for email addresses, usernames and passwords, credential stuffing is an easy method for threat actors to obtain access to your systems. This attack can only be effective when people use the same user ID and password for different logins.
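The three patterns above leave different footprints in authentication logs, which is how a defender tells them apart. The following detection logic is an added example, not code from the article; the log format, sample events (constructed, using documentation IP ranges) and thresholds are all assumptions for the illustration.

```python
# Added example (not from the original article): classifying failed-login
# patterns from a constructed auth log. Format: "<epoch> <user> <src_ip> <result>".
from collections import defaultdict

USERS = ["bob", "carol", "dave", "erin", "frank", "grace"]

# Constructed sample log (documentation IP ranges, not real traffic).
SAMPLE_LOG = (
    [f"{1000 + i} alice 203.0.113.5 FAIL" for i in range(6)]                    # one account, one source
    + [f"{1010 + i} {u} 198.51.100.7 FAIL" for i, u in enumerate(USERS)]        # one source, many accounts
    + [f"{1020 + i} {u}@example.test 192.0.2.{i} FAIL" for i, u in enumerate(USERS)]  # many sources, one account each
    + ["1030 alice 203.0.113.9 SUCCESS"]
)

def parse(line):
    ts, user, ip, result = line.split()
    return int(ts), user, ip, result == "SUCCESS"

def classify(lines, threshold=5):
    """Return alerts: brute force, reverse brute force, or credential stuffing."""
    fails = defaultdict(int)        # (ip, user) -> failed attempts
    users_by_ip = defaultdict(set)  # ip -> accounts it failed against
    for line in lines:
        _, user, ip, ok = parse(line)
        if not ok:
            fails[(ip, user)] += 1
            users_by_ip[ip].add(user)
    alerts = []
    # Classic brute force: one source hammering one account with many guesses.
    for (ip, user), n in fails.items():
        if n >= threshold:
            alerts.append(("brute_force", ip, user))
    # Reverse brute force: one source trying a password across many accounts.
    for ip, users in users_by_ip.items():
        if len(users) >= threshold:
            alerts.append(("reverse_brute_force", ip, len(users)))
    # Stuffing heuristic: many sources, each failing once against a different account.
    single = {ip: next(iter(u)) for ip, u in users_by_ip.items()
              if len(u) == 1 and fails[(ip, next(iter(u)))] == 1}
    if len(single) >= threshold and len(set(single.values())) >= threshold:
        alerts.append(("credential_stuffing", len(single), len(set(single.values()))))
    return alerts

if __name__ == "__main__":
    for alert in classify(SAMPLE_LOG):
        print(alert)
```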
When defending against brute force attacks, you may be wondering what role, if any, encryption plays. It's important to note that stored passwords are not encrypted but hashed: a hash is a one-way function, so it cannot be reversed to recover the password, and it is often combined with additional random input (a salt) so that the same password does not produce the same stored value twice.
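What salted, one-way hashing looks like in practice, as an added example rather than code from the article: the work factor, storage format and sample password are choices made for this demo.

```python
# Added example (not from the original article): storing passwords as
# salted, iterated hashes and checking a login against them. The work
# factor and format are choices made for this demo, not from the article.
import base64
import hashlib
import hmac
import os

ITERATIONS = 600_000   # PBKDF2-HMAC-SHA256 work factor (assumed for this demo)

def hash_password(password: str, salt: bytes = b"") -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<hash>' with base64 fields."""
    salt = salt or os.urandom(16)   # the "additional random input": a per-user salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_sha256$%d$%s$%s" % (
        ITERATIONS,
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    )

def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)

def salts_differ(password: str) -> bool:
    """Two users with the same password get different stored values."""
    return hash_password(password) != hash_password(password)

if __name__ == "__main__":
    stored = hash_password("correct horse battery staple")   # constructed sample
    print(stored)
    print("right password:", verify_password("correct horse battery staple", stored))
    print("wrong password:", verify_password("Correct horse battery staple", stored))
```

The iteration count is what slows an offline brute force attempt: each guess costs the attacker the same work the server does once per login.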
Password Safety Tips
Passwords aren’t going away anytime soon (although some experts believe they are outdated), so strong passwords are perhaps the most critical strategy in preventing brute force attacks.
Remember, eight characters doesn’t cut it anymore. You’ll need to choose a longer phrase — not a word — that’s difficult to guess (or hack). Your password could even be more of a pass sentence that still contains a mix of letters, numbers and special characters. Taking a few unrelated words and stringing them together with a few characters thrown in might be helpful.
World-renowned hacker Kevin Mitnick suggested that one of the best ways to deal with this is to use a password manager and make the master password a 25-character password. With one 25-character password to log in and another for the password manager master password, the user only has to remember two passwords (or pass-sentences).
For IT security teams, the most detailed and comprehensive summary of the best authentication strategies can be found in NIST’s Special Publication 800-63B.
Best Practices for Password Safety
Aside from mandating strong passwords, here are several effective tactics your enterprise should consider to reduce the risk of brute force attacks.
Use multifactor authentication (MFA). With MFA, the password is just the first phase of a two-step process. To log in, users will need either a code sent via text message or email, a physical token or a biometric scan of their fingerprint or face. In almost all cases, threat actors would need physical access to bypass MFA.
Limit the number of login attempts. If only a few tries to enter a correct password are allowed, most attackers will give up and look for weaker targets.
Lock accounts after unsuccessful logins. This tactic works in the same way as the one above. You can also limit the rate of repeated logins, denying another attempt until a short amount of time has passed.
Deploy blacklists to block known bad actors. For this to be effective, make sure the list is constantly up to date.
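The attempt limit, lockout and rate limit described above fit naturally into one per-account guard that runs before the password is even checked. This is an added example, not code from the article; the thresholds, the progressive-delay policy and the in-memory state store are assumptions for the illustration.

```python
# Added example (not from the original article): a per-account login guard
# combining an attempt limit, a lockout and a rate limit. Thresholds and
# timings are assumptions; state is kept in memory for the demo.
import time
from dataclasses import dataclass

@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # epoch seconds; 0 means not locked
    next_allowed: float = 0.0  # earliest time another attempt is accepted

class LoginGuard:
    def __init__(self, max_failures=5, lockout_seconds=900, min_interval=2.0):
        self.max_failures = max_failures
        self.lockout_seconds = lockout_seconds
        self.min_interval = min_interval
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def check(self, user, now=None):
        """Decide whether an attempt may even reach the password check."""
        now = time.time() if now is None else now
        st = self._state(user)
        if now < st.locked_until:
            return False, "locked"
        if now < st.next_allowed:
            return False, "rate_limited"
        return True, "ok"

    def record(self, user, success, now=None):
        """Update state after the password check; returns the new state."""
        now = time.time() if now is None else now
        if success:
            self.accounts[user] = AccountState()   # clear counters on success
            return self.accounts[user]
        st = self._state(user)
        st.failures += 1
        # Progressive delay: each failure doubles the wait before the next try.
        st.next_allowed = now + self.min_interval * 2 ** (st.failures - 1)
        if st.failures >= self.max_failures:
            st.locked_until = now + self.lockout_seconds
        return st

if __name__ == "__main__":
    guard = LoginGuard(max_failures=3, lockout_seconds=60, min_interval=1.0)
    for t in (0.0, 1.0, 3.0, 10.0):
        allowed, why = guard.check("alice", now=t)
        print(f"t={t:4.1f} allowed={allowed} ({why})")
        if allowed:
            guard.record("alice", success=False, now=t)
```

Keying the rate limit per account (and, in a real deployment, per source address as well) is what blunts a reverse brute force attack, which spreads a few guesses across many accounts to stay under any single account's limit.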
In the end, the best strategy may have nothing to do with software or strong passwords. Like anything in cybersecurity, a company’s culture will set the tone. It may materialize in the form of security awareness training, but no matter how it’s ingrained, password safety and management should be a critical function of an organization’s overall security program. Users must be educated and made aware of the risks.
Especially while many people are working at home, which is probably the case for the foreseeable future, a robust cybersecurity culture in your enterprise is essential.