Data breaches in 2017 reached an all-time high. “On December 20th, the Identity Theft Resource Center (ITRC) reported that there were 1,293 total data breaches, compromising more than 174 million records. That’s 45% more breaches than 2016.”[1] Your company may think it is doing all it can to prevent a breach, but attackers are taking advantage of something you might not be thinking of: a simple password.
Compromised passwords are one of the most common ways to break into a company and steal its information. So, the next time you roll your eyes at a password-creation box that demands odd letters and symbols, trust that it is there for your own protection.
Below are three common types of password attack used by hackers, each with a step you can take to defend against it.
A Brute Force Attack is when a hacker uses a program to crack a password by cycling through every possible combination of characters until one works. Metasploit, the world’s most used penetration testing framework, is often named here, but it is an exploitation framework with only a few login-scanner modules; tools such as Netsparker, Acunetix and w3af are web vulnerability scanners and Wireshark is a packet analyzer, so none of them is a password cracker. The dedicated tools are Hydra for guessing against a live login page and John the Ripper or Hashcat for cracking stolen password hashes offline. The attack is common because it needs nothing but time: every extra character multiplies the number of combinations, so a short password over a small character set falls quickly, while a long one takes longer than the attacker can afford.
Resolution: One of the most effective and simple ways to stop an online brute force attack is to implement an account lockout policy. When a user enters an incorrect password more than a specified number of times, the account is locked and stays locked until an administrator (or a cooling-off timer) unlocks it, so the attacker cannot cycle through enough combinations to reach the correct password. Two caveats: lockout only helps against guessing at the login page, not against cracking a stolen password database offline, and a per-account lockout does nothing against password spraying, where one common password is tried once against many accounts. Pair lockout with rate limiting per source address and a second authentication factor.
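As an added illustration, not code from the original post, the following Python models the two halves of the paragraph above: how fast the search space grows with password length, and how a lockout policy stops an online brute force attack after a handful of guesses. The LoginService class, its account data and the password-spraying caveat at the end are constructed for this example; a real system would compare salted, slow hashes rather than plaintext passwords.

```python
import itertools
from dataclasses import dataclass


def keyspace(alphabet_size: int, max_len: int) -> int:
    """Number of candidate passwords of length 1..max_len over an alphabet of the given size.

    Every added character multiplies the work, which is why length beats 'complexity'.
    """
    return sum(alphabet_size ** n for n in range(1, max_len + 1))


@dataclass
class Account:
    password: str          # constructed example: a real system stores a salted, slow hash instead
    failures: int = 0
    locked: bool = False


class LoginService:
    """Hypothetical stand-in for a login endpoint that enforces an account lockout policy."""

    def __init__(self, accounts: dict, max_failures: int = 5):
        self.accounts = accounts
        self.max_failures = max_failures
        self.attempts = 0  # total login calls seen, so we can count how far an attacker got

    def login(self, username: str, password: str) -> str:
        self.attempts += 1
        acct = self.accounts.get(username)
        if acct is None:
            return "denied"          # same answer as a wrong password, so usernames are not enumerable
        if acct.locked:
            return "locked"
        if password == acct.password:
            acct.failures = 0
            return "ok"
        acct.failures += 1
        if acct.failures >= self.max_failures:
            acct.locked = True       # stays locked until an administrator (or a timer) unlocks it
            return "locked"
        return "denied"

    def unlock(self, username: str) -> None:
        acct = self.accounts[username]
        acct.locked = False
        acct.failures = 0


def brute_force(service: LoginService, username: str, alphabet: str, max_len: int):
    """Online brute force: try every string over `alphabet` up to `max_len`, shortest first.

    Returns the password if found, or None if the account locked (or the keyspace ran out).
    """
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            guess = "".join(combo)
            result = service.login(username, guess)
            if result == "ok":
                return guess
            if result == "locked":
                return None
    return None


def password_spray(service: LoginService, usernames, password: str) -> list:
    """One guess per account: each account sees a single failure, so per-account lockout never fires."""
    return [u for u in usernames if service.login(u, password) == "ok"]


if __name__ == "__main__":
    # Without lockout, a 3-character password over "abc" falls within keyspace(3, 3) = 39 guesses.
    open_service = LoginService({"alice": Account("cab")}, max_failures=10 ** 9)
    print("no lockout:", brute_force(open_service, "alice", "abc", 3),
          "after", open_service.attempts, "attempts")

    # With lockout after 5 failures the same attack is stopped after 5 guesses.
    locked_service = LoginService({"alice": Account("cab")}, max_failures=5)
    print("lockout   :", brute_force(locked_service, "alice", "abc", 3),
          "after", locked_service.attempts, "attempts")

    # Caveat: spraying one common password across many accounts is unaffected by per-account lockout.
    sprayed = LoginService({"dave": Account("Summer2017"), "erin": Account("Summer2017"),
                            "fay": Account("x9!Qv#2pL")}, max_failures=5)
    print("spray hits:", password_spray(sprayed, ["dave", "erin", "fay"], "Summer2017"))
    print("8 printable-ASCII characters give", keyspace(95, 8), "candidates")
```

Run it as a script to see the three scenarios; the spray scenario is the reason a lockout policy alone is not enough.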
A Keylogger Attack is when a hacker uses a special program to record everything the user types, passwords included. It is a more complex tactic because it requires malware to be installed on the victim’s machine, and it is one reason RSA SecurID tokens have become more common among businesses. SecurID tokens are hardware devices that display a code that changes every minute; the user enters that code together with a PIN as a second factor of authentication when accessing confidential information, so a password captured by a keylogger is not enough on its own, and a captured code expires before it can be reused.
Resolution: Install anti-spyware and antivirus software, such as TotalAV, ScanGuard or PCProtect, on every endpoint; it acts as the first line of defense and catches most commodity keyloggers with the least amount of effort from your business’ IT administration. Because no scanner catches everything, also require a second factor so that a captured password alone does not grant access.
A Dictionary Attack is when a hacker uses a script to try a list of likely passwords, typically real words and previously leaked passwords, usually with simple variations such as capitalizing the first letter or appending digits and a symbol. Dictionary attacks are usually successful because most users tend to pick short, predictable passwords like Password123. The difference from brute force is the candidate list, not the characters involved: brute force tries every possible combination and is bounded only by password length, whereas a dictionary attack tries only a curated list of guesses and succeeds quickly whenever the password is on it.
Resolution: The easiest fix is to strengthen the password parameters. Most sites require that your password is 8-12 characters and includes one upper case letter, one lower case letter, a number, and a special character, such as @#$%!. Even if the site does not require this, we recommend following these guidelines anyway. Two refinements a practitioner would add: length is what drives up the cost of brute force, so allow and prefer longer passphrases rather than capping at 12 characters, and screen new passwords against a list of common and previously breached passwords, because Password123! satisfies every composition rule and is still among the first guesses a dictionary attack makes. Current NIST guidance (SP 800-63B) takes exactly this approach.
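The following Python is an added example covering both the dictionary attack and the password-policy resolution above; it is not code from the original post. The wordlist, mangling rules, sample users and the check_password policy (a minimum length plus a blocklist of predictable candidates) are all constructed for this example, and the PBKDF2 iteration count is deliberately low so the demo runs in under a second.

```python
import hashlib
import os

ITERATIONS = 1000  # constructed example; production hashing uses far slower settings (bcrypt, scrypt, Argon2)


def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


# Constructed wordlist; real attack lists hold millions of leaked passwords.
WORDLIST = ["password", "summer", "welcome", "letmein", "dragon"]
SUFFIXES = ["", "1", "123", "2017", "!", "123!", "2017!"]
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})


def candidates(words=WORDLIST):
    """Each base word expanded by the mangling rules crackers apply: capitalization, leetspeak, suffixes."""
    seen = set()
    for word in words:
        bases = (word, word.capitalize(), word.upper(),
                 word.translate(LEET), word.capitalize().translate(LEET))
        for base in bases:
            for suffix in SUFFIXES:
                cand = base + suffix
                if cand not in seen:
                    seen.add(cand)
                    yield cand


def dictionary_attack(stored: dict) -> dict:
    """Offline dictionary attack on {user: (salt, hash)}; returns {user: recovered password}.

    Each user has a distinct salt, so every candidate is hashed once per user: salting does not
    stop a dictionary attack, it only stops one computed hash from cracking many accounts at once.
    """
    cracked = {}
    for cand in candidates():
        for user, (salt, digest) in stored.items():
            if user not in cracked and hash_password(cand, salt) == digest:
                cracked[user] = cand
    return cracked


def meets_composition_rules(pw: str) -> bool:
    """The site rule the text describes: 8-12 characters with upper, lower, digit, and one of @#$%!."""
    return (8 <= len(pw) <= 12
            and any(c.isupper() for c in pw)
            and any(c.islower() for c in pw)
            and any(c.isdigit() for c in pw)
            and any(c in "@#$%!" for c in pw))


def check_password(pw: str, min_length: int = 12) -> list:
    """Hypothetical length-plus-blocklist policy: returns the reasons a password is rejected, [] if accepted."""
    problems = []
    if len(pw) < min_length:
        problems.append("shorter than %d characters" % min_length)
    if pw in set(candidates()):
        problems.append("matches a common password pattern")
    return problems


def build_sample_store() -> dict:
    """Constructed user database; salts are random, so the attack cannot rely on precomputed hashes."""
    users = {"alice": "Password123!", "bob": "Summer2017", "carol": "hedge-lantern-cobalt-42"}
    store = {}
    for user, pw in users.items():
        salt = os.urandom(16)
        store[user] = (salt, hash_password(pw, salt))
    return store


if __name__ == "__main__":
    print("cracked:", dictionary_attack(build_sample_store()))
    for pw in ("Password123!", "Summer2017", "hedge-lantern-cobalt-42"):
        print("%-24s composition rules: %-5s policy problems: %s"
              % (pw, meets_composition_rules(pw), check_password(pw)))
```

Note the outcome for alice: Password123! passes every composition rule yet is recovered by the second mangling rule tried, while carol’s long passphrase fails the composition rule (too long, no upper case) and is the only one that survives the attack. That is the case for judging passwords by length and predictability rather than by which character classes they contain.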
Now that you’re more aware of the different types of password attacks, you can see how a unique, hard-to-guess password for each account can prevent a major breach of your company’s information.
We understand the difficulty of tracking all the usernames and passwords you create for the sites you use on a regular basis, so we recommend using a password manager, such as LastPass, which stores your credentials encrypted in its “vault.” But don’t forget: give that program a strong master password too, and turn on its second factor so that the vault itself is not protected by a single password.
By Matthew McCaffrey