Passwords. You hate them when you forget them, and you hate them when your Caps Lock key decides to spontaneously get involved. Today we’ll touch on a few of the ways that passwords can come undone, and on the fundamentals behind why we ask you to have passwords that are complex and lengthy but at the same time not easily forgettable, and how to strike the balance between the three.
Passwords are one of the most important links in the IT security chain and often the one that is attacked. There is a lot more to them than we can cover here, but we want to discuss the most common ways your password can be compromised, and we’re going to touch on four: Dictionary Attacks, Brute Force Attacks, Phishing and Social Engineering.
Once an attacker has a point of entry, whether that’s RDP (Remote Desktop Protocol, covered in this blog), the Office 365 login page, or basically anything accessible from the internet, they can use any of the methods below to gain access to your account by combining candidate passwords with known account names and naming conventions.
Dictionary Attacks
These are called dictionary attacks because they use a list of commonly used passwords, or previously compromised passwords, to attack an account. We’re talking about things like ‘password1’, ‘qwerty’ or, and yes, we’ve seen it, the password ‘blank’. If your password is one of these phrases, it won’t take an attacker long to crack it. This is generally why we recommend complexity: changing an ‘e’ for a ‘3’, adding a symbol, that kind of thing. Whilst this doesn’t always protect against dictionary attacks (the list may include previously compromised complex passwords, and common substitutions like ‘3’ for ‘e’ are well known to attackers), it’s an easy way to reduce the risk. It bears mentioning that there is also a subcategory of this attack called ‘Spidering’. This is a dictionary attack targeted at a known entity: for example, if the company’s name was “Acme”, the attacker may add ‘Acme’, ‘Acme123’ and so on to the ‘dictionary’. This is also why we recommend not having your own name, or the name of your company, in your password, as that will most definitely open you up to a dictionary attack.
Brute Force Attacks
Contrary to the name, don’t visualise a burly individual smashing down your security door. Think of a 10-digit security code panel: remember thinking “with enough time I could try every combination and eventually get in”? That’s the fundamental idea behind brute force attacks. Attackers may combine these with dictionary attacks and then start trying every possible combination of characters to find the password. Given enough time, they’ll get in. This is why we recommend length: every character you add to your password multiplies the number of combinations by the size of the character set, so the time it takes to brute force grows exponentially with length. Brute force attacks are also generally the reason for account ‘lock out’ policies, which block further attempts after too many failures within a certain period, drastically slowing down the process.
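To make the dictionary and brute force points above concrete, here is an added example (not code from the original post) of a small Python password check: it undoes the common substitutions before looking a candidate up in a wordlist, flags company names as a spidering risk, and sizes the brute force search space by character set and length. The wordlist, the 14-character minimum and the 5-attempts-per-30-minutes lockout figure are assumptions made for the example.

```python
import string

# Constructed sample wordlist standing in for a common/breached password list
# (illustrative only, not a real breach corpus).
COMMON_PASSWORDS = {"password", "password1", "qwerty", "blank", "letmein", "123456"}

# The substitutions the post suggests ('e' -> '3'), undone before the lookup so
# 'P4ssw0rd!' is still recognised as 'password'; cracking rule sets do the same.
LEET_MAP = str.maketrans({"3": "e", "0": "o", "1": "i", "4": "a", "5": "s",
                          "@": "a", "$": "s", "7": "t"})
MIN_LENGTH = 14  # assumed policy value for this example

# (predicate, alphabet size) pairs used to size the brute force search space.
CHAR_CLASSES = ((str.islower, 26), (str.isupper, 26), (str.isdigit, 10),
                (str.isspace, 1), (lambda c: c in string.punctuation, 32))


def normalise(candidate: str) -> str:
    """Lowercase, drop trailing digits/symbols ('Acme123' -> 'acme'), undo leet."""
    base = candidate.lower().rstrip(string.digits + string.punctuation)
    return base.translate(LEET_MAP)


def charset_size(candidate: str) -> int:
    """Alphabet an attacker must iterate to cover every character class used."""
    return sum(n for test, n in CHAR_CLASSES if any(test(c) for c in candidate))


def brute_force_guesses(candidate: str) -> int:
    """Worst case is charset ** length: every extra character multiplies the
    search space by the charset size, the exponential growth the post describes."""
    return charset_size(candidate) ** len(candidate)


def seconds_to_exhaust(candidate: str, guesses_per_second: float) -> float:
    """Time to try every combination. A lockout policy of 5 attempts per
    30 minutes caps an online attacker at 5 / 1800 guesses per second."""
    return brute_force_guesses(candidate) / guesses_per_second


def check_password(candidate: str, org_words=()) -> list[str]:
    """Policy findings for candidate; an empty list means it passes."""
    findings = []
    lowered, base = candidate.lower(), normalise(candidate)
    if len(candidate) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS or base in COMMON_PASSWORDS:
        findings.append("matches a common or previously breached password")
    for word in org_words:  # spidering: company/user names as dictionary entries
        if word.lower() in lowered or word.lower() in base:
            findings.append(f"contains the name '{word}'")
    return findings
```

Compare `seconds_to_exhaust("Acme123", 5 / 1800)` with a rate of a few billion guesses per second against an offline hash dump to see why lockout policies only help for online attacks, and why length matters for both.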
Phishing
We dedicated a whole blog to this one, have a look.
Social Engineering
Now you won’t see this one as often as the others, but it does warrant mentioning. Social engineering is the method of simply asking somebody for their password and having them give it to you. Think of the phone scams where somebody claims to be from a bank and asks for security information or for your password. That’s social engineering. The main mitigation for this is purely education. Don’t give out your password over the phone. Don’t give it to somebody unless you know exactly who they are; but more so, just don’t give out your password, full stop.
So we’ve said complexity, length and education. Balancing these three is imperative to having a secure network and infrastructure. We want you to have a password that not only stands up to the above attacks but isn’t so complex that you have to write it on a post-it note and stick it on your monitor, or as I like to call it, “The IT Heart Attack Inducer”. We don’t do it for kicks (that’s what setting a screenshot of the desktop as the wallpaper and turning off the icons is for). We do it because it’s important that your password meets the criteria to protect not just yourself from these attacks, but your business as well. We also recommend reducing the risk further by using Multi-Factor Authentication wherever possible.
As a wise, vaguely Scottish ogre once said, “Ogres are like onions, onions have layers”, and the same applies here. IT security is like ogres… wait. IT security is about layers. Keep in mind that the password is just one of these layers, but having a good one can oftentimes be the difference between a secure network and what is effectively an open door.