Table of Contents
- How are passwords cracked?
- How can individuals prevent their passwords from being cracked?
- What makes a good password?
- How can businesses support staff users?
- Password Security Threats
This follow-up piece focuses on how individuals and organizations can improve their cyber security through better use of passwords. Used properly, passwords are a simple and efficient way to protect data and IT systems against unauthorized access. Many people, though, still use passwords in ways that put them at risk, and IT policies don’t always encourage better user behavior.
This article sets out some straightforward suggestions for individuals and businesses looking to improve their password management and avoid having their passwords cracked.
How are passwords cracked?
Criminals can crack passwords using a variety of techniques, including:
- Intercepting them as they travel over the internet.
- Brute force: automated guessing of millions of passwords.
- Taking them physically, such as when they are written down near a device.
- Looking for password information in the IT infrastructure.
- Guessing by hand using readily available personal information (e.g. name, date of birth).
- Shoulder surfing: watching people type their passwords in public areas.
- Social engineering: duping people into handing over their passwords.
- Keylogger malware that records passwords as they are typed.
These techniques point to some basic security precautions that users can adopt.
How can individuals prevent their passwords from being cracked?
The key suggestion is to use a strong, unpredictable password. Below, we’ll go over what makes a good password (and what doesn’t).
It’s also crucial not to reuse passwords across many accounts. Different websites have different levels of security; if you always use the same password, a thief could crack it on a low-security site and use it to access sensitive information on a higher-security site.
Users, on average, use the same password on four distinct websites. Every site and system you access should ideally have a different password. In practice, though, remembering that many passwords can be challenging.
For the most sensitive sites you access, such as email, online banking, and any other sites that handle confidential or financial information, you should use a distinct password at the very least. Alternatively, you might create a password system, such as utilizing a complicated core password and then adding letters or numbers that are related to the website name.
Individuals should also consider the following suggestions:
- Use two-factor authentication wherever possible: before you can use a service, you must confirm your identity using two distinct means, such as a password and a one-time code texted to your cell phone. Many online banking services already use this, and HMRC is implementing it across all of its online services.
- Be wary of public Wi-Fi and avoid using it to access secure websites.
- Never use a link in an email to log into a secure site: this is a frequent phishing trick.
- Only use “remember password” features on home computers where you trust the other users.
- Look for https:// or a small padlock symbol at the start of a website’s URL to check that it is using a secure connection.
- Don’t type passwords in public places where others can see you.
- Passwords should never be sent by email.
- Passwords should never be shared, or written down next to your computer or in an easily accessible location.
- Don’t go back to an old password after a break from using it.
What makes a good password?
The most important thing is to avoid using easily guessable passwords. Passwords should be simple to remember but difficult to guess for others. According to the National Cyber Security Centre (NCSC), a reasonable rule of thumb is to make sure that your password cannot be guessed in 20 attempts by someone who knows you well.
The following are examples of readily broken passwords:
- Your real name or your user name.
- Names of places.
- Birthdays and names of family members or pets.
- Words from the dictionary.
- Personal information such as your date and place of birth.
- Favorite sports teams or other topics related to your passions.
- Keyboard or numerical sequences (e.g. qwerty, 12345).
123456, password, 12345678, qwerty, 12345, and football are among the most commonly used passwords.
Strong passwords will:
- Have at least 8 characters.
- Use a mix of capital and lowercase letters, symbols, and numerals.
However, substituting numbers for letters (for example, 3 for E or 1 for I) is a common practice that should be avoided, because password-guessing software tries these substitutions automatically. Long and complicated passwords are typically thought to be the most secure, but this isn’t always the case: because such passwords are difficult to remember, users may resort to coping techniques (such as writing them down or using the same password in several places), leaving them more exposed to cybercriminals.
The NCSC, in collaboration with Cyber Aware, recommends using three random words to construct a secure password, such as “coffee train fish” or “walltinshirt”. The words you choose should be memorable, but not easy to guess (for example, one-two-three) or too personal (for example, pet names, children’s names).
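The rules in this section (minimum length, the most common passwords, dictionary words with number-for-letter substitutions undone, keyboard or numeric sequences, and the “someone who knows you well” test against personal information) can be turned into a checker. The following is an added example written for this article, not code from the original page or from the NCSC; the common-password set, keyboard rows, substitution map and word list are constructed samples, and the `personal_info` dictionary shape is a hypothetical input.

```python
"""Guessability checks for a candidate password, modelled on the advice above.

Added example, not code from the original article or from the NCSC. The
common-password set, keyboard rows, leet map and the small word list are
constructed for illustration; the personal_info dictionary is a hypothetical
input shape. A real check would use a full breached-password list.
"""
import re
from datetime import date
from typing import Optional

# The "most popular passwords" named in the article (constructed sample set).
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "12345", "football"}

# Keyboard rows, digit run and alphabet; any run of 4+ characters taken from
# one of these (forwards or backwards) counts as a sequence.
SEQUENCE_SOURCES = [
    "qwertyuiop", "asdfghjkl", "zxcvbnm",
    "1234567890", "abcdefghijklmnopqrstuvwxyz",
]

# Common number/symbol-for-letter substitutions the article says to avoid.
LEET_MAP = str.maketrans({
    "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})

# Tiny constructed word list standing in for a real dictionary.
DICTIONARY = {
    "password", "football", "coffee", "train", "fish", "wall", "tin",
    "shirt", "summer", "welcome", "dragon", "letmein",
}

# Hypothetical profile of the person choosing the password (constructed).
SAMPLE_PERSONAL_INFO = {"name": "Alice Smith", "birthdate": date(1990, 5, 17), "pet": "Rex"}


def normalise(pw: str) -> str:
    """Lower-case and undo leet substitutions, so 'P@ssw0rd' compares as 'password'."""
    return pw.lower().translate(LEET_MAP)


def contains_sequence(pw: str, min_len: int = 4) -> bool:
    """True if the password contains a keyboard, numeric or alphabetic run."""
    low = pw.lower()
    for source in SEQUENCE_SOURCES:
        for seq in (source, source[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in low:
                    return True
    return False


def is_dictionary_word(pw: str) -> bool:
    """True if, with substitutions undone and digits/symbols stripped, the
    password is a single dictionary word with at most two extra letters."""
    letters = re.sub(r"[^a-z]", "", normalise(pw))
    return any(w in letters and len(letters) - len(w) <= 2 for w in DICTIONARY)


def contains_personal_info(pw: str, personal_info: dict) -> bool:
    """Check names, pets etc. (3+ letter tokens) and dates expanded into the
    common numeric forms (1990, 1705, 0517, 170590, 17051990)."""
    candidates = (pw.lower(), normalise(pw))
    tokens = []
    for value in personal_info.values():
        if isinstance(value, date):
            tokens += [value.strftime(f) for f in ("%Y", "%d%m", "%m%d", "%d%m%y", "%d%m%Y")]
        else:
            tokens += [t.lower() for t in str(value).split() if len(t) >= 3]
    return any(t in c for t in tokens for c in candidates)


def check_password(pw: str, personal_info: Optional[dict] = None) -> list:
    """Return the reasons a password is easy to guess; an empty list means
    none of the article's rules fired."""
    reasons = []
    if len(pw) < 8:
        reasons.append("shorter than 8 characters")
    if normalise(pw) in COMMON_PASSWORDS:
        reasons.append("among the most common passwords")
    if is_dictionary_word(pw):
        reasons.append("a single dictionary word, possibly with leet substitutions")
    if contains_sequence(pw):
        reasons.append("contains a keyboard or numeric sequence")
    if personal_info and contains_personal_info(pw, personal_info):
        reasons.append("contains personal information")
    return reasons


if __name__ == "__main__":
    for candidate in ("P@ssw0rd", "qwerty12", "Rex1990!", "Tr1Ck", "coffeetrainfish"):
        print(f"{candidate!r}: {check_password(candidate, SAMPLE_PERSONAL_INFO) or 'no rule fired'}")
```

Running the block shows why “Tr1Ck”-style substitutions buy nothing: `P@ssw0rd` is rejected as both a top-common password and a dictionary word once the substitutions are undone, while the three-random-words example `coffeetrainfish` passes every rule on length alone. The personal-information check is what operationalizes the NCSC’s 20-guesses test.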
How can businesses support staff users?
Businesses must ensure that their employees use passwords properly to protect IT systems and data. However, IT policies must not lead to password overload among users: the average UK person already has 22 online passwords to remember, so passwords should not be enforced where they are not needed.
Businesses can also help their employees by using technology to limit the number of passwords they must remember, and by:
- Using password managers (tools that create and store passwords for you, accessed via a master password) for less critical accounts.
- Allowing users to record and retain their passwords securely, for example by keeping written passwords in a locked cabinet or safe.
- Only asking users to reset their passwords when there is evidence or suspicion that they have been compromised.
- Allowing users to reset passwords easily, even when they are not in the office.
The NCSC no longer advises requiring users to change their passwords frequently or to maintain a variety of complicated passwords. The burden of compelling users to change passwords regularly outweighs any security benefit: employees become more likely to choose weaker passwords, make small changes to previous passwords, or request password resets more frequently. Instead, the NCSC suggests that employees focus on:
- Ensuring that passwords are difficult to guess.
- Keeping passwords safe.
- Reporting unknown logins or suspicious behavior.
- Changing passwords when a compromise is obvious or suspected.
Other security precautions that firms might implement include:
- Steering users away from predictable passwords and prohibiting the most common ones.
- Ensuring users do not use the same password at home and at work.
- Changing any default vendor-supplied passwords before distributing devices to employees.
- Keeping track of failed login attempts.
- Countering brute force attacks by implementing account lockout, throttling, or monitoring.
- Ensuring that IT systems do not require employees to share accounts or passwords: each user should have access to the systems they need to complete their tasks (and nothing beyond this).
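The last three precautions (tracking failed logins, and countering brute force with lockout, throttling or monitoring) fit together in one piece of logic. The following is an added example written for this article, not code from the original page or from any particular product: it replays a constructed authentication log, throttles after a few failures, locks an account after five failures in ten minutes, and additionally raises an alert when one source fails against several different accounts, the pattern a per-account lockout alone would miss. The log format, field names and thresholds are assumptions to be mapped onto your own logs.

```python
"""Failed-login tracking with lockout, throttling and spray alerts.

Added example, not code from the original article. The log line format, the
thresholds and the sample log are constructed for illustration; map them onto
the fields your own authentication logs provide.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log: one attempt per line.
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:04Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:07Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:09Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:12Z user=alice src=203.0.113.5 result=FAIL
2024-03-01T09:00:15Z user=alice src=203.0.113.5 result=OK
2024-03-01T09:01:00Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:01:02Z user=carol src=198.51.100.9 result=FAIL
2024-03-01T09:01:04Z user=dave src=198.51.100.9 result=FAIL
2024-03-01T09:01:06Z user=erin src=198.51.100.9 result=FAIL
2024-03-01T09:30:00Z user=bob src=192.0.2.77 result=FAIL
2024-03-01T09:30:20Z user=bob src=192.0.2.77 result=OK
"""

WINDOW = timedelta(minutes=10)     # failures older than this are forgotten
THROTTLE_AFTER = 3                 # start delaying responses at this many failures
MAX_FAILURES = 5                   # lock the account at this many failures
LOCKOUT = timedelta(minutes=15)    # how long the lock lasts
SPRAY_ACCOUNTS = 3                 # distinct accounts failing from one source


def parse_line(line: str):
    """Parse '<ISO time>Z user=<u> src=<ip> result=<OK|FAIL>' into a tuple."""
    ts_str, *fields = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    kv = dict(f.split("=", 1) for f in fields)
    return ts, kv["user"], kv["src"], kv["result"]


class LoginMonitor:
    def __init__(self):
        self.failures = defaultdict(list)      # user -> recent failure times
        self.src_failures = defaultdict(list)  # src -> (time, user) of recent failures
        self.locked_until = {}                 # user -> time the lock expires
        self.alerts = []

    def observe(self, ts, user, src, result) -> str:
        """Record one attempt and return the decision taken for it."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            # Correct password or not, attempts during a lockout are rejected and logged.
            self.alerts.append(f"{ts.isoformat()} attempt on locked account {user} from {src}")
            return "REJECT_LOCKED"
        if result == "OK":
            self.failures.pop(user, None)      # a success resets the counter
            return "OK"

        # Keep only failures inside the sliding window, then add this one.
        recent = [t for t in self.failures[user] if ts - t <= WINDOW] + [ts]
        self.failures[user] = recent
        by_src = [(t, u) for t, u in self.src_failures[src] if ts - t <= WINDOW] + [(ts, user)]
        self.src_failures[src] = by_src

        # Spray check: one source failing against several distinct accounts.
        distinct = {u for _, u in by_src}
        if len(distinct) == SPRAY_ACCOUNTS:    # fires when the threshold is first crossed
            self.alerts.append(f"{ts.isoformat()} possible password spray from {src}: {sorted(distinct)}")

        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            self.alerts.append(f"{ts.isoformat()} account {user} locked after {len(recent)} failures (last from {src})")
            return "LOCKED"
        if len(recent) >= THROTTLE_AFTER:
            return "THROTTLE"                  # caller should delay its response
        return "FAIL"


def run_log(text: str):
    """Replay a log and return the monitor plus the per-line decisions."""
    mon = LoginMonitor()
    decisions = [mon.observe(*parse_line(line)) for line in text.splitlines() if line.strip()]
    return mon, decisions


if __name__ == "__main__":
    mon, decisions = run_log(SAMPLE_LOG)
    for line, decision in zip(SAMPLE_LOG.splitlines(), decisions):
        print(f"{decision:14} {line}")
    print("\n".join(mon.alerts))
</```

In the sample, alice’s sixth attempt is rejected even though the password is correct, which is the cost of lockout and the reason the article pairs it with easy password resets; the four single failures from 198.51.100.9 never trip any per-account threshold but do raise the spray alert, which is the monitoring half of the advice.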
Password Security Threats
Compromised passwords give thieves access to your most personal accounts. Naturally, users want to create passwords that are difficult for hackers to guess.
The ordinary user constructs passwords to deceive human attackers. This was formerly a clever approach to combating data theft: a criminal would use any information they could gather about you, along with typical password patterns, to guess your password, and you could “Tr1Ck” your way to security simply by swapping a few characters in your password. However, hackers took notice. Nowadays, cybercriminals use advanced software to obtain your credentials.
This matters because many individuals still try to make passwords hard to guess using these ineffective methods, and the software that guesses passwords is built to account for exactly such tricks.
Hackers use the following tactics to gain access to your accounts:
Dictionary attacks use an automated tool to combine dictionary words in common ways. Because users make passwords simple to remember, many hackers attempt to imitate these common patterns.
Social media and publicly shared personal information are used to target users directly. Users frequently use their names, birthdays, and even the names of their favorite sports teams as passwords, and much of this information can be discovered simply by spending some time on social media.
Brute force attacks use an automated program to try every possible character combination until it discovers your password. Unlike dictionary attacks, brute force struggles with long passwords; short passwords, on the other hand, can sometimes be discovered within hours.
Phishing is when a scammer manipulates you into handing over money or personal information. They frequently pose as a reputable organization or someone you may know. Scammers may contact you via phone, text, email, or social media. They can also create fake apps, websites, and social media accounts.
Many passwords and other sensitive data have already been exposed in previous data breaches. Companies are hacked increasingly often, and attackers take all of the data and sell it online. This is especially dangerous if you’ve reused old passwords, as outdated accounts are more likely to have been breached.