5 Tips for Improving Password Security to Prevent Hacks
By: Ernest Sampera on January 26, 2021
There’s a well-known scene in Spaceballs where the king reveals his password to be 1-2-3-4. While we’re all laughing at jokes like this, some of our very standard password practices are not that far off. While we think we’re utilizing security best practices, those have evolved, as have malicious hacking tactics. As attacks escalate and adapt, it’s time to look at what is perhaps our greatest vulnerability, password security.
In short, the many ways of hijacking your users’ passwords offer the easiest route into your system with minimal chance of detection. Other strategies exist to circumvent authentication entirely, as the SolarWinds supply chain attack showed, but insufficient attention to password protocols, and controls that focus on performative rather than effective measures, create a vulnerability that can easily be reduced.
What is Password Hacking?
Password hacking is not a single technique, so it isn’t simple to isolate the methods used to hack a password. There are, in fact, multiple ways that those with malicious intent can gain access to your system by cracking a user password. Some hackers use fairly simple methods, like guessing based on common password combinations; other methods take a bit more work but also tend to take advantage of user carelessness (though arguably weak passwords are a user issue as well).
Common Types of Password Hacking
First, password hackers can use the “brute force” method, trying password combinations, letter by letter or number by number, until one succeeds. As with other methods, the easier the password, the easier this becomes, particularly if the hacker has access to employee personal data. Closely related is the “dictionary attack,” which works the same way except that the attempts use frequently used words rather than letter-by-letter combinations.
Password spraying is also considered a brute force attack in that it pounds a system with attempts to access accounts. This effort takes commonly used passwords (keep an eye out for these password offenders) and attempts to access as many accounts as possible with those simple and easy passwords.
Phishing attacks are perhaps the most well known password “hacking” method. In a phishing attack, hackers masquerade as a legitimate service or application and simply request the user’s password via an email. These can be quite sophisticated in that emails can closely mimic the emails for service providers in language and logo.
Hackers may also try what is referred to as a rainbow table attack, which requires first obtaining the stored password hashes from a database. The tables hold pre-computed hash-to-password mappings that let the hacker recover the original passwords far faster than computing each hash from scratch.
Credential stuffing is perhaps the most preventable; however, it’s likely the one that puts your organization or business most at risk. What makes this type of hack so dangerous is that many of us use the same passwords for multiple sites or applications, and once hackers obtain a password in use, such as the one for a user’s email account, they can use those same credentials to access additional sites or applications.
The final password hacking tool used is a keylogger attack. This requires that the hacker have logical access to a terminal so they can install a keylogging application that tracks all keystrokes, recording passwords and enabling their use later.
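Brute force and password spraying leave different traces in authentication logs: brute force hammers one account many times, while spraying touches many accounts a few times each. The detection logic below is an added example, not from the article; it runs over constructed log lines in an assumed `auth_fail user=... src=...` format and labels each source address.

```python
import re
from collections import defaultdict

# Constructed sample log lines (not from the article), failed logins only.
SAMPLE_LOG = """\
2021-01-26T10:00:01 auth_fail user=alice src=203.0.113.5
2021-01-26T10:00:02 auth_fail user=bob src=203.0.113.5
2021-01-26T10:00:03 auth_fail user=carol src=203.0.113.5
2021-01-26T10:00:04 auth_fail user=dave src=203.0.113.5
2021-01-26T10:00:05 auth_fail user=erin src=203.0.113.5
2021-01-26T10:01:00 auth_fail user=admin src=198.51.100.7
2021-01-26T10:01:01 auth_fail user=admin src=198.51.100.7
2021-01-26T10:01:02 auth_fail user=admin src=198.51.100.7
2021-01-26T10:01:03 auth_fail user=admin src=198.51.100.7
2021-01-26T10:01:04 auth_fail user=admin src=198.51.100.7
2021-01-26T10:01:05 auth_fail user=admin src=198.51.100.7
2021-01-26T10:02:00 auth_fail user=frank src=192.0.2.9
"""

# Assumed log format; adapt the pattern to your own authentication logs.
LINE_RE = re.compile(r"^(?P<ts>\S+) auth_fail user=(?P<user>\S+) src=(?P<src>\S+)$")

def parse_failures(log_text):
    """Return {src_ip: {user: failure_count}} from the constructed log format."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            failures[m["src"]][m["user"]] += 1
    return failures

def classify_sources(failures, spray_users=5, brute_attempts=5):
    """Label each source IP as 'spraying' (many accounts, few tries each),
    'brute_force' (one account, many tries) or 'benign'. Thresholds are
    illustrative; tune them to your own baseline."""
    verdicts = {}
    for src, per_user in failures.items():
        worst_account = max(per_user.values())
        if len(per_user) >= spray_users and worst_account <= 2:
            verdicts[src] = "spraying"
        elif worst_account >= brute_attempts:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "benign"
    return verdicts

def detect(log_text=SAMPLE_LOG):
    return classify_sources(parse_failures(log_text))

if __name__ == "__main__":
    for src, verdict in detect().items():
        print(f"{src}: {verdict}")
```
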
Risks of Poor Password Security
Businesses invest a lot of time and resources into securing not just customer data, but proprietary and/or confidential information like financial reports, forecasts, and strategies. As noted above, password hacking can be the easiest way for bad actors to gain access to your system, jeopardizing your customer’s data, the entire network, and, in some cases, your business.
For some businesses, absorbing the hit of a data breach and its consequences is possible, but for many more, the impacts are long-lasting and significant. Breaches not only expose the data but open up your customers to cascading issues, especially if credit cards are exposed. There are legal costs, investigations, and potential fines, among many other costs associated with a breach. In turn, the financial impact can, if large enough, veer into the millions, as the Marriott and Target breaches reveal. Though cases like that are extreme, even referred to as mega-breaches, the average cost for a data breach in 2020 was $3.86 billion.
When considering the cost of the breach itself and the impact on future revenue and profit, the financial cost is more than many companies can bear. However, for many companies, the repercussions also include a loss of intellectual property. Proprietary data, codes, applications, research and development, and business operations are the foundation for many companies. Deloitte estimates that 80% of a company’s value may be placed in its intellectual property. Data breaches expose this information and open it up to competitors and the black market, posing an immediate threat as well as risking a business’s future.
While these are the primary and immediate impacts, the Deloitte report highlights a growing list of costs related to a data breach that range from lost contracts and increased insurance premiums to security investments moving forward.
Who is at Risk for Password Hacking?
While it’d be easy to assume that high-value, high-traffic businesses with lots of employees are the obvious target, that’s not always the case. Certainly the more employees a business has, the more likely it is to have password security issues, but small businesses and the healthcare industry are just as likely to be targeted for other reasons.
For smaller businesses, the primary concern is the attention, or lack of it, paid to security. Because leaders may need to focus on many different aspects of the business, rather than having a team of executives or even a security team, it can be just the kind of vulnerability hackers are looking for. In fact, 67% of businesses with 1,000 employees or fewer have been victims of attacks, with 58% of them experiencing a data breach of some kind.
While smaller businesses may not see themselves as targets, they have the kind of customer data, computer systems and networks, and the potential links or backdoors to bigger companies that hackers are interested in and that have value on a black market.
The healthcare industry may be a target for similar reasons. It’s not that data security is not a focus; it’s that in many cases IT infrastructure, security, and software are outdated and susceptible to attacks that hackers have had years to understand. Further, healthcare organizations typically hold not just the patient data hackers are looking for, but many larger institutions also have highly valuable research data and intellectual property, both of which can fetch high sums on a black market.
For healthcare organizations, this should be of significant concern, as estimates and research suggest that healthcare breaches are the most costly of any industry, not just in terms of lost data and potential research but in the direct costs associated with the breach. More specifically, healthcare breaches cost, on average, $6.45 million, more than any other industry.
5 Tips for Improving Password Security in Your Organization
Password hacking is one of the easiest ways to access your network, but that doesn’t mean there aren’t reasonable steps you can take to ensure that the password protocols used within your organization can protect your business.
1. Use special characters. Perhaps one of the simplest methods to protect password security is to include special characters, but consider moving beyond the standard ! or ?. In fact, recommendations are to explore characters from all over the keyboard rather than the more commonly used characters.
2. Mix up cases. When most of us create passwords, we tend to use words that are either all capital letters or all lowercase. Consider mixing uppercase letters with lowercase. When considering these first two options, some recommend creating a sentence and translating it into a password. For example, if you use your pet’s name as a password (easy), consider changing it from “Rover2020” to a sentence such as “Rover plays fetch at the dog park on 22nd, but only on Sundays”, which becomes something like: “RPFatDPo22,booS”.
3. Avoid the following: common words, common passwords, reused passwords. All of these leave you particularly vulnerable to multiple password hacking strategies and, as best practice, should not be used, not even in your non-work personal accounts.
4. Consider password managers or tools. Password managers and tools enable your team to create strong passwords without having to worry about forgetting them (typically the reason we choose easy passwords). Further, with appropriate monitoring, some password managers can alert security professionals when created passwords are not strong enough or do not follow security guidelines.
5. Increase password length. Some experts are recommending using passwords of 20 characters. This is easily enabled if you follow the recommendation in #2 above and use a sentence converted to a password. Not only has academic research shown that longer passwords are harder to hack, but the FBI recommends this practice as well.
That said, while security guidance used to recommend that users change passwords every 90 days, that protocol is no longer stressed, particularly when other stringent measures are in place to create strong passwords that make it difficult for hackers to exploit a potential security weakness.
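The sentence-to-password conversion from tip 2 and the checkable parts of tips 1, 2, 3 and 5 can be implemented in a few lines. This is an added example, not the article’s or any vendor’s code; the stop-word list and the common-password blocklist are assumptions (a real deployment would use a breached-password feed, and the reuse check in tip 3 needs a history the example does not have).

```python
import re

# Assumed stop-word list: these words become lowercase initials, matching how
# "at", "the", "on", "but" and "only" are treated in the article's example.
STOPWORDS = {"a", "an", "at", "the", "on", "but", "only", "in", "of", "to", "and"}

# Constructed blocklist standing in for a real common-password feed.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "rover2020", "letmein"}

def sentence_to_password(sentence):
    """Convert a memorable sentence the way the article shows: the initial of
    each word (stop-words lowercase, other words uppercase), the leading digits
    of a word such as '22nd' kept whole, and punctuation kept in place."""
    out = []
    for token in sentence.split():
        m = re.match(r"^([A-Za-z0-9]+)(.*)$", token)
        if not m:                      # bare punctuation token, keep as-is
            out.append(token)
            continue
        word, trailing = m.groups()
        digits = re.match(r"^\d+", word)
        if digits:
            out.append(digits.group(0))
        elif word.lower() in STOPWORDS:
            out.append(word[0].lower())
        else:
            out.append(word[0].upper())
        out.append(trailing)
    return "".join(out)

def check_password(pw, min_length=20):
    """Return the tips the password fails (empty list means it passes)."""
    failures = []
    if not re.search(r"[^A-Za-z0-9!?]", pw):        # tip 1: a special char beyond ! or ?
        failures.append("tip1_special_char")
    if not (re.search(r"[a-z]", pw) and re.search(r"[A-Z]", pw)):  # tip 2: mixed case
        failures.append("tip2_mixed_case")
    if pw.lower() in COMMON_PASSWORDS:               # tip 3: known common password
        failures.append("tip3_common_password")
    if len(pw) < min_length:                         # tip 5: length
        failures.append("tip5_length")
    return failures

if __name__ == "__main__":
    pw = sentence_to_password("Rover plays fetch at the dog park on 22nd, but only on Sundays")
    print(pw, check_password(pw))
```

Note that the article’s own 15-character example passes tips 1 to 3 but still falls short of the 20-character target in tip 5; a longer sentence fixes that.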
How Data Centers Can Boost Your Business Security
One way to help protect your system and keep your security protocols current is to partner with a data center that ensures you are compliant with industry best practices and regulations regarding the protection of consumer data. One of the advantages of data centers and colocation partnerships is that data centers utilize the most up-to-date physical and logical security measures to ensure the safety of your data.