Protecting your organization is like fortifying a castle: you need to understand where attackers will strike and how they will try to breach your walls. Hackers are always looking for weak points, whether it’s a lax password policy or a forgotten backdoor. To build a stronger defense, you must think like a hacker and anticipate their moves. Read on to learn more about hackers’ password cracking strategies, the vulnerabilities they exploit, and how you can strengthen your defenses against them.
Analysis of the worst passwords
Commonly used weak passwords are the easiest targets for hackers. Every year, specialists publish lists of the most frequently used passwords, with classics like “123456” and “password” appearing year after year. These passwords are the low-hanging fruit of a hacker’s attack strategy. Despite years of security warnings, users still choose simple passwords that are easy to remember, often based on predictable patterns or personal information that hackers can quickly retrieve from social networks or public records.
Hackers compile databases of these common passwords (and of passwords exposed in past breaches) and feed them into dictionary and brute-force attacks, trying candidate after candidate until one matches. For a hacker, the worst passwords provide the best opportunity. Whether it’s a keyboard walk like “qwerty” or a common phrase like “i love you,” the simplicity of these passwords offers hackers a direct path into accounts, especially if multi-factor authentication is not in place.
How long does it take to crack a password?
The length of time it takes to crack a password largely depends on three factors:
- Password length and strength
- The methods used to crack it
- Tools used by a hacker
With today’s password cracking tools, hackers can crack short, simple passwords, especially those that use only lowercase letters or numbers, in seconds. Longer passwords that mix character types (upper- and lowercase letters, symbols, and numbers) are much more difficult to crack and take much longer. Two caveats a practitioner should keep in mind: the times quoted below assume an offline attack against a stolen password hash, where nothing rate-limits the attacker, and the hash function matters enormously. A slow, salted hash such as bcrypt or Argon2 cuts the attacker’s guess rate by several orders of magnitude compared with unsalted MD5 or SHA-1, while an online attack against a live login page is limited by the service’s lockout and rate limiting.
Brute-force attacks and dictionary attacks are two of the most popular hacking methods for cracking passwords.
- In a brute-force attack, hackers use tools to methodically try every possible character combination, so a weak seven-character password can be cracked in minutes, while a 16-character password that mixes letters, symbols, and numbers can take months, years, or even longer to crack.
- In a dictionary attack, hackers use a predetermined list of common words or known passwords (often with simple variations such as capitalizing the first letter or appending digits) to guess the correct one, which makes this method particularly effective against commonly used or simple passwords.
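As an added example (not code from the article or from Specops), the following Python script simulates both attack styles against a small constructed set of unsalted SHA-256 hashes: a wordlist run with a few hashcat-style mangling rules, a short exhaustive brute force, and a keyspace calculation that shows why length and character set dominate cracking time. The usernames, passwords, wordlist and the 10 billion guesses-per-second rate are all assumptions for the demo; real password stores should use a slow, salted hash such as bcrypt or Argon2, which lowers the guess rate by orders of magnitude.

```python
import hashlib
import itertools
import string

GUESSES_PER_SECOND = 1e10  # assumed rate for a GPU rig against a fast, unsalted hash
ALPHANUM = string.ascii_lowercase + string.digits  # 36-character alphabet for the brute-force demo


def sha256_hex(s: str) -> str:
    """Unsalted SHA-256, used only to keep the demo fast; never store passwords this way."""
    return hashlib.sha256(s.encode()).hexdigest()


# Constructed "leaked" hash set (hypothetical users and passwords).
LEAKED = {
    "alice": sha256_hex("123456"),
    "bob": sha256_hex("Password1"),
    "carol": sha256_hex("qwerty"),
    "dave": sha256_hex("zx9q"),
    "erin": sha256_hex("g7#Kp2!vLm9Qw4Rt"),  # 16 random characters
}

# Constructed stand-in for a "worst passwords" list.
WORDLIST = ["123456", "password", "qwerty", "iloveyou", "letmein", "admin"]


def mangle(word: str):
    """Yield rule-based variants of a base word, the way hashcat/John rules do."""
    yield word
    yield word.capitalize()
    yield word.upper()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix


def dictionary_attack(hashes: dict, wordlist: list) -> dict:
    """Return {user: password} for every hash recovered by wordlist + rules."""
    lookup = {}
    for word in wordlist:
        for cand in mangle(word):
            lookup.setdefault(sha256_hex(cand), cand)
    # One hash computation per candidate, then O(1) lookups per leaked hash.
    return {user: lookup[h] for user, h in hashes.items() if h in lookup}


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Try every string over `alphabet` up to max_len; return (password or None, guesses made)."""
    guesses = 0
    for n in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=n):
            guesses += 1
            cand = "".join(chars)
            if sha256_hex(cand) == target_hash:
                return cand, guesses
    return None, guesses


def seconds_to_exhaust(alphabet_size: int, length: int, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every password of `length` over an alphabet of `alphabet_size`."""
    return alphabet_size ** length / rate


if __name__ == "__main__":
    print("dictionary + rules:", dictionary_attack(LEAKED, WORDLIST))
    pw, n = brute_force(LEAKED["dave"], ALPHANUM, 4)
    print(f"brute force recovered {pw!r} after {n:,} guesses")
    for size, length in [(26, 7), (36, 8), (62, 10), (95, 16)]:
        years = seconds_to_exhaust(size, length) / 86400 / 365.25
        print(f"alphabet {size:>2}, length {length:>2}: {years:.3g} years to exhaust")
```

The dictionary pass recovers alice, bob and carol (“Password1” falls to the capitalize-and-append-digit rule), the brute force finds dave’s four-character password after about 1.2 million guesses, and erin’s 16-character password is out of reach for both: 95^16 candidates at 10 billion guesses per second is on the order of 10^14 years.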
Are you wondering how many of your end users are using weak or cracked passwords? Scan your Active Directory for free with Specops Password Auditor to identify duplicate, empty, identical, cracked passwords and other password vulnerabilities.
Password risk management
What is the biggest password security risk in your organization? User behavior. End users tend to reuse passwords across different accounts or to pick weak, easy-to-remember passwords, giving hackers a big advantage. Once a hacker has obtained the password for one account, they will often try the same username and password on other services, a tactic called credential stuffing (not to be confused with credential dumping, which is extracting stored credentials from a compromised machine). If users have reused that password on multiple sites, they have effectively handed hackers the keys to their digital lives.
To manage this risk, your organization must promote good password hygiene. Encourage end users not to reuse passwords across sites or accounts. Go beyond user training: implement system protections such as lockout thresholds that limit the number of failed login attempts on an account, and pair them with monitoring, because an attacker who spreads one or two guesses across many accounts never trips a per-account threshold. Additionally, enforce multi-factor authentication for end users and deploy strong password policies that enforce length and complexity. If you also require periodic changes, be aware that current guidance such as NIST SP 800-63B favors changing a password when it is known or suspected to be compromised over changing it on a fixed calendar.
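An added example, not part of the article or any Specops product, of what “going beyond lockout thresholds” looks like in detection logic. It runs over a constructed, syslog-style authentication log (hypothetical users; RFC 5737 documentation addresses) and separates a classic brute force on one account, which the lockout catches, from a low-and-slow spray or stuffing run across many accounts, which stays under the threshold and is only visible when you pivot on the source address. The threshold, the minimum account count and the log format are assumptions.

```python
import re
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # failed attempts on one account before it locks (assumed policy)
SPRAY_MIN_ACCOUNTS = 4   # distinct accounts one source must fail against to be flagged (assumed)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample log: one normal typo, one brute force on bob, one spray from 203.0.113.7.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth: FAIL user=alice src=192.0.2.5
2024-03-01T10:00:09 auth: OK user=alice src=192.0.2.5
2024-03-01T10:01:00 auth: FAIL user=bob src=198.51.100.9
2024-03-01T10:01:01 auth: FAIL user=bob src=198.51.100.9
2024-03-01T10:01:02 auth: FAIL user=bob src=198.51.100.9
2024-03-01T10:01:03 auth: FAIL user=bob src=198.51.100.9
2024-03-01T10:01:04 auth: FAIL user=bob src=198.51.100.9
2024-03-01T10:01:05 auth: FAIL user=bob src=198.51.100.9
2024-03-01T10:02:00 auth: FAIL user=alice src=203.0.113.7
2024-03-01T10:02:01 auth: FAIL user=carol src=203.0.113.7
2024-03-01T10:02:02 auth: FAIL user=dave src=203.0.113.7
2024-03-01T10:02:03 auth: FAIL user=erin src=203.0.113.7
2024-03-01T10:02:04 auth: OK user=frank src=203.0.113.7
"""


def parse(log_text: str) -> list:
    """Parse matching lines into dicts; unparseable lines are skipped."""
    return [m.groupdict() for m in map(LINE_RE.match, log_text.splitlines()) if m]


def lockouts(events: list, threshold: int = LOCKOUT_THRESHOLD) -> set:
    """Accounts whose consecutive failures reach the threshold; a success resets the counter.
    A production version would also expire the counter after an observation window."""
    streak = defaultdict(int)
    locked = set()
    for e in events:
        if e["result"] == "FAIL":
            streak[e["user"]] += 1
            if streak[e["user"]] >= threshold:
                locked.add(e["user"])
        else:
            streak[e["user"]] = 0
    return locked


def spray_sources(events: list, min_accounts: int = SPRAY_MIN_ACCOUNTS,
                  threshold: int = LOCKOUT_THRESHOLD) -> dict:
    """Sources that fail against many accounts while staying below the per-account lockout."""
    per_src = defaultdict(lambda: defaultdict(int))
    for e in events:
        if e["result"] == "FAIL":
            per_src[e["src"]][e["user"]] += 1
    return {
        src: sorted(users)
        for src, users in per_src.items()
        if len(users) >= min_accounts and max(users.values()) < threshold
    }


def successes_after_spray(events: list, sprayers: dict) -> list:
    """Successful logins from a flagged source: the likely reused (stuffed) credential."""
    return [(e["user"], e["src"]) for e in events
            if e["result"] == "OK" and e["src"] in sprayers]


if __name__ == "__main__":
    evts = parse(SAMPLE_LOG)
    print("locked out:", lockouts(evts))
    sprayers = spray_sources(evts)
    print("spraying sources:", sprayers)
    print("successes from sprayers (investigate):", successes_after_spray(evts, sprayers))
```

Only bob ends up locked out; the source that touched alice, carol, dave and erin once each never hit the threshold, and its single successful login as frank is exactly the reused-password case the lockout cannot see.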
Passphrases and identity verification
As hackers and their tools become more sophisticated, organizations are forced to rethink their password structures. Enter the era of passphrases: combinations of unrelated words that are easy for users to remember but difficult for hackers to guess. For example, a passphrase like “hardwood llama spaceship” is much more secure than a short password made up of random numbers and letters, and it is also easier for users to remember.
The length of a passphrase (often 16 characters or more) combined with the unpredictability of the word combination makes brute-force and dictionary attacks much harder to pull off. Keep in mind where that strength comes from: an attacker who knows users pick a few words from a common vocabulary will guess word combinations rather than characters, so the number of words and the size of the vocabulary matter more than the character count, and four or more unrelated words is the safer target. You can find more tips on helping end users create passphrases here.
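As an added example (not code from the article), the following Python estimates the strength of the article’s sample passphrase under the two attacker models that matter: one who brute-forces characters and one who knows the phrase is a few words from a known list, and it includes a minimal passphrase policy check. The 7776-word (Diceware-sized) vocabulary, the 10 billion guesses-per-second rate, the banned-phrase set and the policy thresholds are assumptions.

```python
import math
import string

WORDLIST_SIZE = 7776        # assumed: a Diceware-style word list
GUESSES_PER_SECOND = 1e10   # assumed offline rate against a fast hash


def bits_char_bruteforce(secret: str) -> float:
    """Bits of work for an attacker who brute-forces every character over the classes present."""
    size = 0
    if any(c.islower() for c in secret):
        size += 26
    if any(c.isupper() for c in secret):
        size += 26
    if any(c.isdigit() for c in secret):
        size += 10
    if any(c in string.punctuation for c in secret):
        size += len(string.punctuation)  # 32 printable symbols
    if " " in secret:
        size += 1
    return len(secret) * math.log2(size) if size else 0.0


def bits_wordlist(num_words: int, list_size: int = WORDLIST_SIZE) -> float:
    """Bits of work for an attacker who knows the phrase is N random words from a known list."""
    return num_words * math.log2(list_size)


def years_to_exhaust(bits: float, rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case years to try every candidate in a space of 2**bits at the given rate."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def passphrase_ok(passphrase: str, min_words: int = 3, min_len: int = 16,
                  banned: frozenset = frozenset()) -> bool:
    """Policy check: enough words, enough length, and not a known common phrase."""
    words = passphrase.lower().split()
    return (len(words) >= min_words
            and len(passphrase) >= min_len
            and " ".join(words) not in banned)


if __name__ == "__main__":
    phrase = "hardwood llama spaceship"
    short = "Xk9#q2Lp"  # assumed 8-character random password for comparison
    for label, bits in [
        ("passphrase vs character brute force", bits_char_bruteforce(phrase)),
        ("passphrase vs word-list attacker (3 words)", bits_wordlist(3)),
        ("passphrase vs word-list attacker (5 words)", bits_wordlist(5)),
        ("8-char random vs character brute force", bits_char_bruteforce(short)),
    ]:
        print(f"{label:<45} {bits:6.1f} bits  ~{years_to_exhaust(bits):.3g} years")
    print("policy:", passphrase_ok(phrase), passphrase_ok("hardwood llama"))
```

The numbers tell the practitioner’s story: against character brute force the three-word phrase sits around 114 bits, but against an attacker who knows the vocabulary it is about 39 bits (seconds at the assumed rate), which is below the 8-character random password at roughly 52 bits. Each extra word from this vocabulary adds about 13 bits, so five words comfortably exceed the short random password while staying memorable.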
Also consider adding identity verification as another layer of security. Requiring users to confirm their identity with a second factor adds protection even if hackers compromise the password. Email and SMS codes are the easiest to roll out, but they are also the weakest options (SMS is exposed to SIM swapping and both are phishable), so prefer an authenticator app or a FIDO2 security key where you can.
Think like a hacker to defend like a pro
By thinking like a hacker, you can better understand how to make their job harder. Hackers take advantage of weak, reused passwords and predictable patterns, targeting users who ignore password best practices or don’t enable MFA.
A strong password policy is the foundation of strong password protection, and Specops Password Policy is a simple solution to help you customize your requirements. Your organization can meet compliance and regulatory requirements, configure password options, create custom dictionaries, enforce passphrases, and even continuously scan your Active Directory for over 4 billion compromised passwords.
To effectively defend against these attacks, your organization must close the gaps. Encourage users to use long, unique passphrases that will be difficult for hackers to guess. Implement identity verification methods for added security. And take advantage of industry-leading tools to help you enforce advanced password security practices.