The vast majority of cyber attacks involve compromised credentials; in fact, research estimated just over 80% of attacks were perpetrated in this manner in 2020 alone. The Verizon Data Breach Investigations Report showed in 2022 that again 80% of breaches were the result of weak, stolen, or default passwords. Clearly, those statistics show that we aren't learning our lesson.
The fact of the matter is that it's much easier for a bad actor to gain access to systems when they are able to hijack an already existing user account. This means that preventing password attacks or at least finding ways to reduce the risk are of the utmost importance especially for small businesses.
Common Types of Password Attacks
Before we cover some of the ways to prevent password attacks, it's important that you understand the most common methods attackers are using to target passwords in the first place. By understanding the likely attack vectors, you can better protect your employees and subsequently your small business from the devastating effects of a data breach.
Brute Force Attack
When we mention password attacks, brute force attacks are what likely jumped into your mind first. This is a trial and error process where cybercriminals repeatedly guess passwords in an attempt to gain access to the system. There are many automated password cracking applications available on the dark web, and on average, an 8-character password can be defeated in as little as 8 hours.
Dictionary Attack
A related but slightly more technical approach than the brute force attack is a dictionary attack. This type of password attack relies on both a literal dictionary and a more sophisticated "cracking dictionary." Early versions of dictionary attacks simply used permutations of every word in the dictionary in hopes of compromising an account, and the more advanced approach relies on lists of already leaked or common passwords as the source of base passwords to work from.
Man in the Middle Attack
Continuing our trend of increasingly more complicated scams, a man-in-the-middle attack allows a hacker to intercept information in transit between the user and the system they are trying to access. There are several ways that this can be accomplished, but one of the most common is to simply stand up a public wifi network and monitor the traffic across it. It will amaze you how many people will use a totally unknown network to access all sorts of sensitive information. Don't be one of those people.
Credential Stuffing Attack
The next type of password attack that we'll discuss is similar in nature to the dictionary attack that we just covered. Credential stuffing harnesses lists of user names and passwords that were previously compromised in data breaches. Combinations of these credentials are then applied by the program in the hopes that the user never changed their password or used one of their other already discovered passwords if they did change it. The dark web has a plethora of compilations of compromised credentials available for sale at any given time.
Password Spraying
A password spray attack utilizes a different technique that won't be defeated by failed password lockout policies. Instead of applying multiple passwords to a single user name, password spraying involves guessing the same password for multiple different user accounts. This is most successful when trying to compromise default passwords or new accounts where administrators have assigned simple passwords that have yet to be changed.
Preventing Password Attacks
While some of these attack vectors seem complicated, the best ways to prevent password attacks don't need to rely on an overly technical fix. Many of our best practices are fairly simple to implement and won't break the bank for a small business with a limited cybersecurity budget.
Passphrases Over Passwords
This isn't our favorite solution, but it's one that provides a substantial amount of security for a minor change in procedure. Instead of a password, mandating a passphrase causes several things to happen. The phrase is inherently longer and therefore more difficult to brute force. Including special characters or numbers only further complicates the process for attackers.
Biometric Access
Even more secure than a password or phrase, biometric features rely on your physical characteristics to access a system and are inherently more difficult for a hacker to compromise. It's much harder to copy a face or fingerprint than it is to guess a password. However, there are methods that can still be used by a determined attacker to defeat biometric access controls.
Multi Factor Authentication
Multi factor authentication (MFA) requires a second form of identity verification prior to gaining access to the system. This can be from a code provided by an authenticator app, a text message, an email, or even a phone call. Multi factor authentication should be standard on any system containing sensitive information. Even if credentials are comprised, the attacker would then need to somehow obtain the sent code to gain access to the system. This is even effective in the event of a lost or stolen device.
Password Manager
Hands down, one of the best ways to prevent password attacks is the use of a password manager. There are free and paid options, but even the free software includes some of the most useful features. Strong password generation, financial institution-level encryption, biometric access, encrypted notes, and more are all included in some programs for free. There are even browser integrations and mobile device features in some of the premier offerings. The biggest benefit of a password manager application is the ease of use for you and your employees. It eliminates the two biggest complaints about complex password policies which are coming up with one that meets the parameters and then remembering it for when you need to use it.
Monitor Access in Real Time
You absolutely have to monitor your network traffic to have an added layer of security. No password policy is foolproof, and detecting suspicious activity early is one of the best ways to mitigate further damage. When user accounts are suddenly escalated to having administrator privileges or begin performing functions outside their job duties or at unusual hours, it's a good indication that something nefarious may be afoot.
At E-Marketing Associates, we understand the challenges facing small businesses. We've built our entire business on helping small enterprises leverage marketing to punch above their weight and compete with the big fish. Contact us today for a comprehensive business report for free. This includes an evaluation of your social media, business listings, and more! 14% of small businesses fail because of poor marketing skills, and we've made it our mission to make sure your business isn't one of them.