Whatever it is, it's bound to be of interest to hackers, so it's vital that this data is well protected. But often, smart criminals know the simplest way to access this information isn't through complex hacking techniques to break into databases, but to walk through the front door. In other words, acquiring legitimate usernames and passwords and simply logging in to a database or other system is by far the easiest way to extract confidential data or do damage.
All employees should know about the dangers of using weak passwords, but hackers have a range of tactics they can use to try to figure out what login credentials users have chosen. Therefore, it pays to understand what these methods are, so you can put in place the right protections to stop them.
Here are four you need to be aware of:
1. Dictionary attacks
The most basic type of attack, this involves hackers simply trying all the most likely passwords - the familiar words that can be found in any dictionary. Automated tools run through combinations of common words with known or guessed usernames looking to find a match. These tools don't restrict themselves to single words either: common phrases are in the lists too, so if your password is 'letmein', for instance, you'll be found out very quickly.
These attacks are relatively fast and easy for hackers to attempt, but the best way to avoid them is to make your password complex. Adding elements such as upper and lower case letters, numbers and special characters can defeat most dictionary attacks - though most attackers' wordlists already account for the simplest substitutions, such as replacing a letter O with a zero.
2. Brute force
This is similar to a dictionary attack, but whereas dictionaries restrict themselves to familiar words, a full brute force attack takes into account any random combinations and can be expanded to include special characters. These take much longer than dictionary attacks and require a lot of computing power, but given enough time and resources, a persistent hacker can often break through.
The best defense against a brute force attack is length. An eight-character password, even if it's something random like 'G7p0k$r3', will be cracked very quickly by an effective brute force attack, so ideally you need at least a 15-20 character password to be safe. A random string of letters and numbers this long will of course be almost impossible to remember, so this is where a password manager comes in handy.
At this length, using three or four random words can also be effective, because the combined phrase is much harder to guess than its component words: a 20-character password made up of three words offers far more potential combinations than a 10-character, two-word phrase, even if all the component words can be found in the dictionary.
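To make the two points above concrete, here is an added example (not code from the original article) of a password policy check that normalizes the trivial substitutions attackers already expect, looks for dictionary words, and estimates the brute-force search space from length and character set. The wordlist is a constructed stand-in, and the 7776-word Diceware list size used for the passphrase comparison is an assumption for illustration.

```python
import math
import re

# Constructed mini wordlist standing in for the real lists used in dictionary attacks.
COMMON_WORDS = {"letmein", "password", "welcome", "monkey", "dragon",
                "admin", "qwerty", "football"}

# The trivial substitutions the article says attackers already take into account.
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s", "!": "i"})

def normalize(password: str) -> str:
    """Undo simple substitutions and case so 'L3tM3!n' still matches 'letmein'."""
    return password.translate(LEET_MAP).lower()

def dictionary_hits(password: str) -> list:
    """Common words found inside the normalized password, longest first."""
    norm = normalize(password)
    return sorted((w for w in COMMON_WORDS if w in norm), key=len, reverse=True)

def charset_size(password: str) -> int:
    """Alphabet size a blind brute-force attacker must cover for this password."""
    size = 0
    if re.search(r"[a-z]", password): size += 26
    if re.search(r"[A-Z]", password): size += 26
    if re.search(r"[0-9]", password): size += 10
    if re.search(r"[^a-zA-Z0-9]", password): size += 33  # printable ASCII symbols
    return size

def brute_force_bits(password: str) -> float:
    """Search-space size in bits for character-by-character brute force."""
    return len(password) * math.log2(charset_size(password))

def passphrase_bits(word_count: int, wordlist_size: int = 7776) -> float:
    """Search-space bits when the attacker knows it is N words from a known list.
    7776 is the Diceware list size, used here as an assumed example."""
    return word_count * math.log2(wordlist_size)

def assess(password: str, min_length: int = 15) -> dict:
    """Policy check: reject short dictionary-based passwords, warn on short ones."""
    hits = dictionary_hits(password)
    if hits and len(password) < min_length:
        verdict = "reject: short password built on dictionary word(s)"
    elif len(password) < min_length:
        verdict = "weak: under %d characters, within brute-force reach" % min_length
    else:
        verdict = "ok"
    return {"hits": hits, "bits": round(brute_force_bits(password), 1), "verdict": verdict}
```

A long passphrase made of dictionary words passes because length, not the absence of dictionary words, is what the policy enforces.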
3. Keylogging
Instead of trying to guess a password, keylogging involves installing malware on a machine that can record every keystroke a user types in. So when they log in to a service using their credentials, a record of what keys they pressed is created and sent directly to the hacker.
Though it has a variety of uses, keylogging is particularly effective at compromising passwords, so it must be taken seriously. Toughening up anti-malware protections to prevent the attacker entering a network in the first place is a good start, but keyloggers can also be sidestepped with the use of password managers, which can automatically fill in the username and password fields without the manual typing that a keylogger records.
4. Social engineering
Another relatively simple way to acquire passwords is to simply trick individual users into handing them over. This can often be achieved through techniques such as phishing, which entices users to log in to a fake website, thereby gifting hackers their username and password combination, but it's far from the only deceptive tactic used to get people to hand over their data willingly.
Even techniques such as phoning up employees and claiming to be from IT have been known to trick users into handing over their passwords, which should be a reminder that all the technical protections in the world can't help you if you aren't training your staff effectively to spot such tactics. You need to be constantly reminding people of their responsibilities and educating them about the tell-tale signs that indicate someone is not who they claim to be.
Don't rely on passwords alone
The best way to avoid any of the above techniques is to ensure you aren't solely relying on passwords to gain access to critical systems and data. When used on their own, passwords represent a single point of failure that, when compromised, can do immense damage to your business, no matter how strong they are.
Using two-factor or multifactor authentication wherever possible should therefore be a must for any business. This is usually based around the principle that a user should be confirmed by at least two different types of verification in order to gain access.
There are three main types of authentication factor that can be used:
- Something known to the user, which is the category traditional passwords or PINs fall into
- Something possessed by the user, such as an ID card, security token or smartphone that can receive a unique code
- An 'inherence' or biometric factor - something that's unique to the user, such as a fingerprint
Other factors such as the location of the user can also be taken into account, but the key to multifactor authentication is using verification from at least two separate categories - a password and a separate security question won't cut it, for instance, as these can be compromised in the same way.
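As an added example (not code from the original article), the following login check enforces the rule just described: it verifies a knowledge factor (a salted password hash) and a possession factor (an RFC 6238 one-time code of the kind a phone app generates), and only grants access when the factors that passed span at least two distinct categories. The user record, salt and TOTP seed are constructed for illustration; the seed is the RFC 6238 SHA-1 test-vector value.

```python
import hashlib
import hmac
import struct

# Factor categories from the article; a successful login must pass two distinct ones.
KNOWLEDGE, POSSESSION, INHERENCE = "knowledge", "possession", "inherence"

# Constructed user record: salted PBKDF2 password hash plus a TOTP seed enrolled on a phone.
SALT = b"constructed-salt"
USER = {
    "pw_hash": hashlib.pbkdf2_hmac("sha256", b"G7p0k$r3", SALT, 100_000),
    "totp_secret": b"12345678901234567890",   # RFC 6238 SHA-1 test-vector seed
}

def verify_password(candidate: str) -> bool:
    """Knowledge factor: constant-time comparison against the stored hash."""
    derived = hashlib.pbkdf2_hmac("sha256", candidate.encode(), SALT, 100_000)
    return hmac.compare_digest(derived, USER["pw_hash"])

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1: the one-time code a phone app generates."""
    counter = struct.pack(">Q", max(0, unix_time // step))
    digest = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

def verify_totp(code: str, unix_time: int, window: int = 1) -> bool:
    """Possession factor: accept the current code or one step either side for clock drift."""
    return any(hmac.compare_digest(totp(USER["totp_secret"], unix_time + d * 30), code)
               for d in range(-window, window + 1))

def spans_two_categories(results: dict) -> bool:
    """The MFA rule: passed factors must come from two distinct categories, so
    password + security question (both knowledge) does not qualify."""
    passed = {category for category, ok in results.values() if ok}
    return len(passed) >= 2

def authenticate(password: str, code: str, unix_time: int) -> bool:
    """Grant access only when both factors pass and they are of different types."""
    results = {
        "password": (KNOWLEDGE, verify_password(password)),
        "totp": (POSSESSION, verify_totp(code, unix_time)),
    }
    return spans_two_categories(results)
```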