Unless you’ve been living under a rock, you’re bound to have heard warnings about password security. Never share your password. Never use the default password (like Relish01). Never use an easy-to-guess password (like 123Password or Sarah1984). No matter what industry you work in, chances are, you’re hearing more about these password “rules” at your job. High-profile security breach scandals, like the Talk Talk information breach and the Sony hack, have more business owners and companies taking steps to ensure that their network, and the sensitive information stored on it, is safe and secure.
Although most people do their best to adhere to their employers’ password security guidelines, many are still unsure of why these password protocols are even effective. I recently worked with a small building construction firm to help them get up to speed on security protocols. One of the questions asked during our initial meeting helped to give me some perspective on how password security is still viewed by many people today.
“I work in accounts. I understand I shouldn’t leave my passwords just lying around my desk, because a colleague could use my login. But I don’t understand how using a longer, more complicated password (with a capital letter, number, symbol etc.) would make any difference. No one could guess my password.”
I kept my composure and explained that hackers are always trying to get their hands on sensitive financial information; it’s what they do. Understanding how they do it is key to understanding why complicated passwords and more advanced security techniques like multi-factor authentication are now more important than ever before.
So, how do hackers go about stealing passwords in order to infiltrate a network and gain access to sensitive information like the database, banking information etc.? Today, there are three common methods used to break into a password-protected system:
1. Brute Force Attack
The hacker uses a computer program or script to try to log in with possible password combinations, usually starting with the easiest-to-guess passwords. If a hacker has a company list, he or she can easily guess usernames. If even one user has a password like “123Password”, the pesky hacker may eventually be able to get in.
2. Dictionary Attack
A hacker uses a program or script to try to log in by cycling through common words, and simple combinations of them, taken from online word banks.
“In contrast with a brute force attack, where a large proportion of the key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words from dictionaries. Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit.”
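To show why the longer, mixed-character password the client asked about makes a difference against the two attacks above, here is an added example (not from the original post) that estimates the search space a brute force attack must cover and flags the “dictionary word plus a digit” patterns a dictionary attack relies on. The word list and the guess rate are constructed assumptions, not figures from the article.

```python
import string

# Constructed stand-in for the "online word banks" a dictionary attack cycles
# through; a real check would load a large list such as a breached-password corpus.
COMMON_WORDS = {"password", "sarah", "relish", "welcome", "letmein", "admin"}

# Assumed attacker throughput in guesses per second (illustrative, not measured).
GUESSES_PER_SECOND = 10_000_000_000

SECONDS_PER_YEAR = 365 * 24 * 3600


def keyspace(password: str) -> int:
    """Number of candidates a brute force attack must try in the worst case,
    based on which character classes the password draws from and its length."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)  # 32 printable symbols
    return alphabet ** len(password)


def years_to_exhaust(password: str, rate: int = GUESSES_PER_SECOND) -> float:
    """Worst-case time to search the whole keyspace at the assumed guess rate."""
    return keyspace(password) / rate / SECONDS_PER_YEAR


def dictionary_hit(password: str, words=COMMON_WORDS) -> bool:
    """True when the password is a listed word or a trivial variant of one:
    case changes plus digits or symbols stuck on either end (e.g. Sarah1984)."""
    stem = password.lower().strip(string.digits + string.punctuation)
    return stem in words


def evaluate(password: str) -> dict:
    """Summary a password policy could use to accept or reject a choice."""
    return {
        "keyspace": keyspace(password),
        "years_to_exhaust": years_to_exhaust(password),
        "dictionary_variant": dictionary_hit(password),
    }


if __name__ == "__main__":
    for pw in ["Relish01", "123Password", "Sarah1984", "Tr!ck-Wr3n#Bay1z"]:
        print(pw, evaluate(pw))
```

Even though “Sarah1984” mixes cases and digits, its keyspace falls at the assumed rate in well under a year, and the dictionary check catches it outright; the 16-character mixed password survives both checks.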
3. Key Logger Attack
A hacker uses a program to record all of a user’s keystrokes. By the end of the day, everything the user has typed, including their login IDs and passwords, has been captured. A key logger attack differs from a brute force or dictionary attack in many ways, not least because the key logging program is malware (a virus or similar program) that must first make it onto the user’s device (often the user is tricked into downloading it by clicking on a link in an email). Because the password is captured as it is typed, a stronger password provides little protection against a key logger, which is one reason that two-factor authentication (2FA) is becoming a must-have for businesses.
With two-factor authentication (also called multi-factor authentication, 2FA and advanced authentication), a user is required not only to provide a password to gain access to the system, but also another security “factor,” such as a unique one-time access code generated by a token device or a secure mobile app on their smartphone. A network protected by MFA is nearly impenetrable to an outside attack; even if a hacker is able to obtain a system password, the hacker won’t be able to provide the required second factor.
The use of two-factor authentication is growing rapidly. Facebook, Google and PayPal now all offer 2FA options. The security guidelines for many agencies and industries (including financial institutions, online retailers, and MI5) require 2FA for anyone trying to log in off-site.
Nazrul Hoque – 01 March 2019