How long do you think it would take for someone to guess your password? Let’s say they knew you well. You’d start with combinations of your pet names and birth date, or where you work and your town. They might spend hours trying combinations, but the likelihood is, they wouldn’t independently be able to guess it.
But, as research has shown, the deeper issue is that attackers who are after users' passwords aren't sitting around guessing based on birthdays or street names. In targeted attacks aimed at a specific company or a select employee, however, they will fold relevant dates, office addresses, and keywords such as product names into a customized cracking dictionary in order to break into the network.
There are other strategies too. Sometimes attackers use popular passwords to engage in password spraying. With this technique, threat actors "spray" thousands of usernames with a single common password, which keeps each account well under the lockout threshold that would stop a conventional brute force attempt. They are betting that within a large group, at least one user has chosen that common password. Research by the National Cyber Security Centre shows the bet often pays off: 75% of participants' organizations had accounts using a password from the list of the 1,000 most common passwords.
Against fast, unsalted hashes such as MD5 or NTLM, a GPU cracking rig can test more than 100 billion password candidates per second; a deliberately slow password hash such as bcrypt or Argon2 cuts that rate by several orders of magnitude, which is why the choice of hash matters so much once a database is stolen.
This means attackers combine that computing power with lists of weak or popular passwords, and with sets of compromised credentials bought on the dark web, to get into accounts quickly, often without the user knowing they've been hacked.
Cybercriminals have many methods for putting this kind of computing speed to use. One of the most common is the brute force attack, where the attacker tries to gain access by throwing as many password combinations as possible at a login endpoint or at a stolen hash database. Password spraying, credential cracking (recovering passwords offline from stolen hashes), and credential stuffing (replaying username-and-password pairs leaked from one site against other sites, betting on reuse) are all techniques used with the same nefarious goal in mind. They are ever-evolving as attackers try to stay several steps ahead.
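As an added example (not code from the original article), here is the detection logic a defender would run over authentication logs to tell password spraying apart from single-account brute force: a spray shows up as one source failing against many distinct accounts with only a few attempts each, while brute force shows up as many failures against one account. The log format, the thresholds (5 distinct accounts within 30 minutes for a spray, 10 failures against one account for brute force), and the sample log lines themselves are constructed for this illustration.

```python
"""Flag password spraying and single-account brute force in auth logs.

Spraying: one source fails against MANY accounts, with only a few attempts
each (it stays under the per-account lockout threshold on purpose).
Brute force: one source hammers ONE account with many attempts.
The log format and the sample lines below are constructed for this example.
"""
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)

SPRAY_SRC, BRUTE_SRC = "203.0.113.5", "198.51.100.7"
SPRAYED_USERS = ["alice", "bob", "carol", "dave", "erin", "frank", "grace", "heidi"]

# Constructed sample log (documentation IP ranges, invented users).
SAMPLE_LOG = (
    # one guess per account, seconds apart: a classic spray
    [f"2024-03-01T09:00:{5 * i:02d}Z src={SPRAY_SRC} user={u} result=FAIL"
     for i, u in enumerate(SPRAYED_USERS)]
    # the common password happened to be dave's
    + [f"2024-03-01T09:01:00Z src={SPRAY_SRC} user=dave result=OK"]
    # twelve guesses against one account: brute force
    + [f"2024-03-01T10:00:{i:02d}Z src={BRUTE_SRC} user=bob result=FAIL"
       for i in range(12)]
    # a user mistyping once and then logging in: benign noise
    + ["2024-03-01T11:00:00Z src=192.0.2.9 user=alice result=FAIL",
       "2024-03-01T11:00:07Z src=192.0.2.9 user=alice result=OK"]
)


def parse_line(line):
    """Return a dict for a well-formed line, or None for anything else."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"),
        "src": m["src"],
        "user": m["user"],
        "ok": m["result"] == "OK",
    }


def window_stats(failures, window):
    """Over every sliding window that starts at a failure, return the largest
    number of distinct accounts hit and the largest per-account attempt count."""
    most_users = most_attempts = 0
    for i, first in enumerate(failures):
        in_win = [f for f in failures[i:] if f["ts"] - first["ts"] <= window]
        counts = Counter(f["user"] for f in in_win)
        most_users = max(most_users, len(counts))
        most_attempts = max(most_attempts, max(counts.values()))
    return most_users, most_attempts


def analyze(lines, window=timedelta(minutes=30), spray_users=5, brute_attempts=10):
    """Return {"spray": {src: ...}, "brute_force": {src: ...}} for the given lines."""
    events = sorted((e for e in map(parse_line, lines) if e), key=lambda e: e["ts"])
    failures = defaultdict(list)   # src -> failed events, in time order
    successes = defaultdict(set)   # src -> accounts that logged in from it
    for e in events:
        if e["ok"]:
            successes[e["src"]].add(e["user"])
        else:
            failures[e["src"]].append(e)

    findings = {"spray": {}, "brute_force": {}}
    for src, evs in failures.items():
        distinct, per_user = window_stats(evs, window)
        if distinct >= spray_users:
            # a success from a spraying source names the account to reset first
            hit = sorted({f["user"] for f in evs} & successes[src])
            findings["spray"][src] = {"distinct_users": distinct, "successes": hit}
        if per_user >= brute_attempts:
            findings["brute_force"][src] = {"user_attempts": per_user}
    return findings


if __name__ == "__main__":
    for kind, hits in analyze(SAMPLE_LOG).items():
        for src, detail in hits.items():
            print(f"{kind}: {src} {detail}")
```

The sliding window matters: a patient sprayer who spaces attempts out over days will fall below the threshold, so the window and the distinct-account count are the two knobs to tune against your own baseline of failed logins per source. The user who mistypes once is never flagged.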
Once an attacker obtains a password, a set of credentials, or other personal details, it not only becomes easier to take over the user's online identity completely; the information also becomes more valuable to others. The result? Lists upon lists of user credentials for sale on the dark web.
Attackers capitalize on the many bad habits the average user indulges in. It turns out that, despite the protection a good password can provide, we are often our own worst enemies. The vast majority of people openly admit to reusing passwords, and weak passwords are a rampant problem as well. No matter what size of enterprise you own or work for, know that each employee's password is a possible point of entry.
All of these factors are creating a perfect storm for attackers around the globe. Having weak passwords, and then reusing them across platforms and devices, makes personal data a tempting and accessible target for criminals. Even entertainment accounts like streaming services, hotel or airline membership accounts, and social media are important to secure, since payment details are often stored within those systems. Demographic data scraped from these sites and apps is also popular on the dark web.
Information like the above reminds us that no matter how strong you think your password is, it's good practice to keep up with the conversation around cyber hygiene and evolving security measures. This holds for employees of companies of any size as well as for government and healthcare organizations.
It’s easy to scan an article like this one and feel a little more alarmed. Be comforted that by acting sooner rather than later, you can help yourself and your organization to stay secure.
Here are three quick tips to take to your next planning meeting:
- Consider using a password manager, so that you can have strong, unique passwords for each site, but not be caught up in trying to remember them all yourself.
- Individually, or as an organization, use a credential screening service to learn whether your password has already appeared in a breach or on the dark web. A well-designed service checks against a hash of the password rather than receiving the password itself.
- If you can, choose a longer passphrase that is easy for you to remember instead of something arbitrarily complex; length does more for guessing resistance than special-character rules do.
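As an added example (not code from the article or from any particular vendor), here is how the credential screening check in the second tip can be done without handing the password to the service. It is modelled on the k-anonymity range lookup used by Have I Been Pwned's Pwned Passwords API (named here as an assumption, since the article does not say which service it means): the client hashes the password locally, sends only the first five hex characters of the SHA-1 hash, receives every suffix the service holds under that prefix, and finishes the match itself. The service and its breach corpus are simulated in-process with constructed entries.

```python
"""Credential screening with a k-anonymity range lookup.

The screening service is simulated in-process. Its corpus below is constructed
for this example and is not real breach data.
"""
import hashlib

# Constructed corpus: password -> number of times it appeared in breaches.
_LEAKED = {"password": 9_000_000, "letmein": 300_000, "Summer2024!": 1_200}


def sha1_hex(password):
    """Uppercase hex SHA-1, the form the range lookup is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# The service stores only hashes, indexed by the 5-hex-char prefix clients send.
SERVER_INDEX = {}
for _pw, _count in _LEAKED.items():
    _h = sha1_hex(_pw)
    SERVER_INDEX.setdefault(_h[:5], []).append((_h[5:], _count))


def range_lookup(prefix):
    """Server side: given a prefix, return every (suffix, count) under it.
    The server never learns which suffix, if any, the client was after."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be 5 uppercase hex characters")
    return list(SERVER_INDEX.get(prefix, []))


def breach_count(password, lookup=range_lookup):
    """Client side: hash locally, send only the prefix, match the suffix locally.
    Returns how many times the password has been seen, 0 if never."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for cand_suffix, count in lookup(prefix):
        if cand_suffix == suffix:
            return count
    return 0


def acceptable(password, min_length=12):
    """Policy a sign-up or password-change form might apply: reject anything
    already seen in breach data, then anything too short. Returns (ok, reason)."""
    seen = breach_count(password)
    if seen:
        return False, f"appeared {seen} times in breach data"
    if len(password) < min_length:
        return False, "too short"
    return True, "ok"


if __name__ == "__main__":
    for pw in ["password", "Summer2024!", "correct horse battery staple"]:
        print(repr(pw), "->", acceptable(pw))
```

The point of the prefix split is that the service can answer the question without being able to tell which of the passwords under that prefix the client holds; against a real service the `range_lookup` call becomes an HTTPS request carrying only those five characters. A password that has leaked even once should be rejected outright, since it is exactly what a credential stuffing list or spraying dictionary is built from.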