WatchPoint Security Blog

The Established Threat of Passwords

Written by Grant Batterson | March 16, 2016

Passwords, passwords, and more passwords: this is the subject that websites, technology help staff, network administrators, and other computer experts harp on the most. I am sure you have seen it at some point; all online accounts and most computer accounts require passwords, along with those annoying messages that your password does not meet the complexity requirements. To most people, remembering passwords is an inconvenience; we just want to get to wherever we were going or whatever we were doing. So we make the password easy to remember and easy to type, or we reuse the same passwords. This could simply stem from a lack of education on the importance of passwords, especially complex passwords. Account passwords are honestly one of the most important, if not the most important, security aspects of your account.

A good comparison is physical keys. You wouldn't use the same key for your car, your home, and your gym locker; normally you use a different key for everything you want to protect. It would also be a good call to use a complex key, so that people can't easily get past the lock. This is the exact mentality that needs to be applied to passwords. A cybercriminal is just like any other human being on the planet; they really don't want to work hard if they don't have to. They will attack the softest points first, and passwords are usually the weakest link in the security chain. Long gone are the days when attackers would guess passwords by hand, the way a friend or family member tries to guess the passcode to your phone. Now there are easily available tools that will exploit weak passwords:

  • Brute Force
  • Dictionary Attacks
  • Rainbow Table

Brute-force attacks are one of the oldest forms of attacking a password and are still used effectively to this day. Brute-force attacks are also known as exhaustive key search attacks; because the attack is so simple, it can be used to target any form of protected data. The technique is so versatile because it works by generating every single possible combination and testing each one to see if it is the correct combination. The process starts with one character, trying every possible letter, symbol, or number. Next it repeats the same process for two characters, then three characters, and it keeps building upwards. Now I know what you are thinking: this sounds really time-consuming. You are right; if a human were doing this, it would take a very long time. However, with the power of computers and automation, the invader can carry out this attack quickly and effectively. Simple utilities like John the Ripper are capable of carrying out hundreds to thousands of password attempts a second. Not only that, but cybercriminals truly have all the time they need to crack a password, because the reality is that the user will most likely not change the password until it is too late.

The next form of attack is simply an improvement upon brute force, called a dictionary attack. A dictionary attack is a brute-force attack that uses a list of words and known password combinations rather than every possible string. It then tries every single entry in the list against your password, again looking for a correct match. More advanced dictionary attacks take words from the dictionary and apply common password conventions to them, for example appending numbers or birth dates to the end of words. It's a given that the entire Webster's dictionary is included in these lists, but cybercriminals also add password lists from websites and data breaches. I have seen a password list for dictionary attacks that contained over 982 million combinations.

The final commonly implemented style of attack is called a rainbow table. This style of attack is more complex. For the purpose of this blog post I will keep my explanation relatively simple; for those looking for a more in-depth explanation, please refer to this article from Andy O'Donnell of Lifewire. Hashing (often loosely called encryption) is used to protect stored passwords from being readable to the human eye: it takes a password of “example” and turns it into “1a79a4d60de6718e8e5b326e338ae533”. This new form of the password is called a password “hash”, and hashes are designed not to be easily reversible in case they are ever stolen. A rainbow table is basically a large dictionary, but instead of words it contains pre-calculated hashes that map back to actual passwords. This way an attacker who has stolen a hash does not have to guess at all: they simply look the hash up in the table, find a match, and read off the password.
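To make the brute-force and rainbow-table mechanisms above concrete, here is an added Python example (not code from the original post or from WatchPoint). It reproduces the post's unsalted MD5 hash of “example”, shows a precomputed-table lookup against a constructed three-entry table, shows how a random per-account salt makes that lookup miss, and estimates how long an exhaustive search takes at a given guess rate. The table contents, the salt and the 1,000 guesses-per-second rate (taken from the post's "thousands a second") are constructed assumptions.

```python
import hashlib
import os

# The post's own example: unsalted MD5 of the word "example".
PAGE_HASH = "1a79a4d60de6718e8e5b326e338ae533"

def unsalted_md5(password: str) -> str:
    """Hash the way the post describes: one fast MD5 round, no salt."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()

# Constructed stand-in for a precomputed (rainbow) table: built once from a
# word list, then reused against every stolen hash. Real tables hold billions.
PRECOMPUTED_WORDS = ["example", "password", "letmein"]
HASH_TO_PASSWORD = {unsalted_md5(w): w for w in PRECOMPUTED_WORDS}

def lookup_unsalted(stolen_hash: str):
    """Rainbow-table style recovery: a dictionary lookup, no guessing at all."""
    return HASH_TO_PASSWORD.get(stolen_hash)

def salted_md5(password: str, salt: bytes) -> str:
    """Same algorithm, but a random per-account salt is mixed in first, so the
    digest for one password differs for every account and cannot have been
    precomputed. (MD5 is kept only to match the post; real password storage
    should use a slow, purpose-built hash such as Argon2, bcrypt or scrypt.)"""
    return hashlib.md5(salt + password.encode("utf-8")).hexdigest()

def table_misses_with_salt(password: str) -> bool:
    """True when the unsalted precomputed table fails to match a salted digest."""
    salt = os.urandom(16)  # constructed: a fresh 16-byte salt for this account
    return lookup_unsalted(salted_md5(password, salt)) is None

def seconds_to_exhaust(max_length: int, charset_size: int, guesses_per_second: float) -> float:
    """Brute-force cost: time to try every password of 1..max_length characters
    drawn from a charset of the given size at a fixed guess rate."""
    keyspace = sum(charset_size ** n for n in range(1, max_length + 1))
    return keyspace / guesses_per_second

if __name__ == "__main__":
    assert unsalted_md5("example") == PAGE_HASH
    print("unsalted lookup:", lookup_unsalted(PAGE_HASH))            # example
    print("salted lookup misses:", table_misses_with_salt("example"))  # True
    # 62 symbols = upper + lower + digits; 1000 guesses/s as in the post
    for n in (6, 8, 12):
        years = seconds_to_exhaust(n, 62, 1000.0) / (365 * 24 * 3600)
        print(f"{n} chars over a 62-symbol alphabet: {years:.3g} years")
```

Each extra character multiplies the brute-force keyspace by the alphabet size, which is why the length jump from 8 to 12 matters far more than swapping one symbol; the salt, by contrast, does not slow a single guess at all but removes the attacker's ability to precompute.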

These are some common forms of attacks that cybercriminals will launch against your password. Greg Edwards points out possible remediations in Passwords, Passwords, Everywhere. At WatchPoint Data, we not only help secure your endpoints and network, but we also help with education on cyber security. We will help you create strong password policies and educate users on the importance of complex passwords. A helpful password checking utility that I recommend to clients is the Kaspersky password checker. It is not only entertaining but very accurate about how secure a possible password may be. I would advise you to enter a possible password you would use and see how secure you are. I challenge you to create a password that would take multiple years to crack, if not longer.

With WatchPoint's Security Solution you will:

  • Know someone is securing your business.
  • Have true visibility into your digital assets.
  • Have a support staff dedicated to safeguarding your network.