Password Attacks: How To Prevent Password Cracking

September 28, 2024
Ever wondered how long it would take a cybercriminal to crack your password? For 70% of people, the answer is around one second. That’s right—according to NordPass, in less than the time it takes to reset a forgotten password, a hacker could potentially access your most sensitive data. This is a pretty unsettling statistic, considering a single data breach could cost you a whole lot of money and a whole lot more than money. Data breaches tend to erode customer trust and tarnish your reputation, even if they don’t fully shut down your operations. Can you imagine going through all that simply because someone thought “password123” was secure enough?
It’s easy to underestimate the power of a strong password because the problem with strong passwords is that they’re incredibly inconvenient. With dozens—possibly even hundreds—of accounts to manage, it’s easy to get complacent and either reuse a few faithful old passwords or create ones that are easy to remember. After all, your business isn’t a target, and your IT guy has it all under control, right? Unfortunately, the harsh truth is that cyberattackers aren’t picky about the businesses they target, and neither are their automated systems. They’re after low-hanging fruit, and weak passwords are the lowest of them all.
Thankfully, while the threat is real, so are the solutions. In this article, our IT experts will guide you through the clever (and sometimes alarmingly simple) methods hackers use to crack passwords. We’ll cover what password cracking is exactly, all the methods criminals use, and finally, the tactics you can deploy to keep your accounts safe. Feel free to skip ahead if you’re just here for the protective measures. Otherwise, let’s start with the fundamentals.
What Is Password Cracking?
Password cracking is essentially digital lock-picking. It’s the process of recovering passwords from data that has been stored or transmitted by a computer system. While it can occasionally be used for legitimate purposes, such as recovering a forgotten password, it’s more commonly associated with malicious activities. Cybercriminals employ various techniques to crack passwords, all with the aim of gaining unauthorised access to systems and sensitive information.
Types of Password Cracking
Brute-Force Attack
A brute-force attack is the digital equivalent of trying every possible combination on a padlock. In this method, attackers systematically check all possible passwords until they happen upon the correct one. It’s a time-consuming and resource-intensive process, but it can be surprisingly effective, especially against weak passwords.
Modern computers can test billions of combinations per second, making short or simple passwords particularly vulnerable. This method is often used as a last resort when other techniques fail, but it’s still a significant threat, particularly for high-value targets.
Dictionary Attack
In a dictionary attack, cybercriminals use a precompiled list of common passwords and phrases, known as a dictionary, to guess the password. This method is faster than brute-force attacks but relies on the target using a common password. Attackers often use lists of words from actual dictionaries, along with common substitutions (like “@” for “a” or “1” for “i”), as well as lists of passwords from previous data breaches. That’s right, you’re not the only one who used p@ssw0rd when told you had to use at least one symbol and one number in your password.
This method can be alarmingly effective, given how many people use common words or phrases as passwords. We are alarmingly predictable, so it’s entirely possible that if your password is a real word or phrase with substituted symbols and numbers, it’s sitting in the pages of a cyber criminal’s dictionary.
Rainbow Table Attack
Rainbow tables are computer-generated tables of hash values that represent all possible password combinations. Attackers use these tables to reverse-engineer the original password from its hash value, significantly speeding up the cracking process. This method is particularly effective against systems that store passwords as hashes without additional security measures like salting.
It takes a fair amount of computational power to create and store rainbow tables. However, once generated, they allow for extremely fast password cracking. It’s like having a massive cheat sheet that matches locks to keys, making the process of cracking your password much quicker. So there are huge incentives for cybercriminals to put in the work to create them.
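The following is an added illustration (not code from the original article) of why salting defeats a precomputed hash table. A tiny constructed candidate list stands in for a cracking dictionary, and SHA-256 stands in for whatever unsalted hash a weak system might use; the lookup works against the unsalted hash and fails against the salted one, and the PBKDF2 variant shows the slow, salted form a defender should actually store.

```python
import hashlib
import os

# Constructed candidate list standing in for a cracking dictionary
# (a real table covers millions or billions of candidates).
COMMON_PASSWORDS = ["123456", "password", "p@ssw0rd", "qwerty", "letmein"]


def build_lookup_table(candidates):
    """Precompute digest -> password once; with unsalted hashes the same
    table can be reused against every user on every system."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def hash_unsalted(password):
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt):
    # A random per-user salt is stored beside the hash, so one
    # precomputed table no longer matches anybody's stored value.
    return hashlib.sha256(salt + password.encode()).hexdigest()


def hash_for_storage(password, salt, iterations=600_000):
    # Recommended form: salted AND deliberately slow (PBKDF2-HMAC-SHA256),
    # so each guess costs the attacker real compute, not a table lookup.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def lookup(table, digest):
    """Return the password behind `digest` if the table knows it, else None."""
    return table.get(digest)


def demo(password="p@ssw0rd"):
    table = build_lookup_table(COMMON_PASSWORDS)
    salt = os.urandom(16)
    found_unsalted = lookup(table, hash_unsalted(password))
    found_salted = lookup(table, hash_salted(password, salt))
    found_slow = lookup(table, hash_for_storage(password, salt))
    return found_unsalted, found_salted, found_slow
```

Only the first lookup succeeds: the salt changes the digest for every user, so the attacker would have to rebuild the table per account, and the slow KDF makes even that rebuild expensive.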
Social Engineering
Social engineering attacks are designed to manipulate you into giving up confidential information. Passwords are a prime target for these attacks. Techniques include pretexting (creating a fabricated scenario), baiting (offering something enticing to get the target to drop their guard), and tailgating (following someone into a restricted area). These methods rely on exploiting human trust and natural helpfulness.
An attacker might even pose as IT support, asking for a password to “troubleshoot” an issue, or create a scenario that pressures the victim into revealing information. It’s the new, digital version of the old-school street hustle, and it’s just as effective now as it’s always been. Though social engineering attacks happen online now rather than on the street, they still target the weakest link in any security system: human behaviour.
Phishing
Though phishing is a type of social engineering attack, it deserves its own section since it’s such a huge vector for password cracking. Phishing campaigns involve tricking users into giving up their passwords through fake emails, websites, or messages. Like other social engineering approaches to password hacking, it exploits human psychology rather than technical vulnerabilities. Attackers might create convincing replicas of legitimate websites or send emails that appear to be from trusted sources, asking users to “verify” their account details.
Phishing can be highly targeted (as in whaling attacks that target business owners and CEOs), or it can cast a wide net (as in bulk phishing emails that hit a list of addresses). With both styles delivering successful results for criminals, it remains one of the most common methods of obtaining passwords.
Malware
Malware, such as keyloggers and spyware, can capture keystrokes and monitor user activity, helping attackers steal passwords directly from your device. These malicious programs can be installed through various means, including email attachments, compromised websites, or even physical access to a device. Once installed, they operate silently in the background, recording everything the user types, including passwords. Some sophisticated malware can even capture screenshots or record video of user activity. It’s a direct and often undetectable method of password theft.
Guessing
Sometimes, attackers simply guess passwords based on common patterns or personal information. This low-tech method is surprisingly effective due to the prevalence of weak, predictable passwords. Attackers might use publicly available information about the target (like birthdays, pet names, favourite sports teams, and other things the target is a fan of) to inform their guesses. They also rely on common password patterns, such as “123456” or variations of “password.”
While it might seem too simple to be effective, guessing remains a viable attack method because many users still choose easily guessable passwords for convenience. It’s the digital equivalent of checking under the doormat or in a pot plant for a key—all too often, there’s one waiting for the enterprising criminal.
How to Prevent Password Cracking
As you can see, hackers have quite the arsenal at their disposal when they want to crack a password. However, the good news is that you do too. Here are all the best practices for protecting your passwords (starting with the one you’re probably sick of hearing about):
Use Strong, Unique Passwords for Every Account
We know, it’s tempting to use your dog’s name or your kid’s birthday for everything. But please don’t. Also refrain from using the scientific name of the pot plant in your office, the name of your high school crush, or that lyric from your favourite song. Literally any recognisable word or phrase is inherently weak, even if you replace every “a” with “@” and every “e” with “3”.
Get your employees on board with creating strong, unique passwords for each account. For reference, a truly strong password should:
- Be at least 12 characters long
- Include a random assortment of lowercase and uppercase letters, along with numbers and symbols
- Not be a recognisable word or phrase
- Not be reused for any other accounts
While song lyrics and other common phrases aren’t a good idea, you can use passphrases—longer sequences of random words that are easy to remember but hard to guess.
Make Friends with Multifactor Authentication (MFA)
MFA bolsters your security by requiring users to deliver two or more verification factors before gaining access to an account. The extra steps could include something they know (e.g. a password), something they have (e.g. a security token), and/or something they are (e.g. biometric verification). These extra steps ensure that, even if someone guesses your password, they’ll get stopped at the next checkpoint. If they don’t have the requisite identification, they’ll be stuck.
Multifactor Authentication greatly reduces the risk of hackers gaining unauthorised access to your system, even if they manage to get a hold of someone’s password. However, please do be aware that bad actors won’t just walk away with their shoulders slumped. They often turn to social engineering attacks and other methods to obtain the information required to make it through the MFA steps. So you still need other forms of protection in place.
Limit Login Attempts
If you don’t already have account lockout policies, now is the time to activate them. What you want to do here is limit the number of failed login attempts allowed. This is key to preventing brute-force attacks, as it puts a big, inconvenient barrier up to attackers simply guessing at passwords. After a set number of failed attempts, lock ’em out. Yes, some legitimate users will have to jump through hoops to get into their accounts when they’ve genuinely lost their password. However, a bit of occasional inconvenience is infinitely better than dealing with the aftermath of a data breach (if you’re curious to know what it’s like to survive a data breach, check out our article covering what happens in the wake of a cyber attack).
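As an added example (not code from the article), here is the logic behind an account lockout policy: failures are counted within a sliding window, the account locks once the threshold is hit, and the lock expires on its own. The thresholds (5 failures in 15 minutes, 30-minute lockout) are assumptions; the `password_ok` flag stands in for whatever credential check your system performs.

```python
from collections import defaultdict, deque


class LoginAttemptLimiter:
    """Lock an account after `max_failures` failed logins inside a
    `window_seconds` sliding window, for `lockout_seconds`.
    Timestamps are plain seconds so the logic is easy to test."""

    def __init__(self, max_failures=5, window_seconds=900, lockout_seconds=1800):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self.failures = defaultdict(deque)  # user -> recent failure timestamps
        self.locked_until = {}              # user -> time the lock expires

    def _prune(self, user, now):
        # Drop failures that fell out of the window.
        q = self.failures[user]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        if until is None:
            return False
        if now < until:
            return True
        # Lock expired: forget it and start counting afresh.
        del self.locked_until[user]
        self.failures[user].clear()
        return False

    def attempt(self, user, password_ok, now):
        """Return 'locked', 'ok' or 'failed'. A locked account is refused
        even with the right password, so guessing gains nothing while locked."""
        if self.is_locked(user, now):
            return "locked"
        if password_ok:
            self.failures[user].clear()
            return "ok"
        self._prune(user, now)
        self.failures[user].append(now)
        if len(self.failures[user]) >= self.max_failures:
            self.locked_until[user] = now + self.lockout
            return "locked"
        return "failed"
```

In production, return the same generic error for "locked" and "failed" to the user, and log the lock event so it feeds the monitoring described later in this article.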
Educate Your Team
From employees to freelancers, everyone who accesses your systems needs to be practising good digital hygiene. Your team is your first and last line of defence. So train them on the importance of password security and the risks associated with weak passwords.
Add awareness programs to help prevent phishing and social engineering attacks. Make sure they understand why using their birthday as a password is a bad idea and how to spot potential security threats. Consider running simulated phishing campaigns to test and improve employee vigilance.
Periodically Update Your Passwords
Yes, it’s annoying. No, you can’t skip it. Encourage employees to change their passwords regularly and avoid using the same password across multiple accounts. Systematic updates can mitigate the risk of password cracking. However, you do need to balance this with usability. If you force changes too frequently, employees may quietly start using weaker passwords or writing their credentials down—both of which are bad for business.
Use a Secure Password Manager
Though it’s not the greatest idea to write passwords down on a notepad in your desk drawer, there is one place you can store them safely—a password manager. These secure services can generate and store complex passwords, and they offer multiple layers of encryption and protection, reducing the likelihood of password reuse and simplifying password management for employees. These nifty tools reduce the cognitive burden on employees, making it easier for them to maintain good password hygiene.
Encrypt Sensitive Data
Ensure all sensitive data, including passwords, is encrypted both in transit and at rest. Encryption is central to cybersecurity, making it more difficult for attackers to access and use data, even if they manage to intercept it. This is why password managers are so secure, despite the fact that they are prime targets for cybercriminals. The password manager itself doesn’t have access to your passwords thanks to encryption. This means that even if hackers get into the system, they won’t find much (if any) usable data. Of course, no solution is 100% foolproof. However, with encryption, you have one of the strongest layers of protection out there.
Monitor for Suspicious Activity (or Have an MSP Handle This for You)
Implement monitoring tools to detect unusual login attempts or other suspicious activities. Early detection can help prevent unauthorised access and mitigate potential damage. Look for patterns such as:
- A sudden influx of visitors to your site who stay for only a few seconds
- Multiple failed login attempts
- Logins from unusual locations
- Access attempts at odd hours
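Added example (not from the article) of turning three of the patterns above into detection logic: repeated failed logins, a successful login from a country the account never uses, and a login outside working hours. The log format, the sample lines, the per-account "usual country" baseline and the 07:00–19:00 working day are all constructed assumptions; adapt the regex to your own authentication logs.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample authentication log (documentation IP ranges, fictional users).
SAMPLE_LOG = """\
2024-09-28T09:02:11 OK user=bob ip=198.51.100.4 country=AU
2024-09-28T02:13:05 FAIL user=alice ip=203.0.113.9 country=RU
2024-09-28T02:13:07 FAIL user=alice ip=203.0.113.9 country=RU
2024-09-28T02:13:09 FAIL user=alice ip=203.0.113.9 country=RU
2024-09-28T02:13:12 FAIL user=alice ip=203.0.113.9 country=RU
2024-09-28T02:13:15 OK user=alice ip=203.0.113.9 country=RU
2024-09-28T10:30:00 OK user=carol ip=192.0.2.77 country=AU
"""

# Assumed baselines: where each account normally signs in from, and which
# hours count as a normal working day.
USUAL_COUNTRY = {"alice": {"AU"}, "bob": {"AU"}, "carol": {"AU"}}
WORK_HOURS = range(7, 19)
FAIL_THRESHOLD = 3

LINE_RE = re.compile(r"(\S+) (OK|FAIL) user=(\S+) ip=(\S+) country=(\S+)")


def parse(log_text):
    """Turn each log line into a dict; lines that do not match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, ip, country = m.groups()
            events.append({"time": datetime.fromisoformat(ts), "ok": result == "OK",
                           "user": user, "ip": ip, "country": country})
    return events


def find_alerts(events):
    """Return (pattern, user, detail) tuples for the suspicious patterns."""
    alerts = []
    fails = Counter(e["user"] for e in events if not e["ok"])
    for user, n in fails.items():
        if n >= FAIL_THRESHOLD:
            alerts.append(("multiple_failures", user, n))
    for e in events:
        if not e["ok"]:
            continue  # location/hour checks apply to successful logins
        if e["country"] not in USUAL_COUNTRY.get(e["user"], set()):
            alerts.append(("unusual_location", e["user"], e["country"]))
        if e["time"].hour not in WORK_HOURS:
            alerts.append(("odd_hours", e["user"], e["time"].strftime("%H:%M")))
    return alerts
```

Run on the sample, only alice is flagged, on all three patterns at once; a burst of failures followed by a success from a new country at 2 a.m. is exactly the sequence a cracked or phished password produces.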
The easiest and most effective way to monitor your systems 24/7 is by outsourcing this task to a Managed Services Provider (MSP). This gives you protection from human IT experts as well as monitoring tools, giving you complete peace of mind that you’ll never have a disaster waiting for you when you log on to a work device (at least not an IT disaster anyway).
Conduct Periodic Cybersecurity Audits
Perform regular audits to detect and take care of potential vulnerabilities in your systems. A security audit and risk assessment will ensure your protective measures are effective and up to date. Think of these as health check-ups for your digital security—catching problems before they snowball into catastrophes. Consider hiring external security experts to perform penetration testing and identify weaknesses in your security posture. Again, an MSP can help you with this as a one-off project.
Know When to Bring in Expert Help
The easiest way to get all the best defences in place is to work with a Managed IT Service Provider like Invotec. We promise straightforward, buzzword-free advice and a cybersecurity strategy tailored to your company’s specific needs. Whether you want affordable 24/7 monitoring or help with a cybersecurity audit, we’d be happy to chat. No hard sell, no technical jargon – just solid advice from people who live and breathe IT so you don’t have to.
Book a FREE Consultation
When you choose Invotec, we want you to feel 100% confident. That’s why we offer a free consultation for all schools, to see if we’re a perfect fit. Request your free consultation today and take the first step towards better IT Support.