Brute Force Can Beat Your Weak Passwords

David Ford

Founder

We all know the scenario: the hacker feverishly taps at the keyboard and guesses the user’s password after only a few tries, or a bleeping program fills in the letters of the password one at a time until, within seconds, they’re in.

Unfortunately, this often-repeated scene leaves non-tech-savvy users with little awareness of the automated methods hackers actually use to crack passwords. They typically use freely available software to run brute-force attacks on passwords, automatically trying millions of combinations of words, letters, numbers, and symbols in a short period of time.

This is a practical, organised, highly technical criminal activity. Ransomware as a Service (RaaS) is now a genuine threat, where professional hackers offer for sale ransomware variants and lists of credentials for a one-off payment or a share of profits from successful attacks.

Criminals with no technical knowledge can now become effective cyber criminals without the expense or expertise needed to develop their own ransomware, which increases both the number of attackers and the number of attacks.

This increases the need to strengthen passwords across corporate networks. Over the coming few minutes, we’ll explain the Eloquent way of creating passwords.

How to Create Stronger Passwords

Stay away from obvious passwords. Do not use sequential numbers or letters, and never use the word password, even if you change letters for numbers or add your birth year. It will be cracked in seconds, and the hackers will know you probably use it, or something similar, for all your accounts, so they will target all of your other password-protected assets.

Make it long—You should always try to make your password at least 15 characters long. If an account set-up limits you to a shorter password, think again and maybe go elsewhere.

Mix it up—The more you combine upper-case and lower-case letters, numbers, and symbols, the stronger your password will be, especially if it’s 15 characters or more.

Be careful with substitutions—Do not just swap obvious letters in a word for numbers, like Pa55word. This is known as ‘leetspeak’ and will not fool hackers unless you make it random.

Avoid simple keyboard patterns—Avoid sequential letters and numbers, as well as sequential keyboard paths and patterns like QWERTYUIOP or ZxcvbnM, which can be easily cracked.
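The guidance above (length, mixed character classes, no leetspeak, no sequential or keyboard patterns) can be turned into a simple policy check. The following is an added example written for this page, not code from the original post: it estimates the worst-case brute-force time for a password (assuming a guess rate of 10 billion per second, which is a constructed figure for illustration) and lists which of the post's rules a candidate password breaks.

```python
import math
import re

# Character classes as the post describes them: lower, upper, digits, symbols.
CLASSES = {
    "lower": "abcdefghijklmnopqrstuvwxyz",
    "upper": "ABCDEFGHIJKLMNOPQRSTUVWXYZ",
    "digit": "0123456789",
    "symbol": "!\"#$%&'()*+,-./:;<=>?@[\\]^_`{|}~",
}

# Keyboard rows used to spot patterns like QWERTYUIOP or ZxcvbnM.
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm"]

# Common leetspeak substitutions, reversed so that Pa55word normalises to "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def alphabet_size(password: str) -> int:
    """Size of the smallest character set that covers every character used."""
    return sum(len(chars) for chars in CLASSES.values() if any(c in chars for c in password))


def brute_force_seconds(password: str, guesses_per_second: float = 1e10) -> float:
    """Worst-case seconds to exhaust the keyspace at a given guess rate (assumed 1e10/s)."""
    return alphabet_size(password) ** len(password) / guesses_per_second


def has_sequential_run(s: str, length: int = 4) -> bool:
    """True if `length` consecutive characters step by +1 or -1 in code point (abcd, 4321)."""
    for i in range(len(s) - length + 1):
        window = [ord(c) for c in s[i:i + length]]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_pattern(s: str, length: int = 4) -> bool:
    """True if a run of `length` characters walks along a keyboard row in either direction."""
    low = s.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(low) - length + 1):
            chunk = low[i:i + length]
            if chunk in row or chunk[::-1] in row:
                return True
    return False


def weaknesses(password: str) -> list[str]:
    """Return the reasons a password fails the post's guidance (an empty list means it passes)."""
    problems = []
    normalised = password.lower().translate(LEET)
    if len(password) < 15:
        problems.append("shorter than 15 characters")
    if "password" in normalised:
        problems.append("contains 'password' (leetspeak does not hide it)")
    if has_sequential_run(password):
        problems.append("contains a sequential run of letters or digits")
    if has_keyboard_pattern(password):
        problems.append("contains a keyboard-row pattern")
    if re.search(r"(19|20)\d\d", password):
        problems.append("contains something that looks like a year")
    return problems


if __name__ == "__main__":
    for candidate in ["Pa55word1987", "QWERTYUIOP", "Myfiperawabrancafl"]:
        hours = brute_force_seconds(candidate) / 3600
        print(f"{candidate}: {math.log2(alphabet_size(candidate) ** len(candidate)):.1f} bits, "
              f"~{hours:.3g} hours worst case, problems={weaknesses(candidate)}")
```

The brute-force estimate is an upper bound on the attacker's effort, not a guarantee: an attacker tries dictionary words, leaked passwords and pattern-based guesses first, which is exactly why the pattern checks matter more than the raw keyspace number.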

Security-conscious websites hash their users’ passwords rather than storing them in plain text, so if their data is compromised, no actual passwords are uncovered directly. Many websites do not go to such lengths, so carefully assess sites before setting up an account and sharing your data. Does it use HTTPS, with the padlock in the address bar? Do they appear to take security seriously?

Beyond Simple Brute Force

Eloquent will help you defeat a simple brute-force attack, but there are other attack methods to be aware of, like a dictionary attack, which tries millions of real words to crack the password.

To defeat such an attack, you must use more than a single-word password and choose multiple words in random combinations, like the what3words app. The more obscure, the better, and make it a different password every time.

Choose a password-creation process that is simple for you to follow but produces passwords that are impossibly complicated for an attacker to guess, and stay up to date with the latest intelligence on new cyberattack methods. Here are a few example processes to get your creative juices flowing.

Choose a Rule and Stick to it

Start with a simple sentence like, ‘My first pet rabbit was brown and called Flopsy’. Then, apply your chosen rule, such as using just the first two letters of the words, giving you the 18-character password: Myfiperawabrancafl.

Or, using the same rule, ‘Our business address is 43 South Road Newark Notts’ becomes Oubuadis43SoRoNeNo.

It doesn’t need anything written down; it just requires the user to remember the source sentence and their rule, which combine to make strong passwords that make sense only to the user.
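The rule-based process above is easy to express as code, which also makes it easy to check that a rule is being applied consistently. The following is an added example written for this page, not the post's own code. `apply_rule` takes a sentence and a rule function; `first_two_letters` is the post's rule, and `first_and_last` is a hypothetical alternative added here to show that the rule is interchangeable. The code keeps the capitalisation of the source sentence exactly as written, so the post's first example comes out as MyfiperawabrancaFl (the post lowercases the final Fl); either form is fine as long as the user applies the rule the same way every time.

```python
import string
from typing import Callable

# A rule maps one word of the source sentence to the fragment it contributes.
Rule = Callable[[str], str]


def first_two_letters(word: str) -> str:
    """The post's rule: keep the first two characters of each word."""
    return word[:2]


def first_and_last(word: str) -> str:
    """Hypothetical alternative rule: first and last character of each word."""
    return word[0] + word[-1] if len(word) > 1 else word


def apply_rule(sentence: str, rule: Rule = first_two_letters) -> str:
    """Derive a password from a memorable sentence by applying `rule` to every word.

    Surrounding punctuation is stripped so that 'Flopsy.' and 'Flopsy' give the same
    result; capitalisation and numbers are kept exactly as the user wrote them.
    """
    words = (w.strip(string.punctuation) for w in sentence.split())
    return "".join(rule(w) for w in words if w)


def meets_length_guidance(password: str, minimum: int = 15) -> bool:
    """The post's 'make it long' check: at least 15 characters."""
    return len(password) >= minimum


if __name__ == "__main__":
    for sentence in ["My first pet rabbit was brown and called Flopsy",
                     "Our business address is 43 South Road Newark Notts"]:
        derived = apply_rule(sentence)
        print(f"{sentence!r} -> {derived} ({len(derived)} chars, "
              f"long enough: {meets_length_guidance(derived)})")
```

Because the derivation is deterministic, the same sentence and rule always reproduce the same password, which is what lets the user avoid writing anything down. The flip side is that the sentence itself must stay private: a phrase an attacker can find (a slogan, a public address) weakens the password even when the rule is unknown.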

Random Word Combination

This time, simply use a combination of words, ideally unusual and uncommon ones, that make it almost impossible to hack. Again, think What3Words. In fact, you could even use the app for inspiration, like the location of your back door, garage, or office.

Use nouns and proper nouns, such as the names of favourite films, favourite characters, favourite songs, foreign words, pets, etc., to get SwanPepperScrooge.

The National Cyber Security Centre (NCSC) recommends using at least three words, but the more you use and the more random they are, the stronger the password.

Cybercriminals might guess Swan on its own, but the combination is likely to defeat even the most advanced hacking apps. Ideally, make the final phrase something that conjures up a mental image to help you remember it. Inserting random characters, such as numbers or symbols, between the words can make it even tougher to crack.
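The random-word method works best when the words really are chosen at random rather than picked by hand. The following is an added example written for this page, not the post's own code: it draws words with the operating system's cryptographic random source (`secrets`), optionally inserts a random separator character between words as the post suggests, and reports how many bits of entropy a given word count and wordlist size give. The 16-word list is a constructed sample for the example; a published list such as a diceware list of 7776 words gives far more entropy per word.

```python
import math
import secrets

# Constructed sample wordlist for this example (unusual nouns and proper nouns, as the post
# suggests). A real list of several thousand words should be used in practice.
SAMPLE_WORDS = [
    "Swan", "Pepper", "Scrooge", "Flopsy", "Lantern", "Quartz", "Marmalade", "Tundra",
    "Gondola", "Saffron", "Kestrel", "Bramble", "Obsidian", "Tapioca", "Zephyr", "Walrus",
]
# Characters that may be inserted between words.
SEPARATORS = "0123456789!#$%&*+-=?@_"


def words_entropy_bits(word_count: int, wordlist_size: int, separator_choices: int = 1) -> float:
    """Entropy of `word_count` words drawn uniformly (with replacement) from `wordlist_size`
    words, plus a separator drawn uniformly from `separator_choices` between each pair."""
    return (word_count * math.log2(wordlist_size)
            + (word_count - 1) * math.log2(max(1, separator_choices)))


def random_word_password(word_count: int = 3, wordlist=SAMPLE_WORDS, separators: str = "") -> str:
    """Build a passphrase from `word_count` random words; NCSC guidance is at least three."""
    if word_count < 3:
        raise ValueError("use at least three words")
    words = [secrets.choice(wordlist) for _ in range(word_count)]
    if not separators:
        return "".join(words)
    out = [words[0]]
    for word in words[1:]:
        out.append(secrets.choice(separators))  # random character between words
        out.append(word)
    return "".join(out)


def is_made_of(password: str, wordlist) -> bool:
    """True if `password` is exactly a concatenation of words from `wordlist` (sanity check)."""
    if password == "":
        return True
    return any(password.startswith(w) and is_made_of(password[len(w):], wordlist) for w in wordlist)


if __name__ == "__main__":
    print(random_word_password(3), "->", f"{words_entropy_bits(3, len(SAMPLE_WORDS)):.1f} bits")
    print(random_word_password(4, separators=SEPARATORS), "->",
          f"{words_entropy_bits(4, len(SAMPLE_WORDS), len(SEPARATORS)):.1f} bits")
    print("3 words from a 7776-word list:", f"{words_entropy_bits(3, 7776):.1f} bits")
```

The entropy figure depends only on how many equally likely choices the attacker must cover, not on how obscure a word looks. Three words from a 16-word list give just 12 bits, three from a 7776-word list about 38.8 bits, and each extra word or random separator adds to that, which is the post's point that more words and more randomness make the password stronger.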

In part two of this blog, we’ll look at the tools available to you and your users to ensure they develop methods to create stronger passwords, minimising at least one of the risks you face in an increasingly dangerous cyberspace.

In the meantime, if you have any questions or concerns about your firm’s cybersecurity, please get in touch now to discuss an Eloquent solution to your problems. Call on 0333 8000 991 or email [email protected]
