Brute force can beat your weak passwords

David Ford

Founder

We all know the scenario: the hacker feverishly taps at the keyboard and guesses the user's password after only a few tries, or a bleeping program fills in the letters of the password one at a time until, within seconds, they're in.

Unfortunately, this often-repeated scene means there is little awareness among non-tech-savvy users of the modern automated methods hackers use to crack passwords. They typically use freely available software to run brute-force attacks on passwords, automatically trying millions of combinations of words, letters, numbers and symbols in a short period of time.

This is an effective, organised, highly technical criminal activity, with Ransomware as a Service (RaaS) now a very real threat: professional hackers offer ransomware variants and lists of credentials for sale, for a one-off payment or a share of the profits from successful attacks.

Criminals with no technical knowledge can now become effective cyber criminals without the expense or expertise needed to develop their own ransomware, which increases both the number of attackers and the number of attacks.

All of which increases the need to strengthen passwords across corporate networks, and over the next few minutes we'll explain the Eloquent way of creating passwords.

How to create stronger passwords

Stay away from obvious passwords: do not use sequential numbers or letters, and never use the word 'password', even if you swap letters for numbers or add your birth year. It will be cracked in seconds, and the hackers will know you probably use it, or something similar, for all your accounts and will target all of your other password-protected assets.

Make it long — You should always try to make your password at least 15 characters, and if an account set-up limits you to a shorter password, think again and maybe go elsewhere.

Mix it up — The more you combine upper-case and lower-case letters, numbers and symbols, the stronger your password, particularly if it’s 15 characters or more.

Be careful with substitutions — Do not just switch obvious letters in a word for numbers, like Pa55word. This is known as 'leetspeak' and will not fool hackers unless you make it random.

Avoid simple keyboard patterns — Avoid sequential letters and numbers, as well as keyboard paths and patterns like QWERTYUIOP or ZxcvbnM,./ which are easily cracked.

Security-conscious websites will encrypt (hash) the passwords of their users, so if data is compromised, no actual passwords are uncovered. Many websites do not go to such lengths, so carefully assess a site before setting up an account and sharing your personal data. Does it have https and the padlock in the address bar? Do they appear to take security seriously?

Beyond simple brute force

Our advice is Eloquent and will help you defeat a simple brute-force attack, but there are other attack methods to be aware of, such as a dictionary attack, which tries millions of words to crack the code.

To defeat such an attack you must use more than a single-word password: choose multiple words in random combinations, a bit like the what3words app. The more obscure the better, and use a different password every time.

Choose a process for creating your passwords that is simple but produces impossibly complicated passwords, and stay up to date with the latest intelligence on new cyberattack methods. Here are a few example processes to get your creative juices flowing.

Choose a rule and stick to it

Start with a simple sentence like 'My first pet rabbit was brown and called Flopsy'. Then apply your chosen rule, such as using just the first two letters of each word, which gives you the 18-character password: Myfiperawabrancafl

Or, using the same rule, ‘Our business address is 43 South Road Newark Notts’ becomes: Oubuadis43SoRoNeNo

Nothing needs to be written down; the user only has to remember the source sentence and the rule, which together produce strong passwords that make sense only to the user.

Random word combination

This time, simply use a combination of words, ideally unusual and uncommon ones, which makes it almost impossible to hack. Again, think What3Words; in fact you could even use the app for inspiration, such as the location of your back door, garage or office.

Use proper nouns, nouns, the names of favourite films, characters and songs, foreign words, pets etc., so you get: SwanPepperScrooge

The National Cyber Security Centre (NCSC) recommends using at least three words, but the more you use and the more random they are, the stronger the password.

Cyber-criminals might get Swan, but the combination is likely to defeat even the most advanced hacking apps. Ideally, make the final phrase something that conjures up a mental image to help you remember it. You can make it even tougher to crack by inserting random characters, such as numbers or symbols, between the words.
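The random word combination process with separators inserted between the words, as an added example that is not code from the original post: it picks the words with a cryptographically secure generator and works out how many bits of guessing an attacker who knows both the word list and the scheme still faces. The word list is a small constructed stand-in, and the function names are assumptions.

```python
import math
import secrets

# Added example code; not from the original post. Names are hypothetical and the
# word list is a constructed stand-in for a real one (thousands of entries).
WORDLIST = ["swan", "pepper", "scrooge", "lantern", "quartz", "velvet",
            "harbour", "tulip", "walnut", "comet", "anvil", "marmalade"]
SEPARATORS = "0123456789!@#$%^&*-_=+"

def passphrase(words, count=3, separators=SEPARATORS):
    """Pick `count` words uniformly at random with a CSPRNG, capitalise each (as in
    SwanPepperScrooge) and place one random separator between consecutive words."""
    if count < 1 or not words:
        raise ValueError("need at least one word to choose from and count >= 1")
    chosen = [secrets.choice(words).capitalize() for _ in range(count)]
    parts = [chosen[0]]
    for word in chosen[1:]:
        if separators:
            parts.append(secrets.choice(separators))
        parts.append(word)
    return "".join(parts)

def entropy_bits(wordlist_size, count, separator_count=0):
    """Guessing entropy when the attacker knows the word list and the scheme:
    count * log2(N) for the words plus (count - 1) * log2(S) for the separators.
    Capitalising the first letter adds nothing once the scheme is known."""
    if wordlist_size < 2 or count < 1:
        raise ValueError("need a word list of at least two words and count >= 1")
    bits = count * math.log2(wordlist_size)
    if separator_count > 1 and count > 1:
        bits += (count - 1) * math.log2(separator_count)
    return bits

if __name__ == "__main__":
    print(passphrase(WORDLIST))
    # A 7776-word diceware-style list: three words, then three words plus separators
    print(f"{entropy_bits(7776, 3):.1f} bits, "
          f"{entropy_bits(7776, 3, len(SEPARATORS)):.1f} bits with separators")
```

Entropy counts the choices an attacker cannot predict, not the characters on screen: three words from the twelve-word constructed list give under 11 bits, which is why the list you draw from must be large and the words genuinely random.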

In part two of this blog we'll look at the tools available to you and your users to help them develop methods for creating stronger and stronger passwords, minimising at least one of the risks you face in an increasingly dangerous cyberspace.

In the meantime, if you have any questions or concerns about the cyber security of your firm, please get in touch now to discuss an Eloquent solution to your problems. Call 0333 8000 991 or email [email protected]
