Brute Force Attacks & Easy to Guess Passwords

Working from home and the general strains to business brought about by the Covid-19 pandemic has brought security back into the spotlight. Security was instrumental to protecting business networks with employees working from home, this became especially important as Covid-19 related cyber attacks were on the rise. One of these security concerns is having a strong password and incorporating a comprehensive password policy. Recently Brazil has reported a 124% increase in Covid-19 related brute force attacks. This article will discuss brute force attacks and the importance of having a password policy in place. 

What is a brute force attack?

A brute force attack or a dictionary attack is a highly automated guessing strategy used to crack your password. It’s reliant on smart dictionaries and using a list of well-known, easy to guess passwords. Most people are now aware that passwords such as ‘password123’ are easily guessed. However, these brute force attacks are constantly evolving and sophisticating. This means that even more seemingly complex passwords can be easily guessed due to emerging tactics such as: 

• Use of password lists – as well as incorporating lists of well-known passwords, hackers will also use a list of compromised passwords. When a company suffers a data breach, hackers will generally sell or publish a list of the compromised passwords from an attack. This attack is also commonly known as a reverse brute force attack.

• General maturing of brute force software – as well as password lists and dictionaries, brute force software is getting better at recognising keyboard patterns and character substitutions. For example, Password123 becomes P@55w0rd123.

What constitutes as an easy to guess password?

• Firstly, the password length is short (less than 10 characters).
• The password does not contain any variation between upper case and lower case letters.
• Similarly, the password does not contain numbers or symbols.
• The password contains common phrases or identifying information (names, birthdays, pet names, the word ‘password’ etc.).

The password contains common phrases or identifying information (names, birthdays, pet names, the word ‘password’ etc.)

A password policy is a set of rules designed to increase the security of the accounts those passwords protect. Weak passwords can be easy to compromise in a brute force attack which is a common tactic used by hackers. The longer and more complex the password, the harder it will be to crack. 

A password policy is a key aspect of any Managed Security solution. The above graph shows how even a seemingly complex password could actually be cracked within a short period of time. Implementing a password policy is extremely important to your business. It ensures all the users on your network are using what is deemed to be a complex, hard to guess password. 

Milnsbridge Password Policy

At a glance, our password policy includes, but is not limited to the following criteria:

• Minimum 16 characters in length.
• Must not contain the user’s account name or parts of the user’s full name.
• Must contain a combination of upper case letters, lower case letters, digits (0-9) or non-alphabetic characters (!,$,%,#).

According to the above graph, using our password policy, your password would take between 37 billion – 1 trillion years to crack.

Whilst brute force attacks are not as common as other types of cyber attacks, they are constantly evolving and improving to compromise your accounts more quickly. A comprehensive password policy and general password education is key to protecting your accounts and business data from being compromised in the case of a brute force attack and any other type of cyber attack.  

To discuss Managed Security and general Managed Services for your business, contact Milnsbridge on 1300 300 293.