Back to Basics: Protecting Your Business With Good Password Management
Lincoln Spector, journalist at PC World, was posed an interesting question by a reader last week: would brute-force attacks, which try text strings one after another until one turns out to be your password, work on major websites like Facebook, Twitter, etc.?
While brute-force attacks do happen, Spector pointed out that they are actually quite an inefficient method of hacking: social engineering, where a user is tricked into giving up a password, is far easier and takes much less effort on the part of the cybercriminal. Spector also points out that brute-force attacks against major websites like Facebook are much more difficult, considering that the site would likely catch on very quickly and shut the attack down. Spector writes:
“As a rule, websites don’t lend themselves to brute-force attacks. Each guess at a password will take several seconds to come up true or false. At that rate, even hacking a four-digit number could take 15 to 20 hours. And long before that, any decently-designed site will recognize what’s going on and shut down the account.”
When brute force attacks are successful, it’s usually because the user has an extremely simple password such as “123456”, or even “password.” With a long and complex password, brute force attacks become much more difficult.
While the article refers to social media sites, businesses should implement strong requirements for employee passwords, particularly when it comes to anything to do with online banking or any type of accounts payable (AP) solution.
Although brute-force attacks are far less common than social engineering attacks (such as phishing), they are still not something that should be ignored. Here is a list of password tips that you should consider to protect your business from all types of threats, not just brute-force attacks. You can also take a look at security firm SplashData’s annual “Worst Passwords” list and learn exactly what NOT to do.
Longer is better: experts recommend that passwords should be at least 8 characters long, with both upper-case and lower-case letters as well as special characters. A good password manager can help you come up with a strong password.
Keep it to one machine: never type your password into another person’s computer, even a fellow employee’s. They could very well have a keylogger installed without knowing it, and neither would you.
Keep it unique: using the same password for multiple sites, especially when it involves your banking or AP solution, is never, ever a good idea. If a hacker gets hold of your password, they will often try those same credentials on other sites to see if they work.
Lose the personal info: many people use personal details in their passwords in order to make them memorable. Whether it’s a pet name, a family member’s birthday, or a summer camp you attended as a kid, all of this info can be found out through a quick Google search. Passwords like this are easily crackable, and not just by brute force: those who know the details of your personal life could easily guess an obvious password.
Just say no: when a browser asks to save your password, always say no. The most widely used Trojans know exactly where to look for saved browser passwords.
Change is a good thing: make sure to change your passwords periodically, and never keep the same password on the same site for more than a year.
Sharing isn’t always caring: the first thing anyone ever tells you is to never share your password, and at this point it should seem like common sense. However, it always bears repeating. Why? Because according to a recent study done by Webroot, 4 in 10 respondents shared their password with another person in the past year. Never, under any circumstance, share your password, even with a loved one.
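The tips above can be turned into an automated check that a business runs when an employee sets or rotates a password. The following is an added example written for this page, not code from the article or from PC World, SplashData or Webroot. It encodes the rules the tips state (at least 8 characters with upper-case, lower-case and special characters; no known-worst passwords; no personal details; no reuse across accounts; rotation within a year). The short worst-password blocklist is a constructed sample standing in for the much longer annual list, and the personal-details set is supplied by whoever runs the check.

```python
# Added example: a password-policy checker based on the tips in the article.
# Not code from the original page. Assumptions are marked in comments below.
from dataclasses import dataclass, field
from datetime import date, timedelta
import string

# Constructed sample of entries of the kind found on annual worst-password
# lists; the article itself names "123456" and "password".
WORST_PASSWORDS = {"123456", "password", "qwerty", "abc123", "letmein"}

SPECIAL_CHARS = set(string.punctuation)


@dataclass
class Policy:
    min_length: int = 8           # "at least 8 characters long"
    max_age_days: int = 365       # "never ... the same password ... for more than a year"
    # Pet names, birth years, camp names and similar details supplied by the caller.
    personal_details: set = field(default_factory=set)


def _as_date(value):
    """Accept either a date object or an ISO date string such as '2014-06-01'."""
    return date.fromisoformat(value) if isinstance(value, str) else value


def check_password(password, policy, previously_used=(), set_on=None, today=None):
    """Return the list of violated rule names; an empty list means the password passes.

    previously_used: passwords already in use on other sites or accounts (reuse check).
    set_on / today: dates for the rotation-age check; the check is skipped when
    set_on is None, and today defaults to the current date.
    """
    problems = []

    # Composition rules from the "Longer is better" tip.
    if len(password) < policy.min_length:
        problems.append("too_short")
    if not any(c.isupper() for c in password):
        problems.append("no_uppercase")
    if not any(c.islower() for c in password):
        problems.append("no_lowercase")
    if not any(c in SPECIAL_CHARS for c in password):
        problems.append("no_special")

    lowered = password.lower()
    # Blocklist comparison is case-insensitive: "Password" is no better than "password".
    if lowered in WORST_PASSWORDS:
        problems.append("on_worst_password_list")

    # "Lose the personal info": reject anything that embeds a known personal detail.
    for detail in policy.personal_details:
        if detail and detail.lower() in lowered:
            problems.append("contains_personal_detail")
            break

    # "Keep it unique": no reuse of a password already used elsewhere.
    if password in previously_used:
        problems.append("reused")

    # "Change is a good thing": flag passwords older than the rotation limit.
    if set_on is not None:
        set_on = _as_date(set_on)
        today = _as_date(today) if today is not None else date.today()
        if today - set_on > timedelta(days=policy.max_age_days):
            problems.append("rotation_overdue")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs for a quick demonstration.
    policy = Policy(personal_details={"fluffy", "1987"})
    for candidate in ["123456", "Fluffy1987!", "Tr0ub4dor&3"]:
        print(candidate, "->", check_password(candidate, policy) or "OK")
```

Returning rule names rather than a single pass/fail makes it straightforward to tell the employee exactly which tip the chosen password breaks, and the same function can be run over an existing credential store (with set_on taken from each record) to find passwords that are overdue for rotation.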