Defending your organization's security is like fortifying a castle—you need to understand where attackers will strike and how they'll try to breach your walls. And hackers are always searching for weaknesses, whether it's a lax password policy or a forgotten backdoor. To build a stronger defense, you must think like a hacker and anticipate their moves. Read on to learn more about hackers' strategies to crack passwords, the vulnerabilities they exploit, and how you can reinforce your defenses to keep them at bay.
Analysis of the worst passwords
Weak, commonly used passwords represent the easiest targets for hackers. Every year, experts provide lists of the most frequently used passwords, with classics like "123456" and "password" appearing year after year. These passwords are the low-hanging fruit of a hacker's attack strategy. Despite years of security warnings, users still use simple, easy-to-remember passwords—often based on predictable patterns or personal details that hackers can quickly glean from social media or public records.
Hackers compile databases of these common passwords and use them in brute-force attacks, cycling through likely password combinations until they hit the right one. For a hacker, the worst passwords provide the best opportunity. Whether it's a keyboard walk like "qwerty," or a common phrase like "iloveyou," the simplicity of these passwords offers hackers a direct path into accounts, especially when multi-factor authentication isn't in place.
How long does it take to crack a password?
The length of time it takes to crack a password largely depends on three things:
- The password's length and strength
- The methods used to crack it
- The tools the hacker is using
Hackers can crack short, simple passwords — especially those that use only lowercase letters or numbers — in mere seconds using modern password-cracking tools. But more complex passwords, like those that incorporate different character types (e.g., upper and lowercase letters, symbols, and numbers) are much more challenging to break and take far longer.
Brute force and dictionary attacks are two of hackers' most popular password-cracking methods.
- In a brute force attack, hackers employ tools to methodically try every possible password combination, which means that a weak, seven-character password can be cracked in just a few minutes, while a more complex, 16-character password that includes symbols and numbers may take months, years, or even longer to crack.
- In dictionary attacks, hackers use a predefined list of common words or passwords to guess the right combination, making this method particularly effective against frequently used or simple passwords.
Interested to learn how many of your end users are using weak or compromised passwords? Scan your Active Directory for free with Specops Password Auditor to identify duplicate, blank, identical, compromised passwords and other password vulnerabilities.
Managing password risk
What's your organization's biggest password security risk? Users' behavior. End-users have a tendency to reuse passwords across accounts, or to use weak or easy-to-remember passwords which gives hackers a huge advantage. Once a hacker has cracked a password for one account, they will often try the same password across other services—a tactic called credential stuffing. And if users have reused the password for multiple sites? They've effectively given the hacker the keys to their digital life.
To manage this risk, your organization should promote good password hygiene. Urge end-users to avoid reusing passwords across different sites or accounts. Go beyond educating users; implement system safeguards like lockout thresholds that limit the number of failed login attempts. Additionally, implement multi-factor authentication for end-users and deploy strong password policies that enforce length, complexity, and change intervals.
Passphrases and identify proofing
As hackers and their tools have become more sophisticated, organizations are being forced to reconsider the compositions of passwords. Enter the era of passphrases — a combination of unrelated words that are easy for users to remember but hard for hackers to guess. For example, a passphrase like "hardwood llama spacecraft" is much more secure than a short password comprised of random numbers and letters, but it's also easier for users to recall.
The passphrase's length (often 16 characters or more) combined with the unpredictability of the word combination, makes it much harder for brute-force or dictionary attacks to succeed. You can find more advice on helping end users create passphrases here.
Also consider implementing identity-proofing measures to add another layer of security. Requiring users to verify their identity via email or SMS confirmation adds further protection that even if hackers compromise a password.
Think like a hacker to defend like a pro
By thinking like a hacker, you can better understand how to make things harder for them. Hackers thrive on weak, reused passwords and predictable patterns, exploiting users who ignore password best practices or don't enable MFA.
Solid security policies are the foundation of strong password protection — and Specops Password Policy is a simple solution that helps you customize your requirements. Your organization can enforce compliance and regulation requirements, customize password rule settings, create custom dictionaries, enforce passphrases and even continuously scan your Active Directory for over 4 billion compromised passwords.
To effectively defend against these attacks, your organization must close the gaps. Encourage users to implement long, unique passphrases that will be difficult for hackers to guess. Implement identity proofing methods to provide additional security. And take advantage of industry-leading tools to help enforce password security best practices.