Under Lock and Key | How Do You Choose a Strong Password?

Keep Your Business Data Secure with Strong Passwords

Why is ‘beef stew’ not a good choice for a password? It’s not stroganoff.

Sorry – terrible joke and to be fair, passwords and security are no laughing matter. Cybersecurity should be the forefront of every business’s operations. The threat of a criminal accessing your data is very real and can carry devastating consequences. One of the easiest weaknesses for a hacker to exploit? Weak passwords. However, despite warnings that cybersecurity threats are becoming more sophisticated and therefore even more of a risk for businesses, a worrying amount of people are still using passwords that are easy to guess. A recent study conducted by Cybernews, examined 56 million breached and leaked passwords in 2022 and discovered that the password 123456 was used in 111,417 cases. We’re going to take a look at the main risks associated with weak passwords and help you to avoid them by sharing some tips on how to pick strong passwords that keep hackers out.

How Can Passwords Be Hacked?

Even with the introduction of more advanced security measures, such as biometrics, facial recognition and multifactor authentication, passwords are still one of the most commonly used solutions to prohibit access to data. When used properly, they can be very efficient, however we live in an age where cybercriminals have an arsenal of techniques for stealing passwords and gaining access to data. Let’s take a look at some of the most common password hacking methods and how to avoid falling victim to them!

1) Credential Stuffing

Also known as ‘list cleaning’, credential stuffing works by testing databases of stolen passwords and usernames against multiple accounts to try and find a match.

How Does Credential Stuffing Work?

Think of all the websites you have an account with – there’s probably too many to remember off the top of your head right? From e-Commerce sites to insurance websites and social media, there are so many websites that boast lists of thousands, even millions of user log in information. Sites that lack strong security are regularly breached by cyber criminals who steal this information to sell on to other criminals. It’s common for users to utilise the same password across several sites, so once a cyber criminal finds a match, there’s a good chance that they can use these credentials to hack in to a number of other sites, even those that use good cybersecurity measures.

How to Avoid Credential Stuffing

The best method to avoid falling victim to credential stuffing is not reusing passwords. Sounds simple, but choosing a strong, unique password for every site you use, means that if one password is compromised by a security breach, criminals won’t be able to use it to log in to other sites. Now, the thought of having to create and remember complicated passwords for every site you use may cause you to come out in a hot sweat, but don’t worry, we’ve got some helpful advice to make this task a little easier, later on in this post!

2) Password Spraying

Another common form of password hacking, password spraying involves using a list common passwords against a username.

How Does Password Spraying Work?

Similar to credential stuffing, password spraying works by taking a list of user accounts and testing them against a list of commonly used passwords, such as 123456, password123, admin123 etc. This isn’t as targeted as credential stuffing, as with that technique all of the passwords used are known to work for the user they are targeting. With password spraying, the criminal will have a list of usernames, but won’t know what the password is. Furthermore, most sites these days will have security solutions that detect repeated login attempts from the same IP, which will lock the hacker out after so many failed attempts, so hackers will utilise multiple IPs to extend the amount of attempts they can use to log in to an account.

How to Avoid Password Spraying

Just as the technique of password spraying isn’t an exact science, avoiding it isn’t either. The best step you can take is ensuring that the passwords you’re using aren’t in the top 100 most commonly used passwords to start off with (which you can find out with a quick Google search). Secondly, ensure you are avoiding common words, phrases and combinations in your passwords such as:

• Using the word ‘password’
• Combinations like 123456, qwerty, abc
• Business related words, such as ‘admin’ or ‘guest’
• Lines of repeated numbers or letters, such as 111111 or aaaaaa

Thirdly, as we’ve said with credential stuffing, ensure every password is unique and contains a mixture of letters, numbers and special characters, such as !@?%£.

3) Phishing

Did you know that about 90% of data breaches occur due to phishing? This technique is a social engineering trick that tries to fool users into sharing their details by posing as someone else, such as an official organisation like a bank or government agency or an online vendor.

How Does Phishing Work?

Phishing attacks are usually perpetrated via email, which will contain a link to a cloned site or a malicious attachment. Phishing attacks can also be carried out via text and even over a phone call. These days scammers are capable of creating malicious communication that looks so authentic, so anyone can fall victim to them. Somewhere along the phishing process, the scammer will present some kind of fake form or login platform for victims to enter their details in. They will then be able to use this information to log in to the victim’s real account.

How to Avoid Phishing

A good solution to implement is 2-factor or multi-factor authentication, this provides an extra layer of protection when logging into applications, usually in the form of a mobile application or a code that is sent to a device to confirm your identity. Even if a hacker has managed to steal your password, they would have to get past the multi-authentication barrier to gain access to your data.

Prevention is always better than cure, so if you can avoid falling victim to a phishing scam in the first place, this will be much more beneficial. The best solution is to exercise caution when receiving communication, especially from addresses or contacts you don’t recognise. Here are some handy tips for what to do if you receive a suspicious email, text or phone call.

• Financial organisations, such as a bank or HMRC will never request your details via email – if you receive written correspondence requesting this information, it is a clear sign that this is a scam.
• Never click on attachments or links within emails from contacts you either don’t know or aren’t sure of their legitimacy.
• Although scammers are becoming more competent in copying official branded emails that look like the real deal – there are usually some tell-tale signs that it is a fake, such as:
  • Typos in the body text and/or subject line
  • Blurry/skewed images and outdated or low quality logos
  • Discrepancies within the email address

If in doubt, the best course of action is to get in touch with your IT team and report the email, so they can inspect it.

4) Malware

Malware is another common technique that criminals use to steal log in credentials from victims and criminals usually use Phishing as the prime vector for this attack.

How Does Malware Work?

The usual process for this kind of attack is the victim clicking on a fake link in an email, a malicious advert online or even, accidentally visiting a compromised website or downloading a mobile app. There are various different types of malware that are built to steal information in different ways, but here are a few examples of the most common types:

• Keylogging – tracking the strokes directly onto a keyboard or pin pad
• Spying malware – can be used to hack into webcams to watch and record a victim’s activity
• Ransomware – used to block access to a business’s data or system until the business pays the criminal money or meets their demands

How to Avoid Malware

Unfortunately, there is no surefire way of preventing malware attacks, as the technology and techniques that hackers are using are only becoming more advanced and sophisticated. However there are reliable precautions you can take to reduce your risk.

• Install anti-virus and anti-spyware software
• Ensure you’re using secure authentication methods – good password hygiene, multi-factor authentication, biometric tools
• Reduce access to networks and applications to the personnel who require it
• Keep software updated
• Email is a common malware channel, so ensure you are implementing security measures and spam protection
• Educate users on security risks

5) Brute Force

Although the chances of this kind of attack are relatively low, it’s not impossible. Brute force is expensive, time-consuming and tricky to accomplish, so it’s not often used by criminals, but despite the low risk, it’s still good to have an understanding on what it is to avoid falling victim to it.

How Does Brute Force Work?

This technique is something you’re more likely to see in movies and tv shows than in real life. You know the kind of scene we’re talking about: a criminal sits there in a darkened room, furiously typing away on a computer and all of a sudden the code disappears, the password is cracked and is revealed in plain sight on screen. Hackers will usually use a specialised tool to force their way in and steal credentials, but on the whole, there are two main types of brute force techniques that are used:

• ‘Dictionary’ attack – the criminal uses every word in the dictionary as the password, by running them through a programme until they find a match.
• Password hashing – where the hash of a plain-text password is acquired and the aim is to try and find a match by linking up as many plain-text passwords as possible until one matches.

How to Avoid Brute Force Attacks

The first key step you can take to avoid falling victim to a brute force attack, is to avoid short passwords – 16 characters, as a minimum, should be sufficient. However, creating passwords with a character length that meets the maximum limit of the log in platform is ideal, as this will be difficult to target. Now, we understand that having to remember multiple passwords is daunting within itself, but having to remember long passwords of 16 characters or more can seem like an impossible task – don’t worry, we’ll share some tips for this shortly!

What Passwords Are Easy to Guess?

In general, passwords that are short, made up of just letters and use common words or phrases are going to be the easiest to compromise and will make you the ideal target for a hacker. To give you an idea on which passwords you shouldn’t be using, here are the top 10 most common passwords that will be a prime target for all cyber criminals:

• 123456
• 123456789
• qwerty
• Password
• 12345
• qwerty123
• 1q2w3e
• 12345678
• 111111
• 1234567890

See your password in this list? You’re going to want to get that changed ASAP.

Have you noticed some common features in these passwords? They follow patterns, e.g. number sequence, letter sequence on a keyboard or they’re less than 16 characters, easy-to-guess phrases, like ‘password’ and/or contain no special characters.

Which Passwords Are the Most Secure?

We wish we could give you a list of strong passwords that are guaranteed to be ‘uncrackable’ even by the most advanced cyber criminal mastermind, but sadly that isn’t possible. However what we can do is provide the recipe for strong passwords to give yourself the best chance against hackers.

The main characteristics of a strong password are:

• A long password – minimum of 16 characters
• A mixture of:
  • Uppercase letters
  • Lowercase letters
  • Numbers
  • Symbols
• Avoiding memorable keyboard paths e.g. qwerty or 12345
• Avoid using personal information

Another key point to remember is to use a unique password for every single account you own, so if one password does become compromised, hackers cannot use it across multiple accounts.

When Should Passwords Be Changed?

So, you’ve picked strong passwords for all of your accounts, your job is done now, right? Actually, no. It’s also important to remember to change your passwords on a regular basis. It is recommended that you should be changing your password for a new, unique password (not an old recycled one) at least once every 2-3 months. However, bear in mind this recommendation is assuming you’ve not had an issue with security. There are some situations where it is vital that you change your password immediately:

• After a security breach – if your business or an organisation/site/application you work with declares that there has been a data breach, you should change your password as soon as you find out to protect your data.
• Suspicion of Unauthorised Access – if you think someone has tried to hack into your account, such as a notification of a log in attempt that wasn’t you, change your password immediately.
• Malware – change your password as soon as possible, if your anti-virus solution detects malicious software on your computer – try to change your password from a different device, if possible.

Which Password Manager is Best?

Now, we’ve given you a lot of information on how to choose a strong password to protect your data, but what we’ve not told you is how to keep track of these passwords. Honestly, it is a tough job to keep track of a range of passwords that are 16+ characters long and are designed to not be memorable when writing your passwords down is definitely not an option – but it’s vital that you do. So what’s the answer?

Invest in a password manager. This is a secure database that you can use to create and store complex passwords. There’s no need to remember them, as you can simply copy and paste your log in credentials from the password manager platform to the site/application/platform you’re trying to access.

When it comes to choosing the best password manager, it’s important to ensure it includes the following features:

• Encryption of passwords and information stored within the manager
• Password generator
• Secure log-in with master password/multifactor authentication
• Copy and paste function for log in credentials
• Used across multiple devices.

Safeguard Your Data with IT Security Solutions from Netcentrix

From automating your security processes using Microsoft Azure to implementing solutions, such as mobile device management, multi-factor authentication and firewalls to complete audits of your current processes, we’re here to keep your data safe and the hackers out of your network. Our team of expert specialists are capable of analysing your current security operations and will work with you to identify the solutions you need to bolster those operations. We will advise on steps you can take to ensure your team operating in a secure way, such as password management and provide support with any queries you have regarding your business’s data security.

Your business is worth protecting and the threat of a cyber attack is very real.

Contact us today and let our experts help you to ensure your data is kept under lock and key.