Password cracking refers to using various methods to discover computer passwords. In some situations, this may be legal, such as when someone forgets the password to their computer or USB, but many times it's used by computer hackers to get access to accounts or machines that don't belong to them. Since password-based attacks are a lot less complicated than other hacking methods, it's become trendy. It's estimated that 63% of data breaches result from weak or stolen passwords. Since almost every user and every account has a username and password associated with it, it's a very reliable attack surface for attackers. They know it will be there, and since many people use very basic passwords, there's a good possibility that the hackers will be able to guess the password using modern-day software. To prevent this, organizations must implement controls around user passwords to make it more difficult for hackers to access the company through a user's account. Here are ten tips for defending against password cracking:
1) Enforce a Password Policy
A password policy means that you create a set of rules and requirements that users must follow when they make and use their passwords. Some simple things to include would be to mandate that the password be a minimum length, use complex characters, and have numbers. In addition to this, you may also want to ban passwords that include common patterns such as password, 123456, etc. This way, your users are less likely to be victims of a dictionary attack that tries commonly used passwords. Also, you want to make sure that people rotate their passwords every six months and can't reuse them. People should always have to create brand new passwords.
2) Enforce login limits
Every software application or login portal that you use should have a login limit. So people can't continually attempt to guess a user's password until they have success. Typically people set a limit of 3-5 attempts before the account gets locked and reset by sending a message to their email.
3) Add salt to your password hashes
Salting a password is a cryptographic term for adding input to a hashing function. The purpose of adding this random information is to protect hashed passwords that are using a rainbow table. It uses pre-computed password hashes to try and guess the correct password. Adding a random piece of information to all password hashes makes it so that they don't match up to the pre-computed in the rainbow table, even if the password is the same.
4) Enable MFA
Another way to protect your password is to add an extra layer of protection. In addition to a username and password, multi-factor authentication asks you another piece of information to log in. The easiest way people do this is through a code sent to your email or your phone. Other authentication methods of doing this can include having a keycard, fingerprints, or retinal scan.
5) Geo-Lock accounts
If the account is relevant, you can take steps to geo-lock the account. For example, the user must log in from a particular geographical location or IP address. Therefore, you can significantly reduce the number of people that can even attempt to crack that password.
6) Change default passwords
Default passwords are one of the most significant attack vectors for password cracking. The reason being is that you can easily google a particular software/platform and find out what the default passwords are for that service. Then if you can get access to a login portal of a target, you can enter that password in, and if someone has failed to change it, they can immediately get access. Hence, you want to make sure that you change default passwords where possible and make it mandatory for users to change default passwords assigned to them when they first log in to any of your services.
7) Never share your password
It would help if you never share your password with anyone, so anyone has the possibility of using it to compromise your account. In a corporate environment, this is called an insider threat, someone inside the company, such as a co-worker that may use your password to get into your account and do something they aren't supposed to.
8) Use a password manager
Password managers ensure that users have strong passwords and keep safe passwords. Password managers are also very convenient. Many browsers like google chrome come with a built-in password manager. These passwords are typically very secure, and some also provide notifications about things such as if your password has appeared in a data breach.
9) Monitor the web for leaked passwords (GitHub and data leaks)
Many times through data breaches on other websites, a user's password can get leaked. Since many people reuse passwords across multiple accounts, their business/corporate email is compromised due to a data breach on another website. Also, companies that hire many developers will often accidentally commit code to GitHub with corporate usernames, passwords, and other access keys. Consequently, you must have programs that can monitor the web for leaked passwords to remove or change them before they can get hacked.
10) Monitor accounts
The last tip for protecting against password cracking is to monitor user accounts. You must keep track of how many failed logins accounts have, how devices are being used for loggings, where geographically people are, what time the logins are occurring and what is being done on the account. These factors can indicate that someone is trying to hack into the account or has successfully hacked into the account. In addition, you should have a threshold where if a particular activity fits well outside of the pattern for that user, it should raise an alert to be looked at further. For example, excess failed logins, repeated logins outside standard work hours, logins on unknown devices, etc. All of these can be indicators of compromise for user accounts.