Passwords Continue to Be the Weak Link
When we think about an organization getting hacked, we may picture a tech-savvy hacker in front of a complicated computer setup. These kinds of hackers do exist, but they’re probably not common! With the rise of hacking services and previously hacked login information available online, the only thing really needed to be a hacker is a willingness to commit a crime.
According to the 2020 report Under the Hoodie by Rapid7, password management and control is the biggest threat to an organization’s network. A weak or ill-defined password policy can open the door to attacks like password spraying, where hackers take a few common passwords and pair them with known usernames in the hope of finding a match. If users are not required to have complex passwords, some will rely on weak, easy-to-remember passwords like password1 or autumn2020. And remember: it takes just one weak password to compromise the entire network.
Hackers will also attempt to gain access to accounts by using previously hacked username and password combinations. Often, when a company announces a data breach involving passwords, it will note that the passwords were encrypted or “hashed.” This detail is meant to reassure you that your password is still safe, but that’s not necessarily true.
Passwords are hashed using a one-way hashing function. A hashed password cannot be decrypted, but that doesn’t mean it can’t be cracked. Hackers may try a dictionary attack, which takes likely passwords and phrases, hashes them, and compares the results against the stolen password hashes. Another option for cracking hashed passwords is a brute-force attack, which hashes every possible combination of characters up to a certain length.
A complex password helps defend against cracking of hashed passwords, but it doesn’t guarantee safety. And, unfortunately, we don’t always find out right away that our accounts have been compromised. If you reuse passwords, multiple accounts will remain vulnerable until you learn of the breach and reset that password on every account.
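As an added example (not code from the original post or from Rapid7), here is a small password-policy check that rejects the kinds of passwords the post describes: entries on a common-password list, the season+year pattern behind passwords like autumn2020, short passwords that brute force can reach, and reuse of a previously breached password. The common-password list and the "breach corpus" of hashes are constructed sample data, not real breach data.

```python
import hashlib
import re

# Constructed sample data (assumption, not real breach data): a few common
# passwords of the kind password spraying tries first, plus a tiny "breach
# corpus" of previously leaked passwords stored as SHA-256 hashes.
COMMON_PASSWORDS = {"password1", "autumn2020", "welcome1", "123456"}
BREACHED_HASHES = {
    hashlib.sha256(p.encode()).hexdigest()
    for p in ("Summer2019!", "letmein", "qwerty123")
}
# Season + four-digit year, optionally followed by one symbol (e.g. Spring2021!).
SEASON_YEAR = re.compile(r"^(spring|summer|autumn|fall|winter)\d{4}[!@#$]?$", re.I)
# Below this length an offline brute-force attack against a fast hash is practical.
MIN_LENGTH = 12


def check_password(candidate: str) -> list[str]:
    """Return the policy violations for a candidate password (empty list = acceptable)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if SEASON_YEAR.match(candidate):
        problems.append("follows the season+year pattern")
    # SHA-256 is used here only as a lookup key into the breach corpus; stored
    # passwords should use a slow, salted algorithm, not a plain fast hash.
    if hashlib.sha256(candidate.encode()).hexdigest() in BREACHED_HASHES:
        problems.append("matches a previously breached password")
    return problems


if __name__ == "__main__":
    for pw in ("password1", "Autumn2020", "Summer2019!", "correct horse battery staple"):
        verdict = check_password(pw)
        print(f"{pw!r}: {'OK' if not verdict else '; '.join(verdict)}")
```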