Passwords Continue to Be the Weak Link

When we think about an organization getting hacked, we may picture a tech-savvy hacker in front of a complicated computer setup. These kinds of hackers do exist, but they’re probably not common! With the rise of hacking-for-hire services and previously breached login credentials available online, the only thing really needed to be a hacker is a willingness to commit a crime.

According to the 2020 report Under the Hoodie by Rapid7, password management and control is the biggest threat to an organization’s network. A weak or ill-defined password policy can lead to openings for attacks like password spraying, where hackers take a few common passwords and pair them with known usernames in the hope of finding a match. If users are not forced to have complex passwords, some will rely on weak, easy-to-remember passwords like password1 or autumn2020. And remember: it takes just one weak password to compromise the entire network.

Hackers will also attempt to gain access to accounts by using previously breached username and password combinations. Often, when a company announces a data breach involving passwords, it will note that the passwords were encrypted or “hashed.” This detail is meant to reassure you that your password is still safe, but that is not necessarily true.

Passwords are hashed using a one-way hashing function. A hashed password cannot be decrypted, but that doesn’t mean it can’t be cracked. Hackers may try a dictionary attack, which hashes likely passwords and phrases and compares the results against the stolen password hashes. Another option for cracking hashed passwords is a brute-force attack, which hashes every possible combination of characters up to a certain length.

A complex password can help defend against cracking hashed passwords, but it doesn’t guarantee safety. And, unfortunately, we don’t always find out right away that our accounts have been compromised. If you reuse passwords, multiple accounts will be vulnerable until you learn of the breach and reset that password on all accounts.

Ultimately, the best defense of our networks is multi-pronged. Here are some suggestions for user account management, and specifically for passwords. First, mandate a password policy. Passwords should have a minimum length and complexity requirement; the longer the password, the better. Second, if you can enable multi-factor authentication for logins from outside the network, do so. This should make it nearly impossible for an outsider to access company resources with stolen or guessed passwords. Third, be sure to lock or disable accounts when employees leave. Former employees may decide to abuse their access if it’s still available. Fourth, monitor for suspicious login activity, such as too many attempts in a short time frame or logins from outside a certain geographical area. These can tip you off to potential bad actors and intrusions. And finally, make sure you communicate the reasons for your password policies and security controls. This can help employees accept a stringent login process.
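As an added example (not part of the original post), the following script applies the fourth suggestion to the password-spraying pattern described earlier: it reads a constructed authentication log and flags a source that fails against many different accounts in a short window (spraying) as well as an account that collects many failures in a short window (brute force). The log format, IP addresses, usernames and thresholds are all assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data).
# Assumed format: "<ISO-8601 timestamp> <source IP> <username> <SUCCESS|FAILURE>".
SAMPLE_LOG = """\
2020-11-02T08:00:01 203.0.113.7 alice FAILURE
2020-11-02T08:00:04 203.0.113.7 bob FAILURE
2020-11-02T08:00:07 203.0.113.7 carol FAILURE
2020-11-02T08:00:10 203.0.113.7 dave FAILURE
2020-11-02T08:00:13 203.0.113.7 erin FAILURE
2020-11-02T08:00:16 203.0.113.7 frank SUCCESS
2020-11-02T09:15:00 198.51.100.4 grace FAILURE
2020-11-02T09:15:02 198.51.100.4 grace FAILURE
2020-11-02T09:15:04 198.51.100.4 grace FAILURE
2020-11-02T09:15:06 198.51.100.4 grace FAILURE
2020-11-02T09:15:08 198.51.100.4 grace FAILURE
2020-11-02T12:00:00 192.0.2.9 heidi FAILURE
2020-11-02T12:30:00 192.0.2.9 heidi SUCCESS
"""

def parse_log(text):
    """Yield (timestamp, source_ip, username, succeeded) for each non-empty line."""
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            yield datetime.fromisoformat(ts), ip, user, result == "SUCCESS"

def _peak_in_window(events, window, distinct):
    """events: time-sorted (timestamp, label) pairs. Return the largest number of
    events (or of distinct labels) inside any window that starts at an event."""
    peak = 0
    for i, (start, _) in enumerate(events):
        labels = [lab for ts, lab in events[i:] if ts - start <= window]
        peak = max(peak, len(set(labels)) if distinct else len(labels))
    return peak

def detect(text, window=timedelta(minutes=10), spray_users=5, brute_attempts=5):
    """Return (spraying_sources, brute_forced_accounts) derived from failed logins.
    Spraying: one source fails against many distinct accounts within the window.
    Brute force: one account accumulates many failures within the window."""
    by_source, by_account = defaultdict(list), defaultdict(list)
    for ts, ip, user, ok in parse_log(text):
        if not ok:  # only failures count toward either pattern
            by_source[ip].append((ts, user))
            by_account[user].append((ts, ip))
    sprayers = sorted(ip for ip, ev in by_source.items()
                      if _peak_in_window(sorted(ev), window, True) >= spray_users)
    targets = sorted(u for u, ev in by_account.items()
                     if _peak_in_window(sorted(ev), window, False) >= brute_attempts)
    return sprayers, targets

if __name__ == "__main__":
    print(detect(SAMPLE_LOG))  # (['203.0.113.7'], ['grace'])
```

Note that the spraying source in the sample ends with a success against frank, which is exactly the event the alert should lead an analyst to examine first.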
