In a world governed by data privacy rules, businesses are going beyond the use of passwords to secure their systems.
Despite these efforts, more than 80% of all hacking incidents still use weak or stolen credentials to breach computer systems, according to a 2018 Verizon report.
Passwords continue to be one of the “principal means of defense – and areas of weakness” among the security standards in use today, experts from Okta, a developer of cloud-based identity management software, pointed out.
Okta reviewed the password policies (not the actual passwords) of clients to gauge whether their “policy complexity [was] good enough to mitigate online credential-based attacks”, namely:
- Password spraying
- Brute force attacks
- Credential phishing
Password spraying tries a handful of generic passwords, such as ‘password123’ or ‘password1’ and ‘password2’, against many accounts at once. Brute force attacks, in contrast, fire a long, specific list of passwords at a single target.
Since the average password policy requires alphanumeric, case-sensitive combinations of the upper case A to Z, lower case a to z, and digits 0 to 9, hackers would take approximately 7,000 years to work their way through all possible combinations using the 62 characters, Okta researchers said.
Cyber attackers, however, aren’t that stupid – they do not try every combination. If previously compromised credentials haven’t already been dumped on the dark web, chances are hackers will instead resort to more sophisticated tools, such as password-guessing algorithms, to pry open your locks.
Some hackers might even devise a ploy – through phishing – to get users to give up their credentials on their own. The method often includes a data entry form, such as a dummy login page, where account owners are duped into entering their credentials. From there, hackers steal the login info.
How can businesses and their employees up their defense against cyber attacks? Okta recommends three ways:
- Increase the minimum password length and complexity
- Enforce policies that exclude common or previously breached passwords
- Enforce multi-factor authentication (MFA) on all logins, requiring additional proofs of identity/ownership
“One of the most secure ways to effectively mitigate all credential-based attacks is by combining strong password policies with MFA,” Okta said.