Passwords can be a point of contention for many companies. Employees complain about having to change passwords frequently. Many decide to create easy-to-remember passwords that meet the minimum requirements set by the system. For example, they change their passwords by incrementing the number at the end of the same password. It may pass the system checks, but it won't take long for a hacker to determine the password.
Several private companies and government agencies publish a list of the most hacked passwords every year. Unfortunately, the top hacked passwords have remained consistent for the last six years. These include:
- 123456
- 123456789
- 111111
- password
- qwerty
Despite password policies, people still use weak passwords, creating opportunities for bad actors to compromise a system.
Verizon's 2021 Data Breach Investigations Report found that 61% of breaches involved credentials. If companies could ensure that only strong passwords were used, they could eliminate the majority of system compromises. Password auditors can help: they are security tools that minimize the use of weak passwords and so make a network more secure.
What is a Password Auditor?
Password auditors are specialized software that scans a network for password-related vulnerabilities. Using tools similar to those used by hackers, these programs try to compromise passwords to gain access to a system. The software simulates possible attacks such as the following:
- Brute Force Attack. Hackers run a program that tries different combinations to determine a possible password.
- Dictionary Attack. This kind of attack relies on software that uses a dictionary, plus common passwords and phrases.
- Hybrid Attack. Hackers use brute force techniques with dictionary tools looking for possible matches.
- Reverse Brute Force Attack. These attacks take a small set of common passwords and try each one against many accounts, looking for a match.
Once cybercriminals have working credentials, they try those same usernames and passwords on other systems, since many people use the same password for multiple logins. To counter these attacks, a password auditor performs a vulnerability scan to identify weaknesses such as the following:
Weak Passwords
Passwords that are too short, simple, or common are weak. With today's processing power, cybercriminals can check millions of accounts in a matter of minutes. These brute force tools are often purchased as a service, meaning hackers can rent the tool rather than create it from the ground up. As a result, bad actors can launch an attack in seconds.
Pwned Passwords
Stolen usernames and passwords are often leaked online; such passwords are considered "pwned." Because the credentials are available online, hackers can integrate the leaked passwords into their credential-hunting tools and use the updated tools to break into other networks. Since people may reuse passwords, any pwned password found in use on the network should be removed.
Shared Passwords
Every user should have their own credential when accessing an account. In the past, users may have shared credentials to reduce per-seat costs; however, the practice increases the chances that a password will be compromised. The added cost of extra user licenses is minimal compared to the cost of a data breach.
How to Remove Password Vulnerabilities
Strong password policies are the beginning of good security hygiene. However, the policies must be enforced. One of the best ways to do that is with a password auditor. This specialized software performs vulnerability scans to identify weak, pwned, or shared passwords. It can evaluate password usage and simulate attempts to compromise credentials.
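As an added illustration (not Havoc Shield's product or any real auditor's code), a small Python audit that applies the three checks just described to constructed sample accounts. The common-password list is the one given earlier on this page; the leaked-password corpus, the sample accounts and the eight-character minimum are assumptions, and a real auditor would work from the directory's stored hashes and a full breach corpus rather than plaintext.

```python
import hashlib
from collections import defaultdict

# Constructed data (illustrative only): the frequently hacked passwords the page lists, and a
# stand-in for a leaked-credential corpus held as SHA-1 hex digests rather than plaintext.
COMMON_PASSWORDS = {"123456", "123456789", "111111", "password", "qwerty"}
PWNED_SHA1 = {hashlib.sha1(p.encode()).hexdigest() for p in ("letmein", "Summer2021!")}
MIN_LENGTH = 8  # assumed policy minimum; the page states no specific number

def is_weak(password):
    # Too short, too few character classes, or a common password with or without the
    # trailing digits people append when forced to "change" it.
    if len(password) < MIN_LENGTH:
        return True
    checks = (str.islower, str.isupper, str.isdigit, lambda c: not c.isalnum())
    if sum(any(check(c) for c in password) for check in checks) < 3:
        return True
    lowered = password.lower()
    return lowered in COMMON_PASSWORDS or lowered.rstrip("0123456789") in COMMON_PASSWORDS

def is_pwned(password):
    return hashlib.sha1(password.encode()).hexdigest() in PWNED_SHA1

def audit(accounts):
    # accounts: {username: plaintext}. Returns {username: [findings]} for flagged accounts;
    # "shared" marks a hash present on more than one account (the shared-credential case).
    findings, users_by_hash = defaultdict(list), defaultdict(list)
    for user, password in accounts.items():
        users_by_hash[hashlib.sha1(password.encode()).hexdigest()].append(user)
        if is_weak(password):
            findings[user].append("weak")
        if is_pwned(password):
            findings[user].append("pwned")
    for users in users_by_hash.values():
        if len(users) > 1:
            for user in users:
                findings[user].append("shared")
    return dict(findings)

# Constructed sample accounts, not real credentials.
SAMPLE_ACCOUNTS = {
    "alice": "Tr0ub4dor&3xample!",  # meets policy, not leaked, unique
    "bob": "password1",             # common password with a digit appended
    "carol": "letmein",             # short and present in the leak corpus
    "dave": "Winter2022#",          # same password as erin
    "erin": "Winter2022#",
    "frank": "Summer2021!",         # policy-compliant but leaked
}
```

Running `audit(SAMPLE_ACCOUNTS)` flags bob as weak, carol as weak and pwned, dave and erin as shared, and frank as pwned, while alice is not reported.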
Hackers can crack an eight-character password with numbers, upper and lower case letters, and special characters in eight hours. Lowering the password length to six with the same mix of letters, numbers, and symbols reduces the time to compromise to five minutes. The less complex the password, the faster the compromise. For example, a ten-digit password of numbers only can be hacked in seconds.
Given that over 50% of all security incidents start with compromised credentials, deploying a password auditor can significantly reduce the chance of compromise. It can identify weaknesses for immediate correction and help ensure that password policies are followed.
Havoc Shield offers an all-in-one security platform to help secure your digital assets without adding to IT's workload. Designed for highly regulated industries such as financial services, our solution ensures compliance with regulatory requirements.
See for yourself how a password manager, along with a dozen other cybersecurity tools, can make your company safer.