Protecting Yourself from a Password Cracker

Protecting yourself and your organization from password crackers may appear to be an impossible mission, but it is much easier than you might imagine. You just need to have the right solution in place.

There are dozens of password cracking applications available on darknet marketplaces, each with its own features, but they all work in a similar fashion: they automate the process of password cracking and make password guessing effortless for the attacker. These password cracking tools will:

  1. Use lists of commonly used passwords and dictionary words.
  2. Enter all possible combinations of credentials in automated brute force attacks.

When you set out to bolster your cybersecurity defenses by blocking password crackers you need to understand what the cybercriminals are trying to achieve. They are not simply trying to gain access to your online accounts. What they are really seeking is a list of the passwords your organization is using together with the programs and services they are being used on.

Many companies keep files containing lists of passwords, which can be accessed from the root level of most server operating systems, although they are often saved by specific programs. There may be some protections in place to prevent these files from being accessed, such as encryption; however, even an encrypted list of passwords can be cracked by hackers relatively easily.

When a password list is stolen, the hackers can take their time cracking the encryption and then use those passwords in subsequent attacks. The username/password combinations are often sold on to other threat groups.

There are two main methods used for password cracking:

  1. Brute force cracks: Multi-core processors and graphics processing units are used to brute force passwords, testing huge numbers of possible username and password combinations per second. Some brute force cracking software also uses rainbow tables. These are precomputed lookup tables of known values that can sometimes help to reverse encrypted or hashed password text.
  2. Dictionary crack: This involves using candidate lists of known passwords, pattern checking, and word list substitution to compile lists of commonly used passwords. Using this tactic, a hacker could gain access to up to 20% of a password file using only the 10,000 most frequently used passwords.

Both of these attacks rely on one of the most common security failures in organizations: the absence of strong passwords for databases and accounts. Even though it is widely recognized that long, complex passwords are difficult to crack, weak passwords are still routinely set. A 13-character password that includes a range of alphanumeric characters and special characters is now considered to be the minimum requirement to protect against password crackers.
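To make the two points above concrete (the dictionary attack's "word list substitution" and the 13-character minimum), here is an added example of a password policy check a defender might run at password-set time. It is not code from the original article. It rejects passwords that are too short, lack the required character classes, or are simple variations of a commonly used password, and it estimates the brute-force keyspace so the effect of length is visible. The ten-entry `COMMON_PASSWORDS` set, the substitution map and the guess rate are constructed assumptions standing in for the real lists and hardware a deployment would use.

```python
import math
import re

# Constructed sample standing in for the 10,000-entry common-password lists
# the article mentions (assumption: a real deployment loads a published list).
COMMON_PASSWORDS = {
    "123456", "password", "qwerty", "letmein", "welcome",
    "iloveyou", "admin", "football", "monkey", "dragon",
}

# Substitutions a dictionary cracker applies to word lists ("word list
# substitution"); undoing them makes "P@ssw0rd" match "password". Assumed map.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

MIN_LENGTH = 13  # the minimum length the article recommends


def normalize(pw: str) -> str:
    """Lower-case, drop trailing digits/symbols ('password123!' -> 'password'),
    then reverse common character substitutions."""
    base = re.sub(r"[^a-z]+$", "", pw.lower())
    return base.translate(LEET_MAP)


def char_classes(pw: str) -> set:
    """Set of character classes present: lower, upper, digit, special."""
    classes = set()
    for ch in pw:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        else:
            classes.add("special")
    return classes


def keyspace_size(pw: str) -> int:
    """Number of candidates a brute-force attack must try at worst:
    alphabet_size ** length, with the alphabet estimated from the classes present."""
    sizes = {"lower": 26, "upper": 26, "digit": 10, "special": 33}
    alphabet = sum(sizes[c] for c in char_classes(pw))
    return alphabet ** len(pw) if alphabet else 0


def keyspace_bits(pw: str) -> float:
    """Same keyspace expressed in bits (log2), the usual way to compare strength."""
    size = keyspace_size(pw)
    return math.log2(size) if size else 0.0


def seconds_to_exhaust(pw: str, guesses_per_second: float) -> float:
    """Worst-case time for a cracker guessing at the given rate (assumed rate)."""
    return keyspace_size(pw) / guesses_per_second


def check_password(pw: str) -> list:
    """Return the list of policy failures; an empty list means the password passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = char_classes(pw)
    if not (classes & {"lower", "upper"}):
        problems.append("needs a letter")
    if "digit" not in classes:
        problems.append("needs a digit")
    if "special" not in classes:
        problems.append("needs a special character")
    if pw.lower() in COMMON_PASSWORDS or normalize(pw) in COMMON_PASSWORDS:
        problems.append("derived from a commonly used password")
    return problems


if __name__ == "__main__":
    for candidate in ["password", "P@ssw0rd123!", "correct-Horse7batteryStaple"]:
        print(f"{candidate!r}: {keyspace_bits(candidate):.1f} bits, "
              f"{check_password(candidate) or 'OK'}")
```

The normalization step matters more than the keyspace arithmetic: "P@ssw0rd123!" contains every character class and scores well on a naive complexity meter, yet a dictionary cracker with substitution rules reaches it almost immediately, which is why the check treats it as the common word it is derived from.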

The reason that a lot of workers set weak passwords is that long strings of random characters are difficult to remember, especially since each account needs a different, unique and strong password. The easiest solution is a password manager. Password managers can be configured to automatically generate strong, unique passwords based on the complexity requirements set by an administrator. Users will not have to set their own passwords or remember them, as the password manager will do this for them. All that is required is for a strong master password to be created, which can be a long passphrase unique to a person and easy for them to remember, but impossible to guess even if a password cracker is used. If two-factor authentication is also configured on the password manager, organizations will be well protected against password crackers and their accounts and networks will stay secure.
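The generation side of what a password manager does, as an added example that is not the article's own code nor any particular product's: random per-account passwords that satisfy an administrator's complexity rule, and a master passphrase built from a word list. The character-class rule, the 32-word `WORDS` list and the default lengths are assumptions chosen for illustration; the one non-negotiable design choice it shows is drawing randomness from the operating system CSPRNG via the `secrets` module rather than the seedable `random` module.

```python
import math
import secrets
import string

# Character classes an administrator's policy requires (assumed policy:
# at least one of each class, minimum 13 characters as in the article).
LOWER, UPPER, DIGITS = string.ascii_lowercase, string.ascii_uppercase, string.digits
SPECIAL = "!@#$%^&*()-_=+[]{};:,.?/"
ALL = LOWER + UPPER + DIGITS + SPECIAL
MIN_LENGTH = 13


def generate_password(length: int = 16) -> str:
    """Random password containing at least one character of every class.
    secrets.choice uses the OS CSPRNG; random.choice would be predictable."""
    if length < MIN_LENGTH:
        raise ValueError(f"policy minimum is {MIN_LENGTH} characters")
    # one guaranteed character per class, the rest from the full alphabet
    chars = [secrets.choice(LOWER), secrets.choice(UPPER),
             secrets.choice(DIGITS), secrets.choice(SPECIAL)]
    chars += [secrets.choice(ALL) for _ in range(length - 4)]
    # shuffle with the CSPRNG so the class positions are not predictable
    secrets.SystemRandom().shuffle(chars)
    return "".join(chars)


def meets_policy(pw: str) -> bool:
    """Local re-check of the policy the generator promises to satisfy."""
    return (len(pw) >= MIN_LENGTH
            and any(c in LOWER for c in pw)
            and any(c in UPPER for c in pw)
            and any(c in DIGITS for c in pw)
            and any(c in SPECIAL for c in pw))


# Constructed 32-word list for the master passphrase. A real manager would use
# a published list of several thousand words; 7,776 words (a Diceware-style
# list) gives about 12.9 bits per word instead of the 5 bits here.
WORDS = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "hammer",
    "island", "jacket", "kettle", "lantern", "marble", "needle", "orchid", "pepper",
    "quartz", "ribbon", "saddle", "timber", "unicorn", "velvet", "walnut", "xenon",
    "yogurt", "zephyr", "bridge", "copper", "desert", "forest", "glacier", "harbor",
]


def generate_passphrase(n_words: int = 6, words=WORDS) -> str:
    """Master passphrase: words chosen uniformly at random, joined with hyphens.
    Long, memorable, and its strength comes from the list size and word count."""
    return "-".join(secrets.choice(words) for _ in range(n_words))


def passphrase_bits(n_words: int, words=WORDS) -> float:
    """Entropy of a passphrase drawn uniformly from the list: n * log2(len(list))."""
    return n_words * math.log2(len(words))


if __name__ == "__main__":
    pw = generate_password()
    print(pw, meets_policy(pw))
    print(generate_passphrase(), f"({passphrase_bits(6):.1f} bits from this list)")
```

The passphrase entropy figure is what to compare against the brute-force discussion earlier: it depends only on the list size and word count, not on how exotic the words look, so a six-word phrase from a large list is far beyond any guessing budget while still being something a person can remember.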

Author: Maria Perez