Your IT Consultant
Information Technology Blog
by John W. Simek, Vice President of Sensei Enterprises, Inc.
Five Techniques Cybercriminals Use to Crack Passwords
May 11, 2023
Despite efforts to move us to a passwordless world (we’re not there yet), passwords will remain a requirement for many systems for several years. To help provide more secure environments, users need to understand how cybercriminals try to break into their accounts. In other words, know thy enemy. To help you understand how passwords are attacked, Bleeping Computer has a post discussing five techniques used to crack passwords. Those techniques are:
- Brute Forcing
- Dictionary Attack
- Credential Stuffing
- Weak (Insecure) Password Hashes
- Password Cracking Tools
Be sure to look at the chart in the Brute Forcing section. The message is clear: longer and more complex passwords take far longer to crack. Users can do several things to improve their password hygiene. It’s a good idea to review what you can do and follow the recommendations from NIST. We can’t control how a service stores our credentials (the last item below is on the service side), but there is plenty we can control.
- Ditch mandatory periodic password changes. Change a password only when the user explicitly asks to or when it is known to have been breached.
- Drop arbitrary complexity rules and focus on overall password length, with a minimum of 12 characters.
- Screen every new password against lists of commonly used and previously compromised passwords.
- Do not reuse passwords across different services; reuse is exactly what credential stuffing exploits.
- On the service side, stronger password hashing (PBKDF2 rather than MD5, for example) means that even shorter passwords take far longer to crack.
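To make the chart and the list above concrete, here is an added example in Python. It is not code from the original post or from the Bleeping Computer article: it implements a NIST-style password check that enforces length and a compromised-password blocklist instead of composition rules, runs a small dictionary attack against an unsalted MD5 hash to show why the blocklist (and its handling of "Password1!"-style variants) matters, and estimates brute-force time for MD5 versus PBKDF2 storage. The blocklist entries, the attacker guess rate and the PBKDF2 iteration count are assumptions chosen for illustration, not measured figures.

```python
import hashlib
from typing import Optional

# Constructed sample of "commonly used or previously compromised" passwords
# (illustrative only; a real check would load a breached-password corpus).
BLOCKLIST = {
    "password", "password1", "letmein", "iloveyou", "welcome1",
    "qwertyuiopasdf", "sunshine",
}

MIN_LENGTH = 12                 # length rather than composition rules
PBKDF2_ITERATIONS = 600_000     # assumed work factor for PBKDF2-HMAC-SHA256
MD5_GUESSES_PER_SEC = 1e11      # assumed attacker rate against unsalted MD5


def _normalize(password: str) -> str:
    """Strip the trivial 'Letmein1!' style decorations crackers try first."""
    return password.lower().rstrip("0123456789!@#$")


def check_password(candidate: str, blocklist=BLOCKLIST) -> list:
    """Return the list of policy failures; an empty list means 'accept'.

    Deliberately no 'must contain a digit or symbol' rule and no expiry:
    the hard requirements are a minimum length and absence from the
    common/compromised list, checked on both the raw and normalized forms.
    """
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if candidate.lower() in blocklist or _normalize(candidate) in blocklist:
        problems.append("found in common/compromised password list")
    return problems


def md5_hex(password: str) -> str:
    """Fast, unsalted MD5: what a weak service might store, and what cracks fast."""
    return hashlib.md5(password.encode()).hexdigest()


def pbkdf2_hex(password: str, salt: bytes, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Salted, iterated PBKDF2-HMAC-SHA256: every guess costs `iterations` HMACs."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def dictionary_attack(target_hex: str, wordlist) -> Optional[str]:
    """Recover the password behind an unsalted MD5 hash from a wordlist.

    Tries each word plus the same trivial variants that _normalize() strips,
    which is why the defender's blocklist check has to consider variants too.
    """
    for word in wordlist:
        for candidate in (word, word.capitalize(), word + "1", word.capitalize() + "!"):
            if md5_hex(candidate) == target_hex:
                return candidate
    return None


def brute_force_seconds(length: int, alphabet_size: int, guesses_per_second: float) -> float:
    """Worst-case seconds to exhaust every password of `length` symbols."""
    return alphabet_size ** length / guesses_per_second


def crack_time_years(length: int, alphabet_size: int = 62) -> dict:
    """Compare exhaustive search time against MD5 and PBKDF2 storage.

    Assumes PBKDF2 slows the attacker by a factor of PBKDF2_ITERATIONS
    relative to MD5 (ignoring the SHA-256 vs MD5 per-call difference).
    """
    year = 365.25 * 24 * 3600
    md5_s = brute_force_seconds(length, alphabet_size, MD5_GUESSES_PER_SEC)
    pbkdf2_s = brute_force_seconds(length, alphabet_size, MD5_GUESSES_PER_SEC / PBKDF2_ITERATIONS)
    return {"md5_years": md5_s / year, "pbkdf2_years": pbkdf2_s / year}


if __name__ == "__main__":
    for pw in ("Password1", "Letmein!", "Qwertyuiopasdf", "correct horse battery staple"):
        print(f"{pw!r}: {check_password(pw) or 'accepted'}")
    leaked = md5_hex("Welcome1")    # constructed "leaked" hash for the demo
    print("dictionary attack recovered:", dictionary_attack(leaked, sorted(BLOCKLIST)))
    for n in (8, 12, 16):
        t = crack_time_years(n)
        print(f"{n} chars (62-symbol alphabet): MD5 {t['md5_years']:.2e} years, "
              f"PBKDF2 {t['pbkdf2_years']:.2e} years")
    print("stored form:", pbkdf2_hex("correct horse battery staple", b"per-user-salt")[:16], "...")
```

Running it shows the three points at once: short or blocklisted passwords are rejected regardless of how many symbol classes they mix, the "leaked" MD5 of `Welcome1` is recovered from the same list in a fraction of a second, and moving from 8 to 12 characters or from MD5 to PBKDF2 each multiplies the brute-force cost by many orders of magnitude.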