Employ Better Password Habits
The best defense against brute force attacks that guess passwords is to make each password as expensive as possible to crack. End users protect their own data and their organization's by choosing stronger passwords and following password best practices. Every added bit of unpredictability multiplies the time an attacker needs, to the point where the attempt is no longer worth making.
Here’s a checklist of best practices for stronger password security to avoid brute force attacks:
- Use a high character count: A good rule of thumb is more than 10 characters, mixing numbers, symbols, and upper- and lowercase letters. Length is the dominant factor: each additional unpredictable character multiplies the search space, which is what turns a crack that takes hours on a GPU rig into one that takes years.
- Use passphrases: Longer is better, but some sites cap password length. A passphrase made of several unrelated words joined with separators or special characters packs far more unpredictability into the allowed length than a single word does, and it defeats simple dictionary attacks that only try whole words.
- Make your own rules for building passwords: Another approach is to shorten words so the result means nothing to anyone else, for example by dropping the vowels or keeping only the first two letters of each word, then joining the shortened words into a phrase you can remember: "hope" becomes "hp" and "blue" becomes "bl". Bear in mind that cracking tools apply exactly these kinds of mangling rules to dictionary words, so the technique only adds real protection when the underlying phrase is not itself a common one.
- Avoid simple passwords: Commonly used passwords such as a name, a sports team, or "password" itself are very risky. Attackers know which words and phrases people reuse, and their wordlists start with them.
- Use a different password for every account: In credential stuffing, attackers take username and password pairs leaked from one breached site and replay them against other sites. Because people so often reuse one password for email, social media, and news sites, this works remarkably well. Never reuse a password across sites or accounts.
- Use a password manager: A password manager makes it practical to have a strong, unique password for every site. It generates and stores the logins automatically, so the user needs to remember only the master password for the manager itself. Users can then rely on long, complex passwords without forgetting them, losing them, or writing them down where they can be stolen.
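To put numbers on the "longer and more random is better" advice above, here is an added example (not part of the original article) that computes the entropy of a uniformly random password or passphrase and the expected time to guess it. The word list is a constructed eight-word sample standing in for a real list such as Diceware's 7,776 words; the guess rate of 10 billion per second is an assumption representing consumer GPUs against a fast unsalted hash. Human-chosen passwords are far less random than the uniform model, so these figures are upper bounds.

```python
import math
import secrets

# Constructed sample word list for the demonstration only. A real passphrase
# generator should draw from a large list (e.g. the 7,776-word Diceware list).
SAMPLE_WORDLIST = ["orbit", "canvas", "pepper", "glacier",
                   "lantern", "mosaic", "velvet", "tundra"]

# Assumed attacker speed: ~1e10 guesses/s is a plausible figure for a small
# GPU rig against a fast, unsalted hash. Slow password hashes cut this sharply.
ASSUMED_GUESSES_PER_SECOND = 1e10


def password_entropy_bits(charset_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly from `charset_size` symbols."""
    return length * math.log2(charset_size)


def passphrase_entropy_bits(dictionary_size: int, word_count: int) -> float:
    """Entropy in bits of `word_count` words drawn uniformly (with replacement)."""
    return word_count * math.log2(dictionary_size)


def expected_crack_seconds(entropy_bits: float, guesses_per_second: float) -> float:
    """Expected time to hit the right guess: on average half the space is searched."""
    return (2 ** entropy_bits) / 2 / guesses_per_second


def seconds_to_years(seconds: float) -> float:
    return seconds / (365.25 * 24 * 3600)


def generate_passphrase(wordlist, word_count: int, separator: str = "-") -> str:
    """Choose words with the CSPRNG in `secrets`; never use random.choice for this."""
    return separator.join(secrets.choice(wordlist) for _ in range(word_count))


if __name__ == "__main__":
    # 10 random characters from the 94 printable ASCII symbols versus 6 Diceware words.
    for label, bits in [
        ("10-char random, 94-symbol charset", password_entropy_bits(94, 10)),
        ("6-word Diceware passphrase", passphrase_entropy_bits(7776, 6)),
        ("8-char lowercase only", password_entropy_bits(26, 8)),
    ]:
        secs = expected_crack_seconds(bits, ASSUMED_GUESSES_PER_SECOND)
        print(f"{label}: {bits:.1f} bits, ~{seconds_to_years(secs):,.1f} years at 1e10 guesses/s")
    print("example passphrase:", generate_passphrase(SAMPLE_WORDLIST, 4))
```

The 8-character lowercase case comes out in minutes at the assumed rate, the 10-character mixed case in decades, and the six-word passphrase in millions of years; the passphrase is also the easiest of the three to remember, which is the point of the advice.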
Protect User Passwords
Strong user passwords count for little if the organization storing them cannot protect them from brute force attacks. The organization shares the responsibility for protecting its users and its network. Here's a checklist of best practices organizations can follow to strengthen user password protection:
- Store passwords with a slow, salted hash, not encryption: Passwords must never be stored in plaintext, and reversible encryption only moves the problem to protecting the key. Store a hash produced by a dedicated password hashing function (Argon2id, scrypt, bcrypt, or PBKDF2 with a high iteration count). These are deliberately slow, so every guess against a stolen database costs real compute; a fast general-purpose hash such as MD5 or SHA-256 on its own is not enough.
- Salt the hash: A salt is a random value, unique per password, that is mixed into the password before hashing and stored alongside the resulting hash. It does not need to be secret. Its job is to make identical passwords hash to different values and to defeat precomputed (rainbow) tables, so an attacker must crack every account separately. A secret value kept outside the database (a "pepper") can be layered on top, but it is not a substitute for a per-password salt.
- Use MFA: Adding a second authentication factor makes the password itself less critical. After the user enters their password, MFA asks for further proof of identity, such as a code from an authenticator app or hardware token, a push approval, or a fingerprint scan. Even an attacker holding valid credentials is stopped at the second step. Phishing-resistant factors such as FIDO2/WebAuthn security keys are the strongest option.
- Limit login attempts: Capping failed attempts makes online brute force far less likely to succeed; an attacker slowed to a crawl after two or three failures usually moves on. Prefer progressive delays or temporary lockouts to permanent ones, because a hard lockout after a handful of failures lets an attacker deliberately lock users out of their own accounts. Apply limits per source IP as well as per account, so that spraying one password across many accounts is also caught.
- Use CAPTCHA to protect logins: A CAPTCHA at the login step (typing distorted text, selecting matching images, identifying objects) forces a human step that automated guessing tools cannot easily complete at scale. It raises the attacker's cost rather than eliminating the attack, since CAPTCHA-solving services exist, so treat it as one layer alongside rate limiting.
- Block known-bad IP addresses: Maintaining a blocklist of IP addresses seen in attacks shields the network and its users from known attackers. Keep the list current, and remember that attackers rotate through proxies and botnets, so a blocklist slows them down rather than stopping them.
- Remove old accounts: Dormant or unmaintained accounts are attractive targets because nobody notices failed logins against them. Audit and remove unused accounts regularly and, better still, disable accounts the moment an employee leaves. This matters most for accounts with access to sensitive data or elevated privileges.
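The following added example (written for this article, not code from any product it describes) shows the storage and rate-limiting items above working together: passwords are stored as per-user salted PBKDF2-HMAC-SHA256 records, verified in constant time, and failed logins trigger an exponential backoff per account rather than a permanent lockout. PBKDF2 is used only because it ships in Python's standard library; Argon2id or bcrypt would be preferable with a library available. The `Authenticator`, `LoginThrottle` and record format are assumptions for the demonstration, as is the 600,000-iteration work factor (OWASP's current PBKDF2-SHA256 recommendation).

```python
import hashlib
import hmac
import os
import time
from dataclasses import dataclass, field
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000  # assumed work factor; raise as hardware gets faster
SALT_BYTES = 16


def hash_password(password: str, iterations: int = PBKDF2_ITERATIONS) -> str:
    """Return a self-describing record: algorithm$iterations$salt_hex$digest_hex.

    The salt is fresh random bytes per password and is stored in the record
    unencrypted: it is not a secret, it only makes each hash unique.
    """
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return f"pbkdf2_sha256${iterations}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    algo, iterations, salt_hex, digest_hex = record.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError(f"unsupported record type: {algo}")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


# Verified against for unknown usernames so a miss costs the same as a real
# check and response timing does not reveal which accounts exist.
DUMMY_RECORD = hash_password("not-a-real-password")


@dataclass
class LoginThrottle:
    """Per-account failed-attempt tracking with exponential backoff.

    The first `free_attempts` failures cost nothing; after that the required
    pause doubles with each failure, capped at `max_delay` seconds. A temporary
    backoff, unlike a permanent lockout, cannot be abused to lock real users out.
    """
    free_attempts: int = 3
    base_delay: float = 2.0
    max_delay: float = 900.0
    failures: Dict[str, tuple] = field(default_factory=dict)  # user -> (count, last_ts)

    def retry_after(self, username: str, now: float) -> float:
        count, last = self.failures.get(username, (0, 0.0))
        if count < self.free_attempts:
            return 0.0
        delay = min(self.base_delay * 2 ** (count - self.free_attempts), self.max_delay)
        return max(0.0, last + delay - now)

    def record_failure(self, username: str, now: float) -> None:
        count, _ = self.failures.get(username, (0, 0.0))
        self.failures[username] = (count + 1, now)

    def record_success(self, username: str) -> None:
        self.failures.pop(username, None)


class Authenticator:
    """Minimal user store wiring the hash functions and the throttle together."""

    def __init__(self) -> None:
        self.users: Dict[str, str] = {}
        self.throttle = LoginThrottle()

    def register(self, username: str, password: str) -> None:
        self.users[username] = hash_password(password)

    def login(self, username: str, password: str, now: Optional[float] = None) -> str:
        """Return 'ok', 'denied' or 'throttled'. `now` is injectable for testing."""
        now = time.time() if now is None else now
        if self.throttle.retry_after(username, now) > 0:
            return "throttled"  # not verified and not counted as another failure
        record = self.users.get(username)
        # Always run the expensive verification, against a dummy record if needed.
        valid = verify_password(password, record or DUMMY_RECORD) and record is not None
        if valid:
            self.throttle.record_success(username)
            return "ok"
        self.throttle.record_failure(username, now)
        return "denied"


if __name__ == "__main__":
    auth = Authenticator()
    auth.register("alice", "correct horse battery staple")
    for attempt in ["wrong", "wrong", "wrong", "correct horse battery staple"]:
        print(attempt, "->", auth.login("alice", attempt))
```

Two things are worth noticing when running it: hashing the same password twice yields two different records because the salt differs, and the correct password entered immediately after the third failure is refused as "throttled" rather than checked, which is exactly the behaviour an online guessing tool runs into. The throttle is per account only; in production it should be paired with a per-source-IP limit so that one password sprayed across many accounts is also slowed.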
Provide Ongoing Help with Security and Passwords
Beyond educating users and running sound IT security, organizations must keep their systems and software up to date and give employees ongoing support.
- Provide password education: Users need to know what good security looks like, how to handle passwords correctly, and how to recognize the signs of an attack. Regular training and updates keep them current on new threats and reinforce good habits. A corporate password manager or vault also lets users keep complex passwords without losing them, which would otherwise put corporate data at risk.
- Monitor authentication traffic in real time: Brute force attacks leave a recognizable trail: many failed logins in a short window, one source trying many different accounts, or a successful login from an unfamiliar device or location right after a run of failures. Organizations must continuously watch their systems and networks for such activity and block anything harmful immediately.
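As an added example of the monitoring described above (written for this article, not taken from any product), the script below runs three detections over authentication events: a burst of failures from one source address, one address failing against several different accounts (password spraying), and a success for an account that had just suffered a burst of failures. The log format and the sample lines are constructed for the demonstration, with addresses from the documentation ranges; the five-minute window and the thresholds are assumed tuning values.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta
from typing import List, Tuple

# Constructed sample authentication log in a simplified one-line format:
#   <ISO 8601 timestamp> <OK|FAIL> user=<name> ip=<source address>
SAMPLE_LOG = """\
2024-05-01T10:00:01Z FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02Z FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:03Z FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:04Z FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:05Z FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:06Z OK user=alice ip=203.0.113.5
2024-05-01T10:01:00Z FAIL user=bob ip=198.51.100.7
2024-05-01T10:01:01Z FAIL user=carol ip=198.51.100.7
2024-05-01T10:01:02Z FAIL user=dave ip=198.51.100.7
2024-05-01T10:01:59Z FAIL user=erin ip=192.0.2.9
2024-05-01T10:02:00Z OK user=erin ip=192.0.2.9
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>OK|FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$")
Event = Tuple[datetime, str, str, str]  # (timestamp, result, user, ip)


def parse_log(text: str) -> List[Event]:
    """Parse the constructed format into time-ordered events; skip lines that don't match."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def detect_brute_force(events: List[Event], window: timedelta = timedelta(minutes=5),
                       fail_threshold: int = 5, spray_threshold: int = 3) -> List[str]:
    """Return alert strings for the three patterns, one alert per (pattern, source)."""
    alerts: List[str] = []
    fails_by_ip = defaultdict(list)    # ip -> [(ts, user)] inside the sliding window
    fails_by_user = defaultdict(list)  # user -> [ts] since that user's last success
    fired = set()                      # suppress repeat alerts for the same ip/pattern
    for ts, result, user, ip in events:
        if result == "FAIL":
            # Drop failures that fell out of the window, then add this one.
            recent = [(t, u) for t, u in fails_by_ip[ip] if ts - t <= window] + [(ts, user)]
            fails_by_ip[ip] = recent
            fails_by_user[user].append(ts)
            if len(recent) >= fail_threshold and ("bruteforce", ip) not in fired:
                fired.add(("bruteforce", ip))
                alerts.append(f"brute force: {len(recent)} failures from {ip} within {window}")
            targets = {u for _, u in recent}
            if len(targets) >= spray_threshold and ("spray", ip) not in fired:
                fired.add(("spray", ip))
                alerts.append(f"password spraying: {ip} failed against {len(targets)} accounts within {window}")
        else:
            # A success right after a burst of failures on the same account is the
            # highest-priority signal: the guessing may have worked.
            prior = [t for t in fails_by_user[user] if ts - t <= window]
            if len(prior) >= fail_threshold:
                alerts.append(f"possible compromise: success for {user} from {ip} after {len(prior)} recent failures")
            fails_by_user[user] = []
    return alerts


def analyze(text: str) -> List[str]:
    return detect_brute_force(parse_log(text))


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

Run against the sample, the script raises three alerts: the five failures from 203.0.113.5, the success for alice immediately afterwards, and the spray from 198.51.100.7 across bob, carol and dave; erin's single typo followed by a successful login stays silent, which is the false-positive case the thresholds exist for. In a real deployment the same logic would feed from the identity provider's or SSH daemon's logs, and the "possible compromise" alert would trigger a forced MFA challenge or session revocation rather than a print statement.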