Cybercriminals have a lot of tricks up their sleeves when it comes to gaining access to passwords. The easiest? Buying them off the Dark Web (for a refresher of what the Dark Web is, see our recent post).
There’s big money in buying and selling credentials and password online, especially for hospitals and healthcare.
But even if you’ve taken some good steps to avoid being scammed and have kept your passwords off the Dark Web, criminals are finding ways to crack them. And if that’s the case, they’re bound to be using some of the methods I’m listing below. These attacks can be targeted at your accounts or actually be found through leaked databases of semi-secure passwords.
Method # 1: Brute Force Attacks—in the old days—say Medieval Times—when an enemy wanted into a castle, they’d pound and pound on the door until it broke (if they were lucky). Hackers are essentially doing the same thing when it comes to your network. They’re trying thousands—or even billions—of combinations and associations trying to enter your facility through brute force.
Just to give you some perspective on how quick password hacking is, in the past 6 years, are cracking 8 character passwords containing uppercase, lowercase, numbers and symbols in less than 6 hours. That is, in less than a day, if someone really wanted to hack into your network—and your users kept 8 character passwords, they might actually be able to get in.
On top of merely guessing every combination, hackers speed up their hacks considerably by finding associations passwords might be based off of. They may prioritize certain letters and numbers (at least try these first in combinations—birthdates, important names and locations—before crunching randomly generating character combinations). The moral of brute force passwords? For very important accounts, the longer the password the better. I’d hesitate to say currently, it would take a sophisticated hacker too much time to crack passwords about 15 characters (but this may change as computing technologies improve).
Method # 2: They Read The Dictionary—hackers know that many of us use word-based passwords and prioritize letter associations commonly found in words. Hackers try a variety of combinations of letters, symbols and numbers that may create readable word-based passwords. If your password is a regular word, your password probably will be picked off relatively easily (unless it is quite obscure or if you use combinations of words in your password). Nonetheless, if your password is simply one word—particularly words that can be found in common dictionaries—it is likely to be quickly discovered.
Method # 3: Phishing—maybe the most common way many hospital users see attackers trying to penetrate their network is by phishing. Tricking, intimidating or pressuring your team through social engineering ends up giving the bad guys what they want more often than any of us would like to admit. Once you take the bait, they have you. Phishing is a great way for hackers to penetrate a user’s activities—especially relating to user credentials.
What Makes Up A Strong Password?
Now that we know how passwords are hacked, we can start creating passwords to outsmart them. Here are three basic rules to guide you to make sure your passwords are un-crackable:
Don’t Be Silly—stay away from the obvious. Never use sequential numbers or letters. And for the love of all things security, please don’t use the word “password” in your password. Create a unique password that is not easily associated with your person (your social media, the people, places and things that are important to you). If you are the lucky victim for an attack, a hacker will try every single thing they can find on you in their guess attempts. Staying away from silly will really put a stop to easy access (and might convince some hackers to move on to easier targets).
Is It Brute Force Capable?—keep in mind how attackers are brute-forcing their way onto your networks. Here are some specific considerations:
Can They Figure It Out With A Dictionary—as we already mentioned, stay away from a password with a single word or common phrase. Multiple words may make the cracking process difficult, but unassociated words would make the process ten times harder.
Not sure if your staff are protecting their passwords or keeping their logins too easy for hackers to simply guess? Contact us Today for a free ransomware vulnerability assessment.
