Passwords and You - Ensuring your password doesn't compromise your websites security
Passwords are a facet of modern society that we're unlikely to see the back of any time soon. From our phones to our online banking, everything that we value in the digital world is protected by a password of your choice. That choice is a difficult one to make, and making the wrong choice can have disastrous consequences for you and your business.It's been reported that 2014 was the year of Secure Shell Brute Force, overtaking the malicious code method that prevailed for the two years prior (Source), and at the start of 2015 our forensics team have noticed a further increase in these types of attacks against online authentication pages. Whilst Brute Force attacks are easy to detect with the right software, by the time you've detected it the intruder has already accessed your system and perpetrated the attack. For this reason, it is essential to be pro-active about ensuring your passwords are secure and fit-for-purpose.
What is a Brute Force Attack?Attackers will attempt to gain access to accounts by trying to log in using a list of thousands of different potential passwords, known as a wordlist. The wordlists used by attackers will contain a wide range of different potential passwords - built up from dictionaries, name lists, or previously leaked passwords - and if the password to the account happens to be in the wordlist, the attacker will have full control over that account. The attacks that we have seen so far have concentrated on trying to gain access to the administrator account of a websites backend system, allowing the attacker full control over a website and, in the worst cases, allowing them to extract payment card data from the database. Choosing the wrong password can be a costly mistake.
What you can do to avoid it
Advice on choosing a secure password varies, but it's generally accepted that a secure password is unique, long, and contains as many different types of characters as possible (uppercase, lowercase, punctuation etc). A password of "wci9Q*5at+kb" is far more secure than your pets name or your date of birth, but is an order of magnitude more difficult to remember. According to research, one person has an average of 17 private passwords and 8.5 work related passwords to remember (NorSIS Password Survey 2012), and it's going to be near impossible for the average person to commit 25.5 unique, long, gibberish passwords to memory. This means that the user has to make a sacrifice - either sacrifice the ability to actually remember your password, or sacrifice the entire security of your website because of a poor password choice.
Thankfully, there are solutions out there that mean that you don't have to make that sacrifice anymore. Password managers come in many different shapes and sizes, but all have one single goal - to securely store your passwords so that you don't have to worry about remembering every single one of them. This means you can secure your website with strong, difficult to guess and unique passwords without sacrificing the conveniance of logging in easily. Most password managers also come with a password generation facility, which will make generating a secure, random password as easy as clicking a button. The only caveat is that you must make sure your master password - the single password that allows you access to your password manager - is secure itself, but it's far easier to remember one secure password rather than 25.
There are a number of solutions on the market, some of which include the ability to sync databases across devices such as LastPass or 1Password, or some that rely on you being able to access the same file wherever you are, such as KeePass. Whichever password manager you choose, using secure passwords will greatly reduce the risk of unauthorised access to your site and the potential of payment card data breach as a result.
As the Cyber Security threatscape changes, Brute Force attacks are just one of many weapons that hackers have in their arsenal to launch potentially costly and malicious attacks against your website, and many companies are turning to cloud-based WAF solutions such as FGX-Web to monitor and protect their websites. Learn more about how to defend your online business here.