Weak, easily guessed or reused passwords are among the most common causes of data breaches worldwide. Previous data breaches, hacker forums and the simple guessing of weak passwords in a “password spray” attack (a handful of common passwords tried against many accounts, slowly enough to stay under lockout thresholds) are just some of the ways passwords can be obtained by a bad actor.
Once a valid password is found, those bad actors will conduct a credential stuffing attack across multiple resources, attempting to log in to hundreds of different sites with the same username and password, knowing that many users reuse credentials.
Even if breached passwords are stored as hashes (a one-way transformation, not encryption), this provides little protection, as hardware specifically dedicated to cracking passwords is becoming more powerful, efficient and cheaper every year. Wipfli’s own in-house hardware used in penetration testing is capable of many billions of guesses per second. The rate depends heavily on the hashing algorithm: fast, unsalted hashes such as MD5, SHA-1 or NTLM are tested at billions of guesses per second, while deliberately slow, salted algorithms such as bcrypt, scrypt or Argon2 reduce that to thousands or fewer, but neither saves a password that is predictable enough to be among the first guesses.
Yet passwords are still the basic authentication mechanism for the vast majority of organizations. Passwords can be reasonably secure if steps to prevent the use of weak passwords are implemented.
Next steps
Encourage the use of passphrases rather than passwords: Passphrases consist of several memorable words in random order, perhaps combined with a few character replacements. This produces a string that is much harder to guess or crack than one based on a single word with modifications or additions, because its strength comes from length and the number of words rather than from predictable substitutions.
Implement password filtering: You should implement password filtering regardless of whether you use passwords or passphrases, but note that it’s especially important if passwords are the de facto standard. Password filters prevent users from setting a password that contains easily guessed strings such as months, seasons, years, sports teams or the organization’s own name, or that appears in a list of passwords exposed in previous breaches. These patterns are the first things bad actors try when guessing user passwords.
Increase your minimum password length: If passphrases are adopted as a standard, the minimum password length can be raised to 16, 20, 24 or even 30 characters without undue burden on users. Conversely, raising the minimum length tends to nudge users toward passphrases, since a 20-character single word with substitutions is hard to remember and a few ordinary words are not.
Use multi-factor authentication (MFA): Regardless of the strength of a user’s password, there is always the possibility it will be compromised in some manner. MFA provides a second, distinct verification of the user’s identity, so a stolen or guessed password alone is not enough to log in. Prefer factors that resist phishing and prompt fatigue, such as hardware security keys or authenticator apps, over SMS codes where you have the choice.
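The following Python script is an added example, not code from the original article or from Wipfli’s penetration-testing tooling. It ties the points above together: it enumerates the Word+Year+Suffix pattern space that spraying and cracking tools try first, runs that list against a constructed “breach dump” of unsalted SHA-256 hashes (standing in for any fast hash), and then shows a password filter that rejects exactly those patterns, enforces a 16-character minimum and checks a breach corpus. It also works out how long exhausting a four- or five-word passphrase would take at an assumed rate of ten billion guesses per second. The word lists, team names, breach dump and guess rate are all constructed assumptions; a production filter would load complete lists for the organization’s locale and a real breached-password corpus.

```python
import hashlib
import itertools
import re
import secrets

# --- Predictable password patterns: what a spray or cracking run tries first ---
# Constructed sample lists; a real filter would load full month/season/team/company
# word lists for the organisation's locale and industry.
SEASONS = ["spring", "summer", "fall", "autumn", "winter"]
MONTHS = ["january", "february", "march", "april", "may", "june", "july",
          "august", "september", "october", "november", "december"]
TEAMS = ["packers", "bears", "brewers"]
SUFFIXES = ["", "!", "1", "123", "!!"]
BANNED_WORDS = SEASONS + MONTHS + TEAMS + ["password", "welcome", "letmein"]
YEAR_RE = re.compile(r"(19|20)\d\d")
# Undo common character replacements ("Summ3r" -> "summer") before matching.
LEET = str.maketrans("@4$50137", "aassoiet")


def candidate_passwords(years=range(2015, 2026)):
    """Yield the Word+Year+Suffix space that attackers enumerate first."""
    year_strs = [str(y) for y in years] + [str(y)[2:] for y in years]
    for word in SEASONS + MONTHS + TEAMS:
        for form in (word, word.capitalize(), word.upper()):
            for year, suffix in itertools.product(year_strs, SUFFIXES):
                yield f"{form}{year}{suffix}"


def sha256_hex(password):
    """Unsalted SHA-256, used here as a stand-in for any fast hash (assumption)."""
    return hashlib.sha256(password.encode()).hexdigest()


def crack_unsalted(digests, candidates):
    """Dictionary attack on unsalted digests: returns {digest: recovered password}."""
    targets = set(digests)
    found = {}
    for pw in candidates:
        d = sha256_hex(pw)
        if d in targets:
            found[d] = pw
    return found


def crack_time_seconds(wordlist_size, num_words, guesses_per_second=1e10):
    """Worst-case seconds to exhaust an n-word passphrase drawn from a known
    wordlist, assuming a fast unsalted hash and the given guess rate (assumed)."""
    return wordlist_size ** num_words / guesses_per_second


# --- The filter: reject what the generator above would crack ---
def check_password(pw, breached_digests=frozenset(), min_length=16):
    """Return the list of reasons a candidate is rejected (empty list = accepted)."""
    reasons = []
    if len(pw) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    normalised = pw.lower().translate(LEET)
    for word in BANNED_WORDS:
        if word in normalised:
            reasons.append(f"contains easily guessed word '{word}'")
    if YEAR_RE.search(pw):
        reasons.append("contains a year")
    if sha256_hex(pw) in breached_digests:
        reasons.append("appears in a breach corpus")
    return reasons


# --- Passphrase generation: several random words rather than one mangled word ---
SAMPLE_WORDLIST = ["correct", "horse", "battery", "staple", "river", "candle",
                   "orbit", "velvet"]  # constructed; use the 7776-word EFF long list in practice


def generate_passphrase(num_words=4, wordlist=SAMPLE_WORDLIST):
    """Pick words with a CSPRNG so the order is genuinely random."""
    return " ".join(secrets.choice(wordlist) for _ in range(num_words))


if __name__ == "__main__":
    # Constructed "breach dump": three pattern passwords and one passphrase.
    dump = [sha256_hex(p) for p in ("Summer2023!", "Packers2024", "January2022!",
                                    "correct horse battery staple")]
    cracked = crack_unsalted(dump, candidate_passwords())
    print(f"{len(cracked)} of {len(dump)} hashes recovered from "
          f"{len(list(candidate_passwords()))} guesses")
    for p in ("Summer2023!", "Summ3r2023!", "correct horse battery staple"):
        print(repr(p), "->", check_password(p, breached_digests=set(dump[:3])) or "accepted")
    print("4 words from 7776: %.0f days worst case" % (crack_time_seconds(7776, 4) / 86400))
    print("5 words from 7776: %.0f years worst case" % (crack_time_seconds(7776, 5) / 31_536_000))
```

Two design notes. The filter matches banned words as substrings after undoing common substitutions, so “Summ3r2023!” is caught, but short entries such as “may” will also reject innocent passphrases that happen to contain them; decide per word whether you want that strictness. The arithmetic in crack_time_seconds shows why length beats complexity: the 6,600-guess pattern space falls instantly on any hardware, whereas four words from a 7,776-word list take several days at ten billion guesses per second and five words take decades, and a slow, salted hash stretches both figures by orders of magnitude.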