Warning: Brute force attacks hitting SonicWall firewall configuration backups

What are brute force attacks?: Brute force attacks use trial and error to crack passwords, login credentials, and encryption keys. They’ve been around since the beginning of the computer age, yet are still effective. Why? In part because people still use easily guessable passwords like ‘1234’, or their company’s name, or default passwords left on hardware and software by vendors.

Threat actors have been compiling lists of the most commonly used passwords (famous athletes’ names, famous actors’ names, famous rock band names …), based on years of data breaches, that they sell or share for use in what are called credential-stuffing attacks. A dictionary attack uses a list of words from a dictionary. Hybrid brute force attacks combine a dictionary with lists of stolen passwords.

Modern computing technology also helps threat actors, Meghu pointed out. With today’s low-cost cloud computing resources, any crook can spin up a temporary virtual machine to work at trying every combination against a file. And Picus Security recently reported that even hashed passwords can be easily cracked.

Defenses: Mandating that employees and customers use long passwords of at least 16 letters and numbers is one defense. Even better, said the US National Institute for Standards and Technology (NIST), is encouraging employees to use a passphrase they can remember rather than a jumble of letters.

To discourage users from creating easily-guessable passwords, CSOs should require that employees use a password manager to store their credentials.

Finally, experts advise that the best defense against brute force attacks is phishing-resistant multi-factor authentication, including, for administrators, the use of physical USB keys or biometrics as an extra login step.

“Making brute force irrelevant by using public/private keys, protect those keys!!, or some sort of two-factor authentication is not enough,” said Meghu. “Extra protection should be the norm.”

“You generally can’t trust something that is just protected by password,” he said. “Assume at some point compute power will reach a point that it is crackable. To extend that time, use as long a password as you can, 18 characters at a minimum for sensitive data.”
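One way to enforce the length and guessability advice above when a password is set, added here as an example and not taken from the article. The word list, the organisation name and the function names are constructed for illustration; a real deployment would check against a full breached-password corpus.

```python
# Constructed sample list: common choices and vendor-style defaults (assumption).
COMMON_PASSWORDS = {"1234", "password", "qwerty", "letmein", "admin", "changeme"}

# Character swaps that hybrid guessing rules routinely try.
LEET = str.maketrans("013457@$!", "oleastasi")
PADDING = "0123456789!@#$%^&*._-"


def normalize(candidate: str) -> str:
    """Undo cheap mutations: case, digit/symbol padding at either end, leetspeak."""
    core = candidate.lower().strip(PADDING)
    return core.translate(LEET)


def check_password(candidate: str, org_name: str, sensitive: bool = False) -> list[str]:
    """Return the list of policy problems; an empty list means accepted."""
    problems = []
    # 16 characters as the baseline, 18 for sensitive data, as quoted above.
    min_len = 18 if sensitive else 16
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")

    core = normalize(candidate)
    if not core:
        problems.append("only digits and symbols")
    if candidate.lower() in COMMON_PASSWORDS or core in COMMON_PASSWORDS:
        problems.append("common or default password, or a padded variant of one")

    # The company name survives leetspeak and suffixes once normalized.
    org = normalize(org_name)
    if org and org in core:
        problems.append("contains the organisation name")
    return problems


if __name__ == "__main__":
    for pw in ["1234", "P@ssw0rd2024!", "Examp1eC0rp-Firewall-2025",
               "violet kettle drifts northward"]:
        print(repr(pw), "->", check_password(pw, "ExampleCorp") or "accepted")
```

The third sample is 25 characters long and still rejected, which is the point: length only helps when the password is not built from material a dictionary or hybrid guess already contains.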

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4059008/warning-brute-force-attacks-hitting-sonicwall-firewall-configuration-backups.html
