Introduction
Passwords are part of our daily lives. We use them everywhere, to access our emails, our social networks, our bank accounts and so on.
Yet they remain one of the most exploited vulnerabilities by attackers. In 2023, over 80% of data breaches were linked to compromised passwords. And a compromised password can be costly. Data theft, financial losses, damage to reputation – the consequences are numerous.
In this article, we’ll take a look at the best practices for securing your passwords. We’ll also cover common vulnerabilities and attacks, as well as techniques for compromising password security.
Comprehensive Guide to Password Security
- Why is Password Security Crucial?
- Exploring Passwords Common vulnerabilities and Attacks, as well as Best Security Practices
- Other Measures to Protect Passwords
- Conclusion
Why is Password Security Crucial?
Password security is a key issue. Every day, billions of people use passwords to access their online accounts or manage sensitive resources.
Yet passwords, which are essential for protecting our data, are also one of the favourite targets of attackers.
Compromised passwords are responsible for the majority of data breaches. By exploiting simple vulnerabilities, such as passwords that are too short or passwords that are reused on several platforms, attackers often manage to access critical information without resorting to complex techniques.
This phenomenon is amplified by the proliferation of accounts. By accumulating logins, users fall into risky habits: memorising a single password for several services or choosing terms that are easy to remember but vulnerable to automated attacks.
For businesses, poor password management can have disastrous consequences. A poorly protected password can allow an attacker to access sensitive databases, embezzle funds or compromise entire systems. The consequences are not limited to financial losses. They also include legal penalties, such as those imposed by regulations such as the GDPR, and reputational damage.
Furthermore, attackers are constantly innovating. Dictionary attacks, brute force or phishing, the methods for stealing or guessing passwords are multiplying.
Understanding why passwords are vulnerable and learning how to make them more secure is an essential step in protecting yourself. This means not only knowing the most common vulnerabilities, but also putting in place appropriate strategies to strengthen this essential barrier between our data and attackers.
Exploring Passwords Common vulnerabilities and Attacks, as well as Best Security Practices
Passwords are at the heart of information systems. When they are badly chosen, badly stored or badly protected, they become an easy target for attackers.
Attackers use a variety of attack techniques.
Using weak passwords and brute force attacks
One of the most common vulnerabilities in password security is the use of weak passwords.
Weak passwords are generally both easy to remember and easy for attackers to compromise.
Weak passwords often include strings of numbers, common words, obvious personal information or predictable combinations of letters and numbers.
For example, a simple password such as ‘123456’ or ‘password’ can be compromised in seconds by a brute force attack.
What is a brute force attack?
Brute force attacks consist of testing all possible combinations of a password until the correct one is found.
This method relies on the ability of modern computers to perform massive calculations very quickly. The simpler or shorter the password, the more effective this method.
To launch a brute force attack, hackers use software such as Hydra, John the Ripper or Hashcat.
These tools can try millions of combinations per second, particularly when the password is poorly protected or stored using obsolete hash algorithms such as MD5 or SHA1.
Imagine a 6-character password made up entirely of lower-case letters. There are roughly 308 million possible combinations.
With a standard computer, it would only take a few hours to find the correct combination. If this password is extended to 20 characters, the number of combinations increases exponentially, making a brute force attack difficult or even impossible.
How to protect yourself?
Choose robust passwords
To counter a brute force attack, it is crucial to put in place an effective password policy.
The key criterion is password length. The longer the password, the more difficult it will be to guess during such an attack.
Unfortunately, this criterion is often ignored. Companies still impose ineffective and sometimes dangerous rules, such as those requiring passwords to be at least 8 characters long with a capital letter, a number and a special character. These guidelines give a false sense of security.
Take the example of the password: P@ssword2024!. According to conventional rules, it is considered secure. However, it is easily broken by brute force.
On the other hand, a password (passphrase) such as ‘mypasswordissecureandimpossibletoguess’, although it has no capital letters, numbers or special characters, is much more robust thanks to its length.
To guarantee security, use passwords of at least 15 to 20 characters, regardless of the type of characters used. However, avoid obvious sequences such as ‘12345678910111213″.
Length is the key to a strong, secure password.
Ban password expiration policies
Password expiration policies aim to encourage regular changes to limit the risk of leaks.
In theory, this sounds like a good security measure.
However, in practice, these policies often encourage users to behave badly. They create passwords that are simple and easy to guess, just to quickly comply with the rule. For example, they barely change their old password by adding a number or a character, which makes their security even more fragile.
For this reason, it is preferable to abandon these systematic expiration policies. A better approach is to encourage users to create long, complex passwords from the outset. This ensures more lasting security and reduces the risks associated with counter-productive habits.
Implement Rate Limiting
Rate limiting is an effective way of protecting passwords and countering brute force attacks. This method consists of limiting the number of connection attempts that a user or IP address can make in a given period of time.
Reducing the number of attempts makes it much harder for attackers to guess passwords by testing multiple combinations.
For example, if an attacker tries to force access to an account, a Rate Limiting system can block his attempts after five unsuccessful attempts in one minute. This temporary blocking slows down the attack and reduces its effectiveness.
A classic implementation consists of setting thresholds for attempts, with increasing delays between each new attempt after failure. For example, after five failed attempts, access is blocked for 30 seconds, then one minute, and so on. This protects accounts while avoiding penalising legitimate users who make input errors.
Set up multi-factor authentication
Multi-factor authentication is an essential method of securing user accounts. It adds an extra layer of protection by requiring a second proof of identity after the password has been entered.
Even if an attacker manages to obtain a password, it will be very difficult to access the account without the second factor.
Multi-factor authentication is based on the use of two distinct elements: something the user knows (password), possesses (smartphone, USB security key) or is (fingerprint, facial recognition). For example, after entering their password, users may have to enter a code received by SMS or generated by an application such as Google Authenticator.
This system is particularly effective against traditional attacks, such as phishing or credential stuffing, where only passwords are targeted. Even if the password is compromised, access remains blocked without the second factor.
Reusing passwords, credential stuffing and password spraying attacks
Reusing passwords is one of the riskiest practices in cybersecurity. Yet it remains commonplace.
With so many online accounts, many users prefer to memorise a single password that they reuse on several platforms.
This habit creates a major vulnerability, exploited by specific attacks such as credential stuffing and password spraying.
What is Credential Stuffing?
Credential stuffing is a method of attack in which attackers use combinations of usernames and passwords stolen in previous data leaks to try to log into other online accounts.
This technique is based on an alarming fact: many users reuse the same identifiers on several services.
The attacker automates these attempts using specialised tools capable of testing thousands of combinations in a very short space of time. For example, if a user has used the same password for their e-mail account and for a streaming service, and this password has been exposed in a leak, the attacker can potentially access both accounts.
Understanding Password Spraying
Password Spraying is an attack technique in which an attacker attempts to log into numerous accounts using a handful of common or weak passwords.
Unlike Credential Stuffing, which exploits specific passwords stolen in data leaks, Password Spraying relies on the use of generic passwords to target a large number of users.
Attackers test common passwords such as “123456”, “password” or “welcome2024” on thousands of accounts. This method is based on a simple rule: try passwords one by one on several accounts instead of trying numerous combinations on a single account.
This allows the attacker to avoid the automatic blocking often triggered by repeated unsuccessful attempts on the same account.
Measures to prevent Credential Stuffing and Password Spraying
Create unique passwords for each account
Reusing the same password on several platforms is a major mistake, because a single leak can compromise several accounts. The solution is simple: use unique, strong passwords for each service.
However, remembering many complex passwords can become a headache. Password managers offer a practical and secure solution. These tools automatically generate, store and fill in strong passwords, simplifying their management and avoiding the temptation to reuse weak or identical passwords.
Monitor data leaks
Data leaks feed directly into Credential Stuffing attacks. Millions of username and password combinations are circulating on forums or being sold on the dark web.
Proactive monitoring of these leaks is a crucial strategy for protection.
Have I Been Pwned is a popular platform for checking whether your email addresses or login details have been exposed in a leak. By entering an email address, the tool analyses known databases and informs you if any information associated with that address has been compromised.
Storing passwords in plain text
What is meant by storing passwords in clear text?
Cleartext storage means storing users’ passwords in a database or file without any form of encryption or protection.
This means that anyone accessing this database can read the passwords in their original format, as entered by the users.
So an attacker, via the successful exploitation of an SQL injection for example, can access the database and extract the passwords in clear text. This enables them to use this information directly to connect to accounts or exploit it in attacks such as Credential Stuffing.
The problem doesn’t stop there. If the database is compromised, the exposed passwords become accessible to anyone, sometimes even published on the Internet. This situation exacerbates the risks, not only for the users of the initial service, but also for all the other accounts where the passwords have been reused.
What’s more, storing passwords in the clear prevents any secure verification. For example, a malicious administrator or an employee with access privileges could read users’ passwords.
How to securely store passwords?
Securing password storage is essential to prevent massive compromise. The aim is to make passwords unreadable and unusable, even in the event of a leak or unauthorised access to the database.
To do this, they need to be transformed into an unreadable form using hash algorithms. These algorithms, such as Argon2, bcrypt or PBKDF2, generate a unique hash of the password.
Unlike encryption, hashing is unidirectional: it is not possible to retrieve the original password from the hash.
And to strengthen security, a salt must be added to each password. The salt is a random string of characters added before or after the password before the hash. It prevents the use of pre-calculated correspondence tables, such as rainbow tables, which allow passwords to be retrieved from their fingerprints.
For example, instead of simply hashing ‘mypasswordissecureandimpossibletoguess’, the system generates a random salt, such as ‘Z7x!d#’, and hashes the combination ‘Z7x!d#mypasswordissecureandimpossibletoguess’. Even if another user chooses the same password, the hash generated will be different thanks to the salt.
The use of the Argon2 algorithm is now recommended. It is designed to be resistant to brute force attacks by making each calculation attempt costly in terms of time and resources.
Finally, it is important to protect the database itself. Access must be restricted to authorised users and departments only. Communications between systems must be encrypted, and access logs regularly audited. Proactive monitoring enables any attempt at unauthorised access to be detected quickly.
Resetting passwords: a frequently exploited feature
Resetting passwords is an essential feature for enabling users to regain access to their accounts.
However, it is also a frequent target for attackers. Common risks include exploitation of insecure reset links. For example, if these links contain parameters that can be manipulated by a malicious user, they can be used to redirect victims to fraudulent sites.
In addition, tokens that are generated in a predictable way or do not expire quickly considerably increase the risk of exploitation.
To limit these threats, it is crucial to use tokens that are unique, random and have a limited validity period. The parameters used to construct the reset URLs must be strictly controlled on the server side to prevent any hijacking.
It is also advisable to remove all traces of secrets or tokens from server log files. One solution is to encapsulate this information in a part of the URL that is not transmitted to the server, for example after a pound sign (#), requiring client-side logic to process it.
For more information, see our dedicated article: Exploring Password Reset Vulnerabilities and Security Best Practices.
Other Measures to Protect Passwords
Protecting passwords is about more than just their complexity or technical management. It is crucial to adopt a global approach, reinforcing both systems and human behaviour.
Two complementary measures are essential: applying the principle of least privilege and raising user awareness.
Apply the principle of least privilege
The principle of least privilege consists of limiting the access rights of users and systems to the resources strictly necessary to accomplish their tasks. In other words, each user or department should only have access to data or functions that are essential to their needs.
For example, an employee with administrative responsibilities does not need access to encrypted passwords stored in the database. Similarly, external applications or services connected to your systems must have minimal authorisation to prevent a breach from compromising the entire network. This reduces the potential impact if an account or service is compromised.
Implementation can include rigorous controls on roles and authorisations in IT systems, as well as regular audits to identify and correct over-privileges. Combined with increased monitoring of suspicious activity, this strategy limits the opportunities for attackers.
Raise user awareness
Technologies are not enough if users do not adopt the right behaviours. Awareness is a cornerstone of password security. Many security incidents are the result of human error, such as sharing passwords, storing them in unsecured locations or repeatedly using weak passwords.
Awareness programmes must clearly explain the dangers of risky practices and the importance of unique, long and strong passwords. It is also essential to promote the use of password managers to minimise errors.
Regular training campaigns, backed up by concrete examples of attacks (such as credential stuffing), help to reinforce knowledge. For example, a simulated phishing attack can demonstrate the importance of not divulging your credentials.
Conclusion
Password security is a shared responsibility between users and organisations.
Common vulnerabilities, such as weak, reused or incorrectly stored passwords, provide an easy entry point for attackers. Attacks such as credential stuffing and password spraying exploit these vulnerabilities with formidable effectiveness.
In the face of these threats, technical measures such as secure encryption, rate limiting and multi-factor authentication play a key role.
However, technical solutions alone are not enough. Applying the principle of least privilege reduces the risks of exploitation of internal accounts, while user awareness remains essential to limit human error. Training and supporting users in adopting good practice, such as creating unique and strong passwords with dedicated managers, completes this approach.
By integrating these strategies into a global approach, it is possible to considerably reduce the risks associated with passwords. Security is more than just a constraint, it becomes a real lever for resilience in the face of cyber-attacks.
Author: Amin TRAORÉ – CMO @Vaadata