By: Adam Boyle
Complicated passwords. We all love them, right? Whether we are the CEO, the IT Manager, or just an everyday online user, do any of us actually look forward to coming up with a hard-to-guess but easy-to-remember, 12-character password complete with numbers and special characters?! Especially when so many of those characters, like ^ | : ; [ {, aren't even accepted much of the time.
Just a guess here, but I bet you or someone you work with has asked why such strict password rules are necessary. Even if you've heard all the reasons and do your best to comply, compromised passwords continue to be blamed for over 80% of company data breaches.
In this article, I will take you through three of the most common ways threat actors gain access to your data through weak, stolen, and recycled passwords. We will then break down ways for you and your employees to implement good password practices.
Brute Force
You have likely heard a lot about brute force. It has been the traditional way of breaking into accounts for years. The threat actor takes a known username and tries a guessed password against it. If that happens to be your current password, then BINGO, they are in. If not, they try variations of that password, for example Mocha, then M0cha. (Hint: changing the letter O to a zero doesn't fool the bad guys, and neither does swapping the letter i for an exclamation point or simply tacking one onto the end of a password. Cracking tools apply exactly these substitution and suffix rules automatically, so every "clever" tweak of a common word is already on their list. I don't want to disappoint you, but it isn't clever, and you aren't the only one doing it.)
Threat actors will continue trying the same username with different passwords over, and over, and over again until one hits. This is a lot like the famous “Here’s Johnny!” scene that Jack Nicholson performed in The Shining. He didn’t give up until he got through that door. If you aren’t familiar with that scene, imagine a puppy trying to get past a baby gate. It will keep pushing and pushing until it finally gets through. That, in its simplest form, is a brute force attack.
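To show why swapping letters for look-alike symbols buys nothing, here is an added example (not code from the article) that mimics the mangling rules password-cracking tools apply to a single dictionary word. The substitution table and suffix list are assumed, cut-down versions of the far larger rule sets real tools ship with.

```python
"""Expand one base word into the variations a rule-based guessing attack tries.

Added example, not from the original article. LEET and SUFFIXES are assumed,
deliberately small rule sets; real cracking rule files are much larger.
"""
import itertools

# Look-alike substitutions attackers routinely try (assumed, abbreviated table).
LEET = {"o": "0", "i": "!", "a": "@", "e": "3", "s": "$"}
# Things people bolt onto the end of a word (assumed, abbreviated list).
SUFFIXES = ["", "!", "1", "123", "2024", "2025"]


def leet_variants(word: str) -> set[str]:
    """Every combination of applying or not applying each substitutable letter."""
    positions = [i for i, ch in enumerate(word) if ch.lower() in LEET]
    out = set()
    for mask in itertools.product([False, True], repeat=len(positions)):
        chars = list(word)
        for pos, flip in zip(positions, mask):
            if flip:
                chars[pos] = LEET[chars[pos].lower()]
        out.add("".join(chars))
    return out


def case_variants(word: str) -> set[str]:
    """The capitalisation patterns people actually use."""
    return {word, word.lower(), word.upper(), word.capitalize()}


def candidates(base: str) -> set[str]:
    """Case rules x substitution rules x suffix rules, from one base word."""
    out = set()
    for cased in case_variants(base):
        for leeted in leet_variants(cased):
            for suffix in SUFFIXES:
                out.add(leeted + suffix)
    return out


if __name__ == "__main__":
    cands = candidates("mocha")
    for guess in ["Mocha", "M0cha", "Mocha!", "m0cha2025", "M0ch@!"]:
        print(f"{guess:12} {'on the list' if guess in cands else 'missed'}")
    print(f"{len(cands)} candidates from one base word")
```

Every one of Mocha, M0cha, Mocha! and m0cha2025 falls out of the same base word; this toy rule set alone turns one word into 72 guesses, and a real rule set multiplies that by orders of magnitude before the attacker has spent a second of effort.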
How do you protect against this type of attack?
Let's begin your journey to better password hygiene with some basic best practices. I suggest starting by implementing the following password policies for your business.
A password lockout policy literally locks the user out of their account for a predetermined amount of time after too many failed attempts. For example, after a set number of failures the user waits 60 seconds, one more failure locks them out for five minutes, and so on, with each lockout lasting longer than the last. This 'lockout' prevents someone (or a computer program) from hammering passwords into the system. Set the threshold with care: a lockout that triggers too easily lets an attacker lock your own staff out on purpose, and it only counts attempts against a single account, which is exactly the gap password spraying (below) exploits.
Password age requirements force users to change their password after a predetermined number of days, such as every 30 days, 90 days, or once a year. One caveat: current NIST guidance (SP 800-63B) advises against forced periodic changes on their own, because users respond with predictable tweaks like Winter2025 becoming Spring2025. An age policy works best alongside a password manager, and a change should always be forced the moment a password is known or suspected to be compromised.
Password history policies keep a record of previously used passwords and prevent users from reusing them for a certain length of time or number of changes. That record should hold salted hashes of the old passwords, never the passwords themselves.
Another great prevention method is Multi-Factor Authentication (MFA). MFA requires a second proof of identity, such as a code from an authenticator app or a tap on a hardware key, so a password that has been guessed or stolen is not enough on its own to get in.
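To make the lockout, age and history policies above concrete, here is an added example (not code from the article or from Networks Plus) of a small authentication store that enforces escalating lockouts, refuses reuse of recent passwords, and flags an expired password. The thresholds, lockout steps and PBKDF2 settings are assumed values for illustration, and timestamps are passed in explicitly so the behaviour can be followed step by step.

```python
"""Toy authentication store enforcing lockout, history and age policies.

Added example, not the article's code. All policy constants are assumed values.
Time is passed in as epoch seconds so the sequence below is deterministic.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass, field

FAILURES_BEFORE_FIRST_LOCK = 5      # assumed: failed attempts before the first lockout
LOCKOUT_STEPS = [60, 300, 900]      # assumed: seconds; each further failure escalates a step
HISTORY_DEPTH = 10                  # assumed: a new password may not match the last 10
MAX_AGE_SECONDS = 90 * 86400        # assumed: 90-day age requirement
PBKDF2_ROUNDS = 100_000             # assumed; production should use a tuned, slower setting


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: current and historical passwords are stored only as hashes."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    salt: bytes
    digest: bytes
    changed_at: float                              # epoch seconds of the last password change
    history: list = field(default_factory=list)    # [(salt, digest), ...], newest first
    failures: int = 0                              # failures since the last lock or success
    lock_level: int = 0                            # lockouts so far in this streak
    locked_until: float = 0.0


class AuthStore:
    def __init__(self) -> None:
        self.accounts: dict[str, Account] = {}

    def create(self, user: str, password: str, now: float) -> None:
        salt = os.urandom(16)
        self.accounts[user] = Account(salt, _hash(password, salt), now)

    def login(self, user: str, password: str, now: float) -> str:
        acct = self.accounts.get(user)
        if acct is None:
            return "bad_password"       # same answer as a wrong password: no username enumeration
        if now < acct.locked_until:
            return "locked"             # even the correct password is refused while locked
        if hmac.compare_digest(_hash(password, acct.salt), acct.digest):
            acct.failures = acct.lock_level = 0
            if now - acct.changed_at > MAX_AGE_SECONDS:
                return "ok_password_expired"
            return "ok"
        acct.failures += 1
        # The first lockout needs several failures; once locked out, one more failure escalates.
        threshold = FAILURES_BEFORE_FIRST_LOCK if acct.lock_level == 0 else 1
        if acct.failures >= threshold:
            duration = LOCKOUT_STEPS[min(acct.lock_level, len(LOCKOUT_STEPS) - 1)]
            acct.locked_until = now + duration
            acct.lock_level += 1
            acct.failures = 0
            return f"locked_for_{duration}s"
        return "bad_password"

    def change_password(self, user: str, new_password: str, now: float) -> str:
        acct = self.accounts[user]
        # Check the candidate against the current password and the retained history,
        # each under its own salt, before accepting it.
        for salt, digest in [(acct.salt, acct.digest)] + acct.history[: HISTORY_DEPTH - 1]:
            if hmac.compare_digest(_hash(new_password, salt), digest):
                return "rejected_reused"
        acct.history.insert(0, (acct.salt, acct.digest))
        del acct.history[HISTORY_DEPTH:]
        acct.salt = os.urandom(16)
        acct.digest = _hash(new_password, acct.salt)
        acct.changed_at = now
        return "changed"


if __name__ == "__main__":
    store = AuthStore()
    store.create("alice", "CorrectHorse", now=0.0)
    for t in range(1, 6):
        print(store.login("alice", "wrong", now=float(t)))   # 4 x bad_password, then locked_for_60s
    print(store.login("alice", "CorrectHorse", now=10.0))     # locked: right password, wrong time
    print(store.login("alice", "wrong", now=70.0))            # one more failure escalates to 300s
    print(store.change_password("alice", "CorrectHorse", 400.0))  # rejected_reused
```

Note that the escalation follows the article's description: a burst of failures earns the first short lockout, and every further failure after it expires earns a longer one, so a guessing program is throttled to a handful of attempts per hour while a user who mistypes once is barely inconvenienced.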
Password Spraying
This is the inverse of brute force: instead of many passwords against one account, it is one password against many accounts. This type of attack typically happens when a threat actor has access to a large number of usernames or can easily guess the pattern used to create them.
Think of your company. Do you use first initial, last name? Maybe first name, last initial, or even first and last name. My point is, guessing a username is easy: if you know one, you can likely infer the others. The threat actor then takes a commonly used password like 123456 (yes, that still tops the lists of leaked passwords) or a season with the year, Winter2025 (a format that is depressingly common in organizations), and tries that one password against every user. If they don't get a hit, they pick another commonly used password and run the whole list again.
This attack can be highly effective because it slips under the security policies set up against brute force: each account sees only one or two failed attempts, so no lockout ever triggers, and the attacker simply waits a while before the next round. This would be similar to finding a key in an apartment building. Instead of turning that key in, you decide to start going door-to-door trying the key in every lock until you find the one that works.
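The difference between the two attacks shows up clearly in authentication logs, which is also how a defender catches a spray even though no lockout fires. Below is an added example (not from the article) that reads constructed log lines in a simplified "timestamp source_ip user result" format, counts failures per source and per user, and labels each source as brute force or a password spray; the thresholds are assumed values to be tuned for your own environment.

```python
"""Classify failed-login activity per source as brute force or password spraying.

Added example, not from the original article. SAMPLE_LOG is constructed data in
a simplified format; the thresholds are assumptions a SOC would tune locally.
"""
from collections import defaultdict

BRUTE_FORCE_MIN_FAILS = 10   # assumed: one account hammered this often from one source
SPRAY_MIN_USERS = 5          # assumed: one source touching at least this many accounts...
SPRAY_MAX_PER_USER = 2       # assumed: ...with no more than this many tries per account

# Constructed sample log (not real data). Format: "<timestamp> <source_ip> <user> <result>"
USERS = ["jsmith", "bgomez", "alee", "mchen", "rpatel", "kjones", "dkim", "tnguyen", "swilson"]
SAMPLE_LOG = "\n".join(
    # 203.0.113.5: a single guess against every account, then a hit on kjones (spray)
    [f"2025-01-10T09:00:{i:02d} 203.0.113.5 {u} FAIL" for i, u in enumerate(USERS)]
    + ["2025-01-10T09:01:00 203.0.113.5 kjones SUCCESS"]
    # 198.51.100.7: twelve guesses against one account, then a hit (brute force)
    + [f"2025-01-10T09:02:{i:02d} 198.51.100.7 bgomez FAIL" for i in range(12)]
    + ["2025-01-10T09:03:00 198.51.100.7 bgomez SUCCESS"]
    # 192.0.2.9: a user mistyping twice and then logging in (benign)
    + ["2025-01-10T09:04:00 192.0.2.9 alee FAIL",
       "2025-01-10T09:04:05 192.0.2.9 alee FAIL",
       "2025-01-10T09:04:10 192.0.2.9 alee SUCCESS"]
)


def parse(log: str) -> list[tuple[str, str, str, str]]:
    """Split each non-empty line into (timestamp, source_ip, user, result)."""
    events = []
    for line in log.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((ts, ip, user, result))
    return events


def classify(events: list[tuple[str, str, str, str]]) -> dict[str, dict]:
    """Return {source_ip: {"pattern": ..., "successes": [users]}} for suspicious sources."""
    fails = defaultdict(lambda: defaultdict(int))   # ip -> user -> failed attempts
    successes = defaultdict(list)                   # ip -> users that logged in from it
    for _, ip, user, result in events:
        if result == "FAIL":
            fails[ip][user] += 1
        elif result == "SUCCESS" and user not in successes[ip]:
            successes[ip].append(user)
    findings = {}
    for ip, per_user in fails.items():
        heaviest = max(per_user.values())
        if len(per_user) >= SPRAY_MIN_USERS and heaviest <= SPRAY_MAX_PER_USER:
            pattern = "password_spray"      # wide and shallow: under any per-account lockout
        elif heaviest >= BRUTE_FORCE_MIN_FAILS:
            pattern = "brute_force"         # narrow and deep: a lockout policy would catch this
        else:
            continue
        findings[ip] = {"pattern": pattern, "successes": successes.get(ip, [])}
    return findings


if __name__ == "__main__":
    for ip, finding in classify(parse(SAMPLE_LOG)).items():
        print(ip, finding["pattern"], "compromised:", finding["successes"] or "none")
```

The spraying source never exceeds one failure per account, so a per-account lockout policy stays silent; it is only visible when failures are grouped by source instead of by user. A success from a source that was just flagged is the line to act on first, since that account is now in the attacker's hands.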
To protect against this type of attack we suggest you implement the following practices:
Let's talk a bit more about password management systems. A password manager is typically third-party software that generates strong, unique passwords, stores them encrypted, and fills them in for you. This takes a lot of work and effort off the end user. Because, let's face it, end users will use whatever is easiest, which typically leads to easy-to-guess passwords or variations of the same password everywhere. By providing a system that automates password creation and storage, the end users and their personal preferences are taken out of the equation.
Credential Stuffing
This is when a threat actor takes a username and password that are known to be valid, usually lifted from a data breach at one site, and tries them (or variations of them) against other accounts, sites, and applications.
Let's say you or I get comfortable with a certain password. We then use that password, or a variation of it, on multiple websites and accounts. This is highly dangerous and a leading cause of identity theft: a breach at any one of those sites hands the attacker the key to all of them.
I want you to think of your top one or two places you visit online, like perhaps Amazon and Netflix. Now think about your banking: mortgage, car loans, credit cards, checking, savings accounts, etc. Do you visit those accounts online? If so, are your passwords the same or similar? Are you using your favorite pets, kids, birthdays, holidays, etc., as passwords? If you are, I can't express strongly enough that you need to change them now! I don't want you to panic, but these are very easy to guess and break. All those accounts you just thought about are a threat actor's dream. It is incredibly easy for them to link those accounts together and wreck your digital and financial life with a single keystroke.
The good news, in my opinion, is that this is probably one of the easiest threats to protect yourself against. A password manager and MFA, paired together, give you a strong, unique password for every account while also verifying that it's really you logging in.
Cliff Notes
I threw a lot of information at you in a few short pages, so let me give you the Cliff Notes version for those of you who skim and just want the gist of this message.
In its simplest form, the battle against password compromise comes down to these two things.
I would highly encourage you to, at a minimum, implement a good password manager and set MFA on EVERYTHING. When it comes to finding a quality password manager, keep in mind that you get what you pay for. Free doesn't guarantee your data is protected. It's like handing the keys to your car to a stranger in a parking lot: you're gambling on whether your car will still be there when you return. If you wouldn't risk your car, don't risk your data.
Even if you think this sounds overly dramatic and a little over-the-top, I promise the implementation of these steps is not as painful as it sounds. Taking an extra second or two to verify your identity can not only save your data, it can save you time, energy, and money in the long run. If you want help navigating any of this, I encourage you to reach out to our team at Networks Plus. We would love to help you navigate the world of cybersecurity!