Despite the growing awareness of cyber threats targeting businesses and individuals, research shows that a startling amount of Australians continue to use predictable and poorly maintained password practices for their online accounts.
In 2021, more than 85 million passwords were leaked in Australia, an average of 3.312 per capita. Research from global cyber security firm, Imperva, found that in the last 12 months, 70% of account takeovers in Australia were due to brute force attacks on vulnerable passwords.
Find out if your password would survive a brute force attack below.
What is a brute force attack?
A brute-force attack is an attempt to discover a password by systematically trying every possible combination of letters, numbers, and symbols until the correct combination is found. These attacks are called ‘brute force’ because of the excessive attempts and combinations used to try and ‘force’ their way into your private account.
Cyber criminals launch brute-force attacks using widely available tools and programs that utilise artificial intelligence, wordlists and smart rulesets to automatically run combinations in order to guess user passwords.
Once a password has been successfully guessed, cyber criminals can steal sensitive data, spread harmful malware such as ransomware and hijack your systems in a matter of moments.
How long would it take a hacker to brute force attack your password?
Created by cyber security firm, Hive Systems, the below table demonstrates the amount of time passwords of a specific length and character set would take to crack using a brute force attack.
Source: Hive Systems
You can find out more about the methodology behind Hive Systems password table here.
Australia's Top 10 most popular passwords
- 123456
- password
- lizottes
- password1
- 123456789
- 12345
- abc123
- qwerty
- 12345678
- Holden
Recommendations from the Australian Cyber Security Centre
To mitigate cyber security incidents caused by password breaches, the Australian Cyber Security Centre (ACSC) advises the following:
- Require all users to periodically reset passwords to reduce the ongoing risk of credential compromises.
- Consider increasing password length and complexity requirements to mitigate the risk of brute-force attacks being successful.
- Implement a lockout for multiple failed login attempts.
- If credentials have been compromised, reset passwords as soon as possible.
- Discourage users from reusing the same password across critical services such as banking and social media sites, or sharing passwords for a critical service with a non-critical service.
- Recommend the use of passphrases that are not based on simple dictionary words or a combination of personal information: this reduces the risk of password guessing and simple brute-forcing.
- Advise users to ensure new passwords do not follow a recognisable pattern: this reduces the risk of intelligent brute-forcing based on previously stolen credentials.
Implement multifactor authentication (MFA) on all systems
Multi-Factor Authentication (MFA) is highly effective at mitigating brute force attacks due to the additional complexity applied to the authentication process. MFA is the use of more than just the one form of authentication when using your username and password to log into a system. This ensures that the user logging in is who they state they are, and protects your data if your credentials are compromised.
Using MFA means that if a staff member has had their login credentials compromised by brute force attack, an intruder still won’t have access without the secondary (or tertiary) authentication method.
How can Diamond IT help?
If you want to educate your employees on how to create and maintain secure passwords, our staff education programs and policy and procedure reviews can help. Our Business Technology Consultants are specialists in improving your internal cyber security.
- Cyber Security Awareness training
- Cyber and Data Breach consulting and forensic analysis
- Disaster Recovery (DR) planning
If you need advice on how you can ensure your cyber security strategy is fit for purpose, our team of cyber security experts are ready to help. Contact our team on 1300 307 907 today.
