TL;DR
Automated attacks try many common passwords to get into your accounts. This guide shows you how to protect yourself using strong, unique passwords and extra security measures like multi-factor authentication.
What are Password Guessing Attacks?
Hackers use software (bots) to automatically try millions of username/password combinations against websites and services. They focus on common usernames and easily guessed passwords. These attacks aren’t sophisticated, but they work because many people reuse weak passwords.
How to Protect Yourself
- Use Strong Passwords: This is the most important step.
  - Length: Aim for at least 12 characters. Longer is better!
  - Complexity: Mix uppercase and lowercase letters, numbers, and symbols (e.g., !@#$%^&*).
  - Avoid Personal Info: Don’t use birthdays, pet names, or anything easily found online.
  - Example of a good password: P@sswOrd123!
- Unique Passwords for Each Account: Never reuse the same password on multiple websites.
  - If one site is hacked, all your accounts using that password are at risk.
- Use a Password Manager: This makes creating and remembering strong passwords much easier.
  - Password managers generate secure passwords and store them safely (encrypted).
  - Popular options include LastPass, 1Password, Bitwarden, and KeePass.
- Enable Multi-Factor Authentication (MFA): This adds an extra layer of security.
  - Even if a hacker gets your password, they’ll also need a code from your phone or another device.
  - How to enable MFA: Most websites offer this in their security settings. Look for options like “Two-Factor Authentication” or “Verification Code”. Common methods include:
    - Authenticator apps (Google Authenticator, Authy)
    - SMS codes (less secure, but better than nothing)
    - Security keys (YubiKey, Google Titan Key – most secure)
- Be Wary of Phishing Emails: Hackers often try to steal passwords by sending fake emails that look legitimate.
  - Check the sender’s address carefully. Is it a real email from the company?
  - Don’t click on links in suspicious emails. Go directly to the website instead.
  - Never enter your password on a website linked from an email.
- Regularly Check for Data Breaches: Websites you use may be hacked, exposing your username and password.
  - Use a service like Have I Been Pwned? to check if your email address has been involved in any data breaches.
  - If your account is compromised, change your password immediately!
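The "Use Strong Passwords" rules above (12+ characters, all four character classes) can be turned into a small generator and checker. This is an added example, not code from the guide or from any password manager it names; the function names, the symbol set and the sample candidate strings are this example's own choices.

```python
import secrets
import string

# Rules from the guide above: at least 12 characters, mixing uppercase,
# lowercase, digits and symbols. Names and thresholds here are this example's own.
MIN_LENGTH = 12
SYMBOLS = "!@#$%^&*"
CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS)
ALPHABET = "".join(CLASSES)


def check_password(pw: str) -> list:
    """Return the policy rules the password fails; an empty list means it passes."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c in string.ascii_lowercase for c in pw):
        problems.append("no lowercase letter")
    if not any(c in string.ascii_uppercase for c in pw):
        problems.append("no uppercase letter")
    if not any(c in string.digits for c in pw):
        problems.append("no digit")
    if not any(c in SYMBOLS for c in pw):
        problems.append("no symbol")
    return problems


def generate_password(length: int = 16) -> str:
    """Generate a random password that satisfies check_password.

    Draws from the secrets module (a CSPRNG), never from random.random().
    One character is taken from each class so every class is present; the rest
    come from the full alphabet, and the list is shuffled with secrets.randbelow
    so the class positions are not predictable.
    """
    if length < MIN_LENGTH:
        raise ValueError("length must be at least %d" % MIN_LENGTH)
    chars = [secrets.choice(cls) for cls in CLASSES]
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(chars))]
    for i in range(len(chars) - 1, 0, -1):  # Fisher-Yates shuffle
        j = secrets.randbelow(i + 1)
        chars[i], chars[j] = chars[j], chars[i]
    return "".join(chars)


if __name__ == "__main__":
    # Constructed sample inputs: two weak candidates and one generated password
    for candidate in ("summer2023", "Tr0ub4dor&3", generate_password()):
        verdict = check_password(candidate)
        print("%-20s %s" % (candidate, "OK" if not verdict else ", ".join(verdict)))
```

Character-class rules are a floor, not a ceiling: they say nothing about whether a string is a predictable variation of a dictionary word, so a site enforcing them should also reject passwords that appear in published breach lists, and a user is best served by letting the password manager generate the value, as the next bullet recommends.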
Technical Considerations (for website owners)
- Rate Limiting: Limit the number of login attempts from a single IP address within a certain timeframe.
  # Example using fail2ban on Linux:
  [sshd]
  enabled = true
  port = ssh
  logpath = /var/log/auth.log
  maxretry = 3
  findtime = 600
  bantime = 3600
- Account Lockout: Temporarily lock accounts after a certain number of failed login attempts.
- CAPTCHA: Use CAPTCHAs to prevent automated bots from submitting login forms.
- Password Complexity Enforcement: Require users to create strong passwords that meet specific criteria.
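The rate-limiting and account-lockout items above are two views of the same counter: failures per source IP and failures per account, each over a sliding window. The following is an added example (not fail2ban's code and not from the guide) that applies the thresholds from the fail2ban snippet above, 3 failures within 600 seconds giving a 3600-second block, to a constructed login log. The log format, the IP addresses (documentation ranges), the user names and the class and function names are all this example's own.

```python
import re
from collections import defaultdict, deque

# Thresholds mirror the fail2ban example above: 3 failures within 600 s, block for 3600 s.
MAX_RETRY = 3
FIND_TIME = 600
BAN_TIME = 3600

# Constructed sample login log (not from a real system): <unix_ts> <OK|FAIL> <user> <source_ip>
SAMPLE_LOG = """\
1700000000 FAIL admin 203.0.113.10
1700000005 FAIL admin 203.0.113.10
1700000010 FAIL root 203.0.113.10
1700000011 FAIL admin 203.0.113.10
1700000020 OK alice 198.51.100.7
1700000100 FAIL bob 198.51.100.20
1700000200 FAIL bob 198.51.100.21
1700000300 FAIL bob 198.51.100.22
1700000301 OK bob 198.51.100.7
1700003901 OK bob 198.51.100.7
"""
LINE_RE = re.compile(r"^(\d+) (OK|FAIL) (\S+) (\S+)$")


class LoginGuard:
    """Sliding-window failure counter per source IP (rate limiting) and per account (lockout)."""

    def __init__(self, max_retry=MAX_RETRY, find_time=FIND_TIME, ban_time=BAN_TIME):
        self.max_retry, self.find_time, self.ban_time = max_retry, find_time, ban_time
        self.failures = defaultdict(deque)  # key -> timestamps of failures inside the window
        self.blocked_until = {}             # key -> unix time at which the block expires

    def is_blocked(self, key, ts):
        return self.blocked_until.get(key, 0) > ts

    def _record_failure(self, key, ts):
        """Add a failure; return True if it pushes the key over the threshold."""
        window = self.failures[key]
        window.append(ts)
        while window and ts - window[0] > self.find_time:
            window.popleft()            # drop failures older than find_time
        if len(window) >= self.max_retry:
            self.blocked_until[key] = ts + self.ban_time
            window.clear()
            return True
        return False

    def attempt(self, ts, ok, user, ip):
        """Classify one login attempt.

        blocked   - rejected before credentials are checked (IP or account block active)
        banned    - this failure tripped the threshold; a block starts now
        processed - passed through to normal credential checking
        """
        ip_key, user_key = ("ip", ip), ("user", user)
        if self.is_blocked(ip_key, ts) or self.is_blocked(user_key, ts):
            return "blocked"
        if ok:
            return "processed"
        tripped_ip = self._record_failure(ip_key, ts)
        tripped_user = self._record_failure(user_key, ts)
        return "banned" if (tripped_ip or tripped_user) else "processed"


def replay(log_text, guard=None):
    """Run the guard over log lines; return [(ts, user, ip, action), ...]."""
    guard = guard or LoginGuard()
    out = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore malformed lines rather than crash the detector
        ts, result, user, ip = int(m.group(1)), m.group(2), m.group(3), m.group(4)
        out.append((ts, user, ip, guard.attempt(ts, result == "OK", user, ip)))
    return out


if __name__ == "__main__":
    for ts, user, ip, action in replay(SAMPLE_LOG):
        print(ts, "%-9s" % action, user, ip)
```

In the sample, the per-IP rule stops the single source that fails three times in ten seconds, while the per-account rule catches the guesses against `bob` that arrive from three different addresses, which an IP-only limiter would never correlate; `bob`'s correct login at second 301 is still refused until the lockout expires. That last point is the trade-off of account lockout: it can be triggered against a legitimate user deliberately, so keep lockouts temporary and short, notify the account owner, and rely on per-IP limiting and CAPTCHAs for the bulk of automated traffic.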