An analysis of millions of breached passwords has shown a clear trend: businesses aren’t doing enough to protect their customers from brute force attacks.
When conducting a brute force attack, the attacker tries a huge number of username and password combinations until one succeeds. The attacker usually starts with a database of previously breached usernames and passwords.
Cybersecurity researchers from Specops recently analyzed a database of 200 million passwords found in the RockYou2021 collection, which has been circulating on the dark web.
The conclusion is that there are still too many businesses and services allowing their users and customers to create weak passwords. A weak password is one built on a well-known base word (such as “password” or “123456”) and one that doesn’t combine letters, numbers and symbols.
“One should strive, when generating a password policy, to prevent passwords and passphrases consisting of only numbers, or only letters, encouraging sufficient entropy via other characters and randomness,” Specops writes in a blog post.
“A similar pattern is seen with the reliance on ‘qwerty’ as a base-word in the dataset; weak passwords trend towards 'keyboard-walking' patterns, since many users find them easy to remember, increasing their frequency in leaks and similar datasets.”
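The policy points above (reject number-only or letter-only passwords, well-known base words, and keyboard-walking patterns) as an added example of a server-side policy check; this is illustrative code, not Specops' own tooling, and the base-word list and QWERTY rows are constructed stand-ins for a real breached-password list.

```python
import re

# Constructed sample of common base words seen in breach corpora; a real
# deployment would check against a full breached-password list instead.
COMMON_BASE_WORDS = ("password", "123456", "qwerty", "iloveyou", "admin")

# Rows of a US QWERTY keyboard, used to detect keyboard-walking patterns.
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")


def has_keyboard_walk(pw: str, run: int = 5) -> bool:
    """True if pw contains `run` adjacent keys from one keyboard row, in
    either direction. Runs shorter than 5 start matching ordinary words
    (e.g. 'liberty' contains 'erty'), so 5 is a sensible default."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seg = row[i:i + run]
            if seg in low or seg[::-1] in low:
                return True
    return False


def check_password(pw: str, min_len: int = 12) -> list[str]:
    """Return the list of policy violations; an empty list means it passes."""
    problems = []
    if len(pw) < min_len:
        problems.append(f"shorter than {min_len} characters")
    if pw.isdigit():
        problems.append("digits only")
    if pw.isalpha():
        problems.append("letters only")
    # Count character classes: lowercase, uppercase, digit, anything else.
    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("fewer than 3 character classes")
    low = pw.lower()
    for word in COMMON_BASE_WORDS:
        if word in low:  # catches 'Password123!' as well as bare 'password'
            problems.append(f"contains common base word '{word}'")
    if has_keyboard_walk(pw):
        problems.append("contains keyboard-walk sequence")
    return problems


if __name__ == "__main__":
    for candidate in ("123456", "Qwerty2024!!", "Tr4vel-Lamp-Orbit-93"):
        print(candidate, "->", check_password(candidate) or "OK")
```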
Experts warn against using the same password across multiple services, as that makes brute force attacks that much easier. Businesses should also strive towards mandating multi-factor authentication whenever possible.