
Many businesses don't do enough to shield against brute force attacks

Image: password (Image credit: Shutterstock/Ai825)

An analysis of millions of breached passwords has shown a clear trend: businesses aren’t doing enough to protect their customers from brute force attacks.

When conducting a brute force attack, the attacker tries username and password combinations one after another, potentially a very large number of them, until one combination succeeds. Rather than guessing at random, the attacker usually starts from a database of usernames and passwords exposed in earlier breaches.
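From a defender's side, the pattern described above shows up in authentication logs as a burst of failed logins from one source, often followed by a success once a reused credential works. The following is an added example, not code from the article or from Specops: it parses a few constructed sshd-style log lines (the format, hostnames and addresses are assumptions, not real data), flags sources that exceed a failure threshold inside a sliding time window, and lists successful logins that followed such a burst, which is the event worth investigating first.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines in an sshd-like format; not real log data.
SAMPLE_LOG = """\
2024-03-01T10:00:01 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:02 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:03 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:04 auth: Failed password for alice from 203.0.113.7
2024-03-01T10:00:05 auth: Failed password for bob from 203.0.113.7
2024-03-01T10:00:06 auth: Accepted password for bob from 203.0.113.7
2024-03-01T10:00:07 auth: Failed password for carol from 198.51.100.2
2024-03-01T10:30:00 auth: Failed password for carol from 198.51.100.2
"""

# Assumed line layout: "<iso timestamp> auth: <Failed|Accepted> password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)


def parse_events(text):
    """Turn log text into a list of event dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "failed": m["result"] == "Failed",
            "user": m["user"],
            "ip": m["ip"],
        })
    return events


def find_brute_force_sources(events, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: {"peak_failures": n, "users": [...]}} for every source whose
    failed logins reached `threshold` inside any `window`-long sliding window."""
    by_ip = defaultdict(list)
    for e in events:
        if e["failed"]:
            by_ip[e["ip"]].append(e)

    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort(key=lambda e: e["ts"])
        best, start = 0, 0
        for end, e in enumerate(fails):
            # Slide the window start forward until it fits inside `window`.
            while e["ts"] - fails[start]["ts"] > window:
                start += 1
            best = max(best, end - start + 1)
        if best >= threshold:
            flagged[ip] = {
                "peak_failures": best,
                "users": sorted({f["user"] for f in fails}),
            }
    return flagged


def successes_after_burst(events, flagged):
    """List (user, ip) pairs where a login was accepted from a flagged source
    after that source had already produced failures: a likely compromised account."""
    seen_failure = set()
    hits = []
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["ip"] not in flagged:
            continue
        if e["failed"]:
            seen_failure.add(e["ip"])
        elif e["ip"] in seen_failure:
            hits.append((e["user"], e["ip"]))
    return hits


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    flagged = find_brute_force_sources(evs)
    for ip, info in flagged.items():
        print(f"{ip}: {info['peak_failures']} failures in window, users tried: {info['users']}")
    for user, ip in successes_after_burst(evs, flagged):
        print(f"review account {user}: accepted login from {ip} after failure burst")
```

The threshold and window are deliberately simple knobs; in practice they are tuned per service, and the same logic is worth running per username as well as per source address, since attackers spread attempts across many addresses to stay under per-IP limits.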

Cybersecurity researchers from Specops recently analyzed a database of 200 million passwords found in the RockYou2021 collection, which has been circulating on the dark web.

The conclusion is that too many businesses and services still allow their users and customers to create weak passwords. A weak password is one built on a well-known base word (such as “password” or “123456”) and lacking a combination of letters, numbers and symbols.

“One should strive, when generating a password policy, to prevent passwords and passphrases consisting of only numbers, or only letters, encouraging sufficient entropy via other characters and randomness,” Specops writes in a blog post.

“A similar pattern is seen with the reliance on ‘qwerty’ as a base-word in the dataset; weak passwords trend towards ‘keyboard-walking’ patterns, since many users find them easy to remember, increasing their frequency in leaks and similar datasets.”
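The two recommendations above (reject number-only and letter-only passwords, and catch common base words and keyboard walks) can be turned into a policy check at account creation. The code below is an added example and is not Specops' tool or the article's own code. Its denylist of base words is a small constructed stand-in for a real breached-password list, the keyboard rows are assumed for a US layout, and the entropy figure is the usual character-pool estimate (length × log2 of the pool size), which is a simplification rather than a measure of how the password was actually chosen.

```python
import math
import re

# Constructed stand-in for a breached-password denylist; a real deployment
# would check against a large breach corpus such as the one the article describes.
COMMON_BASE_WORDS = ("password", "123456", "qwerty", "letmein", "welcome", "admin")

# Assumed US keyboard rows used to detect "keyboard walks" like qwer, asdf, 1234.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")

# Common leet substitutions undone before looking for a base word (P@ssw0rd -> password).
LEET = str.maketrans("@04$3!1", "aoaseii")


def is_keyboard_walk(pw, min_len=4):
    """True if pw contains min_len or more adjacent keys from one row, in either direction."""
    s = pw.lower()
    for row in KEYBOARD_ROWS:
        for seq in (row, row[::-1]):
            for i in range(len(seq) - min_len + 1):
                if seq[i:i + min_len] in s:
                    return True
    return False


def find_common_base_word(pw):
    """Return the first denylisted base word found in pw, with or without leet undone."""
    lower = pw.lower()
    for candidate in (lower, lower.translate(LEET)):
        for word in COMMON_BASE_WORDS:
            if word in candidate:
                return word
    return None


def char_pool_size(pw):
    """Size of the alphabet a brute-force search would have to cover for this password."""
    pool = 0
    if re.search(r"[a-z]", pw):
        pool += 26
    if re.search(r"[A-Z]", pw):
        pool += 26
    if re.search(r"[0-9]", pw):
        pool += 10
    if re.search(r"[^a-zA-Z0-9]", pw):
        pool += 33  # printable ASCII symbols
    return pool


def entropy_bits(pw):
    """Character-pool entropy estimate: length * log2(pool). Zero for an empty password."""
    pool = char_pool_size(pw)
    return len(pw) * math.log2(pool) if pool else 0.0


def evaluate_password(pw, min_entropy=40.0):
    """Apply the policy and return the findings; an empty findings list means accepted."""
    findings = []
    if pw.isdigit():
        findings.append("only digits")
    if pw.isalpha():
        findings.append("only letters")
    base = find_common_base_word(pw)
    if base:
        findings.append(f"common base word '{base}'")
    if is_keyboard_walk(pw):
        findings.append("keyboard walk")
    bits = entropy_bits(pw)
    if bits < min_entropy:
        findings.append(f"low entropy ({bits:.1f} bits)")
    return {"entropy_bits": round(bits, 1), "findings": findings, "accepted": not findings}


if __name__ == "__main__":
    for candidate in ("123456", "P@ssw0rd!", "qwerty2024", "Correct-Horse7-Battery"):
        result = evaluate_password(candidate)
        verdict = "accepted" if result["accepted"] else "rejected: " + "; ".join(result["findings"])
        print(f"{candidate!r}: {verdict}")
```

Note that "P@ssw0rd!" scores well on the entropy estimate yet is still rejected, because the base-word check sees through the substitutions; this is why a policy built only on character-class rules lets the passwords the article describes through.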

Experts warn against using the same password across multiple services, as that makes brute force attacks that much easier. Businesses should also strive towards mandating multi-factor authentication whenever possible.

Sead Fadilpašić is a freelance tech writer and journalist with more than 17 years of experience writing technology-focussed news, blogs, whitepapers, reviews, and ebooks. His work has featured in online media outlets from all over the world, including Al Jazeera Balkans (where he was a Multimedia Journalist), Crypto News, TechRadar Pro, and IT Pro Portal, where he has written news and features for over five years. Sead's experience also includes writing for inbound marketing, where he creates technology-based content for clients from London to Singapore. Sead is a HubSpot-certified content creator.