Organizations large and small turn to NIST password guidelines when developing their information security framework—the robust plan outlining the security policies and procedures employees must adhere to. These frameworks play a pivotal role in protecting MSPs and their customers from the increasingly prevalent threat of cybercriminals. The most common—and the most destructive—password-based attacks include:
- Phishing attacks: While phishing attacks can take many forms, they often consist of a cybercriminal simply asking for a user’s login ID and password. This “ask” is typically disguised as a legitimate email request from a well-known service provider or vendor. Users who open the email are directed to a landing page created by the attacker and prompted to enter their credentials. If they are unaware the email request originated from a bad actor, they may provide the attacker with the keys to their personal data. According to a new report from Proofpoint, phishing attacks skyrocketed in 2018, up 70% from 2017. When successful, these attacks result in lost productivity, reputation damage, and financial repercussions. It’s important for MSPs to provide their customers (and employees) with insight and security training on how best to avoid these attacks. As a further precaution, MSPs should also limit password access through role-based permissions and multifactor authentication (MFA).
- Brute force attacks: Brute force attacks take little skill to perform, making them a favorite among inexperienced hackers. During a brute force attack, hackers rely on computer programs that assault a user’s login portal with tens, hundreds, and even thousands of requests per minute. These computer-driven programs start by guessing passwords with simple constructions, then escalate to more complex password attempts. This surprisingly effective attack is made even more effective when users implement a weak password or (worse) rely on default usernames and passwords. NIST password guidelines help MSPs keep these attacks at bay by requiring employees to develop one strong password—preferably a passphrase—that thwarts attackers’ attempts.
- Credential stuffing: A credential stuffing attack is deployed by hackers who have gained access to at least one of the users’ current login credentials, often via a list of stolen usernames and passwords shared on the dark web. This attack is like a brute force attack, but current login credentials often prove to be a much more relevant starting point. Attackers use this list to construct various credential combinations to gain access to various accounts. This method proves highly effective because far too many users fail to develop strong, distinct password variations—for example, relying on PumpkinPie!2 for one account and PumpkinPie!3 for another. MSPs who implement NIST password standards help prevent their customers and employees from succumbing to these all-too-common pitfalls.
- Dictionary attack: This attack method relies on users who create short passwords containing popular words, thus earning the name “Dictionary Attack.” This method is straightforward yet highly effective, and falls within the brute force family. According to a report from eSentire, brute force and dictionary attempts were up 400% in 2017. So while the word “sunshine” might be easy for a user to remember, it’s also easy for a hacker to guess. It’s important for MSPs to advise their customers and employees to stay away from simple word choices and opt for unique passphrases.
Putting NIST password management into practice
Explaining the prevalence and potential damage of the attacks outlined above can provide your customers with the wake-up call they need to take password policies seriously. NIST standards were developed for a reason—they work. Leaders who fail to remove default credential settings from their employees’ accounts are missing an opportunity to educate them on the importance of unique passphrase construction—and putting their businesses in jeopardy as a result. But if detailing the facts and figures doesn’t work, this list of the most commonly used weak passwords in 2018 should at least provide some guidelines as to what to avoid:
- 123456
- password
- 123456789
- 12345678
- 12345
- 111111
- 1234567
- sunshine
- qwerty
- iloveyou
- princess
- admin
- welcome
- 666666
- abc123
- football
- 123123
- monkey
- 654321
- !@#$%^&*
Customers and employees who see some variation of their own password on this list will hopefully be startled into action. But as an MSP, it’s important you talk the talk and walk the walk by putting NIST standards into practice within your organization. Following these guidelines and leveraging cloud-based password management tools will help ensure your customers’ data is safe and secure, forcing hackers to turn elsewhere.
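As an added illustration (not code from the original article or from any MSP tool), here is one way to put the NIST advice into practice on a login system: screen a new password against a blocklist built from the list above, catch trivial variations of it (the "Sunshine2018!" and "p@ssw0rd" spellings that users reach for), and flag the PumpkinPie!2 to PumpkinPie!3 reuse pattern. The 8-character minimum comes from NIST SP 800-63B; the leetspeak table, the normalization rules and the sample passwords are this example's own assumptions.

```python
import re
from typing import List, Optional

# Blocklist built from the 2018 weak-password list in the article above
# (constructed inline here so the example runs stand-alone).
COMMON_PASSWORDS = {
    "123456", "password", "123456789", "12345678", "12345", "111111",
    "1234567", "sunshine", "qwerty", "iloveyou", "princess", "admin",
    "welcome", "666666", "abc123", "football", "123123", "monkey",
    "654321", "!@#$%^&*",
}

# NIST SP 800-63B sets an 8-character floor for user-chosen memorized secrets.
MIN_LENGTH = 8

# Common leetspeak substitutions (assumed set), undone so "p@ssw0rd" -> "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})

def normalize(password: str) -> str:
    """Reduce a password to its base form so trivial variations compare equal:
    lowercase, drop leading/trailing digits and symbols, undo leetspeak."""
    base = password.lower()
    base = re.sub(r"^[^a-z]+|[^a-z]+$", "", base)
    base = base.translate(LEET)
    # All-digit or all-symbol entries strip to nothing; keep them as typed.
    return base or password.lower()

COMMON_BASES = {normalize(p) for p in COMMON_PASSWORDS}

def screen_password(candidate: str, previous: Optional[str] = None) -> List[str]:
    """Return the reasons a candidate should be rejected (empty list = accept)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if normalize(candidate) in COMMON_BASES:
        problems.append("variation of a commonly used password")
    # Catch the PumpkinPie!2 -> PumpkinPie!3 pattern the article describes.
    if previous is not None and normalize(candidate) == normalize(previous):
        problems.append("trivial variation of the previous password")
    return problems

if __name__ == "__main__":
    # Constructed sample inputs: the last one is a made-up passphrase that passes.
    for pw, prev in [("Sunshine2018!", None), ("P@ssw0rd", None),
                     ("PumpkinPie!3", "PumpkinPie!2"),
                     ("correct horse battery staple", None)]:
        print(f"{pw!r}: {screen_password(pw, prev) or 'accepted'}")
```

A production deployment would swap the 20-entry blocklist for a full breached-password corpus, but the normalization step is what turns a static list into a check that catches the "variations" the paragraph above warns about.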
For more information on NIST guidelines and best practices, read through our related blog articles.