Resources

What is Credential Hygiene?

Written by Will Shaw | Jul 6, 2022 11:03:00 AM

Good credential hygiene is vital to ensure the protection of your business assets...

Good credential hygiene is critical to protecting your company's assets. Credential hygiene refers to how we handle credentials at both the individual and organisational levels. Credential hygiene can help to prevent credential theft.

Today, our credentials can be stolen in a variety of ways. Here are a few examples:

Phishing

Attackers use phishing to steal credentials. It is a low-cost and effective strategy. Unlike malware and exploits, which rely on weaknesses in security defences, the effectiveness of phishing is dependent on human interaction in an attempt to deceive employees.

Implementing a strong security awareness training policy is the best way to add a human layer to your security. Everyone makes mistakes from time to time, but without ongoing training from vendors such as KnowBe4, phishing can be disastrous for businesses.

Social Engineering

Social engineering targets the weakest link in security: humans. These types of attacks are common and frequently successful. Social engineering is primarily a psychological attack that tricks humans into doing something they would not do otherwise based on social trust. Social engineering can occur in a variety of ways, including in person, over the phone, via social media, and via email phishing.

To safeguard your company, you should confirm the identity of anyone requesting sensitive information or passwords. Never share sensitive information, particularly passwords, with anyone you don't know, trust, or cannot verify. However, even if you trust someone, you should never share your passwords with them. Password managers, such as Keeper, provide a solution for password secure password sharing.

Credential Stuffing

Credential stuffing happens when an attacker already has your username and password combination, which is commonly obtained from data breaches. Attackers will then send automated requests containing these username and password combinations in an attempt to log in as you. If successful, attackers can steal sensitive data, change your account settings, or even impersonate you.

A targeted credential stuffing attack may succeed on the first attempt, whereas a large-scale campaign may attempt millions of combinations against a single site. Dark web monitoring vendors like Trillion provide the best form of defence against this type of attack. Trillion constantly monitors the billions of account credentials that pass through dark markets and criminal forums in search of the few hidden accounts that may affect you or your customers.

Password Cracking Techniques

Password cracking techniques are used by attackers to obtain passwords for systems and accounts. Brute force attacks, dictionary attacks, and rainbow table attacks are the three most common password cracking techniques.

Dictionary attacks occur when an attacker attempts to guess the password using a dictionary list of words and combinations of dictionary words. Brute force attacks go beyond the scope of a dictionary attack. To "guess" the correct password, the attacker will try various combinations of letters, numbers, and special characters. Rainbow table attacks occur when an attacker attempts to find a password based on its hash using a precomputed table of hashes based on common passwords, dictionary words, and pre-computed passwords.

When an attacker has your credentials, it is more difficult to detect suspicious activity. As stated in the article, it is critical that each of your accounts are protected by strong and layered security features.

You can learn more about the factors that should be considered when practising good credential hygiene in our in our webinar on the 26th July at 10am.