Stolen, weak and reused passwords are the leading cause of hacking-related data breaches and a tried-and-true way of gaining access to your IT resources. And with billions of credentials available on the dark web, cybercriminals don’t have to go to great lengths to find compromised passwords. To get the best return on investment, hackers are looking for easy access—and improving your password security puts up more barriers for them to overcome.
There are different password attacks and ways to mitigate your risk, all following best practices for security:
Brute-Force Attack
A brute-force attack is a type of password attack where hackers make numerous hit-or-miss attempts to gain access. It is a simple attack and often involves automated methods, such as software, for trying multiple letter-number variations.
Employing an extensive number of possibilities takes a long time, so attackers must look for efficiencies. To generate a list of potential combinations, they often start with easy choices, such as common or short passwords. If they know the password requirements for a specific provider [such as the minimum number of characters accepted], the attackers will apply those criteria as well.
Keylogger Attack
A keylogger is spyware that records a user’s activity by logging keyboard strokes. Cybercriminals use keyloggers for stealing a variety of sensitive data, from passwords to credit card numbers. In a password attack, the keylogger records not only the user name and password but also the website or app where those credentials are used, along with other sensitive information.
Keyloggers can be either hardware or software. Since planting hardware on a device takes a lot of extra work, the threat actors are more likely to install malware on a computer or device by luring a user to click on a malicious link or attachment. Some keyloggers also come bundled with software [like “free” apps] that users download from third-party sites.
Dictionary Attack
A type of brute-force password attack, a dictionary attack is based on a list of commonly used words and phrases, as well as often-used passwords. To avoid having to crack a long list of possible passwords, attackers narrow down the list to what’s known as dictionary words.
Those words are not limited to actual words in the dictionary. They could also include popular names of pets, movie characters and people. Hackers will also throw in variations by replacing or appending letters with numbers and special characters [e.g., substituting the letter O with the number 0].
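The substitution trick described above cuts both ways: a defender can undo the same mutations before comparing a candidate password against a word list. The following is an added example, not code from the original post; the word list, substitution table and 14-character minimum are constructed assumptions for the illustration.

```python
import re

# Constructed sample of the attacker's "dictionary": common passwords plus
# popular names; a real deployment would load a large breached-password list.
DICTIONARY = {"password", "welcome", "letmein", "qwerty", "fluffy", "skywalker"}

# Substitutions attackers apply when mutating dictionary words, mapped back
# to the letter they stand for (e.g. the digit 0 standing in for the letter O).
SUBSTITUTIONS = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                               "5": "s", "7": "t", "@": "a", "$": "s"})

def _strip_suffix(s: str) -> str:
    """Drop appended digits/symbols such as '2024' or '!' from the end."""
    return re.sub(r"[^a-z]+$", "", s)

def normalize(candidate: str) -> set[str]:
    """Return the base words a candidate reduces to once mutations are undone.
    Both orderings (strip then un-substitute, and the reverse) are tried so
    that a trailing '0' used as an 'o' is not mistaken for an appended digit."""
    lowered = candidate.lower()
    return {
        _strip_suffix(lowered).translate(SUBSTITUTIONS),
        _strip_suffix(lowered.translate(SUBSTITUTIONS)),
    }

def dictionary_hit(candidate: str) -> bool:
    """True if the password is a dictionary word plus common mutations."""
    return not DICTIONARY.isdisjoint(normalize(candidate))

def check_password(candidate: str, min_length: int = 14) -> list[str]:
    """Return the policy problems found; an empty list means the password passes."""
    problems = []
    if len(candidate) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if dictionary_hit(candidate):
        problems.append("derived from a dictionary word")
    return problems
```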
Credential Stuffing
Credential stuffing is similar to brute-force in that attackers use trial-and-error to gain access. However, instead of guessing passwords, they use stolen credentials. Credential stuffing works off the assumption that many people reuse their passwords for multiple accounts across various platforms.
Over the years, numerous breaches of websites and cloud-based services have resulted in a massive number of compromised credentials. A single major-provider breach can yield millions of victim accounts, which cybercriminals then sell, lease or give away on the dark web.
Attackers use credential stuffing to verify which stolen passwords are still valid or work on other platforms. As with brute-force attacks, automated tools make these password attacks incredibly successful.
Man-in-the-Middle
A man-in-the-middle scenario involves three parties: the user, the attacker and the third party with whom the person is trying to communicate. In a password attack, cybercriminals typically impersonate the legitimate third party, often through a phishing email.
The email looks authentic and may spoof the third party’s email address to throw off even savvier users. The attackers try to convince the recipient to click on a link that goes to a fake but authentic-looking website, then harvest the credentials when the user logs in.
Traffic Interception
Traffic interception, a variation on the man-in-the-middle attack, involves the threat actors eavesdropping on network traffic to monitor and capture data. A common way of doing that is through unsecured Wi-Fi connections or connections that don’t use encryption, such as HTTP.
Even SSL traffic is vulnerable. For example, a hacker can use a man-in-the-middle attack in what’s called SSL hijacking. In SSL hijacking, when someone tries to connect to a secure website, the attacker creates a bridge of sorts between the user and the intended destination and intercepts any information passing between the two, such as passwords.
Phishing
Phishing is a versatile approach. Cybercriminals use different phishing and social-engineering tactics, from phishing emails for man-in-the-middle attacks [as described earlier] to a combination of spear-phishing and vishing [a multi-step password attack that includes a voice call and a link to a malicious site that harvests credentials]. The latter has been used in attacks targeting employees’ VPN credentials.
Phishing attacks typically create urgency for the user. That’s why the emails often claim a bogus account charge, service expiration, an IT or HR issue or a similar matter more likely to get the person’s attention.
Password Spraying
Another form of brute-force attack, password spraying involves trying a large number of common passwords on a small number of user accounts, or even on just one account.
Attackers go to great lengths to avoid detection during password spraying. Usually, they’ll do some reconnaissance first to limit the number of login attempts to prevent account lockout.
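The brute-force and password-spraying sections above describe two failure patterns a defender can tell apart in authentication logs: many failures against one account from one source, versus one source spreading a few failures across many accounts to stay under the lockout threshold. The following is an added example, not code from the original post; the log format, IP addresses, lockout threshold and account count are constructed assumptions.

```python
from collections import defaultdict

LOCKOUT_THRESHOLD = 5    # failures per account before lockout (assumed policy)
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts one source must touch to count as spraying

# Constructed auth log: "<timestamp> <result> user=<name> src=<ip>" per line.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.10
2024-03-01T09:00:02 FAIL user=alice src=203.0.113.10
2024-03-01T09:00:03 FAIL user=alice src=203.0.113.10
2024-03-01T09:00:04 FAIL user=alice src=203.0.113.10
2024-03-01T09:00:05 FAIL user=alice src=203.0.113.10
2024-03-01T09:00:06 FAIL user=alice src=203.0.113.10
2024-03-01T09:10:00 FAIL user=bob src=198.51.100.7
2024-03-01T09:10:01 FAIL user=carol src=198.51.100.7
2024-03-01T09:10:02 FAIL user=dave src=198.51.100.7
2024-03-01T09:10:03 FAIL user=erin src=198.51.100.7
2024-03-01T09:10:04 FAIL user=frank src=198.51.100.7
2024-03-01T09:10:05 OK user=grace src=198.51.100.7
2024-03-01T09:20:00 FAIL user=heidi src=192.0.2.44
2024-03-01T09:20:30 OK user=heidi src=192.0.2.44
"""

def parse(log: str):
    """Yield (result, user, src) tuples from the constructed log format."""
    for line in log.splitlines():
        _ts, result, user, src = line.split()
        yield result, user.split("=", 1)[1], src.split("=", 1)[1]

def failures_by_source(log: str) -> dict[str, dict[str, int]]:
    """Map each source IP to {account: failed-attempt count}."""
    fails: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for result, user, src in parse(log):
        if result == "FAIL":
            fails[src][user] += 1
    return fails

def classify(log: str) -> dict[str, str]:
    """Label each source 'brute-force', 'password-spraying' or 'normal'."""
    verdicts = {}
    for src, per_user in failures_by_source(log).items():
        most = max(per_user.values())          # worst-hit account from this source
        if most >= LOCKOUT_THRESHOLD:
            verdicts[src] = "brute-force"      # hammering one account past lockout
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS:
            verdicts[src] = "password-spraying"  # many accounts, each under lockout
        else:
            verdicts[src] = "normal"
    return verdicts
```

Sources that only ever succeed never appear in the failure table, so they are not classified at all.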
How to Prevent Attacks
The best way to prevent password attacks is to adopt best practices for password hygiene and management. Easy-to-hack environments that have a weak security posture are much more appealing to opportunistic cybercriminals. Boosting password security significantly improves your ability to avoid a data breach. Password best practices include:
- Requiring long, complex passwords that are unique for each website or account
- Implementing multi-factor authentication whenever possible
- Adopting a password manager to simplify password management and to ensure secure storage
Your IT team should also limit access to privileged accounts and add additional security layers for those accounts. Of course, educating all your employees and other stakeholders about password security is also a proven means of prevention. With security breaches becoming the new norm, organizations and their employees can play a key role in maintaining their organization’s security posture.
Password Management Solutions
Attacks are becoming more sophisticated as hackers adopt more advanced tools and automation. Implementing a robust password management program is not only a security best practice, but it also simplifies password management for IT administrators and employees—making jobs easier while reducing risk to your organization. Find the right solution for your current and future security needs with SailPoint.