Lepide Blog: A Guide to IT Security, Compliance and IT Operations

Types of Password Attacks and How to Prevent Them

Types of Password Attacks

Password attacks are one of the most common security threats we see. The objective has not changed: gain access to accounts that hold permissions over sensitive data. Put simply, a password attack is any attempt by an attacker to guess, steal or otherwise obtain a user's password. There is some complexity in how the attacks are carried out but, in general, they rely on the fact that most of us still choose common or simple passwords because they are easier to remember, and reuse them across accounts.

In this blog, we will go through password attacks in more detail, including the different types of password attacks that you might encounter, and we’ll provide some guidance on how to prevent them.

What is a Password Attack?

Password attacks have been around for a long time (the first recorded attack dates back to 1962), and they remain the most tried and tested method for attackers to gain access to an organization's sensitive data. Once they hold valid credentials, attackers adopt the persona of a real user, interacting with other users in the organization, escalating privileges, and moving laterally within the network to achieve their aims.

Passwords can be compromised in a variety of ways, but by far the most common cause of a successful attack is human error. We are often guilty of using simple or common passwords (password123) because they are easier to remember, reusing the same password across multiple accounts, or failing to change a password that we know has been exposed. The average person has around 100 passwords to manage, so it is not surprising that this happens.

There are six common ways that attackers get access to your accounts through password attacks. Let's go through them now.

6 Types of Password Attacks

  1. Phishing
  2. Man-in-the-Middle Attack
  3. Brute Force Attack
  4. Keyloggers
  5. Dictionary Attack
  6. Credential Stuffing

1. Phishing

You've probably heard of this one; it gets a lot of media attention. The vast majority of enterprises have already experienced a phishing attack in some form, and larger organizations are targeted specifically.

Phishing preys on that human error element to be successful. Attackers pose as trustworthy sources, interacting with users through emails, texts, or other digital channels to get them to hand over their credentials unwittingly.

There are varying degrees of sophistication when it comes to phishing and social engineering, and AI tools now allow attackers to create videos that look as if they come from loved ones or colleagues.

Usually, an end user receives an email that looks trustworthy (from a bank, their manager, or someone they know) asking them to take a certain action. Often, the action is to click a link and fill in their credentials on a fake login page that mimics the real one. The attacker then uses these credentials, along with the knowledge that they are probably reused across multiple accounts, to gain access to sensitive data.

2. Man-in-the-Middle Attack

As the name suggests, man-in-the-middle (MiTM) attacks target data while it is in transit. In simple terms, the attacker sits between two points (the source and the destination) and captures or alters the data as it is relayed between them. If you want to visualize it, imagine three people sitting shoulder to shoulder. The two on the outside are talking to each other without realizing that the person in the middle can hear everything they say. More technically, MiTM attacks exploit connection channels that are not encrypted or not properly authenticated (plain HTTP, or TLS where the client accepts an attacker's certificate), allowing the attacker to intercept authentication messages passing between clients and servers.

Attacks like this commonly start with the attacker positioning themselves on the network path (for example, a rogue Wi-Fi hotspot) and watching users log on over unsecured connections. The credentials that are entered are relayed to the attacker while the user is forwarded to the real site or to a look-alike. From the user's perspective they are browsing a legitimate website, all while the attacker collects information about them.

3. Brute Force Attack

A brute force attack is the least sophisticated type of password attack, but that doesn't make it any less effective. Again, it relies on users having easy-to-guess passwords. Attackers resort to trial and error on a large scale, attempting thousands or millions of password candidates, either against the live login (an online attack, limited by lockouts and rate limiting) or against a stolen database of password hashes (an offline attack, limited only by their hardware). Attackers increasingly use automation tools to massively speed up the process, and they share wordlists of common passwords (effectively dictionaries of our passwords) with each other to increase their success rates.

4. Keyloggers

Keyloggers are malicious software (or hardware) designed to capture every keystroke and report it to the attacker. Software keyloggers often masquerade as legitimate programs, and unsuspecting users may download and install them without realizing their purpose.

To protect yourself from keyloggers, take a proactive approach. First, be familiar with your computer's physical hardware and surroundings: an unauthorized person could secretly attach a hardware keylogger (for example, between the keyboard and the machine) to collect your keystrokes.

Additionally, run regular scans with reputable antivirus software, which maintains signatures for known keylogger families and can flag them. Bear in mind that a keylogger captures the password as it is typed, so password complexity alone offers no protection against it; multi-factor authentication does, because the captured password is not sufficient on its own.

5. Dictionary Attack

A dictionary attack is a type of brute force attack that, instead of trying every possible combination, works through lists of commonly used words, phrases and previously leaked passwords, often compiled into "cracking dictionaries", usually with mangling rules applied to each entry (capitalization, appended digits, character substitutions). Sophisticated attackers can also add personal information, such as birthplaces, children's names, or pet names, to conduct a more targeted attack.

To prevent these attacks, avoid using dictionary words, or anything derived from information about you, as passwords; use a password manager to generate and store long, unique, random passwords instead. On the server side, lock or throttle accounts after repeated failed login attempts (bearing in mind that a strict lockout can itself be abused to lock legitimate users out), and store passwords with a salted, deliberately slow hash so that a stolen database cannot be cracked quickly.
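The following is an added example, not code from the original post or from Lepide, illustrating both the brute force and dictionary attack sections above. It runs a small dictionary attack with mangling rules against two constructed password stores: one holding unsalted SHA-256 hashes and one holding salted PBKDF2 hashes. The wordlist, the three user accounts and their passwords, the fixed salts and the low iteration count are all assumptions made for the demo; a real cracking dictionary has millions of entries and a production PBKDF2 deployment uses a far higher iteration count.

```python
"""Dictionary attack with mangling rules against two constructed password stores:
unsalted SHA-256 (one hash covers every user) vs salted PBKDF2 (one KDF per user per guess)."""
import hashlib
import time

# Constructed stand-in for a cracking dictionary such as rockyou.txt (assumption:
# a real one has millions of entries; ten are enough to show the mechanics).
WORDLIST = ["123456", "password", "qwerty", "letmein", "dragon",
            "sunshine", "welcome", "monkey", "football", "iloveyou"]


def mangle(word):
    """Yield the base word plus the rule-based variants crackers try (case, suffixes, leetspeak)."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!", "2024"):
        yield word + suffix
        yield word.capitalize() + suffix
    yield word.replace("a", "@").replace("o", "0").replace("e", "3")


def sha256_hex(pw):
    return hashlib.sha256(pw.encode()).hexdigest()


def pbkdf2_hex(pw, salt, iterations):
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, iterations).hex()


def crack_unsalted(store):
    """store: {user: sha256_hex}. Returns (cracked, guesses).
    Without a salt each candidate is hashed once and checked against every user at once."""
    by_hash = {h: u for u, h in store.items()}
    cracked, guesses = {}, 0
    for word in WORDLIST:
        for cand in mangle(word):
            guesses += 1
            user = by_hash.get(sha256_hex(cand))
            if user is not None:
                cracked[user] = cand
    return cracked, guesses


def crack_salted(store, iterations):
    """store: {user: (salt, pbkdf2_hex)}. Returns (cracked, guesses).
    The salt forces a separate KDF run per user, and the iteration count makes each run slow."""
    cracked, guesses = {}, 0
    for user, (salt, target) in store.items():
        for word in WORDLIST:
            if user in cracked:
                break
            for cand in mangle(word):
                guesses += 1
                if pbkdf2_hex(cand, salt, iterations) == target:
                    cracked[user] = cand
                    break
    return cracked, guesses


# Constructed sample accounts (hypothetical): alice and bob chose mangled dictionary
# words; carol used a password-manager-generated string.
PASSWORDS = {"alice": "password123", "bob": "Dragon1", "carol": "xK9#vQ2m&Lp7"}
DEMO_ITERATIONS = 20_000  # deliberately low for the demo; production uses far more
# Fixed salts so the demo is reproducible; a real system uses os.urandom(16) per user.
SALTS = {"alice": b"\x01" * 16, "bob": b"\x02" * 16, "carol": b"\x03" * 16}

UNSALTED_STORE = {u: sha256_hex(p) for u, p in PASSWORDS.items()}
SALTED_STORE = {u: (SALTS[u], pbkdf2_hex(p, SALTS[u], DEMO_ITERATIONS)) for u, p in PASSWORDS.items()}


def run_demo():
    """Crack both stores and return what was recovered, how many guesses it took, and the time."""
    t0 = time.perf_counter()
    fast, n_fast = crack_unsalted(UNSALTED_STORE)
    t1 = time.perf_counter()
    slow, n_slow = crack_salted(SALTED_STORE, DEMO_ITERATIONS)
    t2 = time.perf_counter()
    return {"unsalted": (fast, n_fast, t1 - t0), "salted": (slow, n_slow, t2 - t1)}


if __name__ == "__main__":
    for name, (found, n, secs) in run_demo().items():
        print(f"{name}: cracked {found} in {n} guesses, {secs:.2f}s")
```

Both stores give up alice and bob, because their passwords are a dictionary word plus a common mangling rule, and neither gives up carol. The difference is cost: the unsalted store is fully searched with 110 hash computations regardless of how many users it holds, while the salted store needs a separate slow KDF run per user per guess (174 here, and the count scales with the number of accounts), which is what makes an offline attack against a well-stored database impractical.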

6. Credential Stuffing

If you have ever been caught up in a breach, you may know that your old passwords can end up leaked on a shady website. Attackers exploit this by taking lists of leaked username and password pairs and trying them, at scale and with automation, against other services, hoping that you reused the password and never changed it after the breach.

To prevent credential stuffing, take proactive measures. Start by monitoring your accounts, either through paid services or free resources like haveIbeenpwned.com, which can alert you to any recent leaks involving your email address.

Additionally, change any password that appears in a breach immediately and never reuse it elsewhere. Use a password manager to maintain strong, unique passwords for every account, so that one leaked password cannot unlock any other.
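The monitoring step above can also be applied to passwords themselves. The Pwned Passwords part of the haveibeenpwned.com service exposes a range API that lets you check whether a password appears in known breaches without sending the password: you send only the first five hex characters of its SHA-1 hash and match the remaining 35 locally against the returned list. The following is an added example, not code from the original post, that implements that check. It includes a live fetch function for the real endpoint, but the demo and its assertions run entirely offline against a constructed fake breach corpus (the counts and the breached passwords in it are invented).

```python
"""Offline demonstration of the Pwned Passwords k-anonymity range check."""
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_hash(password):
    """SHA-1 the password and split the hex digest: only the 5-char prefix is sent;
    the 35-char suffix stays local and is matched against the returned range."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range(suffix, body):
    """Parse a range response ('SUFFIX:COUNT' per line) and return how many
    times the password with our suffix appeared in breaches (0 if absent)."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        line_suffix, _, count = line.partition(":")
        if line_suffix.upper() == suffix:
            return int(count)
    return 0


def fetch_range(prefix):
    """Live lookup against the real API (not used by the offline demo)."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        headers={"User-Agent": "pwned-check-demo", "Add-Padding": "true"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password, fetch=fetch_range):
    """Return the breach count for a password; the password never leaves this function."""
    prefix, suffix = split_hash(password)
    return count_in_range(suffix, fetch(prefix))


# Constructed stand-in for the service: a tiny fake breach corpus (invented counts)
# from which fake_fetch synthesizes a range response in the same line format as the API.
FAKE_BREACH_COUNTS = {"password123": 1_234_567, "letmein": 98_765, "Summer2024": 4_210}


def fake_fetch(prefix):
    lines = [f"{s}:{n}" for pw, n in FAKE_BREACH_COUNTS.items()
             for p, s in [split_hash(pw)] if p == prefix]
    lines.append("0" * 35 + ":0")  # padding entry, as the API adds when Add-Padding is set
    return "\r\n".join(lines) + "\r\n"


if __name__ == "__main__":
    for pw in ("password123", "xK9#vQ2m&Lp7"):
        print(pw, "seen", pwned_count(pw, fetch=fake_fetch), "times")
```

Swap `fake_fetch` for the default `fetch_range` to query the real service. A non-zero count means the password should be rejected at sign-up or password change, which closes off the reuse that credential stuffing depends on.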

How To Prevent Password Attacks

The most effective way to prevent a password attack is to implement a comprehensive security policy that includes a range of measures. One such measure is multi-factor authentication, which requires users to verify their identity using a combination of factors, such as a physical token or a personal device like a mobile phone. This added layer ensures that a password is not the sole means of access, so a guessed, phished or leaked password alone is not enough for an attacker to log in.

Another important aspect of a robust security policy is remote access. Using a central remote access platform (such as a single sign-on gateway) lets users log in securely without relying on individual websites to verify their identity. Furthermore, biometric authentication, such as fingerprint or facial recognition, provides an additional factor. Because an attacker would struggle to replicate these unique physical characteristics, enabling biometric authentication helps to turn the password into just one of several points of trust that an attacker must overcome.

A lesser-known way to detect and respond to password attacks is to adopt a real-time auditing solution, like the Lepide Data Security Platform. This can detect events that match a pre-defined threshold condition, such as a certain number of failed logon attempts within a given period of time. If the threshold is met, a custom script can be executed automatically to stop the attack in its tracks: disabling the affected account or process, changing firewall rules, or even shutting down the affected server. Note that a per-account threshold alone does not catch password spraying, where an attacker tries one or two passwords against many accounts and stays under the lockout limit for each, so it is worth also alerting when many distinct accounts fail from a single source.
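To make the threshold condition concrete, here is an added example that is not part of the original post and is not Lepide's code. It runs a sliding-window detector over a constructed authentication log and goes slightly beyond the paragraph: besides the per-account failed-logon threshold, it keys failures by source address to flag password spraying, and it flags a successful logon that follows failures from the same source. The log line format, the thresholds and the addresses (RFC 5737 test ranges) are all assumptions for the demo; a real feed would be Windows events 4625/4624 or a Linux auth log.

```python
"""Sliding-window failed-logon detector over constructed auth log lines."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (hypothetical format). 198.51.100.9 hammers one account;
# 203.0.113.7 tries one password per account and then gets into frank's.
SAMPLE_LOG = """\
2024-05-01T09:00:00Z src=192.0.2.10 user=bob result=OK
2024-05-01T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:10Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:20Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:30Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:01:40Z src=198.51.100.9 user=alice result=FAIL
2024-05-01T09:02:00Z src=203.0.113.7 user=bob result=FAIL
2024-05-01T09:02:30Z src=203.0.113.7 user=carol result=FAIL
2024-05-01T09:03:00Z src=203.0.113.7 user=dave result=FAIL
2024-05-01T09:03:30Z src=203.0.113.7 user=erin result=FAIL
2024-05-01T09:04:00Z src=203.0.113.7 user=frank result=FAIL
2024-05-01T09:05:00Z src=203.0.113.7 user=frank result=OK
2024-05-01T09:10:00Z src=192.0.2.10 user=bob result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>OK|FAIL)$"
)


def parse_line(line):
    """Return (timestamp, src, user, result) or None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ"), m["src"], m["user"], m["res"])


def _prune(q, now, window):
    """Drop entries older than the window; each entry is a tuple whose first item is its timestamp."""
    while q and now - q[0][0] > window:
        q.popleft()


def detect(lines, window=timedelta(minutes=5), per_account=5, spray_accounts=5):
    """Return alerts as (kind, key, timestamp, detail) tuples, in time order.

    brute_force:            >= per_account failures for one user within the window
    password_spray:         >= spray_accounts distinct users failing from one source within the window
    success_after_failures: a successful logon from a source that recently failed against that user
    """
    events = sorted(e for e in map(parse_line, lines) if e)
    fails_by_user = defaultdict(deque)  # user -> deque[(ts, src)]
    fails_by_src = defaultdict(deque)   # src  -> deque[(ts, user)]
    alerts, fired = [], set()
    for ts, src, user, res in events:
        _prune(fails_by_user[user], ts, window)
        _prune(fails_by_src[src], ts, window)
        if res == "OK":
            if any(u == user for _, u in fails_by_src[src]):
                alerts.append(("success_after_failures", user, ts, src))
            continue
        fails_by_user[user].append((ts, src))
        fails_by_src[src].append((ts, user))
        if len(fails_by_user[user]) >= per_account and ("brute", user) not in fired:
            fired.add(("brute", user))
            alerts.append(("brute_force", user, ts, src))
        targeted = sorted({u for _, u in fails_by_src[src]})
        if len(targeted) >= spray_accounts and ("spray", src) not in fired:
            fired.add(("spray", src))
            alerts.append(("password_spray", src, ts, targeted))
    return alerts


def analyse_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in analyse_sample():
        print(*alert)
```

On the sample log this raises three alerts: a brute_force alert for alice at the fifth failure, a password_spray alert for 203.0.113.7 once five distinct accounts have failed from it (none of those accounts individually crosses the per-account threshold, which is exactly why the source-keyed rule is needed), and a success_after_failures alert when frank's logon from that same source succeeds. The later successful logon by bob from 192.0.2.10 raises nothing, because that source has no recent failures. The response script the paragraph describes would hang off these alert tuples.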

The Data Security Platform can also show you all the users that have non-compliant passwords (for example, set to never expire). These accounts are ripe for password attacks.