Password Attacks


Secure Your Business against the Most Insidious Password Attacks being Used Today

Since the earliest days of computing, passwords have been the go-to method for securing sensitive data and restricting system access. Now, nearly every digital account, tool, system, and even many websites require that users log in with unique profiles and passwords before they’re allowed to proceed. It’s the world we live in, it’s nothing new, and most of us have come to accept it.

But even if our reliance on passwords has remained consistent, the threats to password security have not. Today, passwords are more exposed than ever: passwords and credentials were exploited in 81% of company data breaches in 2020, making password attacks the most commonly used vector for cyber criminals to gain access to otherwise secure systems. To combat these mounting threats, system administrators around the world have enacted stricter and stricter password requirements. But while longer passwords and mandatory special characters may make a password harder to crack, they also make it harder to use.

The end result? Frustrated employees who take their own steps to make password management more manageable. Unfortunately, by reusing passwords, creating easy-to-remember (and easy-to-guess) passwords, and saving password information in insecure areas, these users are putting themselves, their companies, and others at risk.

Here, we take a look at password attacks, what common types and categories you need to be aware of, and how you can protect your vital data in an era where traditional approaches to passwords may no longer be effective.

Password Attack: Definition

A password attack is any attempt to defeat or bypass password-based authentication in a digital system, whether by stealing, guessing, or cracking a credential. And just as there are a near-infinite number of possible passwords, there are many different methods a cybercriminal may use to authenticate to an account they are not entitled to. But in every case the goal is the same: obtaining a valid credential to get into a system where they can then compromise sensitive data.

A single broken password can open the floodgates of a devastating data breach. And given that the average cost of a data breach in 2022 was USD 4.35 million (up 2.6% from 2021), defending against password attacks has never been more important.

What Are the Most Common Types of Password Attacks?

Computer systems have relied on username/password authentication for longer than any other form of digital security. This has given threat actors a lot of time and experience to identify common vulnerabilities and create effective techniques for illegally obtaining user passwords. Some approaches are as simple as attempting to ‘guess’ a password and username, while others are extremely complex and may involve automated password-attack tools or other illicit technologies designed to help unauthorized users gain access.

The following is a list of some of the most widely-used password attacks that continue to pose a threat to company, client, and employee data:

Phishing
Perhaps the most common type of password attack, phishing involves an attacker impersonating a trusted party (a colleague, a vendor, the IT help desk) and asking the target to hand over their login details, usually through a link to a look-alike sign-in page. This often takes the form of a password-reset request or an account-confirmation email, and the link can go as far as delivering malware to the target's machine when it is opened. Because the victim types the password into the attacker's page themselves, password strength offers no protection here.

Man-in-the-Middle Attack
In a man-in-the-middle (MitM) attack, an attacker positions themselves between a user and the system they are accessing, so that traffic flows through the attacker's machine. This form of eavesdropping typically relies on unsecured Wi-Fi, unencrypted protocols, or users clicking through certificate warnings, and allows the attacker to read or modify the data exchanged with the application. The attacker can then capture, or even replace, login credentials in transit. Properly validated TLS, with HSTS to stop downgrades to plain HTTP, is the standard defence.

Brute Force Attack
Not every type of password attack involves subterfuge. A brute-force attack tries to gain access to restricted accounts and networks by trial and error, submitting many username and password combinations until one works. Online brute force, against the live login form, is limited by network speed, rate limiting and account lockout, so attackers usually narrow it to a dictionary of likely passwords or 'spray' one common password across many accounts. Offline brute force, against a stolen database of password hashes, is limited only by hardware: GPU cracking rigs can test billions of guesses per second against a fast, unsalted hash, which is why slow, salted password hashing matters as much as password length.

Credential Stuffing
It seems like the first thing a target would want to do after a breach is change their login credentials. Unfortunately, many victims keep using the same (or similar) usernames and passwords, particularly if they are unaware their information has been compromised, and most people reuse passwords across services. Credential stuffing exploits this: the attacker takes username/password pairs leaked in a previous breach and replays them, in bulk and through automated tools, against other services to find accounts where the same credential still works. Because each account is tried only once or twice, it slips past per-account lockout; the tell-tale sign is a single source attempting many different usernames.
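The difference between the two signatures, as an added example that is not from the original article: a short Python script that groups constructed authentication log lines by source IP and username, and flags a single account under sustained guessing (brute force) separately from a single source cycling through many accounts (credential stuffing). The log format, thresholds and IP addresses are assumptions for illustration; real sources (SSH logs, Windows event 4625, identity-provider sign-in logs) carry the same fields under different names.

```python
"""Flag brute-force and credential-stuffing patterns in authentication logs.

Added example, not part of the original article. The log format is a
constructed, simplified one: "<timestamp> <source_ip> <username> <result>".
Thresholds are illustrative; tune them to your own login volume and bucket
events by time window in production.
"""
from collections import defaultdict

# Constructed sample log lines (RFC 5737 documentation addresses).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 203.0.113.7 alice FAIL
2024-05-01T10:00:02Z 203.0.113.7 alice FAIL
2024-05-01T10:00:03Z 203.0.113.7 alice FAIL
2024-05-01T10:00:04Z 203.0.113.7 alice FAIL
2024-05-01T10:00:05Z 203.0.113.7 alice FAIL
2024-05-01T10:00:06Z 203.0.113.7 alice FAIL
2024-05-01T10:01:00Z 198.51.100.23 bob FAIL
2024-05-01T10:01:01Z 198.51.100.23 carol FAIL
2024-05-01T10:01:02Z 198.51.100.23 dave FAIL
2024-05-01T10:01:03Z 198.51.100.23 erin SUCCESS
2024-05-01T10:01:04Z 198.51.100.23 frank FAIL
2024-05-01T10:02:00Z 192.0.2.5 alice FAIL
2024-05-01T10:02:09Z 192.0.2.5 alice SUCCESS
"""


def parse_log(text):
    """Return a list of (timestamp, ip, user, result) tuples, skipping blank lines."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, ip, user, result = line.split()
        events.append((ts, ip, user, result.upper()))
    return events


def analyze(events, fail_threshold=5, user_spread_threshold=4):
    """Classify suspicious sources.

    brute_force:         (ip, user, failures) pairs hammering one account
    credential_stuffing: ips whose failures are spread over many distinct accounts
    compromised:         (ip, user) successes coming from a stuffing source, i.e.
                         a leaked credential pair that still works here
    """
    fails_by_pair = defaultdict(int)        # (ip, user) -> failed attempts
    failed_users_by_ip = defaultdict(set)   # ip -> accounts it failed against
    successes_by_ip = defaultdict(set)      # ip -> accounts it logged in to

    for _ts, ip, user, result in events:
        if result == "FAIL":
            fails_by_pair[(ip, user)] += 1
            failed_users_by_ip[ip].add(user)
        elif result == "SUCCESS":
            successes_by_ip[ip].add(user)

    brute_force = sorted(
        (ip, user, n)
        for (ip, user), n in fails_by_pair.items()
        if n >= fail_threshold
    )
    stuffing_ips = sorted(
        ip for ip, users in failed_users_by_ip.items()
        if len(users) >= user_spread_threshold
    )
    # Per-account lockout never fires for stuffing (one or two tries per user),
    # so a success from such a source is the alert that matters.
    compromised = sorted(
        (ip, user) for ip in stuffing_ips for user in successes_by_ip.get(ip, ())
    )
    return {
        "brute_force": brute_force,
        "credential_stuffing": stuffing_ips,
        "compromised": compromised,
    }


def run_sample():
    """Analyze the constructed log above."""
    return analyze(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for kind, hits in run_sample().items():
        print(f"{kind}: {hits}")
```

On the sample, the single mistyped-then-correct login from 192.0.2.5 is not flagged at all, which is the point of keying brute force on the (source, account) pair and stuffing on the number of distinct accounts per source rather than on raw failure counts.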

Keylogging
Keylogging is made possible by malware infection (or, less commonly, a hardware device plugged in between keyboard and computer). A keylogger program is installed on the target's device, generally by masquerading as a legitimate download, where it records the user's keystrokes, including usernames and passwords, and sends them to the attacker. Because the credential is captured as it is typed, password complexity offers no protection; the defences are endpoint protection and a second factor that the captured keystrokes cannot replay.

Rainbow Table Attack
One of the more technical kinds of password attack, a rainbow table attack is a form of offline cracking. Systems should never store passwords in plain text; instead they store a hash of each password and compare hashes at login. If an attacker obtains a copy of that hash database (through SQL injection, a leaked backup, or an insider), they can try to recover the original passwords from it. A rainbow table is a precomputed, space-efficient table of hash chains for a given hash algorithm that lets the attacker reverse a hash with a lookup instead of recomputing billions of guesses per target. The attack only works when the hashes are unsalted: a per-user random salt means identical passwords hash differently and no single precomputed table applies, and a deliberately slow hash (bcrypt, scrypt, Argon2) makes even per-target precomputation expensive.
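To make the salting point concrete, here is an added Python example (not from the original article) that stands in for a rainbow table with a plain dictionary of precomputed SHA-1 digests. It shows that one table cracks every user who chose a listed password when hashes are unsalted, and that the same table finds nothing once each password is hashed with a per-user random salt and a slow KDF. The wordlist, usernames and passwords are constructed for the demonstration; a real rainbow table uses hash/reduce chains to trade table size for lookup time, but the precondition (a stolen hash database) and the defence are identical.

```python
"""Precomputed-hash lookup versus salted, slow password hashing.

Added example, not from the original article. A dictionary of precomputed
digests stands in for a rainbow table; the attacker is assumed to already hold
a stolen copy of the password-hash database.
"""
import hashlib
import hmac
import os

# Constructed wordlist standing in for the dictionary an attacker precomputes.
WORDLIST = ["password", "123456", "letmein", "qwerty", "Summer2024", "welcome1"]


def unsalted_hash(password):
    """Legacy scheme: one fast, unsalted digest. Equal passwords give equal hashes."""
    return hashlib.sha1(password.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute once, offline, before any particular target is chosen."""
    return {unsalted_hash(word): word for word in wordlist}


def crack_with_table(table, stolen_hashes):
    """Cost per stolen hash: a single dictionary lookup."""
    return {h: table[h] for h in stolen_hashes if h in table}


def salted_slow_hash(password, salt=None, n=2**14):
    """Per-user random salt plus a memory-hard KDF (scrypt, standard library)."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)
    return salt, digest


def verify_salted(password, salt, digest, n=2**14):
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = salted_slow_hash(password, salt, n)
    return hmac.compare_digest(candidate, digest)


def demo():
    # Constructed leaked database: two users picked the same weak password.
    db_unsalted = {
        "alice": unsalted_hash("Summer2024"),
        "bob": unsalted_hash("Summer2024"),
        "carol": unsalted_hash("c0rrect-h0rse-battery-staple"),
    }
    table = build_lookup_table(WORDLIST)
    cracked = crack_with_table(table, db_unsalted.values())

    # Same password, stored properly: two different salts, two different digests,
    # neither of which appears in any table computed ahead of time.
    salt_a, digest_a = salted_slow_hash("Summer2024")
    salt_b, digest_b = salted_slow_hash("Summer2024")

    return {
        "unsalted_cracked": sorted(cracked.values()),
        "unsalted_duplicates_visible": db_unsalted["alice"] == db_unsalted["bob"],
        "salted_duplicates_visible": digest_a == digest_b,
        "salted_found_in_table": digest_a.hex() in table,
        "verify_correct_password": verify_salted("Summer2024", salt_a, digest_a),
        "verify_wrong_password": verify_salted("Summer2025", salt_a, digest_a),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Note the second effect of salting visible in the output: in the unsalted database the attacker can see that alice and bob share a password before cracking anything, whereas the salted digests reveal nothing about which users chose the same one.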

How to Prevent Password Attacks

Whether casting a large net or directly targeting a single user, attackers have many tried-and-true options for stealing passwords. The good news is that there are actions your organization can take to defend your vital user credentials and login information from malicious threats.

In essentially every case, preventing a breach is easier and more effective than attempting to deal with one after the fact. Training employees in security best practices — particularly where passwords are concerned — is perhaps the most vital, most powerful step you can take towards securing your systems. When authorized users are aware of the threats and committed to doing their part to counter them, then the risk of password theft decreases significantly.

Organizations can further protect user credentials by taking the following steps:

Implementing Multi-Factor Authentication
Don't trust system access to passwords alone; implement multi-factor authentication (MFA) so that a stolen or guessed password is not enough on its own. Common MFA methods send a push notification or one-time code to the user's registered phone, or generate a time-based code in an authenticator app, adding a second gate without unduly burdening users who hold the correct permissions. Be aware that SMS codes and simple push approvals can still be phished in real time or worn down by repeated prompts ('MFA fatigue'); where the risk justifies it, prefer phishing-resistant methods such as FIDO2 security keys or passkeys, which are bound to the legitimate site and cannot be relayed to a look-alike page.

Using a Password Manager Tool
It's a standard complaint: the more complex and secure the password, the harder it is to remember and use. Password manager tools address this by generating, storing, and filling strong, unique passwords from a single encrypted vault, protected by one strong master password and MFA. A unique password per site also blunts credential stuffing, since a leak from one service no longer unlocks any other.

Disallowing Password Hints
Even the most secure password becomes useless when it's protected by a guessable 'hint' or security question. Employees who use their favourite sport, mother's maiden name, childhood home address, or other publicly available information may be handing the keys to their accounts to anyone willing to do some basic research on social media. By disallowing hints for company accounts and instead routing password resets through IT, with identity verification, you can close off one of the most direct forms of password attack.

Apply Effective Network Access Control
The recent shift to remote- and hybrid-work environments has created a flood of new end-point devices connecting with company networks. Network access control (NAC) exists to add additional security layers by further restricting the availability of network resources. Unfortunately, creating an effective NAC solution in-house can be extremely challenging and expensive. To defend against password attacks and other data-security threats, businesses in industries around the world are making the switch to extended detection and response (XDR) providers, incorporating teams of cyber-security professionals armed with the latest threat detection and response tools, for unmatched network security.

Prevent Password Attacks with Ontinue

For as long as we use passwords for authentication, threat actors will continue to try to exploit login vulnerabilities, steal credentials, and masquerade as authorized users.

But that doesn’t mean that you need to leave your networks vulnerable. Understand the threats that face your data, coach your employees on how they can secure their passwords, and take the necessary steps to defend your organization from password attacks. And, for the most-effective approach to digital security, contact Ontinue today. As a consistently award-winning managed detection and response (MDR) solution, Ontinue has the additional security layers you need to defend your data.

See what top-quality cybersecurity can do for your business, contact Ontinue.