Types of Password Attacks and How to Prevent Them
Password attacks remain the most popular method for hackers attempting to breach accounts and obtain sensitive data, but passwordless security methods can eliminate this threat altogether.
When people hear the words “password attack” they often imagine a rogue actor typing furiously at a dimly lit desk, inputting numerous potential credentials until they gain access to a user’s private account. While this portrayal is partly true, malicious actors have gotten more imaginative, resourceful, and adaptive in the game of cracking passwords. As a result, to outsmart attackers, users must remain vigilant by practicing proper IT hygiene.
However, with hackers leveraging various advanced methods to steal and exploit passwords, what can users and administrators do to prevent credential-based breaches? This guide will explain the different types of password attacks, methods used to perform them, and best practices for safeguarding credentials and migrating to a passwordless infrastructure.
What Is a Password Attack?
Password attacks have been around for decades and are the most traditional means of breaching an individual user’s or organization’s sensitive data. Their long-standing efficacy is rooted in the fact that hackers can imitate a legitimate user, causing the people they interact with to falsely assume that they’re engaging with a known contact. By adopting a particular user's identity and access privileges, hackers can compromise the data of that user and their associated contacts.
How Are Passwords Cracked?
From alarmingly convincing emails to cloned websites, adversaries have mastered the art of deception. The key to their success? Human error. The 2021 Thales Data Threat Report found that almost half (45%) of US companies suffered a data breach in the past year. And according to Verizon’s 2022 Data Breaches Investigations Report, 82% of data breaches involved a human element.
Every time a user recycles the same password for a new account or mistypes a URL and is directed to a malicious site, they risk their confidentiality and the security of their affiliated organization. Emphasizing caution and attentiveness is crucial in preventing human error and the devastating breaches that can follow. But to effectively implement safe IT practices, users need to know what they’re up against.
Types of Password Attacks
Hackers have had plenty of time to refine their breaching techniques to bypass increasingly sophisticated authentication measures, and are constantly switching tactics to avoid being detected and increase their success rate. Users and admins can learn how to sufficiently protect themselves and their assets from rogue actors by understanding how common password attacks are performed. Here are five types of password attacks all users should look out for.
Phishing
Phishing involves the hacker masquerading as a legitimate entity through various communication channels, such as email, SMS messages, and phone calls. The hacker might pose as a university, government agency, insurance company, or any number of other legitimate parties that might be corresponding with you, in order to obtain confidential information.
A classic example of this is a user receiving an email from what appears to be a major retailer offering a gift card. The user clicks on the “redeem” button and is taken to a convincing website where they’re prompted to enter their personal information to access their gift card. In reality, the fake website sends this information to adversaries who can then leverage the user’s personal information to break into other accounts, steal their identity, access bank records, and more.
Since this email trick is widely known, cybercriminals have come up with novel ways to deceive unassuming victims, which include:
- Clone phishing, where a hacker uses a template from a legitimate email but replaces all legitimate links with false ones.
- Spear phishing, where an attacker targets a specific individual using the credentials and appearance of a close contact.
- DNS cache poisoning, where adversaries rewrite Domain Name System information to reroute users to malicious sites.
- URL hijacking, where cybercriminals take advantage of users who mistype legitimate URLs, crafting false websites that closely resemble actual sites with nearly identical domain names.
As of late, many hacking attempts have become especially persuasive, with adversaries threatening legal action against victims who don’t comply with their demands. Users should always fact-check potentially scam emails, calls, and text messages and report suspicious behavior before responding to supposedly urgent demands.
Man-in-the-Middle Attacks
As the name suggests, these attacks exploit insecure connection channels, where a hacker positioned between the client and the server can intercept authentication messages passing between them.
Essentially, the attack begins with an adversary monitoring users who log into an insecure website. The login data gets relayed to the hacker, and the user is directed to an illegitimate website. As the user peruses this website, data is collected about their online behavior, credentials, and account attributes. From the user’s perspective, it appears as if they’re safely accessing their personal data, all the while feeding rogue actors the information they want.
Brute Force Attacks
Some hackers resort to simple trial and error. Through brute force attacks, adversaries try different possible password combinations until they successfully log into an account or system. Nowadays, many use automated tools to speed up the permutation process.
Unfortunately, many users aren’t careful with the passwords they set. Frequent practices that lead to password vulnerabilities include:
- Using the same password across all accounts, so that every account is compromised once an attacker breaks into a single one.
- Setting a password that’s too simple and easy to guess, such as “password” or “123456789”.
- Setting a password that relates to personal data about the user.
- Including standard dictionary terms in a password, even if stylized with special characters.
Hackers are aware of these security mishaps and are quick to exploit them through hybrid brute force attacks and reverse brute force attacks. Hybrid brute force attacks harness both traditional guessing methods and automated permutation tools, whereas reverse brute force attacks use known or stolen passwords to uncover the corresponding usernames. Dictionary attacks and credential stuffing are popular examples of each, respectively.
Dictionary Attacks
Attackers use lists of stolen or leaked passwords and common words to develop highly probable password combinations for particular entities and networks. For example, users or admins with a medical account at a New York-based healthcare clinic might embed words like “NY”, “health”, “medicine” and similar variations into their passwords so they’re easier to remember — but this also makes them easier to guess.
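The weak practices listed above (reuse, common strings, personal data, dictionary words dressed up with character substitutions) can be checked mechanically when a password is set. The following is an added example and not code from this page or from SSH or PrivX; the word lists, the 12-character minimum and the substitution table are constructed assumptions standing in for a real breached-password corpus and policy.

```python
import re

# Constructed sample lists (assumptions for this example); a real check would load a
# breached-password corpus and the user's own profile fields instead.
COMMON_PASSWORDS = {"password", "123456789", "qwerty", "letmein"}
DICTIONARY_WORDS = {"health", "medicine", "welcome", "summer", "clinic"}
MIN_LENGTH = 12  # assumed policy minimum

# Undo the usual "stylized" substitutions so Pa$$w0rd normalizes back to password.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password):
    """Lower-case, reverse leet substitutions, then keep letters only."""
    return re.sub(r"[^a-z]", "", password.lower().translate(LEET_MAP))


def password_weaknesses(password, personal_tokens=(), previous_passwords=()):
    """Return the weak practices found, in a fixed order; an empty list means none."""
    norm = normalize(password)
    lowered = password.lower()
    problems = []
    if password in previous_passwords:
        problems.append("reused")
    if len(password) < MIN_LENGTH or lowered in COMMON_PASSWORDS or norm in COMMON_PASSWORDS:
        problems.append("too simple")
    # Personal data (name, city, birth year) is checked both raw and normalized.
    if any(len(t) >= 3 and (t.lower() in lowered or t.lower() in norm) for t in personal_tokens):
        problems.append("contains personal data")
    # Dictionary words are matched on the normalized form, so "H3alth!" still counts.
    if any(word in norm for word in DICTIONARY_WORDS):
        problems.append("dictionary word")
    return problems
```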
Credential Stuffing
Cybercriminals know that most users like to reuse the same username and password combination across different platforms, so after a successful data breach they use the stolen credentials to log in to other accounts. Reverse brute force attacks are most effective here, since a legitimate password is often tied to the same email address or username across sites.
Password Spraying
To get around login attempt restrictions and account lockouts — which also tend to notify users of suspicious activity — adversaries have developed a method called password spraying, where one password is tried across multiple websites before moving on to the next candidate password.
In this approach, hackers rely on the fact that most lockout policies are triggered by too many failed attempts within a designated period. By the time the attacker has moved on to the next password and rotated back to the first website, the lockout window has reset and the earlier failed attempt is no longer counted. This keeps the activity undetected, giving malicious actors more time and privacy to keep trying until they find the correct password. However, this method only applies to single sign-on applications, as additional authentication measures complicate the process.
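Because spraying deliberately stays below the per-account failure threshold, a lockout counter keyed on the account alone never fires; a detector keyed on the source and counting how many distinct accounts it fails against will. The following is an added example, not code from this page or from PrivX: the log format, the sample lines and the thresholds are all constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): one source tries one
# password against six different accounts, staying under any per-account lockout.
SAMPLE_LOG = """
2024-01-10T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2024-01-10T09:00:04Z src=203.0.113.7 user=bob result=FAIL
2024-01-10T09:00:07Z src=203.0.113.7 user=carol result=FAIL
2024-01-10T09:00:10Z src=203.0.113.7 user=dave result=FAIL
2024-01-10T09:00:13Z src=203.0.113.7 user=erin result=FAIL
2024-01-10T09:00:16Z src=203.0.113.7 user=frank result=FAIL
2024-01-10T09:02:30Z src=198.51.100.9 user=alice result=FAIL
2024-01-10T09:02:45Z src=198.51.100.9 user=alice result=OK
""".strip().splitlines()

LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)$")


def parse_auth_log(lines):  # -> list of (timestamp, source, user, result)
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["src"], m["user"], m["result"]))
    return events


def per_account_lockouts(events, max_failures=5, window=timedelta(minutes=15)):
    # Classic lockout: fires only when ONE account fails max_failures times in a window.
    fails, locked = defaultdict(list), set()
    for ts, _src, user, result in sorted(events):
        if result == "FAIL":
            fails[user] = [t for t in fails[user] if ts - t <= window] + [ts]
            if len(fails[user]) >= max_failures:
                locked.add(user)
    return locked


def detect_spraying(events, min_accounts=5, window=timedelta(hours=1)):
    # Spray detector: a source failing against >= min_accounts distinct users in a window.
    by_src, flagged = defaultdict(list), {}
    for ts, src, user, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))
    for src, fail_list in by_src.items():
        fail_list.sort()
        for i, (start, _user) in enumerate(fail_list):
            users = {u for t, u in fail_list[i:] if t - start <= window}
            if len(users) >= min_accounts:
                flagged[src] = len(users)
                break
    return flagged
```

On the sample log the per-account lockout returns nothing, while the spray detector flags 203.0.113.7 with six distinct accounts.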
Keylogging
A more advanced method, keylogging, involves a hacker installing surveillance software on a user’s device to record and log keystrokes. From this data the attacker can extract confidential information such as social security numbers, login credentials, bank account and routing numbers, and medical records, to name a few.
Keylogging spyware can be installed or exploited through:
- Hardware components or dongles directly connected to physical computer setups, such as USB disks, hidden cameras, or keyboard attachments.
- Malicious software disguised as legitimate supplemental software, like virus scanners and productivity applications.
- Devious internal actors exploiting an organization’s keylogging software intended to track employee activities.
While hardware keylogging equipment is extremely challenging to deploy covertly, it is still a serious threat that warrants protective measures. Keylogging software, meanwhile, has been on a steady rise, so users need to be more vigilant than ever.
How to Prevent Password Attacks
There is an overwhelming array of password attacks to safeguard yourself against, but several best practices can help your organization secure every user touchpoint and communication channel.
To start, reduce the risk of human error. Enforce more robust policies around password generation, management, and use. For example, have employees avoid short and simple word and character combinations and instead encourage them to use auto-generated passwords that are far too complex to guess with any brute force tactic.
Furthermore, invest in an organization-wide training program that regularly educates and reminds employees of proper IT practices to prevent common mistakes and vulnerabilities, and to combat emerging attack strategies they may encounter.
After prioritizing human error mitigation techniques, consider adopting applications and tools that will automate maintenance procedures and trigger notifications in the event of a breach or abnormal behavior, such as:
- Multi-Factor Authentication (MFA): MFA prompts extra authentication checkpoints to ensure that the identity of a user attempting to gain specific access or privileges is valid. It uses factors like one-time passwords, biometric scanners, voice recognition, and device identification to verify the actual user. MFA is extremely helpful in protecting users whose passwords have been compromised since hackers would also need access to these highly unattainable factors to infiltrate an account.
- Virtual Private Network (VPN): VPNs establish secure online connections so that users can safely and privately access, share, and manipulate data over the internet. Designed to deter man-in-the-middle attacks, VPNs hide user IP addresses for anonymity, encrypt connection data, and shield online user activity using a proxy server.
- Router Encryption: As with a VPN, enabling the encryption settings on your router keeps all internet traffic that runs through it secure and hidden from eavesdroppers. All Wi-Fi routers are equipped with encryption features, so check your router’s manual for instructions on how to enable them.
- Password Management: Password managers provide a centralized hub where admins can glance at real-time metrics concerning password use and vulnerabilities. They also automate many management tasks, like password generation, while gauging password strength and securely storing credentials in organized, encrypted files.
Passwords should always be handled with the utmost care and attention, but the best way to prevent password attacks is by getting rid of them completely.
The overarching problem with password-related security measures is that cybercriminals will always find new ways around them: password spraying emerged as a result of account lockout policies, and clone phishing developed as awareness of scam emails heightened. To eliminate the prevalence of password attacks, many organizations are opting to omit passwords entirely, leaving hackers stranded with obsolete data.
Migrating to a passwordless environment saves enterprises time and money traditionally allocated to managing and protecting credentials, but it’s a feat that should be done gradually to avoid exposing any security gaps. Experts recommend slowly incorporating cryptography-based authentication, ephemeral certificates, and just-in-time (JIT) access features into existing architectures until all passwords are phased out.
Doing this will help eliminate the risk of falling for phishing emails that ask for login credentials, better align organizations with cybersecurity compliance standards, keep data environments clean and organized, and drastically reduce the margin for human error. If you’re unsure of where to start, SSH has just the right solution for you.
Embracing Passwordless and Keyless Security with SSH
PrivX is a cost-efficient, scalable, and highly automated privileged access management (PAM) solution with support for hybrid and multi-cloud environments. This industry-leading solution supports any combination of password vaulting, rotation, and passwordless authentication for connections, depending on context.
With PrivX’s just-in-time, Zero Trust approach, you can enhance your privileged access security, mitigate insider and third-party threats, accelerate your PAM operations and productivity, and adopt Zero Trust authentication methods at a pace that suits you. This hybrid solution even allows you to manage existing credentials as you gradually transition to a fully passwordless and keyless environment.
Reach out to us today to learn more about how PrivX can help your business transition into a future-proof security framework, without compromising operations.