
The top 10 password attacks and how to stop them



CONTAINS LINK TO A FREE CHECKING PROGRAM

There is no question that passwords are one of the weakest links in the overall cybersecurity of many organizations. Unfortunately, passwords are constantly under attack as they arguably provide one of the easiest ways hackers can breach your environment. To better understand how to protect passwords in your environment from attacks, let's look at the top 10 password attacks and see what your organization can do to prevent them.

Top 10 password attacks and how to stop them

Here are the 10 most common password attacks and mitigations businesses can use to prevent them from leading to network compromise and loss of business-critical data.

  1. Brute-force Attack
  2. Dictionary Attack
  3. Password Spraying
  4. Credential Stuffing
  5. Phishing
  6. Keylogger Attack
  7. Social Engineering
  8. Password Reset
  9. Old fashioned theft
  10. Password Reuse

1. Brute Force Attacks

A brute-force attack is a basic password attack in which hackers make high-volume attempts to gain access to a network using large lists of common or compromised passwords. Even a "gaming" class computer, with today's high-powered processors, can "guess" billions of passwords each second. The attack proactively tries to guess the password for legitimate user accounts "by force."

2. Dictionary Attack

A dictionary attack is a variant of the brute-force method described above that uses large databases of common passwords, much like a dictionary, as its source. It is used to break into password-protected assets by trying every word in the dictionary, along with derivatives of those words (such as leetspeak variants) and previously leaked passwords or key phrases. For instance, hackers know that users often substitute numbers and special characters for letters in a word; P@$$w0rd is a typical example.

  • Prevention steps - Password length/passphrases greater than 20 characters, block incremental/common patterns, breached password protection, custom dictionary, MFA.
  • A dictionary attack was used on January 4th, 2009 by a hacker known only as GMZ to compromise an administrator account and then change the passwords of famous accounts, including President-elect Barack Obama, Britney Spears, and others.
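As an added example (not part of the original article), the following Python sketch shows how the prevention steps above can be enforced at password-change time: it undoes leetspeak substitutions so that P@$$w0rd is caught as the dictionary word "password", checks a breached-password list, rejects incremental patterns, and applies the 20-character minimum. The dictionary, breach list and thresholds are constructed for the demo.

```python
import re

# Constructed custom dictionary and breached-password list for the demo;
# a real deployment loads organisation-specific words and a breach corpus.
CUSTOM_DICTIONARY = {"password", "welcome", "summer", "company", "letmein"}
BREACHED_PASSWORDS = {"p@$$w0rd", "summer2023!", "welcome1"}
MIN_LENGTH = 20  # length/passphrase threshold from the prevention steps above

# Common leetspeak substitutions mapped back to the letters they replace.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                          "0": "o", "1": "i", "3": "e", "7": "t"})


def normalize(password: str) -> str:
    """Fold case, drop a trailing digit/symbol suffix ('Summer2023!' -> 'summer'),
    then undo leetspeak ('P@$$w0rd' -> 'password')."""
    base = re.sub(r"[^a-z]+$", "", password.lower())
    return base.translate(LEET_MAP)


def has_incremental_pattern(password: str) -> bool:
    """Flag four-character runs such as '1234', 'abcd', 'dcba' or 'aaaa'."""
    s = password.lower()
    if re.search(r"(.)\1{3,}", s):
        return True
    for i in range(len(s) - 3):
        chunk = s[i:i + 4]
        steps = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if steps in ({1}, {-1}):
            return True
    return False


def reject_reasons(password: str) -> list:
    """Return every policy rule the password fails; an empty list means accepted."""
    reasons = []
    if len(password) < MIN_LENGTH:
        reasons.append("too short")
    if password.lower() in BREACHED_PASSWORDS:
        reasons.append("breached")
    if normalize(password) in CUSTOM_DICTIONARY:
        reasons.append("dictionary word")
    if has_incremental_pattern(password):
        reasons.append("incremental pattern")
    return reasons
```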

3. Password Spraying

A password spraying attack avoids detection or lockout on any individual account by attempting one or two common passwords across many different accounts, services, and organizations. Attackers use this method to stay under the account lockout threshold, which many organizations set to between three and five incorrect attempts.

By keeping each account one attempt below the lockout threshold, the attacker can try many passwords across the organization without being stopped by the default protective mechanisms in Active Directory. The attacker picks passwords commonly used by end users, uses mathematical formulas to generate guesses, or uses breached passwords that have already been exposed in password dumps online.
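As an added example (not from the original article), this Python sketch shows the detection logic a defender would run over failed-logon records to separate a spray (many accounts from one source, each kept below the lockout threshold) from a classic brute force against a single account. The events, the lockout threshold of five and the 30-minute window are constructed for the demo.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Assumptions for the demo: AD lockout threshold and observation window.
LOCKOUT_THRESHOLD = 5
WINDOW = timedelta(minutes=30)
MIN_SPRAYED_ACCOUNTS = 10


def build_sample():
    """Constructed failed-logon events (source, account, time); not real log data."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    events = []
    # Spraying source: 12 accounts, 2 attempts each, all below the lockout threshold.
    for rnd in range(2):
        for i in range(12):
            events.append(("203.0.113.7", f"user{i:02d}",
                           t0 + timedelta(seconds=60 * rnd + 3 * i)))
    # Brute-force source: 8 attempts against one account, past the threshold.
    for k in range(8):
        events.append(("198.51.100.9", "admin", t0 + timedelta(seconds=2 * k)))
    # Benign user who mistyped twice.
    events.append(("192.0.2.5", "carol", t0 + timedelta(minutes=5)))
    events.append(("192.0.2.5", "carol", t0 + timedelta(minutes=6)))
    return sorted(events, key=lambda e: e[2])


def classify_sources(events, window=WINDOW, lockout=LOCKOUT_THRESHOLD,
                     min_accounts=MIN_SPRAYED_ACCOUNTS):
    """Label each source as 'password spraying' or 'brute force'; quiet sources are omitted.

    Spraying: many distinct accounts, each kept under the lockout threshold, so
    per-account lockout never fires. Brute force: one account at/over the threshold.
    """
    by_source = defaultdict(list)
    for src, account, ts in events:
        by_source[src].append((account, ts))
    findings = {}
    for src, attempts in by_source.items():
        start = min(ts for _, ts in attempts)
        per_account = Counter(a for a, ts in attempts if ts - start <= window)
        if max(per_account.values()) >= lockout:
            findings[src] = "brute force"
        elif len(per_account) >= min_accounts:
            findings[src] = "password spraying"
    return findings
```

In production the same grouping would be fed from Windows Security event 4625 (failed logon) or the equivalent NPS/ADFS logs, and the window would slide rather than start at the first failure.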

4. Credential Stuffing

Credential stuffing is an automated attack in which stolen username and password combinations are thrown at a login process to break in. The credentials are typically dumped from large databases of real breached accounts and passwords, which are (unfortunately) readily available for purchase online. With a success rate of up to 2%, credential stuffers account for more than 90% of all login traffic on many of the world's largest websites and cause a spate of second-hand data breaches.

5. Phishing

Phishing is an age-old attack that has been used for decades. However, regardless of its age, it is surprisingly still very effective. Phishing attacks aim to manipulate people into performing actions or divulging confidential information and are commonly attempted via email. For example, attackers masquerade as legitimate organizations or services to entice users into giving away account information.

Other phishing emails use "scare tactics with urgency" to prod users into quickly giving up information. An email may contain wording such as "urgent: your account has been breached." Playing on the emotions of the end user, attackers get users to divulge information when they believe they are protecting it. In organizations where personal devices are used, cybercriminals can use these phishing tactics to trick end users into giving up their corporate credentials.

  • Prevention steps - Cybersecurity awareness training, MFA, configuring email banners, mail server configuration (DKIM, SPF, etc.)
  • A series of spear-phishing emails sent to Sony employees ended in more than 100 terabytes of company data being stolen, including newly released files, financial records, and customer data.

6. Keylogger Attack

A keylogger attack records sensitive information, such as account credentials, as it is typed. It can involve both software and hardware. For example, spyware can record keystrokes to steal a range of sensitive data, from passwords to credit card numbers. If an attacker has physical access to an end user's computer, a hardware device can be placed in line with the keyboard to record the keystrokes entered.

7. Social Engineering

Social Engineering encompasses a range of malicious activities to manipulate people into performing actions or divulging confidential information, including phishing, vishing, social media, baiting, and tailgating. For example, phishing attacks are a form of social engineering where attackers trick you into giving them sensitive information such as passwords, bank information, or control over your computer or mobile device.

Social engineering generally exploits natural human inclinations. It is usually much easier for an attacker to trick you into giving them your password than to crack it by other means.

  • Prevention steps - awareness training, secure MFA methods, e.g., not secret questions
  • The famous 2011 RSA SecurID social engineering attack consisted of two different phishing emails that persuaded employees to open an Excel document to install a backdoor. It led to the compromise of RSA SecurID tokens.

8. Password reset

A password reset attack is a classic social engineering technique for gaining access to a network: calling the service desk, pretending to be someone else, and requesting a new password. The hacker only needs to convince service desk staff to hand over the new password rather than guess or crack it. It is especially a danger to larger organizations where helpdesk staff may not personally know every employee. It has also become far more common as the workforce moves to a hybrid or fully remote model, since end-user verification is no longer as simple as saying hello in person.

  • Prevention - Verification / MFA at the help desk, awareness training, self-service password reset (SSPR) with MFA
  • The password reset MitM attack is very simple and effective as shown by several studies.

9. Old fashioned theft

Writing passwords down is a common and very dangerous activity. The classic “post-it note with the master password” stuck to the monitor can easily turn into an all-out cybersecurity breach. Enforcing complexity in passwords can lead users to write them down. Using passphrases is a better option for memorable passwords that don’t need to be documented and left open to prying eyes. If your end users are juggling multiple passwords for business-critical systems, use a password manager. Post-it notes on a monitor or desk are a big no-no.

10. Password Reuse

Password reuse often leads to compromised systems. Research has found that over 70% of employees reuse passwords at work. Sharing passwords across personal and corporate accounts leaves your network vulnerable to account takeover. If that hobbyist forum you've registered for gets hacked and you use the same password for a corporate account, your password will end up on the dark web and corporate systems quickly become vulnerable.

Gain visibility into your top password risks with Specops Password Auditor

Specops Password Auditor is a free password audit tool that scans your Active Directory environment to identify password-related vulnerabilities and audit your existing password policies against common regulatory compliance recommendations. There are 14 areas of focus in total, with an exported PDF listing any glaring issues and how to solve them. Recently, Specops has added a Password Age report to Specops Password Auditor so IT admins can see the age of passwords in their environments.

Below, the Specops Password Auditor dashboard quickly shows password risks in Active Directory.

Specops Password Auditor allows seeing password risks in your Active Directory environment

In our commitment to cybersecurity for all, we keep Specops Password Auditor totally free and read-only, meaning we don't collect any information whatsoever from its use. You can use it in your AD anytime, here.
