While passwordless authentication is becoming more popular, passwords remain the most common way of securing accounts and preventing unauthorized access. Passwords provide a degree of security, but there are several different password attacks that are effective at obtaining passwords to access the accounts they protect. In this post, we explain the most common password attacks, why they work, and how you can prevent them.
Common Password Attacks
Brute Force Attacks
Brute force attacks have been conducted for as long as passwords have been used to protect accounts. They are the most basic form of password attack and involve a trial-and-error process of trying to guess the correct password. These could be attempts to guess the PIN of a credit or debit card or automated attacks using every conceivable password for an online account.
While there are many possible combinations of passwords containing any of 26 lower-case, 26 upper-case, 10 digits, and 33 special characters, the latest GPUs make short work of those guesses. Without account lockouts for failed password attempts, it would be possible to crack an 8-character password in around 39 minutes, according to Hive Systems.
In theory, any combination of characters could be used for a password, but in practice that does not happen. Users need to be able to remember passwords and often use dictionary words or phrases. Dictionary-based attacks take advantage of this. A list of all dictionary words can be used, in addition to pet names, sports teams, movie names, band names, and more, with variations also included and common substitutions – numbers for letters. Dictionary-based attacks have a higher success rate than standard brute force attacks.
A password spraying attack is a type of brute force attack that uses commonly used passwords to try to access multiple accounts. In this attack, the username is brute-forced, and a common password is used to try to access each account. The process is then repeated using another commonly used password. In an attack on a large company, where the usernames are worked out (usually the email address of the employee), these attacks can be effective, even if account lockouts have been implemented as each account is targeted slowly.
Credential stuffing attacks can be even more successful than standard brute force attacks. These attacks involve using username and password combinations that have been obtained in data breaches at one company, to access accounts at another. These attacks succeed because many people reuse passwords for multiple accounts. Hackers often trade username/password lists on hacking forums, and collections of millions of password combinations can be used in credential stuffing attacks. The 2011 hack of Sony is believed to have been the result of a credential stuffing attack.
Keylogging is the recording of keystrokes on a computer using malware – a keylogger. When the keylogger is running, it will record all keystrokes, some of which will be passwords. These attacks will also record the web address as it is entered, so the attacker will be able to tell which account the username and password are for. Keyloggers are distributed in phishing campaigns and are often bundled into pirated software and product activators.
Phishing is one of the most common methods of gaining access to accounts. Emails are sent to users (or text messages, instant messages, or voice calls) and social engineering techniques are used to convince the recipient to disclose their credentials. In email phishing, this is usually an urgent request to visit a fake website – to prevent an account charge or loss of service for instance. When login credentials are entered, they are recorded and used to access the account.
How to Avoid These Common Password Attacks
Brute force attacks, dictionary attacks, password spraying, and credential stuffing attacks take advantage of poor cyber hygiene, and users creating passwords that are easy to remember and quick to type in. They can all be prevented by creating a long, complex, and unique password for every account. In practice, that isn’t easy without using a secure password generator and a password manager. Password managers include secure password generators that will generate random strings of characters for passwords (and even usernames with Bitwarden). The passwords are stored securely in an encrypted vault and are autofilled when required. The user only needs to create and remember a long and complex passphrase to access their vault. As an additional protection, multifactor authentication (MFA) should be enabled on all accounts. With MFA, even if the password is guessed, it cannot be used to access the account without a second authentication factor being provided.
To prevent keyloggers from being installed, antivirus software should be used and software and applications should only be downloaded from official software providers. Pirated software, music, TV shows, and movies should also be avoided, and care should be taken opening email attachments.
Phishing can be prevented by using a spam filter and exercising caution when opening emails, especially unsolicited emails from unknown senders that provide an urgent reason for opening an attachment or visiting a link. MFA should also be enabled on all accounts.