The 2022 Microsoft Digital Defense Report has highlighted a worrying cybercrime trend – a massive increase in password attacks. In the past year there has been a 74% increase in password attacks, which are now occurring at a rate of 921 attacks per second.
Password spraying and credential stuffing attacks are increasing despite improving cybersecurity awareness. Password spraying is a brute force attack that involves the use of a list of default and commonly used passwords. They are tried against multiple accounts in the hope that an account has been poorly secured. To get around account lockouts, one password is used against multiple accounts before moving on to the next password.
Credential stuffing attacks exploit another poor password practice – the use of the same password to secure multiple accounts. Passwords obtained in data breaches at one service are used to try to access accounts on another service. One recent survey suggests that 62% of people use the same password most of the time. Were that not to be the case, credential stuffing attacks would not be successful. These attacks are automated and require very little effort, which is why these brute force attacks are so popular.
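Both attacks described above leave the same footprint in authentication logs: one source failing against many distinct accounts while staying below the per-account lockout threshold. The following detection logic is an added example, not code from the article or from Microsoft; the log format, the source addresses and the sample lines are constructed for illustration, and the thresholds (5 accounts, at most 2 failures per account, 15-minute window) are assumptions to tune against real traffic.

```javascript
// Added example (not from the article): flag password-spray / credential-stuffing
// patterns in authentication logs. Log format and sample lines are constructed;
// adapt parseLine() to the real log source.

const LINE_RE = /^(\S+) src=(\S+) user=(\S+) result=(OK|FAIL)$/;

// Constructed sample: 203.0.113.7 quietly tries six accounts once each (the
// spray / stuffing shape), 198.51.100.5 retries a single account, and
// 192.0.2.10 is normal traffic.
const SAMPLE_LOG = [
  '2022-11-04T09:00:00Z src=192.0.2.10 user=alice result=OK',
  '2022-11-04T09:01:00Z src=203.0.113.7 user=alice result=FAIL',
  '2022-11-04T09:02:00Z src=203.0.113.7 user=bob result=FAIL',
  '2022-11-04T09:03:00Z src=203.0.113.7 user=carol result=FAIL',
  '2022-11-04T09:04:00Z src=203.0.113.7 user=dave result=FAIL',
  '2022-11-04T09:05:00Z src=203.0.113.7 user=erin result=FAIL',
  '2022-11-04T09:06:00Z src=203.0.113.7 user=frank result=FAIL',
  '2022-11-04T09:07:00Z src=198.51.100.5 user=bob result=FAIL',
  '2022-11-04T09:07:10Z src=198.51.100.5 user=bob result=FAIL',
  '2022-11-04T09:07:20Z src=198.51.100.5 user=bob result=FAIL',
  '2022-11-04T09:07:30Z src=198.51.100.5 user=bob result=FAIL',
  '2022-11-04T09:08:00Z src=198.51.100.5 user=bob result=OK',
];

function parseLine(line) {
  const m = LINE_RE.exec(line.trim());
  if (!m) return null; // unparseable lines are skipped, not fatal
  return { ts: Date.parse(m[1]), src: m[2], user: m[3], ok: m[4] === 'OK' };
}

// Flags a source that fails against at least `minAccounts` distinct accounts
// inside `windowMs` while never exceeding `maxFailsPerAccount` on any one of
// them, i.e. it rotates accounts to stay under a typical lockout threshold.
// A source that hammers a single account is left to the lockout policy.
function detectSpray(lines, opts = {}) {
  const { minAccounts = 5, maxFailsPerAccount = 2, windowMs = 15 * 60 * 1000 } = opts;
  const failuresBySrc = new Map();
  for (const line of lines) {
    const ev = parseLine(line);
    if (!ev || ev.ok) continue;
    if (!failuresBySrc.has(ev.src)) failuresBySrc.set(ev.src, []);
    failuresBySrc.get(ev.src).push(ev);
  }

  const alerts = [];
  for (const [src, events] of failuresBySrc) {
    events.sort((a, b) => a.ts - b.ts);
    let best = null;
    let start = 0;
    for (let end = 0; end < events.length; end++) {
      // slide the window start forward until the window fits inside windowMs
      while (events[end].ts - events[start].ts > windowMs) start++;
      const perUser = new Map();
      for (let i = start; i <= end; i++) {
        perUser.set(events[i].user, (perUser.get(events[i].user) || 0) + 1);
      }
      const worst = Math.max(...perUser.values());
      if (perUser.size >= minAccounts && worst <= maxFailsPerAccount &&
          (!best || perUser.size > best.accounts)) {
        best = {
          src,
          accounts: perUser.size,
          maxFailsPerAccount: worst,
          from: new Date(events[start].ts).toISOString(),
          to: new Date(events[end].ts).toISOString(),
        };
      }
    }
    if (best) alerts.push(best); // one alert per source, for its widest window
  }
  return alerts;
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(JSON.stringify(detectSpray(SAMPLE_LOG), null, 2));
}
```

Run as-is to see the single alert for 203.0.113.7 (six accounts, one failure each). A spray distributed across many source addresses will not trip a per-source rule like this one; the same count of distinct failing accounts per password-guess interval, aggregated across all sources, is the complementary signal to watch.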
These brute force attacks take advantage of poor password hygiene. It is convenient to set the same password for all accounts, or to use variations of the same password. Remembering multiple complex passwords is difficult and given the number of accounts that a typical person needs to create and secure, virtually impossible without taking some shortcuts.
The easiest way to solve this and improve password hygiene with minimal effort and inconvenience is to use a password manager. Password managers are low-cost solutions that make a big difference to password security. Bitwarden, for example, has an impressive free tier, and the personal version with all the bells and whistles is just $10 per year. Password managers suggest unique, complex passwords for all accounts, store the passwords securely, make sharing passwords secure and simple, and will even autofill the passwords when they are needed, so you will only ever need to remember one password – the one to access your password vault.
Phishing attacks have also been increasing. Phishing exploits human rather than password management weaknesses and involves social engineering techniques to trick people into disclosing their passwords. These attacks often succeed due to the failure to implement multi-factor authentication. Microsoft reports that adoption of MFA is on the rise, but businesses have been slow to adopt MFA, despite this simple measure being one of the most effective ways of improving account security.
It is worth noting that phishing campaigns are now being conducted that successfully bypass some forms of MFA, which is why the U.S. Cybersecurity and Infrastructure Security Agency (CISA) is strongly encouraging all businesses to adopt phishing-resistant MFA. Phishing-resistant MFA is the gold standard for multi-factor authentication and is resistant to attacks involving phishing kits with reverse proxies that bypass weaker forms of MFA by stealing session cookies in real time. It is also strongly recommended to implement network segmentation and zero-trust and least privilege principles, so that in the event of access to an account being gained through a brute force or phishing attack, it will be hard for the attacker to gain full access to the network using a single set of credentials.