1. Random Guesses
Usernames are the portion of credentials that do not change, and they are highly predictable: they regularly take the form of first initial plus surname, or are simply an email address, something widely communicated. An attacker therefore already holds half of what is needed to log into many of your systems; all that is missing is the password. A random password guess rarely succeeds unless the password is a common one or is based on a dictionary word. Knowing information about the target identity raises the likelihood of a successful guess. That information is gathered from social media, direct interaction, deceptive conversation, or data aggregated from prior breaches. The most common variants for passwords susceptible to guessing include these common schemas:
While automated password cracking tools are not necessary for password guessing attacks, they improve the success rate. Password guessing attacks tend to leave evidence in event logs and to trigger automatic lockout of the account after "n" failed attempts. When account holders reuse passwords across multiple resources, the risk of both a successful guess and subsequent lateral movement increases dramatically.

2. Dictionary Attacks
Dictionary attacks are an automated technique that tries a list of candidate passwords against a valid account until one is accepted. The list itself is a "dictionary" of words. Basic password crackers use lists of common single words like "baseball" to crack a password, take over the account, and reveal the complete credential. If the threat actor knows the password length and complexity requirements of the target account, the dictionary is customized to fit them. Advanced password crackers often start from a dictionary and mix in numbers and symbols to mimic a real-world password that satisfies complexity requirements. An effective dictionary attack tool lets a threat actor:
A weakness of dictionary attacks is that they rely on real words and the derivation rules supplied with the dictionary. A password that is a made-up word, mixes languages, or is a multi-word phrase tends to thwart a dictionary attack. The most common mitigation is account lockout: after "n" wrong attempts, the account is automatically locked for a period of time, or until it is unlocked by an authority such as the help desk or an automated password reset solution. However, lockout is sometimes disabled, and if logon failures are not monitored in event logs either, a dictionary attack is an effective attack vector.

3. Brute Force
Brute force password attacks use a programmatic method to try every possible combination for a password. This method is efficient against passwords that are short and low in complexity. Against an online target that enforces lockout or rate limiting, it becomes infeasible at around eight characters; against a captured hash offline, feasibility depends on the hash algorithm and the attacker's hardware, and short passwords fall quickly. For example, a seven-character password drawn only from single-case letters has 26^7 = 8,031,810,176 possible values, so an attacker who knows the length and character set needs at most that many guesses; allowing both cases raises the space to 52^7, roughly 1.03 trillion. Numbers and the special characters of the localized language enlarge it further. With the proper parameters dialed in, a brute force attack will always find the password, eventually. The computing power required and the time it takes often render the result moot by the time the search completes. The time to perform the attack is determined by the time needed to generate and test all permutations, plus, for an online attack, the response time of the target system. Brute force is the least efficient method for hacking a password, so threat actors use it as a last resort.

4. Credential Stuffing
Credential stuffing is an automated technique that uses stolen credentials: lists of usernames or email addresses paired with passwords. It generally relies on automation to submit login requests against an application and to record the ones that succeed for later exploitation. Credential stuffing does not attempt to brute force or guess any passwords. The threat actor replays previously discovered credentials with customized tools, potentially launching millions of attempts to find where a user reused the same credentials on another website or application. The attack preys on password reuse and is effective only because so many users reuse the same combinations across multiple sites.

5. Password Spraying
Password spraying is a credential-based attack that attempts to access many accounts using a few common passwords. Conceptually, it is the inverse of a brute force attack: brute force targets a single account with a large number of password candidates, whereas a spray tries a single commonly used password (such as "12345678" or "Passw0rd") against every account in the list before moving on to a second password. Because each account sees only one failure per pass, and passes are spaced out in time, the attacker stays under per-account lockout thresholds and draws less attention than a burst of failures on one account. If any one user has poor password hygiene, the attacker will likely get into the resource.
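As an added example (not code from the original article), the following Python script shows how the lockout and detection points above play out in log data: a per-account failure count catches a brute force or dictionary attack against one account, while a password spray only shows up when failures are grouped by source and counted across accounts. The log format, the sample lines, and the thresholds are constructed assumptions for the example.

```python
"""Tell brute force (one account, many failures) from password spraying
(many accounts, few failures each) in authentication logs.

Added example, not code from the original article. Log format, sample lines
and thresholds are constructed assumptions.
"""
from collections import defaultdict

# Constructed sample log (not real data). Assumed format per line:
#   <timestamp> <OK|FAIL> user=<account> src=<client address>
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:02 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:03 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:04 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:05 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:00:06 FAIL user=jsmith src=203.0.113.7
2024-03-01T09:10:00 FAIL user=alee src=198.51.100.9
2024-03-01T09:10:30 FAIL user=bkhan src=198.51.100.9
2024-03-01T09:11:00 FAIL user=cdiaz src=198.51.100.9
2024-03-01T09:11:30 FAIL user=dwong src=198.51.100.9
2024-03-01T09:12:00 OK user=epark src=198.51.100.9
2024-03-01T09:12:30 FAIL user=fnair src=198.51.100.9
2024-03-01T09:20:00 FAIL user=ghill src=192.0.2.44
2024-03-01T09:20:05 OK user=ghill src=192.0.2.44
"""

LOCKOUT_THRESHOLD = 5    # failures on one account that would trigger lockout
SPRAY_MIN_ACCOUNTS = 5   # distinct accounts one source must fail against to count as a spray


def parse(line):
    """Split one log line into its fields (assumed format above)."""
    ts, result, user, src = line.split()
    return {"ts": ts, "ok": result == "OK",
            "user": user.split("=", 1)[1], "src": src.split("=", 1)[1]}


def analyze(log_text, lockout_threshold=LOCKOUT_THRESHOLD,
            spray_min_accounts=SPRAY_MIN_ACCOUNTS):
    fails = defaultdict(int)          # (src, user) -> failed logons
    users_by_src = defaultdict(set)   # src -> accounts it touched
    wins_by_src = defaultdict(set)    # src -> accounts it logged into

    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse(line)
        users_by_src[e["src"]].add(e["user"])
        if e["ok"]:
            wins_by_src[e["src"]].add(e["user"])
        else:
            fails[(e["src"], e["user"])] += 1

    # Brute force / dictionary: one account crosses the lockout threshold from one source.
    brute_force = sorted({user for (src, user), n in fails.items()
                          if n >= lockout_threshold})

    # Spray: one source fails against many accounts while staying under the
    # lockout threshold on every one of them, so no single account locks.
    sprays = []
    for src, users in users_by_src.items():
        failed = [u for u in users if fails.get((src, u), 0) > 0]
        if (len(failed) >= spray_min_accounts
                and all(fails[(src, u)] < lockout_threshold for u in failed)):
            sprays.append({
                "src": src,
                "accounts": len(failed),
                # accounts where the sprayed password actually worked
                "compromised": sorted(wins_by_src[src]),
            })
    return {"brute_force": brute_force, "sprays": sprays}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print("per-account brute force:", result["brute_force"])
    for s in result["sprays"]:
        print(f"spray from {s['src']}: {s['accounts']} accounts, "
              f"compromised {s['compromised']}")
```

Run against the constructed log, it reports jsmith as the brute-forced account and 198.51.100.9 as a spray source that touched five accounts with one success (epark). The grouping by source address, counted across accounts, is what a detection rule for spraying needs; per-account counting alone never sees it, which is why a lockout policy on its own does not stop spraying.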
Password attacks are one of the most common forms of corporate and personal data breach. A password attack is simply when a hacker tries to steal your password. In 2020, 81% of data breaches were due to compromised credentials. Because a password is a short string drawn from a limited character set, and computing power keeps growing, passwords are becoming less safe. Hackers know that many passwords are poorly chosen, so password attacks will remain a method of attack as long as passwords are being used. Protect yourself from password attacks with the information below.
Phishing is when a hacker posing as a trustworthy party sends you a fraudulent email, hoping you will voluntarily reveal your personal information. Sometimes the message leads you to a fake "reset your password" screen; other times its links install malicious code on your device. We highlight several examples on the OneLogin blog. Here are a few examples of phishing:
To avoid phishing attacks, follow these steps:
Man-in-the-middle (MitM) attacks are when a hacker or compromised system sits between two uncompromised parties or systems and reads, and possibly alters, the information they pass to each other, including passwords. If Alice and Bob are passing notes in class but Jeremy has to relay those notes, Jeremy has the opportunity to be the man in the middle. Similarly, in 2017, Equifax removed its mobile apps from the App Store and Google Play because they were passing sensitive data over insecure channels where attackers could have stolen customer information. To help prevent man-in-the-middle attacks:
If a password is the key that opens a door, a brute force attack is a battering ram. A hacker can try 2.18 trillion password/username combinations in 22 seconds; rates like that are reached offline, against password hashes stolen from a breached system, rather than against a live login form, and if your password is simple it can be recovered in moments. To help prevent brute force attacks:
A type of brute force attack, dictionary attacks rely on our habit of picking "basic" words as passwords; hackers have collated the most common of these into "cracking dictionaries." More sophisticated dictionary attacks incorporate words that are personally important to you, like a birthplace, child's name, or pet's name. To help prevent a dictionary attack:
If you've suffered a hack in the past, your old passwords were likely leaked and traded on disreputable websites. Credential stuffing takes advantage of accounts whose passwords were never changed after a break-in: hackers replay former username and password combinations, hoping the victim still uses them. To help prevent credential stuffing:
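The defense this section implies, checking whether a password already appears in leaked credential sets before accepting it, can be done without sending the password itself to anyone. Below is an added Python example (not code from OneLogin) of the k-anonymity range lookup that Have I Been Pwned's Pwned Passwords API uses: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally. The breach corpus and the range response are constructed in-process so the example runs offline; the `hibp_range` function shows the request shape against the live service, which is an assumption about that service's URL and response format.

```python
"""Breached-password check using SHA-1 prefix k-anonymity (HIBP range style).

Added example, not code from the original article. The corpus and the
"range response" are constructed locally so that this runs offline.
"""
import hashlib
import urllib.request

# Constructed stand-in for a breach corpus: password -> number of times seen.
# (Counts are made up for the example.)
CONSTRUCTED_CORPUS = {
    "password": 3861493,
    "Passw0rd": 83412,
    "12345678": 2889079,
    "baseball": 150192,
}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1 of the password; SHA-1 is the hash the range API is keyed on."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def fake_range_response(prefix: str) -> str:
    """Stand-in for the server: every corpus hash sharing `prefix`, as SUFFIX:COUNT lines."""
    lines = []
    for pw, count in CONSTRUCTED_CORPUS.items():
        digest = sha1_hex(pw)
        if digest.startswith(prefix):
            lines.append(f"{digest[5:]}:{count}")
    return "\r\n".join(lines)


def hibp_range(prefix: str) -> str:
    """Lookup against the live service (network call; not used by the offline demo).
    Assumption: GET https://api.pwnedpasswords.com/range/<prefix> returns SUFFIX:COUNT lines."""
    with urllib.request.urlopen(f"https://api.pwnedpasswords.com/range/{prefix}") as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range=fake_range_response) -> int:
    """Client side of the protocol: only the 5-character hash prefix leaves this process."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in fetch_range(prefix).splitlines():
        if not line.strip():
            continue
        found_suffix, count = line.strip().split(":", 1)
        if found_suffix == suffix:
            return int(count)
    return 0


def is_acceptable(password: str, fetch_range=fake_range_response) -> bool:
    """Reject any password that has appeared in a breach at all."""
    return breach_count(password, fetch_range) == 0


if __name__ == "__main__":
    for candidate in ("Passw0rd", "baseball", "correct horse battery staple"):
        seen = breach_count(candidate)
        print(f"{candidate!r}: seen {seen} times -> "
              f"{'reject' if seen else 'ok'}")
```

To use it against the real service, pass `fetch_range=hibp_range`; the client code does not change, because the matching is done locally in both cases. A candidate that appears even once should be rejected at registration and password change, which removes exactly the reused, previously leaked passwords that credential stuffing depends on.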
Keyloggers are malicious software designed to record every keystroke and report it back to a hacker. Typically, a user downloads software believing it to be legitimate, only for it to install a keylogger silently. To protect yourself from keyloggers:
The best way to recover from a password attack is to avoid one in the first place. Ask your IT professional about proactively investing in a common security policy that includes: