According to Verizon’s Data Breach Investigations Report of 2021, passwords caused 89% of web application breaches, and 61% of breaches overall included credential data. These statistics demonstrate that password attacks are one of the most common forms of data breaches.
As the name suggests, a password attack is when a hacker cracks a user’s password or login credentials to access their data.
Most individuals have hundreds of personal and business accounts online. With all that information to keep track of and remember, users tend to reuse the same weak login credentials across multiple accounts.
Reused passwords put users and businesses at serious risk because if one account is compromised, a hacker can easily break into others.
So, while passwords may seem like a minor issue, they are a great place to start improving your cybersecurity and protecting your company’s data. Below we listed common password-related attacks and ways to prevent them.
6 Common Types of Password Attacks
To protect your business and employees, you need to know what threats you are facing. Here are six types of password attacks.
According to Proofpoint's studies, 74% of US organizations experienced a successful phishing attack in 2020. Their research found that, of the successful phishing attacks, 52% resulted in compromised credentials.
Most businesses and consumers are familiar with phishing attacks since the threats to large companies often make it into the news. For example, Expert Insights reported the most notable password breaches of 2020, where organizations such as Marriott, Nintendo, Zoom, Magellan Health, and Twitter fell victim.
The fundamental difference between phishing and other cybersecurity threats is that it relies on human error to work. A phishing attack is when a hacker sends a fraudulent email posing as a legitimate source–like a bank or delivery service–with the intent to receive sensitive information.
The emails typically ask the user to perform a specific action, such as resetting their password or entering credentials to verify their identity and unlock their account. When the user clicks on the link and enters the information, the hacker then has the necessary credentials to access any data within that account.
As we mentioned before, if the user reused that password, the hacker would have access to all accounts sharing that same credential, putting the user and their business at greater risk.
2. Credential Stuffing
Remembering all your usernames, passwords, security questions, and other login information for potentially hundreds of accounts is quite frankly hard. Hackers take advantage of this through what’s called a credential stuffing attack.
Credential stuffing threats operate on the assumption that people reuse their passwords. Attackers try different combinations of stolen usernames and passwords to access the account where the user has reused an already compromised password.
Hackers reuse the passwords they’ve already stolen or acquire lists of stolen passwords through the Dark Web. So, with this type of password attack, there’s already been a breach. The hackers currently possess login credentials and are now seizing any data they can get their hands on.
3. Brute Force
Brute force attacks are one of the easiest for cybercriminals to perform. In a brute force attack, the hacker uses a program to try all possible character combinations of a password, credential, or PIN until they get it right. The process takes a long time due to the seemingly endless possibilities, so they start simple with common and short passwords.
If the attackers know the password requirements for the account they are attempting to access, such as a minimum number of letters and characters, they can apply those filters into the software program. Cybercriminals also use brute force attacks to crack encrypted data or investigate a business’s network security.
4. Password Spraying
Password spraying is a form of a brute force attack in which hackers attempt to get into account using commonly used passwords. With this specific attack, the cybercriminals can target thousands up to millions of different users simultaneously.
Since the hacker targets many users and organizations concurrently, they can decrease their risk of being caught by account lockout policies. The attacker will “spray” the same password across all accounts before going back to try the next one and methodically avoid the repeated failed login attempt triggers.
5. Dictionary Attacks
Another variation of brute force attacks is a dictionary attack. This type tries to crack passwords using simple words and phrases instead of the character-by-character approach of the conventional brute force attacks.
While basic words or phrases might help you and your employees remember logins later, they also make a hacker’s job that much easier. Dictionary attacks not only utilize variations of commonly used words but also find personalized words for specific users.
Consumers share personal information online, such as their pets’ names and favorite bands, sports, movies. NordPass released a report of the top 200 most common passwords of the last year and interests like "soccer," "superman," and "starwars," ranked 60th, 88th, and 151st, respectively.
Keyloggers, or keystroke loggers, are software designed to track every keystroke a user makes and report back to the hacker.
To infect the victim’s device with malicious software, the hacker needs to employ a phishing attack, trojan horse, drive-by download, or another type of malware. Once the user has clicked on the link or attachment, the software infects the system without being detected.
Keyloggers note every username, password, PIN, credential, and anything the user types. The hacker may receive personal information to answer security questions, credit card details, and potentially SSNs.
How to Prevent Password Attacks
The best way to combat these attacks is to make strong, complex passwords for all your accounts.
Here are 11 tips on how to prevent password attacks:
- Avoid using personal details in your passwords such as phone numbers, addresses, birthdays, SSNs, your name, kids’ names, family members’ names, or pets’ names
- Never use generic passwords like “12345” or “password”
- Never use common phrases or words; if you do want to use one, alter it to include various numbers and characters
- Make your passwords eight or more characters in length
- Use a combination of uppercase and lowercase letters, numbers, and symbols
- Use two-factor or multi-factor authentication when you can
- Create unique passwords for every account
- Don’t share your passwords with anyone
- Change your passwords a few times each year
- Educate employees and other stakeholders on password security
- Employ password manager programs to help you and your employees create strong passwords
Passwords are the key to your business, systems, data, employees, customers, and any sensitive information. Implementing password best practices and requirements can boost security and reduce risk for your company.
Nicolet Tech can help you combat all cybersecurity threats. Contact our team of professionals today.