How to Protect Yourself Against Common Password Attacks

To avoid password attacks, Authentication and access management may be evolving, but passwords are not going to disappear in the near future. Experts believe that the number of passwords in use will reach 300 billion in 2020. 

Although IT professionals understand the significance of secure passwords, almost 70% of employees share passwords in a non-secure way. In addition to that, more than 50% of corporate employees reuse the same password across all their accounts.   

Solid password management techniques protect user accounts against common password attacks. Attackers use a wide range of methods to access password information. Businesses that do not use proper security measures may face data breaches.

What Is a Password Attack?

A password attack is an attempt to obtain user login information. The hacking technique does not have to be sophisticated. People often think of obvious words and numbers and merge them into a simple password. 

In most cases, hackers can simply guess passwords by trying some common phrases like the user’s name. Unauthenticated attackers can exploit vulnerabilities like the Apache Struts Vulnerability to execute malicious code on remote systems.

An analysis of 10 million people showed that the most common passwords are simply the word “password” or a numerical sequence of “12345”. 8% of these 10 million people used a number between 0 and 99 in their passwords, and one out of five passwords included the number 1. 

Alongside these dire findings, the analysis also found that people are becoming more conscious about creating strong passwords. As a result, hackers need to use more sophisticated password cracking methods.

6 Common Password Cracking Attacks

Most of the password attack techniques are easily accessible online. Any hacker with basic computer skills can follow these techniques to successfully crack passwords. This list reviews the six most common techniques.

1. Brute Force Attack

In a brute force attack, hackers use automated tools like bots to gain access to a user’s account by running through as many password combinations as possible.

Hackers usually obtain lists of commonly used passwords or real user credentials on the dark web or via security breaches.

Brute force bots attack websites by systematically trying all credentials on these lists and notify the attacker when the log is successful.

To protect your organization from brute force hacking use strong passwords and multiple-factor authentication to grant access to accounts.

2. Dictionary Attack

In a dictionary attack, hackers use automatic tools to run through a list of common words and gain access to a user’s account.

This attack has a high success rate because users usually choose short passwords and base them on common words. 

A dictionary attack is different from a brute force attack. Dictionary attacks start with the possibilities that are most likely to succeed, whereas brute force goes letter by letter. After trying common words, the attack adds numbers at the end, as well as replacing letters with numbers.

3. Credential Stuffing

Credential stuffing attacks use data and context from previous breaches to log in to other systems. The attack is based on the assumption that users reuse passwords on different services. 

About one out of 1000 credential stuffing attempts on another system results in a successful login. Even though users create strong passwords, they still share them across services. This technique typically has much higher success rates compared to brute force attacks. 

4. Rainbow table

Most modern organizations use hashing to protect their passwords. The hashing technique uses a mathematical formula to encrypt passwords into random-looking strings.

Hashing is based on the assumption that hackers cannot read encrypted passwords. As secure as this sounds, hashing does not always work.

One approach to hack encrypted passwords is a rainbow table attack. This attack hashes all dictionary words and cross-references them with the actual hashed passwords. If there is a match, this is probably the correct password.

5. Password Spraying

Hackers use password spraying attacks to gain access to multiple accounts with a few password options, instead of trying to access a single account with multiple passwords.

Password spraying drastically expands the potential targets. Your whole business may be at risk even if only one user has a weak password.  

Password spraying is a slow and steady attack method. Hackers prefer to attack methodically by trying different passwords from account to account.

As a result, hackers can work around the account lockout detection mechanism that is triggered after repetitive failed attempts. Password spraying is especially dangerous for cloud-based authentication platform or sign-on services.

6. Man-in-the-middle attack

When you use a remote application on the Internet, you assume that you are communicating directly with the app’s server.

The man-in-the-middle attack breaks this assumption by placing hackers between the user and the target server.

Hackers intercept the traffic between your device and the server to steal credentials and other sensitive data.

Hackers usually execute man-in-the-middle attacks on unencrypted Wi-Fi networks like restaurants, airports, and hotels. Hackers can easily use widely available tools to spy on your Internet traffic when you surf on public Wi-Fi.

How To Protect Yourself?

Basic awareness of common threats and robust cybersecurity measures can help you prevent common password attacks. Take a look at some basic measures you need to take to stay safe:

  • Requiring strong passwords—you can force users to define long and complex passwords with a password generator tool like LastPass. You should also enforce periodical password changes.
  • Login delays—you can lockout user accounts for a specific period of time after failed attempts. Each attempt makes the delay longer. 
  • Lockout rules—you can lock user accounts after several unsuccessful login attempts and then unlock the account as the administrator. 
  • Captcha—tools like reCAPTCHA require users to complete simple tasks to log into a system. Users can easily complete these tasks while brute force bots cannot.

Conclusion

Passwords are still a common way to protect your online accounts. However, today they are facing many security challenges compared to when they were first introduced by Fernando Corbató. 

Securing your account with a common dictionary word is not enough. Hackers can leverage different widespread tools like Kali Linux to crack most, if not all, passwords. The good news is that basic awareness and cybersecurity measures like multi-factor authentication can protect you from most password-stealing attacks.