The top 8 password attacks and how to defend against them

Did you know that the very first password attack happened in 1962? At that time, MIT's CTSS (Compatible Time-Sharing System) was the first to utilize passwords for granting individual access. Allen Scherr, a Ph.D. researcher, wanted to use the CTSS beyond his allocated weekly hours. In order to extend his usage time, he decided to borrow passwords from other people. Scherr managed to obtain all the passwords stored in the CTSS system by submitting a request to print the password files using a punched card.

Nowadays, password attacks have become one of the most significant concerns for both companies and civilians. The Verizon Data Breach Investigations Report has stated that more than 80 percent of web application breaches were due to password-related issues.

With the average person juggling around 100 passwords, it is no wonder that individuals often resort to reusing the same passwords for multiple accounts or creating simple passwords that include easily remembered personal details. This situation presents a veritable playground for hackers as passwords are commonly the sole obstacle preventing unauthorized access to confidential data or accounts.

Since password attacks are a persistent problem, below is a list of the most prevalent types of attacks you may encounter and how to guard against them.

Password attack types

1. Simple brute-force attack

A simple brute-force attack is a method employed by attackers to crack passwords by systematically trying every possible combination of characters. This attack can be laborious and resource-intensive, as it involves going through all possible character permutations until the correct password is identified. 

2. Password spraying

A password spraying attack is a technique attackers use to gain unauthorized access to multiple accounts by attempting a limited number of commonly used passwords across a broad range of usernames. Unlike a brute-force attack, which targets a single account with numerous password combinations, password spraying tries popular passwords across many accounts, reducing the likelihood of triggering account lockouts.

3. Keylogger attack

This type of attack can be executed either by installing malicious software on the user's device or by using a physical keylogging device connected to the computer. As the user types in their username and password, the keylogger secretly captures the keystroke data, which the attacker can later retrieve and exploit to gain unauthorized access to the victim's accounts.

4. Credential stuffing 

A credential stuffing attack is a technique in which attackers exploit previously leaked or stolen login credentials to attempt unauthorized access to various accounts. This method relies on the assumption that users often reuse the same usernames and passwords across multiple platforms. By utilizing automated scripts or bots, attackers systematically input the compromised credentials across numerous websites and services, seeking a successful match.

5. Rainbow table attack

During a rainbow table attack, hackers try to crack hashed passwords by leveraging precomputed tables of hash values for possible password combinations. Hashing is a cryptographic method that converts plaintext passwords into a fixed-length, unique string of characters, providing a layer of security. A rainbow table attack allows attackers to bypass this by matching the hashed password with its corresponding plaintext password from the precomputed tables.

6. Social engineering

Social engineering is a manipulative tactic cybercriminals employ to deceive individuals into revealing sensitive information, such as passwords. By exploiting human psychology and trust, attackers pose as legitimate entities or authorities, persuading victims to disclose personal data or grant unauthorized access, often through phishing, vishing, baiting, and tailgating.

In most cases, it is far simpler for an attacker to deceive you into revealing your password than to crack it using technical methods.

7. Man-in-the-Middle attack

A Man-in-the-Middle (MitM) traffic interception attack occurs when a hacker intercepts communication between two parties. By positioning themselves between the sender and receiver, the attacker can eavesdrop, manipulate, or steal sensitive data, such as passwords. Hackers can employ various techniques, including ARP spoofing, DNS hijacking and SSL hijacking, to insert themselves into the communication stream, thus gaining access to the transmitted information without the victim's knowledge. Typically, these attacks find their way through unsecured Wi-Fi networks or connections lacking encryption.

8. Physical password theft

Requiring complex passwords can tempt users to write them down. Thieves may physically steal passwords by rummaging through desks, snapping pictures of notes, or casually observing password reminders in an office environment. This old-fashioned method of password theft remains a threat in the digital age.

How to protect against password attacks

With countless stolen credentials accessible on the dark web and numerous security reports revealing common passwords, cyber criminals do not need to exert much effort to hack you.

Hackers typically seek easy access for the best return on investment. If they do not achieve results quickly, they will shift to alternative cyber attack methods to infiltrate a system. So, not just on World Password Day but every day, commit to securing your accounts by following the advice below:

Asset-level security measures for admins  

• Provide cyber security awareness training to educate employees on safe digital habits. Foster a security culture, encouraging prompt reporting and periodic reinforcement of best practices.
• Create password rules prohibiting easy-to-guess passwords, such as incremental patterns or previously breached passwords. Require a combination of numbers, special characters, and upper and lowercase letters in passwords. Set a minimum password length of 14 characters or longer for added security. Block users from reusing their previous username and password combinations.
• Account lockout should happen after a set number of failed login attempts, suspicious activity, prolonged account inactivity, or evidence of a security breach. Consider creating a blocking algorithm based on other metrics like source IP address, user agent, or cookie value. Consider implementing a time delay between login attempts.
• Provide multi-factor authentication (MFA) as an option for users.
• Add CAPTCHA to the login process to increase the time it takes for password attacks and verify that login attempts are made by humans, reducing bot access.
• Consider using multiple secret questions that are not standard. Ensure that the answers to the questions are not easily guessable or publicly available. It is recommended to periodically update the secret questions.
• Implement secure self-service password reset (SSPR) practices. This includes verifying user identity, using verified contacts, limiting attempts, and encrypting the reset process with SSL/TLS.
• Implement extended detection and response. XDR provides a centralized platform for monitoring and responding to security threats across multiple endpoints. Using XDR, you can improve visibility and quickly detect potential password-related attacks.
• Consider switching to passwordless authentication. Here is a list of some common methods:  
  - Biometric authentication: fingerprints, face or voice recognition.
  - Security tokens: hardware - tokens or one-time passwords generated by a mobile app.
  - Public key cryptography: digital certificates/smart cards.
  - Single sign-on (SSO) via social media accounts or other third-party providers.
  - Magic links or URLs: links that grant access to the account without a password.
• Use a password management solution. Password management solutions offer a centralized platform to store, generate, and organize user credentials securely.
• Enforce the practice of regularly changing passwords. The longer a password remains the same, the more vulnerable it becomes to hacking attempts. Additionally, it is crucial to mandate password changes after every data breach.
• Use salting to increase the difficulty for attackers attempting to crack passwords using rainbow tables.
• Use a digital loss prevention (DLP) solution. DLP tools mitigate data theft by continuously monitoring and securing sensitive information, including passwords. By employing advanced data classification techniques, DLP systems identify and restrict unauthorized access or transmission of passwords.
• Use a password generator. Password generators produce complex, random passwords.
• Delete inactive accounts. Getting rid of excess accounts shrinks hacker targets and curbs password attack success rates. 
• Consider using IDS/IPS systems. IDS detects password attack patterns, alerting security teams. IPS auto-blocks suspicious login attempts, barring system access.

Individual-level security measures for regular users

• Avoid reusing passwords. If a casual discussion board you have signed up for gets hacked and you use the same password for a corporate account or an online banking app, you could find yourself in serious trouble.
• Do not share passwords.
• Use a password manager.
• Avoid using common passwords consisting of readable words. Instead, create long passwords with a minimum of 14 characters, or consider using passphrases.
• Enable Multi-Factor Authentication (MFA) on all accounts and platforms when available. 
• Use up-to-date malware protection and routinely scan your computer. Ensure that antivirus software is installed on all your devices, including smartphones and tablets.
• Use a virtual private network (VPN). A secure virtual private network helps protect against man-in-the-middle attacks that aim to steal sensitive information, including passwords.
• Monitor your accounts and utilize free services like haveibeenpwned.com to check if your mailboxes are associated with recent data breaches.
• Change your passwords regularly. The longer a password remains unchanged, the more likely a hacker finds a way to crack it.
• Stay informed about cybersecurity trends and learn how to spot phishing attempts. Examine the 'From' line in every email to confirm the sender's identity matches the expected email address. If in doubt, reach out to the supposed sender to verify they sent the message. Be wary of unsolicited requests for personal information, and always verify the identity of anyone asking for your password or sensitive data. Exercise caution when opening links or attachments from unfamiliar sources.
• If available, enable biometric authentication on your devices.
• Utilize a password generator for strong, unique passwords.

Stop hackers gaining access to your passwords

While numerous protective measures are available for both home users and administrators, password attacks often continue to succeed. This is primarily because security can be inconvenient and requires ongoing attention.

Striking a balance between security and convenience is challenging, and many people tend to prioritize convenience over security. However, the potential consequences of losing critical data, facing fines, or even having one's identity stolen serve as strong motivation for both individuals and organizations to prioritize security measures. By taking a few simple and manageable steps, most hackers can be deterred. To enhance protection, consider implementing additional security layers.