Access management and authentication may be evolving, but passwords aren’t going to disappear any time soon. An estimated 300 billion passwords will still exist by 2020, making proper password management a must for businesses of all sizes.
Robust password management strategies aid in safeguarding user accounts against common password attacks. Hackers use a variety of methods to obtain password information, and businesses without proper security in place are at risk for devastating and expensive breaches.
7 Password Attacks Hackers are Using Now
A password attack is any means by which a hacker attempts to obtain a user’s login information. The approach doesn’t have to be sophisticated. In many cases, passwords can simply be guessed after trying a few common choices, such as “password,” which still appears near the top of every list of most-used passwords. When guessing fails, hackers rely on one of the following attack methods.
In a brute force attack, hackers literally attempt to “beat down the doors” of user accounts by using a program to run through letter, number and symbol combinations as fast as the target allows. Some attacks begin with common passwords and move on to longer combinations; others methodically try every possible string of a given character set and length until the correct one is found. Against a live login page, rate limiting and account lockouts cap the speed; against a stolen database of password hashes, the only limits are the attacker’s hardware and the cost of the hash function.
In a dictionary attack, hackers use a base “dictionary” of likely passwords, including common words, names, keyboard patterns and leaked passwords with the usual substitutions, to attempt logins to one or more user accounts on a network. The attack works because users continue to choose easy-to-guess words for their credentials, which makes password cracking simple for malicious third parties. If hackers gain access to one account, they may glean information that lets them reach other user accounts.
Credential stuffing attacks prove the dangers of re-using the same credentials for numerous accounts. Once a breach exposes one site’s usernames and passwords, hackers replay those pairs against other platforms, and every account whose owner reused the password falls, even if the breached site itself has long since forced a reset. Hackers also trade and sell lists of stolen credentials, which spreads the malicious activity and raises breach risk across unrelated networks.
Phishing remains the number one social engineering method used by hackers. Employees receive apparently legitimate messages, often purporting to come from a colleague or a familiar service, with a link to click, a file to download or a request for login information. Acting on such a message results in either malware being installed on the network or credentials being typed into a site the attacker controls. Hackers also work by phone, posing as someone from the IT department who needs the user’s password to fix a technical problem (voice phishing, or vishing).
Data traveling across networks is vulnerable to the packet sniffers hackers use to monitor and log traffic. Credentials sent over unencrypted protocols such as HTTP, FTP or Telnet, or across a Wi-Fi network the attacker controls, can be read straight out of the capture and reused for unauthorized network access. Encrypted transport such as TLS hides the password itself, but a hacker positioned on the path may still try to downgrade the connection to plaintext, present a forged certificate, or record an authentication exchange and crack the credential offline, so encryption alone does not settle the matter.
Instead of trying many passwords against a single account, password spraying attacks try one or a few common passwords against a large number of accounts. It is a slow, steady attack method: each account sees only one or two failures, well below the threshold that normally triggers a lockout, so the attack slips past controls that watch individual accounts. Password spraying is becoming more common and is often aimed at single sign-on (SSO) portals, cloud-based applications and email accounts, because a single valid credential there can unlock many resources at once. Spotting it requires correlating failed logins across accounts, for example by source address within a time window, rather than counting failures per user.
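The difference between a brute force attack on one account and a spray across many is visible in authentication logs once failures are grouped by source rather than by user. The following is an added example, not code from the original article: it parses a constructed log in a hypothetical “timestamp user= src= result=” format, and flags a source that reaches the lockout threshold against a single account (brute force) separately from a source that fails against many accounts while staying under the threshold for each (spraying). The thresholds, window and addresses are illustrative assumptions.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# Constructed sample log in a hypothetical "ts user= src= result=" format.
# 203.0.113.7 hammers one account (brute force); 198.51.100.9 tries one
# password against ten different accounts, once each (spraying).
SAMPLE_LOG = """\
2024-03-01T09:00:01Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:02Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:03Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:04Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:00:05Z user=alice src=203.0.113.7 result=FAIL
2024-03-01T09:10:00Z user=alice src=198.51.100.9 result=FAIL
2024-03-01T09:11:00Z user=bob src=198.51.100.9 result=FAIL
2024-03-01T09:12:00Z user=carol src=198.51.100.9 result=FAIL
2024-03-01T09:13:00Z user=dave src=198.51.100.9 result=FAIL
2024-03-01T09:14:00Z user=erin src=198.51.100.9 result=FAIL
2024-03-01T09:15:00Z user=frank src=198.51.100.9 result=FAIL
2024-03-01T09:16:00Z user=grace src=198.51.100.9 result=FAIL
2024-03-01T09:17:00Z user=heidi src=198.51.100.9 result=FAIL
2024-03-01T09:18:00Z user=ivan src=198.51.100.9 result=FAIL
2024-03-01T09:19:00Z user=judy src=198.51.100.9 result=FAIL
2024-03-01T09:20:00Z user=bob src=192.0.2.5 result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, user, src, result) tuples; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append((ts, m["user"], m["src"], m["result"]))
    return events


def detect(events, window=timedelta(minutes=30), lockout=5, spray_users=10):
    """Return findings as (kind, src, detail) tuples.

    brute_force: one source reaches the lockout threshold against a single user
                 inside the window (what per-account lockouts already catch).
    spray:       one source fails against at least spray_users distinct users
                 inside the window while staying under the lockout threshold for
                 every one of them (what per-account lockouts miss).
    """
    by_src = defaultdict(list)
    for ts, user, src, result in events:
        if result == "FAIL":
            by_src[src].append((ts, user))

    findings = []
    for src, fails in by_src.items():
        fails.sort()
        per_user = Counter()   # failures per user inside the sliding window
        start = 0
        reported = set()
        for ts, user in fails:
            per_user[user] += 1
            # Drop failures that have aged out of the window.
            while fails[start][0] < ts - window:
                old_user = fails[start][1]
                per_user[old_user] -= 1
                if per_user[old_user] == 0:
                    del per_user[old_user]
                start += 1
            if per_user[user] >= lockout and ("brute_force", user) not in reported:
                reported.add(("brute_force", user))
                findings.append(("brute_force", src, user))
            if (len(per_user) >= spray_users
                    and max(per_user.values()) < lockout
                    and ("spray", None) not in reported):
                reported.add(("spray", None))
                findings.append(("spray", src, f"{len(per_user)} users"))
    return findings


if __name__ == "__main__":
    for kind, src, detail in detect(parse_log(SAMPLE_LOG)):
        print(f"{kind:12} from {src:14} {detail}")
```

A per-account lockout rule would flag only the first source; the spray from the second source never puts more than one failure on any account and is caught only because failures are correlated by source. In production the same grouping is usually done by source network or by user-agent as well, since sprayers rotate addresses.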
Hashing passwords is generally recognized as a reliable security practice, but rainbow table attacks threaten its effectiveness when the hashing is done carelessly. A rainbow table is a precomputed time-memory trade-off: for a given algorithm, such as unsalted MD5 or SHA-1, the attacker generates chains of hashes once and can then reverse any hash covered by the table almost instantly. Building the table is expensive, but using it against a stolen database of unsalted hashes is cheap, and the hashes of common passwords are the first to fall. A unique random salt per password makes every stored hash different, so one precomputed table no longer applies, and a deliberately slow function such as bcrypt, scrypt, Argon2 or PBKDF2 raises the cost of every guess. Even so, the existence of these attacks should remind businesses not to rely on any single technique for maintaining password security.
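The following added example (not code from the original article) shows both halves of that point: a precomputed lookup table reverses unsalted SHA-1 hashes from a constructed “leaked” user table in one dictionary lookup, while per-user random salts plus PBKDF2-HMAC-SHA256 make the same password hash to different values that the table cannot match. The password list, the leaked records and the storage format are illustrative assumptions; the iteration count follows OWASP’s published guidance for PBKDF2-HMAC-SHA256.

```python
import hashlib
import hmac
import os

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; OWASP's 2023 recommendation

# Constructed data for the example: a short "common passwords" list and a
# leaked table of unsalted SHA-1 hashes as an older application might store them.
COMMON_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2019!", "welcome1"]


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest()


LEAKED_UNSALTED = {
    "alice": sha1_hex("password"),
    "bob": sha1_hex("Summer2019!"),
    "carol": sha1_hex("correct horse battery staple"),
}


def build_lookup_table(candidates):
    """The attacker's one-time precomputation: hash -> plaintext for every candidate.
    A real rainbow table stores hash chains instead of every pair to save space,
    but the effect is the same: once built, reversing an unsalted hash is a lookup."""
    return {sha1_hex(p): p for p in candidates}


def crack_unsalted(leaked, table):
    """Reverse every leaked hash that appears in the precomputed table."""
    return {user: table[h] for user, h in leaked.items() if h in table}


def hash_password(password, salt=None, iterations=ITERATIONS):
    """Store salt$iterations$digest: a fresh 16-byte random salt plus a slow KDF."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_password(password, stored):
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)  # constant-time comparison


def salted_storage_demo(password="password"):
    """Two users with the same password get different records, both records verify,
    and neither digest appears in the attacker's precomputed table."""
    table = build_lookup_table(COMMON_PASSWORDS)
    a = hash_password(password)
    b = hash_password(password)
    digests_differ = a != b
    both_verify = verify_password(password, a) and verify_password(password, b)
    in_table = any(rec.split("$")[2] in table for rec in (a, b))
    return digests_differ, both_verify, in_table


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    print("cracked from unsalted SHA-1:", crack_unsalted(LEAKED_UNSALTED, table))
    print("salted + PBKDF2 (differ, verify, in table):", salted_storage_demo())
```

Salting does not stop an attacker from guessing “password” for one salted record; it stops the guess from being amortized across every record and every breach, and the slow KDF makes each of those per-record guesses cost real time. A passphrase outside the candidate list, like carol’s, survives even the unsalted lookup, which is why length and unpredictability matter more than complexity rules.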
Password Management Best Practices
Because businesses can’t predict which attacks hackers may use to obtain credentials, practicing smart password management across the board is the strongest defense against unauthorized network access. Best practices for protecting passwords include:
• Defining and enforcing strong password requirements, with length and a check against known-breached password lists ahead of complexity rules
• Implementing the use of password managers
• Establishing a VPN for remote network access
• Using privileged access management (PAM) software to vault and automatically rotate privileged credentials
• Educating employees on the characteristics of social engineering schemes
• Moving to a single sign-on (SSO) option protected by multi-factor authentication (MFA)
• Verifying logins through an authenticator app installed on users’ devices
These best practices provide protection against common password attacks and equip users to identify potentially malicious attacks and actions. Continual monitoring of network activity and attack trends can reveal emerging threats, guiding businesses toward better access management tools as new technology becomes available.