Top Password Attacks and How to Protect Yourself

Passwords are, without a doubt, one of the weakest links in many organizations’ overall cybersecurity. They are continuously under attack because they are one of the easiest ways for an attacker to gain access to your systems. To understand how to safeguard the passwords in your environment, let’s look at the ten most common password attacks and what your business can do to prevent each of them.

The ten most common password attacks, along with the mitigations businesses can apply to avoid network intrusion and the loss of business-critical data, are listed below.

  • Brute-force attacks
  • Dictionary attacks
  • Password spraying
  • Credential stuffing
  • Phishing
  • Keyloggers
  • Social engineering
  • Password reset attacks
  • Plain old theft
  • Password reuse

1. Brute-Force Attacks

A brute-force attack tries to get into an account by guessing passwords systematically: every combination of characters up to a given length, or every entry in a very large candidate list, until one works. How fast that goes depends on where the guessing happens. Against a stolen hash database (an offline attack), a single gaming-class GPU can test billions of candidates per second for fast, unsalted hashes such as NTLM or MD5, which is why short passwords fall within minutes. Against a live login page (an online attack), every guess costs a network round trip and can be throttled or locked out, so the attacker needs far better candidate lists and far more patience.

Prevention: account lockout (for online attacks), passphrases longer than 20 characters, blocking incremental passwords and common patterns, compromised-password protection, a custom dictionary, and MFA. For the offline case, store passwords with a slow, salted hash (bcrypt, scrypt or Argon2) so that each guess costs the attacker real work rather than a nanosecond.

A reported real-world brute-force incident: in five days, attackers gained unauthorized access to the accounts of 19,715 users and stole money from them.

2. Dictionary Attacks

A dictionary attack is a narrower, much faster form of brute force: instead of every possible combination, it tries a list of likely candidates, such as every word in a language dictionary, every password exposed in earlier breaches, and rule-based variations of those (appended digits and years, capitalisation changes, and leetspeak substitutions). Attackers know that users swap letters for similar-looking symbols and digits, so a cracking rule set expands “password” into P@$$w0rd, Password1, password2024 and so on. Substitutions like these add almost nothing to the effort of cracking the password.

Prevention: passphrases longer than 20 characters, blocking incremental and common patterns, compromised-password protection, a custom dictionary that is checked after undoing leetspeak substitutions, and MFA.

On January 4th, 2009, an attacker known only as GMZ used a dictionary attack to compromise a Twitter administrator’s account and then reset the passwords of high-profile accounts, including those of President-elect Barack Obama and Britney Spears.
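The mitigations listed for dictionary attacks (custom dictionary, leetspeak normalisation, common-pattern blocking, compromised-password check, minimum length) can be wired together in a single password-acceptance filter. The block below is an added illustration of that filter, not code from the original article; its word list, breached-password set, and leetspeak map are constructed for the example, and the candidate passwords it checks are invented.

```python
"""Password-acceptance filter implementing the dictionary-attack mitigations
listed above.  Added illustration, not code from the original page; the word
lists and breached-password set are constructed for the example."""
import hashlib
import re

MIN_LENGTH = 20  # the page recommends passphrases longer than 20 characters

# Constructed custom dictionary: common passwords plus organisation-specific
# terms an attacker would certainly add to a targeted wordlist.
CUSTOM_DICTIONARY = {"password", "welcome", "summer", "letmein", "qwerty", "acme"}

# Constructed stand-in for a compromised-password feed.  Such feeds are usually
# distributed as SHA-1 digests so the plaintexts never sit on disk.
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest().upper()
    for p in ("Summer2023!", "Welcome1", "Password1")
}

# Reverse map for the leetspeak substitutions a cracking rule set applies.
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s",
                          "0": "o", "1": "i", "3": "e", "7": "t"})

KEYBOARD_ROWS = ("0123456789", "abcdefghijklmnopqrstuvwxyz",
                 "qwertyuiop", "asdfghjkl", "zxcvbnm")


def normalize(password: str) -> str:
    """Lower-case and undo leetspeak so 'P@$$w0rd' compares as 'password'."""
    return password.lower().translate(LEET_MAP)


def is_dictionary_based(password: str) -> bool:
    """True when every alphabetic run of the normalised password is a blocked
    word, i.e. the password is nothing but dictionary words plus decoration.
    A long passphrase that merely contains one blocked word still passes."""
    words = re.findall(r"[a-z]+", normalize(password))
    return bool(words) and all(w in CUSTOM_DICTIONARY for w in words)


def has_common_pattern(password: str) -> bool:
    """Repeated characters, a trailing year, or a four-key keyboard/alphabet walk."""
    p = password.lower()
    if re.search(r"(.)\1{2,}", p):             # 'aaa', '111'
        return True
    if re.search(r"(19|20)\d\d\W*$", p):       # 'Word2024', 'Word2024!'
        return True
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - 3):
            run = row[i:i + 4]
            if run in p or run[::-1] in p:
                return True
    return False


def check_password(password: str) -> tuple:
    """Return (accepted, reason).  The exact-match checks come first so the
    user is told the most specific reason for a rejection."""
    if hashlib.sha1(password.encode()).hexdigest().upper() in BREACHED_SHA1:
        return False, "appears in a breach corpus"
    if is_dictionary_based(password):
        return False, "dictionary word after leetspeak normalisation"
    if has_common_pattern(password):
        return False, "common or incremental pattern"
    if len(password) < MIN_LENGTH:
        return False, f"shorter than {MIN_LENGTH} characters"
    return True, "ok"


if __name__ == "__main__":
    for candidate in ("Summer2023!", "P@$$w0rd", "Acme!Welcome", "Blue-Heron2024",
                      "Xk9#mQ2p", "correct horse battery staple walks far"):
        print(f"{candidate!r:45} -> {check_password(candidate)}")
```

The order of the checks matters for the user experience, not for security: every candidate must clear all four. In production the breached-hash set would be a feed of many hundreds of millions of digests rather than three, and the dictionary check is deliberately strict only about passwords made entirely of blocked words, so that a genuine passphrase containing “summer” is not turned away.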

3. Password Spraying

A password-spraying attack tries one or two common passwords against many accounts, services, or organizations instead of many passwords against one account. That inverted approach sidesteps the account-lockout control, which most businesses set at three to five failed attempts per account: each account sees only a guess or two, so nothing locks and, in many environments, nothing alerts.

By keeping the number of attempts per account below the lockout threshold, the attacker can work through an entire organization’s user list without tripping Active Directory’s default defenses, then come back with the next password once the observation window has reset. The passwords chosen are the ones most likely to work somewhere: seasonal and company-name patterns such as Summer2024! or Acme123, and passwords already exposed in public password dumps.

Prevention: passphrases longer than 20 characters, blocking incremental and common patterns, compromised-password protection, a custom dictionary, and MFA. Because per-account lockout never fires on a spray, detection has to look at the other axis: one source failing against many different accounts in a short window.

Microsoft reports that password-spraying attacks by state-sponsored groups and cybercriminals are on the rise.
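Because a spray stays under the per-account lockout threshold, it is invisible to the control the brute-force section relies on; the shape that gives it away is one source failing once or twice against many accounts. The block below is an added example (not from the original article) that separates the two patterns in a small set of constructed authentication-failure lines; the log format `TIMESTAMP auth-fail user=NAME src=IP` and the thresholds are assumptions for the demo.

```python
"""Telling a password spray from a brute-force attempt in authentication logs.
Added example, not from the original page.  Per-account lockout never fires on
a spray, so the detection keys on the source address and on how many distinct
accounts it fails against inside one window.  The log lines are constructed;
the format 'TIMESTAMP auth-fail user=NAME src=IP' is assumed."""
from collections import defaultdict
from datetime import datetime, timedelta
import re

LOCKOUT_THRESHOLD = 5            # failures per account before the IdP locks it
SPRAY_MIN_ACCOUNTS = 10          # distinct accounts one source must hit
WINDOW = timedelta(minutes=30)   # observation window per source

LINE_RE = re.compile(r"^(?P<ts>\S+) auth-fail user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(lines):
    """Return [(timestamp, user, src)] for lines that match the assumed format."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["user"], m["src"]))
    return events


def classify(events):
    """Return {src: 'brute-force' | 'password-spray'} for every source whose
    failures inside any WINDOW fit one of the two shapes:
      brute-force   : >= LOCKOUT_THRESHOLD failures against a single account
      password-spray: >= SPRAY_MIN_ACCOUNTS accounts, each below the threshold
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))

    findings = {}
    for src, evs in by_src.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window start forward until it spans at most WINDOW
            while evs[end][0] - evs[start][0] > WINDOW:
                start += 1
            per_user = defaultdict(int)
            for _, user in evs[start:end + 1]:
                per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= LOCKOUT_THRESHOLD:
                findings[src] = "brute-force"
                break
            if len(per_user) >= SPRAY_MIN_ACCOUNTS:
                findings[src] = "password-spray"
                break
    return findings


def build_sample_log():
    """Constructed failures: one spraying source (two tries against each of 12
    accounts), one brute-forcing source (eight tries against 'admin'), and a
    user who simply mistyped a password twice."""
    t0 = datetime(2024, 3, 1, 9, 0, 0)
    lines = []
    for i in range(12):
        for k in range(2):
            ts = t0 + timedelta(minutes=i, seconds=30 * k)
            lines.append(f"{ts.isoformat()} auth-fail user=user{i:02d} src=203.0.113.5")
    for k in range(8):
        ts = t0 + timedelta(seconds=20 * k)
        lines.append(f"{ts.isoformat()} auth-fail user=admin src=198.51.100.7")
    for minute in (5, 6):
        ts = t0 + timedelta(minutes=minute)
        lines.append(f"{ts.isoformat()} auth-fail user=bob src=192.0.2.10")
    return lines


if __name__ == "__main__":
    for src, verdict in sorted(classify(parse(build_sample_log())).items()):
        print(f"{src:15} {verdict}")
```

On a Windows domain the raw material is event ID 4625 (failed logon) and 4771 (Kerberos pre-authentication failed) from the domain controllers, or the sign-in logs of the cloud identity provider. The per-source logic above is deliberately simple; real sprays are often spread across many rented IP addresses, so a second, tenant-wide count of how many distinct accounts saw exactly one or two failures in the window, regardless of source, should run alongside it.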

4. Credential Stuffing

Credential stuffing is an automated attack in which username and password pairs stolen from one site are replayed against the login pages of others. The pairs come from the large databases of breached accounts that are (sadly) widely traded and sold online, and the attack works because people reuse passwords across sites. On several of the world’s largest websites, credential-stuffing bots account for more than 90% of login traffic, and even a success rate of up to 2% turns a list of a million pairs into tens of thousands of hijacked accounts; those accounts in turn seed a slew of second-hand data breaches.

Prevention: blocking incremental and common patterns, compromised-password protection and a custom dictionary, MFA, and account lockout. Rate limiting and bot detection on the login endpoint help as well, since the attack is automated and high-volume by nature.

An investigation by the New York Attorney General uncovered 1.1 million compromised accounts that had been used in credential-stuffing attacks against 17 well-known online companies.
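Compromised-password protection is the control that directly defeats credential stuffing: a password that has already appeared in a breach is rejected before it can be set. The usual way to query a breach corpus without handing over the password is a k-anonymity range query, the scheme the Pwned Passwords API uses. The block below is an added example, not from the original article; the range service it queries is a constructed offline stand-in with an invented breach table, and a real deployment would fetch the range over HTTPS instead.

```python
"""Compromised-password check with a k-anonymity range query, the scheme the
Pwned Passwords API uses: only the first five hex characters of the password's
SHA-1 leave the client, the service returns every suffix sharing that prefix,
and the comparison happens locally.  Added example, not from the original page.
The range service here is a constructed offline stand-in with an invented
breach table; a real deployment fetches the range over HTTPS."""
import hashlib


def sha1_hex(password: str) -> str:
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_for_range_query(password: str):
    """(prefix, suffix): the 5-char prefix goes on the wire, the 35-char suffix
    never leaves the client, so the service learns only which 16^5 bucket the
    hash falls in, not the hash itself."""
    digest = sha1_hex(password)
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> dict:
    """Parse 'SUFFIX:COUNT' lines into {suffix: count}; blank lines are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        table[suffix.upper()] = int(count)
    return table


def breach_count(password: str, fetch_range) -> int:
    """How many times the password appears in the corpus (0 = not found).
    fetch_range(prefix) must return the service's response text."""
    prefix, suffix = split_for_range_query(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def is_acceptable(password: str, fetch_range) -> bool:
    """Policy hook: reject any password seen even once in a breach."""
    return breach_count(password, fetch_range) == 0


def build_fake_range_service(breached: dict):
    """Constructed stand-in for the range endpoint.  `breached` maps plaintext
    passwords to their (invented) occurrence counts.  Every response also
    carries a filler suffix so a lookup never sees an empty range."""
    ranges = {}
    for pw, count in breached.items():
        prefix, suffix = split_for_range_query(pw)
        ranges.setdefault(prefix, []).append(f"{suffix}:{count}")
    filler = "0123456789ABCDEF0123456789ABCDEF012:7"   # 35 hex chars + count

    def fetch_range(prefix: str) -> str:
        return "\n".join(ranges.get(prefix.upper(), []) + [filler])

    return fetch_range


# Invented breach table for the offline demo.
FAKE_SERVICE = build_fake_range_service({"Welcome1": 1234, "Summer2023!": 55})


if __name__ == "__main__":
    for pw in ("Welcome1", "Summer2023!", "correct horse battery staple walks far"):
        print(f"{pw!r:45} seen {breach_count(pw, FAKE_SERVICE)} times")
```

Against the real service, `fetch_range` would issue `GET https://api.pwnedpasswords.com/range/<prefix>` and return the body; the parser above already tolerates the zero-count padding entries that endpoint can add, because a suffix with count 0 is treated the same as an absent one. Run the check both when a user sets a password and periodically against stored hashes, since a password that was clean yesterday can appear in tomorrow’s dump.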

5. Phishing

Phishing is a time-honored technique that has been in use for decades, and despite its age it is still remarkably effective. Phishing attacks are typically delivered by email and aim to trick people into taking an action or exposing private information. Attackers pose as reputable businesses or services, for example, to lure users into typing their account credentials into a look-alike login page.

Other phishing emails use urgency and fear to make users hand over information immediately: “Urgent, your account has been breached,” for instance. The attacker plays on emotion to make the victim reveal the very information they thought they were protecting. In organizations that allow personal devices, the same tactics are used to pry business credentials out of end users who are outside the corporate mail filtering.

Prevention: cybersecurity awareness training, multi-factor authentication (preferably a phishing-resistant method such as a FIDO2 security key, since a one-time code can be phished along with the password), banners that flag external email, and mail server configuration (SPF, DKIM, and DMARC) so that mail spoofing your own domain is rejected.

More than 100 terabytes of company data, including unreleased films, financial records, and customer data, were taken from Sony Pictures after a series of spear-phishing emails sent to Sony personnel.

6. Keyloggers

A keylogger records what is typed on a computer, including credentials entered into login forms. It can be software or hardware. Spyware, for example, captures keystrokes to steal passwords and credit card numbers and sends them to the attacker. An attacker with physical access can instead plug a small hardware keylogger inline between the keyboard and the computer, where it is invisible to the operating system and to endpoint security software.

Prevention: awareness training, up-to-date malware protection, malicious-URL filtering, multi-factor authentication, blocking unrecognized USB devices, password managers (which fill credentials without keystrokes), and controlled physical access to business-critical environments. A hardware keylogger sits below the operating system, so against it only physical controls and MFA help.

Check Point Research reported that Snake Keylogger entered its Global Threat Index of the most prevalent malware for the first time, straight into second place.

7. Social Engineering

Social engineering covers malicious techniques such as phishing, vishing (voice phishing), social-media impersonation, baiting, and tailgating, all used to deceive people into taking an action or exposing sensitive information. Phishing is one form of it: the attacker uses deception to get you to hand over passwords, bank account details, or control of your computer or mobile device.

In general, social engineering exploits innate human tendencies such as trust, helpfulness, and deference to authority. It is usually far easier to talk a user into revealing a password than to crack it by any other method.

Prevention: awareness training, and MFA methods that do not depend on secrets a stranger could research or talk out of you (security questions such as a mother’s maiden name make a poor second factor).

In the well-known 2011 RSA breach, two different phishing emails persuaded employees to open an Excel attachment that installed a backdoor. The intrusion led to the theft of data relating to RSA’s SecurID tokens.

8. Password Reset Attacks

Calling the service desk, impersonating an employee, and asking for a new password is a classic social-engineering route into a network. Instead of guessing or cracking a password, the attacker only has to persuade the help-desk staff to hand one over. The risk is highest in larger firms, where help-desk staff cannot know every employee personally, and it has grown with hybrid and fully remote work, because verifying a caller’s identity is no longer as simple as recognising a face.

Prevention: self-service password reset (SSPR) protected by MFA, identity verification or an MFA challenge at the help desk before any reset, and awareness training for help-desk staff.
Research has also shown that a password-reset man-in-the-middle (PRMitM) attack, in which the attacker relays one site’s reset challenges to a victim interacting with another, is easy to mount and effective.

9. Plain Old Theft

Written-down passwords are both common and dangerous. A Post-it note with the master password stuck to a monitor can turn into a full-blown compromise in seconds. Strict complexity rules make this worse, because users who cannot remember the result write it down. Passphrases are the better option: long enough to resist guessing, yet easy enough to remember that nobody needs to write them down. Where end users juggle many passwords for business-critical systems, give them a password manager. Post-it notes on the screen or under the keyboard are a no-no.

Prevention: awareness training, passphrases, and password managers.
Writing passwords down where others can find them is never a good idea, and virtually every security best-practice guide warns against it.

10. Password Reuse

According to research, over 70% of employees reuse passwords at work. Sharing a password between personal and corporate accounts exposes your network to account takeover: if the hobbyist forum you signed up for is breached and you used the same password for a corporate account, that password ends up in a dump on the dark web, and the corporate system is exposed with it.

Prevention: awareness training, passphrases, password managers, compromised-password protection, a custom dictionary, and blocking incremental and common patterns. Compromised-password protection is the key control here: a password that has already appeared in a breach is rejected the moment the user tries to set it, however well it satisfies the complexity rules.


We hope this helped break down some of the most common password attacks.

Need more information? Give us a call at 818-579-7370 or email us at info@tvgconsulting.com