Cybersecurity is becoming a pressing issue for IT professionals in every field. There are headlines every week about data breaches of all sizes, and the attacks themselves come from many angles. This article details the password attack methods hackers frequently use against enterprises and explains how your business can prevent damage or breaches.
1. Dictionary Attacks
A dictionary attack is a type of brute-force attack in which hackers run a program that cycles through common words to guess a password. Hackers use this method because it exploits human psychology: many of the passwords people choose are either related to their personal life (names, birthdays, or locations, for example) or are simply common words.
Many people tend to choose a single special word and then make small variations on it. Hackers know this, so they use a dictionary attack that starts with those common words and the most likely iterations, like adding numbers at the end, or replacing letters with similar characters.
For example, the password ‘loveyou’ would be easily guessed, along with variations such as ‘l0veyou’ or ‘loveyou!’.
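One way to screen new passwords for exactly these variations, as an added example rather than code from the original article: it lowercases the candidate, strips leading and trailing digits and symbols, and undoes a small set of leet-style substitutions before comparing against a wordlist (the wordlist and the substitution table here are constructed and small; a real screen would load a full cracking dictionary).

```python
import re

# Constructed sample wordlist; a real screen loads a large cracking dictionary.
COMMON_WORDS = {"loveyou", "password", "welcome", "summer", "dragon"}

# Undo the character swaps attackers enumerate first ("l0veyou" -> "loveyou").
LEET_MAP = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Collapse the cheap variations a dictionary attack tries: case,
    leading/trailing digits or symbols, and leet-style substitutions."""
    p = password.lower()
    p = re.sub(r"^[\W\d_]+|[\W\d_]+$", "", p)
    return p.translate(LEET_MAP)


def is_dictionary_based(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a wordlist entry or a trivial variation of one."""
    return password.lower() in words or normalize(password) in words


def check_password(password: str, min_length: int = 12) -> list:
    """Policy check: returns the list of failures (empty means accepted)."""
    problems = []
    if len(password) < min_length:
        problems.append("too short")
    if is_dictionary_based(password):
        problems.append("dictionary word or trivial variation")
    return problems


if __name__ == "__main__":
    for pw in ["loveyou", "l0veyou", "loveyou!", "L0veY0u2019!",
               "correct-horse-battery-staple"]:
        print(f"{pw!r:32} -> {check_password(pw) or 'accepted'}")
```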
2. Rainbow Table Attacks
Enterprises with standing password security policies can, wisely, choose to hash their users' passwords.
Briefly, hashing is the process of converting users' passwords into random-seeming strings of characters so that they cannot easily be stolen and used for nefarious purposes. In other words, the site takes a user's password and, using a fixed algorithm known to the site, derives a hash value from the combination of the password and the key. The hash value is what the site actually stores. Then, each time the user logs in, the password they enter is hashed and the result is compared with the value on record.
Hashing is a strong security measure that every enterprise should take. Hashing your passwords could mean the difference between a financially devastating data breach and a worrying but fixable problem. However, it is not foolproof, because of what is known as the rainbow table attack.
A rainbow table is a precomputed list of plaintext passwords and their corresponding hashes. It is essentially an answer key: rather than hashing each guess and comparing it with a stolen hash, the attacker looks the stolen hash up in a table that already holds the answers for a very large space of candidate passwords under common hash algorithms.
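The following added example (not code from the article) shows why a precomputed table works against plain hashes and why a per-user random salt defeats it. The table here is a plain digest-to-plaintext dictionary built from a constructed candidate list; a real rainbow table stores the same answers compactly as hash chains, but the lookup property and the effect of the salt are the same.

```python
import hashlib
import hmac
import os

# Constructed candidate list; a real table covers billions of candidates.
CANDIDATES = ["loveyou", "l0veyou", "loveyou!", "password", "123456"]


def build_table(candidates, algo="sha256"):
    """Precompute digest -> plaintext once; this is the 'answer key'."""
    return {hashlib.new(algo, c.encode()).hexdigest(): c for c in candidates}


def lookup(table, digest):
    """Recover a plaintext from a leaked digest by table lookup, no hashing needed."""
    return table.get(digest)


def hash_unsalted(password):
    """The weak scheme: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_salted(password, salt=None):
    """Per-user random salt stored beside the digest (it need not be secret).
    Production code should also use a slow KDF such as PBKDF2, scrypt or bcrypt."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.sha256(salt + password.encode()).hexdigest()
    return salt, digest


def verify_salted(password, salt, stored_digest):
    """Login check: recompute with the stored salt and compare in constant time."""
    return hmac.compare_digest(hash_salted(password, salt)[1], stored_digest)


def demo(password="loveyou"):
    """Returns (plaintext recovered from the unsalted digest, from the salted one)."""
    table = build_table(CANDIDATES)
    _, salted = hash_salted(password)
    return lookup(table, hash_unsalted(password)), lookup(table, salted)


if __name__ == "__main__":
    print(demo())  # ('loveyou', None)
```

Because every user gets a different salt, the attacker would need a separate table per salt, which removes the whole point of precomputing.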
3. Credential Stuffing
The two password attack methods above start from the position of a hacker not knowing the user's password. However, after years of data breaches and poor security, many lists of user credentials are now available, for free as well as for sale, on the deep and dark web. One of the most devastating effects of previous breaches is the chain reaction they set off, which is driven by credential stuffing attacks.
In a credential stuffing attack, hackers take lists of stolen usernames and passwords and try those same combinations against other accounts. They may build a program that tries pair after pair, automatically, until it hits a match and they can access an account that does not belong to them.
As seen in other attack methods, credential stuffing relies on people’s tendency to reuse their passwords for multiple accounts.
4. Password Spraying
Password spraying relies on trying a few commonly used passwords against a large number of accounts. Threat actors might 'spray' thousands or millions of accounts with a couple of common passwords because they can often rightly assume that, within a large group of people, at least one person is using a common password.
Most brute-force methods focus on a single account and many password guesses. By contrast, password spraying vastly expands the pool of potential targets while keeping the number of guesses per account low, which allows hackers to attempt access without triggering account lockout policies. As a result, this strategy can be a more effective, albeit slower, approach than targeting specific users.
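Because spraying stays under the per-account lockout threshold, a detection has to look across accounts rather than at any one of them. The following added example (not from the article) runs that logic over constructed authentication log lines in a made-up format: it flags a source that fails against many distinct users inside one time window while never reaching the lockout count for any single user.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\w+)$")

# Constructed sample: 203.0.113.5 tries one guess against twelve accounts
# (one failure each, far below any lockout), while 198.51.100.9 is a user
# mistyping their own password twice before succeeding.
SAMPLE_LOG = [f"2024-05-01T09:00:{i:02d}Z src=203.0.113.5 user=user{i:02d} result=FAIL"
              for i in range(12)] + [
    "2024-05-01T09:00:12Z src=203.0.113.5 user=user07 result=SUCCESS",
    "2024-05-01T09:01:00Z src=198.51.100.9 user=carol result=FAIL",
    "2024-05-01T09:01:05Z src=198.51.100.9 user=carol result=FAIL",
    "2024-05-01T09:01:09Z src=198.51.100.9 user=carol result=SUCCESS",
]


def parse(lines):
    """Yield (timestamp, src, user, result) for lines matching the sample format."""
    for line in lines:
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            yield ts, m["src"], m["user"], m["result"]


def detect_spraying(lines, window=timedelta(minutes=30), min_users=10, lockout=5):
    """Flag sources whose failures hit many distinct accounts within one window
    while every account stays under the lockout count (the spraying signature).
    Simplified: checks the span from first to last failure, not a sliding window."""
    fails = defaultdict(lambda: defaultdict(list))   # src -> user -> [timestamps]
    for ts, src, user, result in parse(lines):
        if result == "FAIL":
            fails[src][user].append(ts)
    alerts = []
    for src, per_user in fails.items():
        stamps = sorted(t for ts_list in per_user.values() for t in ts_list)
        per_user_max = max(len(v) for v in per_user.values())
        if (len(per_user) >= min_users and per_user_max < lockout
                and stamps[-1] - stamps[0] <= window):
            alerts.append({"src": src, "users": len(per_user), "max_per_user": per_user_max})
    return alerts


if __name__ == "__main__":
    for a in detect_spraying(SAMPLE_LOG):
        print(f"possible password spraying from {a['src']}: "
              f"{a['users']} accounts, at most {a['max_per_user']} failure(s) each")
```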
As you learn more about these attack methods, bear in mind that hackers often embrace multiple strategies. The password attack processes listed above can be hybridized in unique approaches.
How to Prevent Password Attack Methods
1. Get With It
First, if it hasn't already, your enterprise needs to face facts: old-school password policies are leaving organizations incredibly vulnerable to password attack methods.
2. Use Available Technology
Consider using multifactor authentication (MFA). Multifactor authentication puts different layers of identity security on each account, meaning that if a threat actor is attempting to break into an account, there is an additional step that could prevent their accessing it.
3. Make Strong Passwords
Another option is to harden the password layer. There are many easy steps that organizations can take, and writing new password policies will cover many of them, as well as encourage compliance with NIST guidelines.
4. Screen Against a Blacklist
One of the most effective and immediate solutions is for companies to screen their user accounts for compromised credentials against a blacklist. Enzoic can work with your enterprise to create an expansive custom blacklist, against which your employees can check the safety of their passwords on an ongoing basis.
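An added example of how such screening can be done without handing the password, or even its full hash, to the blacklist provider: the hashed-prefix (k-anonymity) scheme, in which the client sends only the first five hex characters of the SHA-1 digest and matches the remaining suffix locally. This is not Enzoic's API; the breach corpus and both sides of the exchange are constructed here so it runs offline.

```python
import hashlib
from collections import Counter, defaultdict

# Constructed breach corpus standing in for the blacklist provider's data.
BREACHED = ["loveyou", "loveyou", "password", "123456", "qwerty", "letmein"]


def sha1_hex(password):
    return hashlib.sha1(password.encode()).hexdigest().upper()


def build_index(breached):
    """Provider side: 5-hex-char prefix -> {35-char suffix: times seen in breaches}."""
    index = defaultdict(Counter)
    for pw in breached:
        h = sha1_hex(pw)
        index[h[:5]][h[5:]] += 1
    return index


def range_query(index, prefix):
    """Provider side: answer with every suffix under the prefix. The provider
    never receives the full hash, so it cannot tell which password was checked."""
    return dict(index.get(prefix, {}))


def screen(password, index):
    """Client side: send only the prefix, match the suffix locally.
    Returns (breach count, the only value that left the client)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    candidates = range_query(index, prefix)
    return candidates.get(suffix, 0), prefix


if __name__ == "__main__":
    idx = build_index(BREACHED)
    for pw in ["loveyou", "correct-horse-battery-staple"]:
        count, sent = screen(pw, idx)
        print(f"{pw!r}: sent prefix {sent}, seen in breaches {count} time(s)")
```

A non-zero count means the password should be rejected or the user forced to change it, which is the ongoing check the section describes.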
5. Constant Vigilance!
The world of cybersecurity is always changing. Stay engaged and don’t be frightened by news of more breaches. Instead, double down and stay safe!