10 password-related cyberattacks your company should be aware of
Most companies protect their devices and accounts with passwords, making these jumbles of letters and numbers the first line of defense against unauthorized access. While undeniably important, passwords often give people a false sense of security because they view them as unbreachable. This naivete can result in vulnerabilities cybercriminals are ready to exploit. If bad actors do access a user’s password, they can easily compromise devices and data, leading to potentially devastating consequences.
Given that managed services providers (MSPs) hold the keys to their customers’ sensitive information, they are often blamed for security breaches—even when the MSP is not at fault. So it is critical for MSPs to be familiar with the most common password-related cyberattacks. By understanding some of the cybercriminals’ methods, MSPs can take steps to prevent these attacks and keep their customers’ data secure.
Common password-related cyberattacks that your company should be aware of
While companies don’t need to memorize every possible attack scenario, MSPs should be well-versed in the most common password-related risks and attack types. These can include:
1. Unauthorized use by an ex-employee
When people talk about password-related cyberattacks, they often focus on attacks by third-party bad actors. While those attacks can be disastrous (in fact, they make up the rest of this list), attacks from inside your organization can be equally damaging.
When you don’t regularly rotate passwords and have no established process for removing employees’ access after they leave the company—whether by choice or not—you open yourself up to the possibility of a disgruntled ex-employee using his or her lingering access for a cyberattack. This scenario played out at Cisco, where an ex-employee accessed Cisco’s cloud infrastructure several months after resigning from his position and deleted 456 virtual machines stored in the cloud. While fortunately no customer data was lost, the attack still cost Cisco over $2,400,000 in customer refunds—and in employee time needed to restore the damage.
The best way to prevent these attacks is with a secure password manager that makes it easy to stay on top of the appropriate granular access for all of your passwords. For instance, a good password manager can help automatically remove an employee’s access to the company’s network and data as soon as the employee leaves.
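The check behind that offboarding step can be automated. The following is an added example, not Passportal code or anything from the original article: it reconciles a constructed HR roster against a constructed identity-provider account export and groups accounts that need action (enabled after departure, used after departure, no HR owner of record, or dormant past a grace period). Field names, the 90-day staleness threshold and the sample users are all assumptions made for the demo.

```python
from datetime import date

# Constructed sample data (not from any real environment): an HR roster export
# and an identity-provider account export for the same tenant.
HR_ROSTER = [
    {"user": "amara", "status": "active", "left_on": None},
    {"user": "bo", "status": "terminated", "left_on": date(2024, 3, 1)},
    {"user": "chen", "status": "terminated", "left_on": date(2024, 5, 20)},
    {"user": "dev-old", "status": "active", "left_on": None},
]
ACCOUNTS = [
    {"user": "amara", "enabled": True, "last_login": date(2024, 6, 1)},
    {"user": "bo", "enabled": True, "last_login": date(2024, 5, 30)},        # still enabled after leaving
    {"user": "chen", "enabled": False, "last_login": date(2024, 5, 19)},     # offboarded correctly
    {"user": "dev-old", "enabled": True, "last_login": date(2024, 1, 15)},   # unused for months
    {"user": "svc-backup", "enabled": True, "last_login": date(2024, 6, 9)}, # no HR owner
]
REPORT_DATE = date(2024, 6, 10)  # assumption: the day the report is run


def reconcile(roster, accounts, today, stale_days=90):
    """Compare HR status with account state and group accounts that need action."""
    hr = {r["user"]: r for r in roster}
    out = {"orphaned": [], "post_departure": [], "used_after_departure": [], "stale": []}
    for acct in accounts:
        rec = hr.get(acct["user"])
        if rec is None:
            out["orphaned"].append(acct["user"])             # no owner of record: assign or disable
            continue
        if rec["status"] == "terminated":
            if acct["enabled"]:
                out["post_departure"].append(acct["user"])   # should have been disabled on exit
            if acct["last_login"] and acct["last_login"] > rec["left_on"]:
                out["used_after_departure"].append(acct["user"])  # activity after exit: investigate
        elif acct["enabled"] and (today - acct["last_login"]).days > stale_days:
            out["stale"].append(acct["user"])                # dormant access is a standing exposure
    return out


def sample_report():
    """Run the reconciliation over the constructed data above."""
    return reconcile(HR_ROSTER, ACCOUNTS, REPORT_DATE)


if __name__ == "__main__":
    for category, users in sample_report().items():
        print(f"{category}: {users}")
```

In practice the two inputs come from the HR system and the identity provider (or the password manager’s user list), and the script runs on a schedule so that an enabled account belonging to someone who left is caught within a day rather than months later.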
2. Phishing and social engineering
Social engineering attacks involve manipulating users into voluntarily giving up personal information. In a phishing attack, a cybercriminal disguises an email to make it seem like it comes from a legitimate, trusted source. The email will likely include a link asking the user to reset their password or check account information. That link will typically lead to a page designed to look authentic and trick an unsuspecting user into sharing their account information with a cybercriminal.
The best way to prevent phishing attacks is to educate yourself and your employees about the telltale signs of social engineering, including grammatical issues, nonstandard URLs, demands to act quickly, and nonstandard company graphics. If any of these are present, someone might be trying to steal your password.
3. Trojan horse
In a Trojan horse attack, malware is disguised as a harmless link or as legitimate software and is shared with users in hopes that they will download it. Similar to a phishing attack, this malware is often hidden within a falsified website, a misleading email, or even a fake advertisement. Once the malware is downloaded, the cybercriminal will often be able to access the user’s password and other sensitive information. As with phishing and other social engineering attacks, the best way to prevent a Trojan horse is through education. Seeking out security awareness training for your employees is a great place to start.
4. Brute force attack
This attack relies on trial and error. As the name suggests, it involves determining a user’s password by systematically trying candidates, beginning with weak, commonly used passwords (like Password1234) and then working through combinations of characters. A hacker typically uses software to test millions of passwords against a login page until the right one is found and the cybercriminal is able to access the account. Once they’ve cracked an account password, hackers can potentially access a huge amount of company data.
By making company passwords longer and more complex, you increase the number of guesses a brute force attack needs and reduce the likelihood of it succeeding. Additional security measures like CAPTCHA tests and limiting the number of failed login attempts before an account is locked or throttled can also help prevent bots from unleashing brute force attacks on your accounts.
5. Dictionary attack
This attack is a slightly more targeted version of a brute force attack. A dictionary attack takes advantage of the fact that people tend to use common words and ignore password best practices. In a dictionary attack, the cybercriminal uses a list of highly probable words, word combinations, and credentials gained from earlier data breaches. This list is then used to test a variety of possible passwords (often with numbers before or after the words, or with letters swapped for look-alike digits and symbols) until one matches.
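The defensive counterpart is a password policy that rejects exactly the candidates a dictionary attack tries first. The following is an added example, not code from the original article or from N-able: it normalizes a proposed password by stripping leading and trailing digits and symbols and undoing common look-alike substitutions, then checks the core against a wordlist and a breach list. The two deny lists are tiny constructed stand-ins; a real deployment would load a large breached-password corpus and a full wordlist, and the 12-character minimum is an assumption.

```python
from __future__ import annotations

import re

# Constructed deny lists for the demo (not real corpora): a few dictionary words
# and a few passwords "seen in a breach".
COMMON_WORDS = {"password", "welcome", "summer", "winter", "admin", "letmein", "qwerty", "company"}
BREACHED = {"password1234", "welcome1", "summer2023!"}

# Undo the substitutions people make when a policy demands digits and symbols.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})
# Digits or symbols prepended or appended to a word ("Summer2024!!", "2024summer").
EDGES = re.compile(r"^[\d\W_]+|[\d\W_]+$")


def normalize(password: str) -> tuple[str, str]:
    """Return the lowercase core word with edge digits/symbols stripped, and its de-leeted form."""
    core = EDGES.sub("", password.lower())
    return core, core.translate(LEET)


def check_password(password: str, min_len: int = 12) -> str | None:
    """Return a rejection reason, or None if the password passes the policy."""
    if password.lower() in BREACHED:
        return "appears in a breach corpus"
    if len(password) < min_len:
        return f"shorter than {min_len} characters"
    core, deleeted = normalize(password)
    if not core:
        return "consists only of digits and symbols"
    if core in COMMON_WORDS or deleeted in COMMON_WORDS:
        return "dictionary word padded with digits or symbols"
    return None


if __name__ == "__main__":
    for candidate in ["Password1234", "Summer2024!!", "P@ssw0rd2024", "12345678901234",
                      "tr0ub4dor&3", "correct horse battery staple"]:
        print(f"{candidate!r}: {check_password(candidate) or 'accepted'}")
```

The point of the normalization step is that "Summer2024!!" and "P@ssw0rd2024" both satisfy a naive complexity rule (length, mixed case, digits, symbols) yet are among the first guesses in a dictionary run, while a long passphrase made of several unrelated words is accepted.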
6. Rainbow table attack
These attacks are another step up from brute force and dictionary attacks. Rainbow table attacks work to reverse the password hashing that MSPs (and the systems they manage) perform so that stored passwords are not exposed by malware and other attack vectors.
The most common way to protect stored passwords is through hashing—a one-way function with no formula for turning the hash back into the password. A rainbow table is a precomputed table of hashes for huge numbers of candidate passwords; an attacker who obtains hashed data looks the hashes up in the table instead of computing each guess afresh. The best way to prevent rainbow table attacks is by “salting” your hashes: adding a random, per-password value to the password before it is hashed, so that identical passwords produce different hashes and a precomputed table no longer applies.
7. Keylogger attack
In a keylogger attack, the cybercriminal installs software that records the user’s keystrokes. By keeping a record of everything a user types, keylogging gives a hacker employees’ usernames and passwords—no matter how complex—as well as which app or website a given set of credentials is for. Because a keylogger attack is a type of malware attack, it usually relies on users falling victim to a different attack first, like a phishing attack that successfully gets them to download malware when they click a disguised link.
8. Traffic interception
In this attack, cybercriminals use software, like packet sniffers, to monitor your network traffic and capture passwords as they travel along the network. The process is similar to tapping a phone line or eavesdropping in that it monitors and captures critical information you believed was private. Traffic interception can be used for both encrypted and unencrypted passwords, though encrypted passwords will be much more difficult for the hacker to crack.
9. Credential stuffing
Credential stuffing demonstrates the ways a single data breach can have long-lasting repercussions. In this attack, a cybercriminal takes previously breached data from one service (like a social media platform) and uses it to attack another (like a business or a bank). If hackers do this en masse, they’ll probably eventually find a match and use those credentials to jump to other accounts.
Credential stuffing only works if users duplicate passwords across multiple accounts. That means the best way to prevent this type of attack is by ensuring your employees have unique passwords for all of their company accounts.
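Brute force (item 4) and credential stuffing leave different fingerprints in authentication logs, and a detection rule can tell them apart: a brute force run is many failures against one account from one source, while stuffing is a few failures each against many accounts from one source, sometimes followed by a success on an account whose password was reused. The following is an added example, not code from the original article or from N-able: it builds a small constructed log (TEST-NET addresses, invented usernames) in an assumed `timestamp auth ok|fail user=… src=…` format, then classifies each source and lists accounts that succeeded from a source that was also failing against many others. The thresholds are assumptions to tune per environment.

```python
import re
from collections import defaultdict

# Assumed log line format for the demo; adapt the pattern to your own auth logs.
LOG_RE = re.compile(r"^(?P<ts>\S+) auth (?P<result>ok|fail) user=(?P<user>\S+) src=(?P<src>\S+)$")


def build_sample_log():
    """Constructed sample log using TEST-NET addresses; not real traffic."""
    lines = []
    # 30 failures against one account from one source: classic brute force.
    for i in range(30):
        lines.append(f"2024-06-10T09:00:{i:02d} auth fail user=alice src=203.0.113.5")
    # One failure each against 25 different accounts, then one success: credential stuffing.
    for i in range(25):
        lines.append(f"2024-06-10T09:01:{i:02d} auth fail user=user{i:02d} src=198.51.100.7")
    lines.append("2024-06-10T09:01:30 auth ok user=user17 src=198.51.100.7")
    # A normal user mistyping once, then logging in.
    lines.append("2024-06-10T09:02:00 auth fail user=bob src=192.0.2.9")
    lines.append("2024-06-10T09:02:05 auth ok user=bob src=192.0.2.9")
    return lines


def classify_sources(lines, fail_threshold=10, spread_threshold=5):
    """Group failed logins by source and label the pattern each source shows."""
    fails = defaultdict(list)      # src -> list of usernames that failed (with repeats)
    successes = defaultdict(set)   # src -> usernames that logged in successfully
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue               # unparseable line: skip rather than crash the rule
        if m["result"] == "fail":
            fails[m["src"]].append(m["user"])
        else:
            successes[m["src"]].add(m["user"])

    findings = {}
    for src, users in fails.items():
        if len(users) < fail_threshold:
            continue               # ordinary typos stay below the threshold
        distinct = set(users)
        # Many accounts with roughly one attempt each is stuffing; a few accounts hammered is brute force.
        if len(distinct) >= spread_threshold and len(users) / len(distinct) <= 2:
            label = "credential_stuffing"
        else:
            label = "brute_force"
        findings[src] = {
            "label": label,
            "failures": len(users),
            "accounts": len(distinct),
            "accounts_also_succeeded": sorted(distinct & successes[src]),  # likely reused passwords
        }
    return findings


if __name__ == "__main__":
    for src, info in classify_sources(build_sample_log()).items():
        print(src, info)
```

The `accounts_also_succeeded` list is the actionable output: a success from a source that was failing against dozens of other accounts is the strongest signal that a reused password has just been stuffed successfully, and that account should be reset before the attacker pivots.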
10. Third-party attack
Also called a supply-chain attack, a third-party attack is when a cybercriminal gets access to your system through an outside provider, vendor, or partner who has access to your data. Given that MSPs often hold the key to many of their customers’ systems, third parties frequently target them so they can access multiple organizations at once.
As with many of the attacks listed above, the best way to prevent third-party attacks is by using a safe, reliable password manager that helps ensure a hacker can’t gain access to your encrypted master vault.
How to avoid password-related cyberattacks
Given that passwords remain the most vulnerable entry vector for cybercriminals looking to exploit a company’s data, MSPs need to take concrete steps to keep themselves—and their customers—secure. The most critical step is standardizing and enforcing higher credential security standards. That means eliminating password reuse, preventing common passwords and passphrases, and ensuring former employees lose access as soon as they leave the company.
To make it easier to enforce the continuous use of safe credentials, MSPs should invest in a centralized password management solution like N-able™ Passportal™. Passportal is an enterprise-grade password manager that can help you automatically generate and store complex passwords to keep data secure. In addition to strong password generation, multifactor authentication measures, and the option to offer automated password resets to your customers, Passportal also supports granular access control to ensure that only authorized personnel can access the most sensitive information.
For MSPs looking to help their customers avoid password-related cyberattacks, a cloud-based password manager like Passportal is the perfect solution to keep credentials secure and prevent a potentially devastating breach.