The most popular password cyberattacks that your business should be aware of
Passwords are your first line of defense against unauthorized access, and most (if not all) of our personal devices and accounts are protected by them. Unfortunately, many people assume that simply having a password in place is enough to safeguard their sensitive information. According to a recent survey conducted in honor of World Password Day, some of the most common passwords of 2020 were “123456,” “iloveyou,” and “Password1.” What’s more, many people overestimate the security improvements offered by adding a number here and a special character there to their otherwise simple passwords.
Since such vulnerable passwords are also the most common, it’s no surprise that password-related cyberattacks remain an incredibly popular approach among bad actors. The 2019 Verizon Data Breach Investigations Report (DBIR) found that 80% of hacking-related breaches involved compromised, weak, or reused passwords—a high percentage that has held steady since 2017. Similarly, password dump attacks, cyberattacks in which a hacker dumps a business’ usernames and passwords online, are up 4.2% from 2019. With troubling statistics like these, managed services providers (MSPs) must stay vigilant and keep up with the latest password-related attack vectors to protect their data and their customers. Here are the five most popular password cyberattacks that your business should be aware of.
Top five password cyberattacks
Today’s cybercriminals are smart and increasingly sophisticated, meaning they often use hybrid methods and tweak known password attack vectors to make them unique and harder to spot. You don’t have to memorize every possible attack scenario, but you should be well-versed in the most common approaches to spot potentially suspicious activity.
1. Social engineering attack
The most common way for hackers to gain access to your personal accounts is simply to ask for your passwords. Social engineering attacks are cyberattacks that manipulate their targets into voluntarily giving up personal information by preying on human nature. During a spear phishing attack, for example, a hacker will use personal information gathered about a target and disguise their malicious email as a message from a legitimate source. They might ask the user to click on a link to check account information or reset their password. Some hackers also add a subtle but urgent threat to their messages, like the prospect of account cancellation, to push the target into acting quickly without considering the legitimacy of the email.
Unfortunately, social engineering attacks pay off for most cybercriminals—a CyberEdge report found they were successful 79% of the time. Because phishing takes advantage of human nature, the best way to help prevent phishing is to educate end users about social engineering attacks and learn the hallmarks of a phishing email. Not all phishing emails look the same, but here are a few classic signs to look out for:
- Grammatical errors throughout the message
- Demands that urge you to act quickly in order to avoid consequences
- Nonstandard URLs
- Nonstandard company graphics
If any of these elements are present, someone might be trying to steal your passwords.
2. Brute force attack
A brute force attack is an umbrella term for any password-related cyberattack in which a hacker guesses passwords to gain access to a system. In the simplest terms, this cyberattack is based on probability—if a hacker’s computer program cycles through enough possible password combinations, it will eventually find the one that works.
Brute force attacks usually start with common user-friendly passwords like “Password123” and work from there, but they can be more sophisticated than that. In a reverse brute force attack, for example, the hacker will take some of the most common passwords and work backwards, trying to guess the usernames associated with them.
3. Dictionary attack
Dictionary attacks are similar to brute force attacks, but slightly more complex. A pure brute force attack tries character combinations exhaustively, one guess at a time. Dictionary attacks, on the other hand, work from a pre-compiled list of highly probable passwords, common word combinations, and credentials gained from previous data breaches. The hacker uses a computer program to start with the most likely possibilities and test variations on them, such as attaching numbers to the end or swapping letters for look-alike numbers.
Dictionary and brute force attacks are successful because many people don’t follow password security best practices. They create passwords that include their dog’s name and the street they grew up on put together, or opt for easy words they’re likely to remember. The best way to help prevent these types of cyberattacks is to make sure your passwords are complex, unique, and hard to guess. Long passphrases are more secure than passwords, and a password manager can help you automatically generate random passwords and store them so you don’t have to rely on your memory.
4. Rainbow table attack
A rainbow table attack is a step up from brute force and dictionary attacks. MSPs typically “hash” their users’ passwords before storing them in a system. Hashing is a one-way mathematical conversion that turns each password into a fixed-length, seemingly random string of characters; the system stores the hash rather than the password itself, so someone who reads the database cannot simply read the passwords back out of it. Savvy hackers, however, have found a way to work around this security method.
A rainbow table is a precomputed list that maps hashes produced by a particular hash algorithm back to the plain-text passwords that generate them, and hackers have been known to collect and share these lists. Once a hacker has broken into a password database, they can cross-reference the hashed passwords they find against their rainbow table and use the recovered passwords to access the network. Since rainbow table attacks are essentially just a matter of cross-referencing, hackers can crack passwords much faster than they would by using brute force or dictionary attacks. Depending on the software, rainbow table attacks can crack a 14-character alphanumeric password in as little as two minutes.
To protect against rainbow table attacks, you should fortify your approach to password hashing. For example, you can add a unique, randomly generated string (a salt) to each password before hashing it, so that a table precomputed for unsalted hashes no longer matches anything in your database, and you should always avoid using outdated hashing algorithms.
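The following is an added example, not code from the article or from N-able. It contrasts the two storage schemes the section describes: a tiny constructed table of unsalted SHA-256 digests that can be cross-referenced directly, and salted storage using PBKDF2-HMAC-SHA256 (an assumed choice of slow hash; the article names no specific algorithm) where two users with the same password get different stored values.

```python
import hashlib
import hmac
import os
from typing import Optional, Tuple

# Constructed sample: a tiny precomputed table of unsalted SHA-256 digests for a few
# common passwords, standing in for the far larger tables the article describes.
COMMON_PASSWORDS = ["123456", "iloveyou", "Password1"]

def unsalted_sha256(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()

PRECOMPUTED = {unsalted_sha256(p): p for p in COMMON_PASSWORDS}

def lookup_unsalted(stored_hash: str) -> Optional[str]:
    """Cross-reference an unsalted hash against the precomputed table: with no salt,
    every system using plain SHA-256 stores the same digest for "Password1"."""
    return PRECOMPUTED.get(stored_hash)

# Hardened storage (assumed scheme, not the article's): a per-user random salt plus a
# deliberately slow key derivation, PBKDF2-HMAC-SHA256 from the standard library.
PBKDF2_ITERATIONS = 600_000

def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Return (salt, derived_key); a fresh 16-byte salt is generated when none is given."""
    if salt is None:
        salt = os.urandom(16)
    key = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, key

def verify_password(password: str, salt: bytes, expected_key: bytes) -> bool:
    """Re-derive the key with the stored salt and compare in constant time."""
    _, key = hash_password(password, salt)
    return hmac.compare_digest(key, expected_key)

def salting_defeats_table(password: str) -> bool:
    """Two users with the same password get different salts and therefore different
    stored values, so one precomputed table cannot be cross-referenced against both."""
    salt_a, key_a = hash_password(password)
    salt_b, key_b = hash_password(password)
    return salt_a != salt_b and key_a != key_b
```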
5. Credential stuffing
Credential stuffing exemplifies how a data breach can have a long afterlife. In a credential stuffing attack, a hacker takes previously breached data from one service and uses it to attack another. For example, a cybercriminal can take the usernames and passwords they stole from a social networking site and try those same credentials on other accounts. If they do this en masse, it’s likely they’ll eventually find a match and use those credentials to leapfrog to other accounts.
Credential stuffing attacks are only successful if users duplicate passwords across multiple accounts or sites. To prevent credential stuffing, make sure your customers and technicians all use unique and complex passwords for every account or service. Also, make sure you update passwords frequently enough that if your credentials are stolen, they’ll only be useful for a limited period of time. Most cybersecurity experts recommend generating new and complex passwords with a password manager at least every three months.
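Because stuffing and reverse brute force attacks both try many different usernames from one source, they leave a recognisable trace in authentication logs. The detector below is an added example (not the article's or N-able's code) run over constructed sample log lines in an assumed "timestamp result user=... src=..." format; it flags a source that attempts logins against many distinct accounts within a short window, and reports which of those attempts succeeded so the affected accounts can be reset.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (not from any real system), one login attempt per line.
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T10:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T10:00:02 FAIL user=carol src=203.0.113.7
2024-05-01T10:00:03 FAIL user=dave src=203.0.113.7
2024-05-01T10:00:04 FAIL user=erin src=203.0.113.7
2024-05-01T10:00:05 OK   user=frank src=203.0.113.7
2024-05-01T10:00:09 FAIL user=alice src=198.51.100.2
2024-05-01T10:00:30 FAIL user=alice src=198.51.100.2
2024-05-01T10:01:10 OK   user=alice src=198.51.100.2
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse_log(text):
    """Return (timestamp, result, user, src) tuples; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append((datetime.fromisoformat(ts), result, user, src))
    return events

def find_stuffing_sources(events, window=timedelta(minutes=5), min_users=5):
    """Flag source IPs that try logins against many DISTINCT usernames inside the
    window. One user fumbling their own password (one username, one source) is not
    flagged; one source spraying a breached list across many accounts is."""
    by_src = defaultdict(list)
    for ts, result, user, src in events:
        by_src[src].append((ts, user, result))
    flagged = {}
    for src, attempts in by_src.items():
        attempts.sort()
        for i, (start, _, _) in enumerate(attempts):
            in_window = [(t, u, r) for t, u, r in attempts[i:] if t - start <= window]
            users = {u for _, u, _ in in_window}
            if len(users) >= min_users:
                successes = sorted(u for _, u, r in in_window if r == "OK")
                flagged[src] = {"distinct_users": len(users), "successes": successes}
                break
    return flagged
```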
How to prevent password-related cyberattacks
Passwords are one of the most vulnerable entry vectors and hackers will always continue to try and exploit them. To protect your business and your customers from these attempts, there are many things you can do to minimize your vulnerabilities. First, take a good look at your password security best practices. Here are some tips for creating a strong password.
- Don’t use passwords that would be easy to decipher (e.g., your last name and year of birth)
- Use long passphrases with random mixes of numbers and characters
- Incorporate short phrases or acronyms
- Don’t use memorable keyboard paths (e.g., “qwerty”)
- Avoid common substitutions
Don’t reuse passwords, write them down, or share them with others. Also, turn on two-factor authentication (2FA) whenever possible. Two-factor authentication supplements password management best practices by adding an additional layer of security to an account’s login procedure. An account protected by 2FA requires two distinct factors to access it, typically a password plus a fingerprint or a physical security key. This way, even if a hacker steals your password, it’s highly unlikely that they’ll be able to steal your secondary method of identification as well.
Is your business safe from cyberattacks?
These top five password-related cyberattacks only scratch the surface. The cyber threat landscape is vast and rapidly changing—so how can you keep your business safe? Password security experts recommend using a password manager to protect your business.
N-able™ Passportal™ is a centralized, cloud-based password and IT document management system designed specifically for an MSP’s unique needs. With Passportal, you can automatically generate and store strong passwords, grant and revoke access as needed, and closely monitor credential use. To learn more and see Passportal in action today, request a demo here.