Ever since Ali Baba uttered “open sesame,” thieves have been using stolen passwords to access hidden riches. In the digital world, password attacks have been and continue to be a common way for threat actors to gain access to an organization’s treasure trove of data. No matter how many emails we get from IT explaining what makes a good password, many of us still use the same basic password in multiple places simply because they’re easier to remember. Let’s explore exactly how these password attacks work, as well as the most effective ways to reduce the risk of one wreaking havoc on your organization.
What Are the Different Types of Password Attacks?
While the end goal of any password attack is to crack a user’s password in order to gain access, there are several different methods to achieve this goal. The most common ones are:
Dictionary Attacks – Dictionary attacks originally consisted of attackers systematically trying every word in a common-language dictionary, such as English, French, or Spanish, relying on people's tendency to use a single real word as their password. Over time, attackers have moved beyond plain dictionaries and now also use password lists that can be found on the internet. Password, 1234567, password1, 111111, and qwerty remain popular favorites.
Brute-Force Attacks – Where dictionary attacks focus on plaintext words, brute-force attacks rely on pure trial and error, working through every possible combination of letters and numbers. These attacks benefit from the fact that most users keep their passwords fairly short: the shorter the password, the faster the attack completes.
Hybrid Attacks – Another form of password guessing, these attacks combine the power of dictionary and brute-force attacks, covering even more possible combinations.
Password Spraying – Also called credential stuffing, password spraying uses credentials obtained through social engineering attacks like phishing, or recovered by a dictionary, brute-force, or hybrid attack. Taking a password that is known to work for at least one system or application, an attacker tries it across an organization’s environment to see if it will work elsewhere, granting further access. Since passwords are reused so frequently, credential stuffing is often very successful.
Strategies for Reducing the Risk of a Password Attack
1. Pen Test
The best way to know if your organization is vulnerable to password attacks is to launch one yourself with a pen test. An automated pen testing tool can be used to quickly run password attacks. For example, a password spraying scenario can be run to see if your environment is vulnerable, exposing which machines are sharing credentials. This allows you time to change the password before you’re actually attacked, and should prompt a reevaluation of how passwords are being created and enforced.
Additionally, many credential stuffing attacks begin with attackers who have successfully stolen credentials through phishing. Phishing simulations imitate malicious phishing campaigns, allowing organizations to monitor whether any messages are opened, clicked, or have credentials entered. These simulations can help uncover which employees are vulnerable to phishing, and what type of phish they are likely to open.
2. Use Multi-Factor Authentication (MFA)
MFA puts additional roadblocks in the way of attackers by requiring more than one piece of evidence in order to log in. The categories of evidence are knowledge, possession, and inherence: something a user knows, like a password; something a user has, like a phone or security token; and something only the user can provide, like a fingerprint. While higher-security systems may use fingerprint pads or eye scans, most devices rely on knowledge and possession for a two-factor authentication process. The more requirements there are, the more work an attacker has to do to gain entry.
3. Enforce and Manage Strong Passwords
While MFA adds more barriers, each barrier needs to be as strong as possible. For example, many types of MFA logins only request the second form of authentication once the first has been validated. This means an attacker may not be able to gain entrance, but they will know they had the right credentials. From there, they can launch a password spray attack against the rest of the network, and may stumble across applications that don’t have MFA available.
Because of this, it’s important to ensure that passwords are as complex as possible. Password management solutions can help by enforcing a strong password policy. Ideally, passwords should be longer than 12 characters and composed of random numbers, symbols, and letters. Many organizations encourage the use of passphrases like Eyel0vecheez!, which are generally easier to remember.
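A policy check of the kind a password manager would enforce, added here as an example rather than taken from any product: it applies the length and character-class rules above and also rejects the "popular favorites" listed earlier, undoing common leetspeak substitutions so that a doctored dictionary word is still caught. The common-password list and the substitution table are assumptions constructed for this example.

```python
import re

# Constructed from the "popular favorites" named in this article; a real
# deployment would load a much larger breached-password list.
COMMON_PASSWORDS = ("password", "1234567", "password1", "111111", "qwerty")

# Substitutions attackers' rule engines apply to dictionary words; we undo
# them so that "P@ssw0rd" is still recognised as "password".
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "7": "t", "@": "a", "$": "s"})

MIN_LENGTH = 13  # the article asks for "more than 12 characters"
CHARACTER_CLASSES = {
    "uppercase letter": r"[A-Z]",
    "lowercase letter": r"[a-z]",
    "digit": r"[0-9]",
    "symbol": r"[^A-Za-z0-9]",
}


def check_password(password):
    """Return a list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    missing = [name for name, pattern in CHARACTER_CLASSES.items()
               if not re.search(pattern, password)]
    if missing:
        problems.append("missing " + ", ".join(missing))
    # Check both the raw lowercase form and the de-leeted form against the
    # common-password list, so "P@ssw0rd123456!" does not slip through on
    # complexity rules alone.
    lowered = password.lower()
    normalized = lowered.translate(LEET_MAP)
    hits = [w for w in COMMON_PASSWORDS if w in lowered or w in normalized]
    if hits:
        problems.append("contains common password(s): " + ", ".join(hits))
    return problems
```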
4. Monitor Activity
Attackers rely on going undetected. Since so much activity occurs in an IT environment, a password attack can easily slip through the cracks. Monitoring activity with a SIEM can flag an unusual number of login attempts and automatically escalate the issue to the security team, allowing them to quickly prevent or neutralize risks. This means your security teams and analysts can determine in real time whether they need to investigate further. Additionally, many SIEM solutions can act automatically, locking out a user after a certain number of failed attempts.
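The two SIEM rules described above, written out as an added example over a constructed authentication log (not code from any SIEM product): a per-account failure count that triggers lockout, and a per-source count of distinct accounts that catches password spraying, which stays under the per-account lockout threshold by design. The log format, IP addresses and thresholds are assumptions made for this example.

```python
from collections import defaultdict
from datetime import datetime

WINDOW_MINUTES = 10
LOCKOUT_THRESHOLD = 5   # failures on one account per window -> lock it
SPRAY_THRESHOLD = 4     # distinct accounts one source fails against per window

# Constructed sample auth log: timestamp, source IP, account, outcome.
SAMPLE_LOG = """\
2024-03-01T09:00:05 198.51.100.7 alice FAIL
2024-03-01T09:00:09 198.51.100.7 alice FAIL
2024-03-01T09:00:14 198.51.100.7 alice FAIL
2024-03-01T09:00:20 198.51.100.7 alice FAIL
2024-03-01T09:00:27 198.51.100.7 alice FAIL
2024-03-01T09:01:02 203.0.113.9 bob FAIL
2024-03-01T09:01:06 203.0.113.9 carol FAIL
2024-03-01T09:01:11 203.0.113.9 dave FAIL
2024-03-01T09:01:15 203.0.113.9 erin FAIL
2024-03-01T09:01:20 203.0.113.9 frank OK
2024-03-01T09:05:40 192.0.2.44 grace FAIL
"""


def parse(log_text):
    """Turn the log text into (timestamp, ip, user, outcome) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, outcome = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, outcome))
    return events


def detect(events):
    """Count failures in tumbling windows and return (alerts, locked accounts)."""
    fails_by_user = defaultdict(int)   # (window, user) -> failed logins
    users_by_ip = defaultdict(set)     # (window, ip) -> accounts that failed
    for ts, ip, user, outcome in events:
        if outcome != "FAIL":
            continue
        # Floor the timestamp to the start of its 10-minute window.
        bucket = ts.replace(minute=ts.minute - ts.minute % WINDOW_MINUTES, second=0)
        fails_by_user[(bucket, user)] += 1
        users_by_ip[(bucket, ip)].add(user)
    alerts, locked = [], set()
    for (bucket, user), n in fails_by_user.items():
        if n >= LOCKOUT_THRESHOLD:
            alerts.append(f"brute force on {user}: {n} failures, account locked")
            locked.add(user)
    for (bucket, ip), users in users_by_ip.items():
        if len(users) >= SPRAY_THRESHOLD:   # one failure each, no lockout fires
            alerts.append(f"password spray from {ip}: {len(users)} accounts tried")
    return alerts, sorted(locked)
```

Note that the sprayed accounts each see a single failure, so the lockout rule alone never fires on them; only the per-source rule exposes the spray.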
5. Layered Defense for a Strong Security Posture
Both IT environments and their attackers have grown far too sophisticated for a single password to protect them. Security strategies must be as multi-faceted as the infrastructures they protect. Password-focused tools like password managers and MFA must be paired with other solutions, like antivirus and other forms of threat detection. These serve both as a preventative, proactive measure against malware attacks and as a reactive response to advanced persistent threats that have already infected a system. By practicing dynamic risk management, organizations can be ready for any type of security threat or disruption.
6. Consistent Training and Reviews
While employees are your greatest asset, they are also your greatest security risk. When pen tests show where you’re most vulnerable, putting solutions in place will help reduce risk. However, employees must also undergo regular training to ensure they understand both the importance of password security and the ways their credentials can be stolen. Those flagged as susceptible to phishing attacks, for example, may require education sessions to help them better spot suspicious emails. Phishing campaign simulations are particularly important to run on a regular basis, as new employees may have been onboarded since the last scenario was run, and all an attacker needs is a single user to make a mistake.
Finally, reviewing your security posture and password policies on a regular basis keeps you agile and lets you refine security strategies as new techniques emerge. For example, MFA has only become widespread in the last few years. With the right measures in place, passwords can remain one of the best and most important lines of defense for your organization.
Train Your Users to Recognize Phish
Avoid credential stuffing and other attacks by launching a phishing campaign simulation. Learn the best techniques in our eCourse, Best Practices for Effective Phishing Simulations.