From phishing to brute force attacks, we’ll share with you the most common password attacks you’ll face
One of the easiest ways cyber-attackers and criminals can breach your organization is through a password attack, because passwords are one of the weakest links in your overall cyber security.
To protect your organization and better understand how to protect passwords from being attacked and compromised, let’s look at the top 8 password attacks used against small to mid-sized organizations.
The 8 password attacks aimed at your organization
Phishing attacks continue to be the number one way organizations are breached. Phishing is a type of social engineering aimed at stealing data and personal information from the person receiving the message.
In the first quarter of 2022, according to Security Today, 92% of breaches resulted from cyberattacks, and phishing and ransomware were the two top causes of those breaches.
The 4 main types of phishing attacks include:
- Spear Phishing: This is a phishing attack targeted at specific individuals rather than a group of people or the entire company. The attacker either already has personal information about the target or is trying to obtain that to continue their attack. These types of attacks are more successful because they are more believable.
- Smishing: Smishing is a type of phishing attack that uses SMS text messages. With such a large percentage of people using text continually during the day, smishing has become more and more popular.
- Vishing: Vishing attacks use phone scams to steal personal and confidential information from their victims. This is also called voice phishing and is used by cybercriminals to convince victims they are doing the right thing by answering the caller and their questions.
- Whaling: Whaling is a type of spear phishing but is more targeted. Whaling is usually targeted at specific people in your organization, such as CEOs, managers, or executives. The credentials of these high-value targets provide a gateway to more info and money.
There were 1,025,968 phishing attacks in the first quarter of 2022
Check out this article from Net Security giving you a breakdown of all of the attacks so far in 2022: Phishing reaches all-time high in early 2022
Brute Force Attack
A brute-force attack is carried out by a hacker or cyber criminal who uses a computer program to try all possible letters, numbers, and symbol sequences until they land on the correct combination.
Brute-force attacks comprise nearly 80% of hacking breaches and are often targeted at small to mid-sized organizations.
Brute-force attacks happen systematically, usually starting with common passwords like “password” or “1234567”, which can take less than a few seconds to crack. These attacks are usually automated and can be active 24 hours a day.
54.6 million current, former and prospective T-Mobile customers hacked
T-Mobile CEO Mike Sievert said that a hacker used a brute-force attack to force his way into the T-Mobile network. Check out the full article here: T-Mobile CEO: Hacker brute-forced his way through our network
Credential Stuffing Attacks
Credential stuffing is a type of brute-force attack where a collection of login credentials stolen from one service is used to attempt to break into another, unrelated service.
For example, an attacker may take a list of usernames and passwords obtained from a large known department store and use those same login credentials to try to log in to banks or other financial institutions.
Credential stuffing is so popular and widespread due to the massive lists of breached credentials sold and traded on the dark web.
A dictionary attack is another brute-force cyber attack technique, where hackers run through common words and phrases, like those from a dictionary, to guess and obtain your password.
A dictionary attack uses a word list, a predefined list of words, and every word in the list is hashed. If one of those hashes matches the password hash, the attack has successfully identified the password.
Typically, hackers will tune the dictionary attack to their target, using a specific language or even particular terms used by a community, such as a Star Wars dictionary to crack Star Wars fans’ passwords. And because 80% of people reuse passwords, it gets them access to multiple accounts.
Password spraying attacks
Password spraying attacks are a unique version of a brute force attack. Typically, a brute-force attack targets one single account and hits that account with multiple passwords to gain access.
The issue with these attacks is that new cyber security protocols have been developed to detect this suspicious activity and lock out the account after too many failed login attempts.
Cybercriminals have flipped this conventional strategy by attempting to log on to multiple users’ accounts simultaneously using many common passwords. Attacking many accounts, sometimes millions at a time, bypasses the normal lockout procedures, allowing cyber-attackers to keep trying more and more passwords.
Password spraying attacks are so successful because many users fail to follow password best practices. As a matter of fact, the 100 most commonly used passwords in 2022 continue to include “123456” and “password,” which are still two of the most commonly used passwords and, as you can imagine, are easily hacked.
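The difference between the two patterns, from the detection side, as an added example (not part of the original article): a per-account lockout counter only sees the brute-force source, while counting distinct accounts per source exposes the spray. The log records, thresholds and function names are assumptions made for illustration.

```python
from collections import defaultdict

# Constructed failed-login events (source_ip, username) from one time window.
# IPs are from documentation ranges; none of this is real data.
SAMPLE_FAILURES = (
    [("198.51.100.7", "alice")] * 12                        # one account, many guesses
    + [("203.0.113.9", f"user{i:02d}") for i in range(30)]  # many accounts, one guess each
    + [("192.0.2.44", "bob")] * 2                           # ordinary typos
)

LOCKOUT_THRESHOLD = 5    # assumed per-account lockout policy
SPRAY_MIN_ACCOUNTS = 10  # assumed alert threshold: distinct accounts per source


def accounts_locked(failures, lockout=LOCKOUT_THRESHOLD):
    """Accounts that a per-account failure counter alone would lock."""
    counts = defaultdict(int)
    for _source, user in failures:
        counts[user] += 1
    return sorted(user for user, n in counts.items() if n >= lockout)


def classify_sources(failures, lockout=LOCKOUT_THRESHOLD,
                     min_accounts=SPRAY_MIN_ACCOUNTS):
    """Label each source by the shape of its failed logins."""
    per_source = defaultdict(lambda: defaultdict(int))
    for source, user in failures:
        per_source[source][user] += 1

    verdicts = {}
    for source, users in per_source.items():
        if max(users.values()) >= lockout:
            verdicts[source] = "brute-force"      # lockout would trip on this account
        elif len(users) >= min_accounts:
            verdicts[source] = "password-spray"   # under the lockout on every account
        else:
            verdicts[source] = "normal"
    return verdicts


if __name__ == "__main__":
    print("locked by per-account counter:", accounts_locked(SAMPLE_FAILURES))
    for source, verdict in sorted(classify_sources(SAMPLE_FAILURES).items()):
        print(source, verdict)
```

On the constructed sample only "alice" is locked out, yet the source that touched 30 accounts once each is the one flagged as a spray.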
Keylogger attacks use spyware created to track and record the keystrokes made by users to capture their sensitive information, like passwords and login credentials.
When a keylogger infects a device, it can eavesdrop on private communications and follow your online behavior. Keylogger attacks work on everything from social media accounts and email logins to website visits, and even payment information can be tracked.
Keyloggers can use software or hardware to capture users’ data. Both these tools will record the data entered by a user’s keystrokes, and it will be placed in a file they can retrieve later. In addition, some keylogger tools can capture info from microphones, cell phones, webcams, and keyboards.
Keyloggers can be extremely difficult to detect, but some things to look for include USB devices attached to your computer that you didn’t install. Software keyloggers can slow down your computer and cause lags and excessive popups, and new icons may even appear on your desktop.
In cyber security, humans are usually the weakest link in the chain because we are so susceptible to manipulative tactics, especially when working remotely.
Social engineering takes advantage of our human vulnerabilities and desire to please others and be helpful.
Social engineering is the practice of using psychological methods to elicit the desired behavior. It works when hackers pose as someone likable, trustworthy, or authoritative and trick the victim into trusting them. Once that trust is established, the victim is open to giving up private information.
Some of the most common types of attacks using social engineering include:
5 facts about passwords you need to know
- Passwords are hacked easily because most people follow similar patterns
- Try using a passphrase you can remember with a combination of upper case, numbers, and characters.
- The ideal password length is 16 or more characters
- An analysis showed that of 11 million passwords, 20 passwords constituted over 10% of all passwords in use.
- When people are asked to add a number, the majority simply add a 1 or a 2 at the end. This is a big mistake.
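A password-policy check built from the points above, as an added example (not part of the original article): it enforces the 16-character length and rejects common passwords and dictionary words that were only dressed up with a trailing number or symbol, which is what a tuned dictionary attack tries first. The two word sets are tiny constructed stand-ins for real lists, and the function names are hypothetical.

```python
import re

# Constructed stand-ins for a real common-password list and a themed wordlist.
COMMON_PASSWORDS = {"123456", "password", "1234567", "qwerty"}
WORDLIST = {"password", "dragon", "skywalker", "welcome"}

MIN_LENGTH = 16  # the length recommended in the list above

# Simple character substitutions people use to "strengthen" a word.
SUBSTITUTIONS = str.maketrans({"0": "o", "3": "e", "4": "a", "5": "s",
                               "@": "a", "$": "s"})


def base_word(candidate):
    """Lower-case, drop trailing digits/symbols, undo simple substitutions."""
    stripped = re.sub(r"[\d\W_]+$", "", candidate.lower())
    return stripped.translate(SUBSTITUTIONS)


def policy_violations(candidate):
    """Return the list of policy rules the candidate password breaks."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("too short")
    if candidate.lower() in COMMON_PASSWORDS:
        problems.append("common password")
    if base_word(candidate) in WORDLIST:
        problems.append("dictionary word with suffix")
    return problems


if __name__ == "__main__":
    for pw in ("Password1", "Skywalker2!", "P@ssw0rd2", "123456",
               "correct horse battery staple"):
        print(repr(pw), policy_violations(pw) or "ok")
```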
How to prevent password attacks
Prevention is the best defense when it comes to password security. Some of the most effective ways to defend your organization against these attacks include:
- Enforcing multi-factor authentication
- Schedule and rotate passwords often
- Do not use common words or phrases
- Create and enforce a strong password policy
- Monitor activity
- A fully layered Cyber security posture like The Security Shield
- Switching to passwordless authentication
- Investing in password manager software like LastPass
- Training your people on how to spot phishing emails
- Biometrics: It’s hard to copy our fingerprints
- Remote access: Using a smart remote access platform like Onelogin