The first instance of passwords being used to allow individual users access to a computer system was innovatively implemented by MIT’s Compatible Time-Sharing System (CTSS) in the 1960s. And what we might consider the first-ever computer password theft was as simple as someone printing off the list of passwords stored within that computer’s system. No, really—PhD researcher Allen Scherr did this in 1962 so that he could access CTSS outside of his weekly-allotted time.
Fast-forward to today, password theft and attacks have advanced quite drastically. Organizations are up against state-of-the-art hacking technologies every second of every day and, to combat this, identity access has become far more complicated than just having one memorable word to remember.
In fact, with 70% of users across the UK and US estimated to currently hold more than ten password-protected accounts, it’s hardly surprising that employees are not only reusing the same passwords across multiple accounts, but using easy-to-remember details about themselves as passwords. And meanwhile, users are sharing more information about themselves online than ever before. While the average person might feel part of an online community, to hackers, it’s a playground.
As password theft is an enduringly prominent issue, we’ve put together a list of the eight most common types of password-related attacks, so that you can help keep your employees safe online and protect your organization’s data. Because, after all, knowing what you’re up against is half the battle.
Phishing is currently the type of password-related attack that’s getting the most press online—and it’s easy to see why. With 75% of organizations having experienced a phishing attack in 2020, being targeted can’t be avoided—but falling for phishing attacks, can be.
The thing about phishing is that it relies on human error to be successful. Rather than a hacker having to crack a password, users readily hand over their sensitive information on a plate. And why do they do this? Well, because they don’t know they’re handing their information over to hackers.
That’s how phishing works. A hacker will send their victim an email disguised as if from a trustworthy source—for example, a bank, network provider, or delivery service—usually asking them to perform a certain action. Let’s use PayPal as an example. A hacker might send an email disguised as if from PayPal, notifying their target that their account has been locked until they verify their identity by entering their credentials online. Once the user clicks the link to the fake PayPal site and enters their credentials on this webpage, the hacker then has their details and can log in to their target’s genuine PayPal account.
But it doesn’t stop there—if the user has reused that password across multiple accounts, the hacker will now have access to all accounts sharing that password! Which leads us on nicely to our next point.
2. Credential Stuffing
The trouble with humans is that we have notoriously bad memories. That’s why the thought of remembering dozens of unique passwords for different accounts while also changing them every three months is overwhelming.
Because of this, six in ten people use the same passwords across multiple different accounts, according to a survey by Google. This makes over half of the population vulnerable to credential stuffing attacks—especially if one or more of their accounts have already been compromised.
Credential stuffing relies on this human tendency to reuse passwords. During this type of attack, a hacker will try various combinations of stolen usernames and passwords, with the hopes of gaining access to an account where the target has reused a compromised password. Hackers can obtain stolen passwords from the Dark Web, or simply reuse those they’ve already stolen using other methods of credential theft. You can see if your passwords have been compromised on the dark web using this tool: https://haveibeenpwned.com/.
3. Brute Force Attacks
Brute force attacks are among the most common and easiest methods for hackers to gain access to accounts—which is why they’re so widespread. In fact, 80% of hacking breaches are estimated to involve these types of attacks.
To carry out a brute force attack, a hacker will use a computer program to try all possible letter, number, and symbol sequences character-by-character, until hitting the correct combination, so they can gain access to a user’s account.
This is done systematically, often starting with the most common passwords—which is why “123456” and “password” take less than a second to crack. The program is usually automated, can take password requirements into account—such as a minimum character limit and inclusion of a number or symbol—and can bypass limits on the number of attempts that can be tried before the account is locked.
4. Dictionary Attacks
While dictionary attacks are a type of brute force attack, there is a key difference between the two. Whereas traditional brute force attacks attempt to crack a password character-by-character, a dictionary attack will make its way through a list of common words and phrases.
Dictionary attacks tend to rely on variations of commonly used words, but more advanced attacks use details that are personalized to specific users—and these details are easy to find online. In fact, it can take seconds to discover an employee’s pet’s name from their Instagram account, or their favorite band from their Spotify profile. Unsurprisingly, “Blink182” was the 128th most commonly used password in 2020 according to research by NordPass, while “Justin” was number 125. So, yes, Justin Bieber can not only be the reason you might turn down the radio, but also the reason your organization experiences a cyberattack!
5. Password Spraying
Similar to the dictionary attack, password spraying is a type of brute force attack that works by attempting to access accounts using commonly used passwords. What makes a password spraying attack different—as the word “spraying” might suggest— is that it can target thousands or even millions of different users at once, rather than just one account.
Distributing login attempts across multiple users and organizations rather than one single user also lessens the risk of the hacker being caught by account lockout policies triggered by repeated failed login attempts.
Password spraying attacks commonly target single sign-on and cloud-based platforms and can prove particularly dangerous for these.
6. Keylogger Attacks
Keystroke loggers—or, keyloggers—are particularly dangerous, because even the strongest passwords can’t protect you from them. Imagine someone watching you over your shoulder as you type in a password—no matter how strong that password is, if they’ve seen you type it in, then they know it.
That’s how keyloggers work—not by cracking passwords, but by spying on their victim and recording their passwords as they type them in. But not just passwords—keyloggers record everything you type. This means hackers don’t have to guess usernames because they’ve already recorded that information, as well as credit card details, answers to security questions, and sensitive information such as social security numbers.
A common type of spyware, keyloggers work by infecting a victim’s device with malware. While physical device keyloggers do exist, software keyloggers are far more common. This means that to infect a victim’s device they need to make it into the system—usually via a phishing attack, drive-by download, or trojan. Once keyloggers have infected a system, they’re almost impossible to detect, which is why, particularly in this case, prevention is the best defense.
7. Man-In-The-Middle Attack
MitM attacks are almost self-explanatory—they involve a type of interception while data is in transit. A hacker will sit between two different destinations and relay data between the two. Think of it this way: three people are sat side by side and, for the two on the outside to communicate back and forth, they must pass messages through the person in the middle. Except during MitM attacks, the victims have no idea that the person in the middle is even there.
To carry out an attack, a hacker will likely act as a proxy to disguise the fact that the data is being intercepted. To use our PayPal example from earlier, the hacker might set up a fake PayPal login page and encourage the victim to enter their credentials—but it doesn’t end there. The hacker will then allow the user access to their fake site, while using the stolen credentials to log on to the victim’s account on the real PayPal site. Then, whichever actions the victim performs on the fake site, the hacker performs on the real site and transmits any responses back to the victim. This way, the hacker can not only go unnoticed, but also ensure the credentials being entered by the victim are 100% correct.
8. Rainbow Table Attack
You might remember from your school days being tasked with decoding a cipher using a table of corresponding symbols. While at that age, this kind of task might have appealed to the Sherlock Holmes in you, these days it certainly appeals to hackers looking to decode encrypted passwords.
To explain how a rainbow table attack works, we first need to understand hashing. Hashing is the process where organizations mathematically convert and encrypt users’ passwords so that they’re stored within the system as cryptographic sequences of characters. From then on, when a user enters their password, it’s automatically hashed, and the hashed value is compared with that stored within the system. This means that if anyone were to access this database of passwords, they would see the encrypted values—rather than the actual passwords.
Rainbow table attacks are similar to dictionary attacks—but use a rainbow table rather than a list of words, and can offer a faster password-cracking process. A rainbow table is essentially the key to deciphering encrypted passwords—it’s where pre-computed hash functions are stored alongside their hashed values. Using it, a hacker can compare values against this table and decrypt the hashed passwords in your database. Rainbow tables containing the solutions to common hashing algorithms can be found on the dark web, as well as generated using hacking tools such as Rainbow Crack and 0phcrack.
Preventing Password-Related Attacks
When it comes to password security, prevention is the best defense. It’s always better to stop attacks from happening in the first place rather than having to defend your organization after the fact.
Some of the most effective ways you can secure your organization against these devastating password-related attacks include:
We asked CTO and Co-Founder of Keeper Security, Craig Lurey, how implementing a password management solution can help organizations keep their employees safe online. He told us:
“Password management solutions give IT and security administrators complete visibility into employee password practices and the ability to enforce password security policies organization-wide, such as using strong, unique passwords for every account and enabling multi-factor authentication on all accounts that support it.”
So, while hacking methods have certainly evolved beyond simply printing off lists of users’ passwords, our defenses have had to evolve alongside them. And implementing a strong password solution for your organization can be the difference between a big data breach and business as usual. Is not implementing one worth the risk?