
We’ve all seen a television show or a movie where the “hacker” is attempting to break into the “victim’s” computer. The savvy assailant cracks the password by combining the name of the target’s first-born child with the numbers in his home address, or simply lifts the keyboard to find a sticky note with the less-than-complicated password hidden away.  

I know you smiled, maybe even chuckled, when you read that last scenario, but then thought back to your own password practices and concluded that a tune-up is in order. Don’t beat yourself up; we’ve all been there, and most of us still follow less-than-stellar practices in managing the most basic security measure: the password. 

This article discusses the dangers of lax password behavior, the typical reasons for poor password management, and the steps you can take to correct the trend. 

It’s not hard to believe that password management among most Americans is less than stellar. When you add up all the usernames and passwords you are responsible for remembering every day, your head starts to spin. I know mine does. According to a recent study, the average American has around 100 passwords across work and home. At that volume, how can anyone remember them all? The sheer number pushes us toward shortcuts in how we manage passwords, and those shortcuts are exactly what attackers count on. 

Password Attack Methods 

We hear a lot about various attack methods (ransomware, man-in-the-middle, phishing), but what are the most common ways an attacker actually gets hold of a password? You might be surprised. Here are 10 common methods used to steal passwords. 

Brute Force Attack 

A “Brute Force” Attack is one where an attacker uses software to guess a password by trying combination after combination until one works. Against a live login page the attack is slow and noisy, so it is usually run offline against a stolen password hash, where guesses are limited only by the attacker’s hardware. The time required grows rapidly with password length, so attackers are most successful when the target uses a short or predictable password such as password1234, or a password that has already appeared in a breach and therefore sits at the top of the attacker’s guess list. 

Credential Stuffing 

“Credential Stuffing” is a type of Brute Force Attack in which the attacker replays username/password pairs stolen in one breach against many other online services. Because many people reuse the same password with the same username or email address, and often keep using it even after it has been exposed, these credential lists are readily available on the Dark Web and elsewhere for cybercriminals to exploit, and automated tools test them against hundreds of sites at once. 

Social Engineering 

“Social engineering” is one of the most dangerous attack methods because it exploits a person’s natural tendency to trust. Cybercriminals are highly effective at building websites that look real and presenting them to their victims as fake login pages. The target enters their credentials, never gains access to the real account, and has unknowingly handed over their password. This is the most common type of password theft, or credential leak as we call it. 

Dictionary Attack 

A “Dictionary Attack” is a type of Brute Force Attack in which automated password-guessing software tries every word in a wordlist (the “dictionary”), usually with common variations applied to each word such as capitalization, appended numbers or years, and character substitutions like “a” to “4”. The attacker is relying on the habit of using a single word, or a word with a predictable suffix, as a password. Attackers will also build wordlists specific to the target, including birthdays, pet names, schools attended and similar information gathered from social media and public records. 
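As an added example (not code from the original article), the script below simulates an offline dictionary attack against a leaked password hash. It combines a generic wordlist with words gathered about the target and applies the kind of mangling rules cracking tools use, which is why a pet name plus a year falls in a handful of guesses while a random passphrase does not. The wordlists, the target details and the victim password are all constructed for the example, and unsalted SHA-256 is used only to keep the demo fast and self-contained.

```python
import hashlib
from typing import Iterable, Optional, Tuple


def sha256_hex(password: str) -> str:
    """Hash a candidate the way the (constructed) leaked database did: unsalted SHA-256."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


# Constructed stand-in for a generic dictionary or leaked-password list.
BASE_WORDS = ["password", "welcome", "summer", "football", "letmein"]

# Constructed stand-in for words scraped about one target (pet name, school, home town).
TARGET_WORDS = ["rex", "lincolnhigh", "philly"]


def mangle(word: str) -> Iterable[str]:
    """Yield the word plus common variants: case changes, number/symbol suffixes, leetspeak."""
    for base in (word, word.capitalize(), word.upper()):
        yield base
        for suffix in ("1", "123", "!", "2023", "2024", "2024!"):
            yield base + suffix
    leet = word.translate(str.maketrans("aeios", "43105"))
    yield leet
    yield leet + "!"


def dictionary_attack(
    target_hash: str,
    wordlists: Iterable[Iterable[str]],
    max_candidates: int = 1_000_000,
) -> Tuple[Optional[str], int]:
    """Try every mangled candidate from every wordlist in order.

    Returns (recovered password or None, number of guesses made). The guess budget
    stands in for the attacker's time limit; a real tool would run for days.
    """
    tried = 0
    for wordlist in wordlists:
        for word in wordlist:
            for candidate in mangle(word):
                tried += 1
                if tried > max_candidates:
                    return None, tried
                if sha256_hex(candidate) == target_hash:
                    return candidate, tried
    return None, tried


if __name__ == "__main__":
    # Constructed victim password: pet name + year + "!" (a very common pattern).
    victim_hash = sha256_hex("Rex2024!")
    found, guesses = dictionary_attack(victim_hash, [BASE_WORDS, TARGET_WORDS])
    print(f"cracked: {found!r} after {guesses} guesses")

    # A random multi-word passphrase is not in either list and survives the full run.
    strong_hash = sha256_hex("correct horse battery staple")
    print("passphrase:", dictionary_attack(strong_hash, [BASE_WORDS, TARGET_WORDS]))
```

The target-specific list is tried second here, but a real attacker would put it first; either way it contains only a few dozen candidates, so the personal-detail password is recovered almost instantly. The defence is not a cleverer suffix but a password that is not derived from a word at all, plus a slow, salted hash such as bcrypt or Argon2 on the server so that each guess costs the attacker far more than one SHA-256.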

Keylogger Attack 

A “Keylogger Attack” uses a type of spyware on a device to do exactly what the name says: track and record what you type on your keyboard. Surprisingly, keylogging software is sold legally for monitoring purposes, but when a threat actor deploys it, it captures the user’s keystrokes, passwords included, for malicious purposes. Because the password is captured as it is typed, its length and complexity offer no protection against this attack; only keeping the device free of malware does. 

Password Spray Attack 

A “Password Spray” Attack is the reverse of a brute force attack on a single account: the attacker takes a short list of very common passwords (password1, Summer2024! and the like) and tries each one against a large number of accounts, so that no single account sees more than one or two failed logins. Sophisticated attackers use automated tools that pace the attempts across accounts and over time to stay beneath account-lockout thresholds and avoid discovery. 
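The difference between the two shapes of attack is what a detection rule keys on: a brute force piles failures onto one account, while a spray spreads a failure or two across many accounts from the same source. The following added example (not from the original article) is a small rule that separates the two over a constructed authentication log; the log format, addresses and usernames are all made up for the example, and the thresholds are illustrative defaults to tune for your environment.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from typing import Dict, Iterable, List

# Constructed log format: "<ISO timestamp> src=<ip> user=<name> result=OK|FAIL".
LOG_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(lines: Iterable[str]) -> List[dict]:
    """Parse matching lines into events; lines that do not match are skipped."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"].replace("Z", "+00:00"))
        events.append({"ts": ts, "src": m["src"], "user": m["user"], "result": m["result"]})
    return events


def detect(
    events: Iterable[dict],
    window: timedelta = timedelta(minutes=10),
    spray_min_users: int = 5,       # breadth: at least this many distinct accounts
    spray_max_per_user: int = 2,    # ...each seeing no more failures than this
    brute_min_failures: int = 8,    # depth: one account with at least this many failures
) -> List[Dict]:
    """Bucket failures per (source, fixed time window) and apply both rules."""
    fails = defaultdict(list)     # (src, window) -> list of users that failed
    successes = defaultdict(set)  # (src, window) -> users that later logged in OK
    win_s = int(window.total_seconds())
    for e in events:
        bucket = (e["src"], int(e["ts"].timestamp()) // win_s)
        if e["result"] == "FAIL":
            fails[bucket].append(e["user"])
        else:
            successes[bucket].add(e["user"])

    findings = []
    for bucket, users in fails.items():
        src = bucket[0]
        per_user = Counter(users)
        # Spray: many accounts, each kept under the lockout threshold.
        if len(per_user) >= spray_min_users and max(per_user.values()) <= spray_max_per_user:
            findings.append({
                "src": src, "type": "password_spray",
                "accounts": len(per_user), "failures": len(users),
                # A success from the same source in the same window means the spray hit.
                "followed_by_success": bool(successes[bucket]),
            })
        # Brute force: one account hammered from one source.
        for user, n in per_user.items():
            if n >= brute_min_failures:
                findings.append({
                    "src": src, "type": "brute_force", "account": user, "failures": n,
                    "followed_by_success": user in successes[bucket],
                })
    return sorted(findings, key=lambda f: (f["src"], f["type"]))


# Constructed sample log: one spraying source, one brute-forcing source, one benign user.
SAMPLE_LOG = [
    f"2024-05-01T08:00:{i * 9:02d}Z src=203.0.113.7 user={u} result=FAIL"
    for i, u in enumerate(["alice", "bob", "carol", "dave", "erin", "frank"])
] + [
    "2024-05-01T08:03:30Z src=203.0.113.7 user=frank result=OK",       # the spray succeeded
] + [
    f"2024-05-01T08:05:{i:02d}Z src=198.51.100.23 user=bob result=FAIL" for i in range(10)
] + [
    "2024-05-01T08:06:00Z src=192.0.2.5 user=alice result=FAIL",       # typo, then success
    "2024-05-01T08:06:05Z src=192.0.2.5 user=alice result=OK",
]


def run_sample() -> List[Dict]:
    return detect(parse_log(SAMPLE_LOG))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

The spray finding is the one to prioritise when `followed_by_success` is true, because it means one of the sprayed accounts had a password on the attacker’s short list. Per-account lockout alone never fires on a spray, which is why the rule groups by source rather than by account; in practice you would also group by user agent or ASN, since sprays are often spread across many source addresses.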

Phishing 

“Phishing” attacks are on the rise and getting more convincing every day. In a phishing attack, the attacker sends a message, usually an email or an SMS, containing an urgent request. The perpetrator often pairs the message with a fake website, as in the social engineering example above, to lure the victim into logging in and inadvertently giving up their credentials. Those credentials are then used to access the real accounts. 

Man-in-the-Middle Attack 

A “Man-in-the-Middle” Attack places the attacker between the victim and a legitimate service, so that traffic passes through infrastructure the attacker controls while both ends believe they are talking directly to each other. In credential theft the attack is typically set up through a phishing message that impersonates a legitimate business and attempts two things. First, it carries malicious attachments that trick the victim into opening them and installing spyware aimed at recording passwords. Second, it embeds links to a decoy site that relays the victim’s input to the real login page, so the username and password (and, with some phishing kits, the resulting logged-in session) are captured in transit as the victim signs in. 

Traffic Interception 

Traffic Interception is a type of Man-in-the-Middle attack in which a threat actor eavesdrops on the network, for example on an open or poorly secured Wi-Fi connection, or uses a tactic called SSL hijacking. In SSL hijacking the threat actor inserts themselves into the connection between the intended target and a legitimate site, typically by presenting a forged certificate or by downgrading the connection to plain HTTP, and records any pertinent information exchanged between the two, credentials included. Properly validated HTTPS defeats passive eavesdropping, which is why a browser certificate warning on a login page should never be clicked through. 

Shoulder Surfing 

Shoulder Surfing may sound like a stretch, but it is a legitimate way for an attacker to steal your password: simply looking over your shoulder. In public places we are often not fully aware of our surroundings and type our credentials while others are watching. Video surveillance cameras can also capture your password, and you generally have no idea who is on the other side of those cameras. A close second to this method is leaving passwords “hidden” out in the open on post-it notes and in similar places. 

Password Attack Prevention 

Now that we’re familiar with the most common ways attackers try to steal your passwords, how do we stop them? The good news is that there are several things we can do to protect ourselves, and none of them is difficult or expensive to implement. 

Avoid Password Reuse 

Creating a strong, unique password for every account seems like the most obvious step, but with the sheer number of password-protected accounts we manage daily, it is understandable to pick one memorable password and use it everywhere. The problem is that a password only has to leak once: if it is exposed in a single breach, every account that uses the same or a similar password is now compromised, which is exactly what credential stuffing relies on. According to NIST (National Institute of Standards and Technology, Special Publication 800-63B), user-chosen passwords should be at least 8 characters, systems should accept passwords of at least 64 characters, and all printable characters, including spaces and Unicode such as emoji, should be allowed. Long passphrases are preferred over short strings with forced symbols, and new passwords should be screened against lists of known-breached passwords. NIST also advises against routine forced resets: change a password only when it is forgotten or suspected to be compromised. 
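Here is an added example, not code from the original article, of a password acceptance check that follows the NIST guidance summarized above: a length floor and a generous ceiling, Unicode counted per character, no composition rules, and rejection of breached, repetitive, sequential and context-specific passwords. The breached-password set is a tiny constructed stand-in for a real corpus; in production you would query a full breach list (for example the Have I Been Pwned range API) rather than an inline set.

```python
import unicodedata
from typing import Iterable, Tuple

# Constructed stand-in for a breached-password corpus (compared case-insensitively).
BREACHED = {"password", "password1234", "welcome1", "qwerty123", "letmein", "summer2024!"}


def _is_repetitive_or_sequential(pw: str) -> bool:
    """Reject 'aaaaaaaa' and 'abcdefgh' / '12345678' style passwords, which NIST calls out."""
    if len(set(pw)) == 1:
        return True
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps in ({1}, {-1})


def check_password(
    candidate: str,
    blocklist: Iterable[str] = BREACHED,
    min_len: int = 8,
    max_len: int = 64,
    context_words: Iterable[str] = (),
) -> Tuple[bool, str]:
    """Return (accepted, reason). No composition rules: a passphrase of plain words is fine."""
    # NFKC normalization so the same visible string is treated the same way regardless
    # of input method (NIST recommends normalizing before hashing for the same reason).
    pw = unicodedata.normalize("NFKC", candidate)
    n = len(pw)  # code points, not bytes: an emoji or accented letter counts as one character
    if n < min_len:
        return False, f"shorter than {min_len} characters"
    if n > max_len:
        return False, f"longer than {max_len} characters"
    if pw.lower() in {w.lower() for w in blocklist}:
        return False, "appears in a breached-password list"
    if _is_repetitive_or_sequential(pw):
        return False, "repetitive or sequential characters"
    for word in context_words:  # username, company name, service name, etc.
        if word and word.lower() in pw.lower():
            return False, f"contains context-specific word {word!r}"
    return True, "accepted"


if __name__ == "__main__":
    # Constructed inputs: a typical weak choice, a passphrase, Unicode, and a company name.
    for pw, ctx in [
        ("password1234", ()),
        ("correct horse battery staple", ()),
        ("🔑 my vault key 2024", ()),
        ("AcmeCorp Winter 2024", ("acme",)),
    ]:
        print(f"{pw!r:40} -> {check_password(pw, context_words=ctx)}")
```

Note what the check does not do: it never demands an uppercase letter, a digit or a symbol. Those rules push people toward predictable substitutions (Password1!) that dictionary rules already cover, while a four-word passphrase passes here and resists the attacks described earlier.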

Deploy Multi-Factor Authentication (MFA) 

Multi-factor authentication adds a second step to the login process: in addition to something you know (your password), you must present something you have (a hardware token or an authenticator app) or something you are (a fingerprint or other biometric). Enabling MFA does not make the password itself harder to crack; it means a stolen or guessed password alone is no longer enough to get in, which blunts most of the attacks above, including credential stuffing and password spraying. Phishing-resistant methods such as hardware security keys are the strongest option, because one-time codes typed into a fake login page can be relayed by a man-in-the-middle site just like the password. 

Use a Password Manager 

A password manager is a great way to keep all your passwords safe, and it is the practical answer to the reuse problem: it generates a different random password for every account and remembers them for you, so you only need to memorize one strong master passphrase. Password managers are available as corporate or individual tools. Their benefits include auto-generation of new passwords, encrypted storage of all credentials, synchronization across multiple devices and operating systems, and protection against phishing sites, since a manager will only fill a saved password on the domain it was saved for.  

Deploy an Endpoint Detection and Response Solution (EDR) 

Endpoint Detection and Response (EDR) is an endpoint security solution that continuously monitors end users’ devices to detect an attack in progress and respond to the threat. If a password attack is executed against an end-user device, for example a keylogger being installed or a credential-stealing script running, the EDR solution provides real-time alerts so that your IT security team can take swift action, such as isolating the device and resetting the affected credentials. 

Conclusion 

A strong cybersecurity posture starts with something as simple as a good password. When we create our passwords, we assume they are strong enough and that a password attack could never happen to us. As this article shows, we are all susceptible to multiple types of password attack, ranging from the simple to the complex. The good news is that there are many ways to protect yourself, and a consistent routine of password hygiene (unique passwords, a password manager and MFA on every account that offers it) will keep you protected.