Six types of password attacks

Here are six types of common password attacks and steps you can take to prevent them or at least reduce the likelihood of success.

Dictionary attack

An attack that takes advantage of the fact people tend to use common words and short passwords. The hacker uses a list of common words, the dictionary, and tries them, often with numbers before and/or after the words, against accounts in a company for each username. (Usernames are generally pretty easy to determine as they are almost universally based on the names of the employees.)

Brute force

Using a program to generate likely passwords or even random character sets. These attacks start with commonly used, weak passwords like Password123 and move on from there. The programs running these attacks usually try variations on upper and lowercase characters, as well.

Traffic interception

In this attack, the cyber criminal uses software such as packet sniffers to monitor network traffic and capture passwords as they’re passed. Similar to eavesdropping or tapping a phone line, the software monitors and captures critical information. Obviously, if that information—such as passwords—is unencrypted, the task is easier. But even encrypted information may be decryptable, depending on the strength of the encryption method used.

Man In the Middle

In this attack, the hacker’s program doesn’t just monitor information being passed but actively inserts itself in the middle of the interaction, usually by impersonating a website or app. This allows the program to capture the user’s credentials and other sensitive information, such as account numbers, social security numbers, etc. Man in the middle (MITM) attacks are often facilitated by social engineering attacks which lure the user to a fake site.

Key logger attack

A cyber criminal manages to install software that tracks the user’s keystrokes, enabling the criminal to gather not only the username and password for an account but exactly which website or app the user was logging into with the credentials. This type of attack generally relies on the user first falling prey to another attack that installs the malicious key logger software on their machine.

Social engineering attacks

Social engineering attacks refers to a broad range of methods to obtain information from users. Among the tactics used are:

• Phishing—Emails, texts, etc. sent to fool users into providing their credentials, clicking a link that installs malicious software, or going to a fake website.
• Spear phishing—Similar to phishing but with better crafted, tailored emails/texts which rely on information already gathered about the users. For example, the hacker may know that the user has a particular type of insurance account and reference it in the email or use the company’s logo and layout to make the email seem more legitimate.
• Baiting—Attackers leave infected USBs or other devices in public or employer locations in the hopes they will be picked up and used by employees.
• Quid quo pro—The cyber criminal impersonates someone, like a help desk employee, and interacts with a user in a way that requires getting information from them.

Thwarting password attacks

Strong passwords are usually the first defense against password attacks. The latest NIST guidelines recommend easy to remember/hard to guess passwords. A good mix of upper and lowercase characters, numbers, and special characters can help. Even better, avoid use of common words and common phrases. Definitely avoid site-specific words (including the name of the app you’re logging into in the password, for instance). NIST also recommends checking passwords against a dictionary of known poor passwords.

Employee education is also important. One of the best defenses against social engineering tactics is teaching users the techniques hackers use and how to recognize them.

Strong passwords and education really aren’t enough these days, though. Computing power allows cyber criminals to run sophisticated programs to obtain or try massive numbers of credentials. That’s why NIST also recommends not relying on passwords alone. Specifically, companies should adopt tools like single sign-on (SSO) and multi-factor authentication (MFA), also known as two-factor authentication.

SSO helps eliminate passwords by letting employees login to all their apps and sites with just one set of credentials. Users only need remember one, strong password. MFA requires an additional piece of information when the user logs in, such as a pin generated by an application like OneLogin Protect or fingerprint authentication. This additional piece of information makes it far more difficult for cyber criminals to impersonate a user.