Here are six types of common password security attacks and steps you can take to prevent them or at least reduce the likelihood of success.
An attack that takes advantage of the fact people tend to use common words and short passwords. The hacker uses a list of common words, the dictionary, and tries them, often with numbers before and/or after the words, against accounts in a company for each username. (Usernames are generally pretty easy to determine as they are almost universally based on the names of the employees.)
Using a program to generate likely passwords or even random character sets. These attacks start with commonly used, weak passwords like Password123 and move on from there. The programs running these attacks usually try variations on upper and lowercase characters, as well.
In this attack, the cyber criminal uses software such as packet sniffers to monitor network traffic and capture passwords as they’re passed. Similar to eavesdropping or tapping a phone line, the software monitors and captures critical information. Obviously, if that information—such as passwords—is unencrypted, the task is easier. But even encrypted information may be decryptable, depending on the strength of the encryption method used.
In this attack, the hacker’s program doesn’t just monitor information being passed but actively inserts itself in the middle of the interaction, usually by impersonating a website or app. This allows the program to capture the user’s credentials and other sensitive information, such as account numbers, social security numbers, etc. Man in the middle (MITM) attacks are often facilitated by social engineering attacks which lure the user to a fake site.
A cyber criminal manages to install software that tracks the user’s keystrokes, enabling the criminal to gather not only the username and password for an account but exactly which website or app the user was logging into with the credentials. This type of attack generally relies on the user first falling prey to another attack that installs the malicious key logger software on their machine.
Social engineering attacks refers to a broad range of methods to obtain information from users. Among the tactics used are:
Strong passwords are usually the first defense against password attacks. The latest NIST guidelines recommend easy to remember/hard to guess passwords. A good mix of upper and lowercase characters, numbers, and special characters can help. Even better, avoid use of common words and common phrases. Definitely avoid site-specific words (including the name of the app you’re logging into in the password, for instance). NIST also recommends checking passwords against a dictionary of known poor passwords.
Employee education is also important. One of the best defenses against social engineering tactics is teaching users the techniques hackers use and how to recognize them.
Strong passwords and education really aren’t enough these days, though. Computing power allows cyber criminals to run sophisticated programs to obtain or try massive numbers of credentials. That’s why NIST also recommends not relying on passwords alone. Specifically, companies should adopt tools like single sign-on (SSO) and multi-factor authentication (MFA), also known as two-factor authentication.
SSO helps eliminate passwords by letting employees login to all their apps and sites with just one set of credentials. Users only need remember one, strong password. MFA requires an additional piece of information when the user logs in, such as a pin generated by an application like OneLogin Protect or fingerprint authentication. This additional piece of information makes it far more difficult for cyber criminals to impersonate a user.
Learn how MFA can help prevent common cyberattacks and security breaches.Read More
Are there similarities between the defenses of the Night’s Watch and those of cybersecurity teams in the real world? You be the judge.Read the Blog
Understand what cybersecurity means, the types of cyber attacks, and how you can prevent them.Read More