Password attacks are incredibly stressful and a substantial risk for organizations. IT and security teams trying to fix the issue may experience anxiety, anger, panic, and sometimes guilt. For those in denial about the risk of password attacks, an incident is an abrupt wake-up call. After a password attack, employees who put the organization at risk may fear repercussions or repeat victimization. These events can also trigger cyber fatigue, which can result in both physical and mental health issues.
The chain of emotions can begin much earlier. Security leaders carry the weight of convincing others that password management is essential and implementing security controls that people are willing to adopt. Some find that it takes a successful password attack to get their organization to prioritize stronger security.
Organizations can experience friction from employees whenever security teams change password requirements, whether by increasing the minimum password length from 8 to 12 characters or by changing complexity rules or how often passwords must be changed. All of these significantly reduce the risk of password attacks but affect users' productivity, so finding the right balance that improves productivity, reduces friction, and increases security is a massive challenge for both IT and security teams.
Having a proven strategy and solutions to prevent, detect, and respond to password attacks can help you stay calm amidst the chaos. Read on to learn the fundamentals of password attacks and the latest best practices and recommendations to reduce your risk.
A password attack is a cyberattack in which a cybercriminal gains access to an IT system by stealing, cracking, or guessing a password. A password is a type of secret, like passcodes, passphrases, and numeric PINs. It’s typically used in combination with a unique identifier (typically a username or email address) to unlock a certain level of access for applications, databases, and infrastructure.
Most login systems use a cryptographic technique known as a hash to store passwords in a database. That hash should be one-way: the stored value can be computed from the password, but the password cannot be recovered from the stored value. No one other than the user or system should ever know the clear-text password.
Anyone with the proper password and user credential can gain unauthorized access to sensitive data, conduct fraudulent transactions, and even bring down systems critical to running your business. If people use the same password to gain access to multiple systems, then a password attack can result in damage not just in one area of the business, but many.
Password attacks are often successful because many users choose easy-to-guess passwords and neglect to store them securely. When organizations leave the responsibility for password hygiene fully in the hands of users, the risk of password attacks increases.
Cybercriminals look for the easiest, stealthiest, and least costly strategies for conducting password attacks. They want to get in and get out without being caught. Below are some common techniques for conducting password attacks.
Criminals take advantage of people’s trusting nature to get you to voluntarily hand over your password. For example, they may pretend to be an authentic internet service or application, send you a link to a legitimate-looking site, and ask you to log in.
Brute-force password attacks are a hacking technique that cracks passwords, login credentials, and encryption keys by trying candidates until one works, in order to gain initial access. These include:
Password spraying involves using a common or easily guessed password against multiple accounts. One flavor—a dictionary attack—involves building a lookup table of candidate words and their precomputed hashes. Hackers then compare those hashes against a stolen digest file to find a match. Through trial and error, they eventually hit on a username-password pair that unlocks an entry point.
Credential stuffing involves using credentials stolen or leaked from one account to breach other accounts. There are numerous ways attackers can obtain valid credentials for these types of password attacks. They may obtain lists of usernames and passwords from data breaches, purchase them on the Dark Web through Initial Access Brokers, or find them in libraries and code repositories such as GitHub.
Learn more here: Password spraying vs. credential stuffing: why the difference matters
Above: An example of an initial access broker cracking passwords and verifying the credential
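Spraying and credential stuffing leave different footprints in authentication logs, and the distinction matters for detection. The following is an added example (not code from the original article) of two simple detectors run over constructed sample log lines: spraying shows up as one source failing against many accounts in a short window, while stuffing shows up as many sources each failing against a single account. The log format, thresholds and sample addresses are assumptions of this example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Added example, not code from the original article: simple detectors for the
# spraying and stuffing patterns, run over constructed authentication records.
# The log format (timestamp, result, user, source address) is an assumption.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth=(?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

# Constructed sample: two legitimate users (one mistypes once), one spraying
# source hitting six accounts, five distributed sources each trying one account.
SAMPLE_LOG = """
2024-05-01T10:00:01Z auth=OK user=alice src=10.0.0.7
2024-05-01T10:00:05Z auth=FAIL user=bob src=10.0.0.8
2024-05-01T10:00:12Z auth=OK user=bob src=10.0.0.8
2024-05-01T10:01:00Z auth=FAIL user=alice src=203.0.113.5
2024-05-01T10:01:02Z auth=FAIL user=bob src=203.0.113.5
2024-05-01T10:01:04Z auth=FAIL user=carol src=203.0.113.5
2024-05-01T10:01:06Z auth=FAIL user=dave src=203.0.113.5
2024-05-01T10:01:08Z auth=FAIL user=erin src=203.0.113.5
2024-05-01T10:01:10Z auth=FAIL user=frank src=203.0.113.5
2024-05-01T10:05:00Z auth=FAIL user=alice src=198.51.100.1
2024-05-01T10:05:03Z auth=FAIL user=bob src=198.51.100.2
2024-05-01T10:05:07Z auth=FAIL user=carol src=198.51.100.3
2024-05-01T10:05:11Z auth=FAIL user=dave src=198.51.100.4
2024-05-01T10:05:15Z auth=FAIL user=erin src=198.51.100.5
2024-05-01T10:05:19Z auth=OK user=frank src=198.51.100.6
"""


def parse_events(text):
    """Turn log text into a list of dicts; lines that do not match are skipped."""
    events = []
    for line in text.strip().splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"].replace("Z", "+00:00")),
            "ok": m["result"] == "OK",
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_spraying(events, window=timedelta(minutes=30), min_users=5):
    """Sources whose failed logins touch >= min_users distinct accounts in one window.

    Spraying tries one candidate password across many accounts, so each account
    sees only a failure or two (no lockout) while the source fans out widely.
    """
    fails_by_src = defaultdict(list)
    for e in events:
        if not e["ok"]:
            fails_by_src[e["src"]].append(e)
    flagged = {}
    for src, fails in fails_by_src.items():
        fails.sort(key=lambda e: e["ts"])
        start, peak = 0, 0
        for end in range(len(fails)):  # sliding window over this source's failures
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            peak = max(peak, len({e["user"] for e in fails[start:end + 1]}))
        if peak >= min_users:
            flagged[src] = peak
    return flagged


def detect_stuffing(events, min_sources=5):
    """Distributed pattern: many sources each failing against one or two accounts.

    A source that later succeeds on the account it failed on is treated as a user
    mistyping, not as an attacker, so it does not count toward the threshold.
    """
    fails, oks = defaultdict(set), defaultdict(set)
    for e in events:
        (oks if e["ok"] else fails)[e["src"]].add(e["user"])
    suspicious = {
        src: users - oks[src]
        for src, users in fails.items()
        if len(users) <= 2 and users - oks[src]
    }
    if len(suspicious) < min_sources:
        return None
    return {
        "sources": sorted(suspicious),
        "accounts": sorted(set().union(*suspicious.values())),
    }


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("spraying:", detect_spraying(evs))
    print("stuffing:", detect_stuffing(evs))
```

Note that per-account lockout thresholds alone catch neither pattern: the spraying source fails only once per account, and each stuffing source fails only once in total. Both detectors therefore aggregate across accounts and sources rather than per account.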
In this type of password attack, malware installed on your computer records your keystrokes. It sends that information to a malicious hacker using a command-and-control (C&C) server. The hacker then analyzes the keystrokes to locate usernames and passwords.
In this cyberattack technique, a malicious actor positions themselves between two parties in a communication channel to intercept and steal data, such as passwords and credentials. Public Wi-Fi networks are often used in this type of password attack because they are typically less secure than private internet connections.
Windows systems are typically the favored target of Pass-the-Hash attacks. Windows doesn’t send user passwords over the network or save them in clear text. Instead, it stores them as NTLM hashes—fixed-length values derived from the password. Attackers can use Pass-the-Hash to “trick” the Windows system into accepting them as legitimate users: once a Windows system is compromised, the NTLM hash can be used in place of the password.
Despite your best attempts to prevent password attacks, hackers are constantly trying new techniques to get around your defenses. It’s important to know the red flags that indicate a password attack so you can intervene quickly and contain the damage.
Here’s what to look for:
There are many things you can do to reduce the risk of password attacks on your enterprise, from preventing them in the first place to stopping them in their tracks.
Compliance frameworks are a good starting point for the latest guidance on password requirements. The latest draft version of NIST's password guidelines, for example, simplifies password management recommendations.
While they still call for long passwords, NIST is no longer promoting using a mixture of character types in passwords or regularly changing passwords. They’ve found that making people change passwords frequently has resulted in people choosing weaker passwords.
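To make the guidance above concrete, here is an added example (not code from the original article or any product) of a password acceptance check that follows it: a minimum length, a blocklist of common or breached passwords, a check against the username, and deliberately no rule about mixing character types. The 12-character minimum and the small blocklist are assumptions of this example; a real deployment would load a large breached-password list.

```python
import unicodedata

# Added example, not code from the original article: a password acceptance
# check in the spirit of the NIST guidance. MIN_LENGTH and BLOCKLIST are
# assumptions; a real deployment would load a large breached-password list.
MIN_LENGTH = 12
BLOCKLIST = {
    "password1234", "welcome12345", "qwerty123456", "letmein12345", "changeme1234",
}


def check_password(password: str, username: str = "", blocklist=BLOCKLIST) -> list:
    """Return the reasons a password is rejected; an empty list means accepted.

    Deliberately absent: any requirement to mix upper case, digits and symbols,
    and any expiry date. Spaces and non-ASCII characters are allowed so that
    long passphrases are easy to choose.
    """
    # NFKC normalization so visually identical input compares equal
    pw = unicodedata.normalize("NFKC", password)
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if pw.lower() in blocklist:
        problems.append("appears on the blocklist of common or breached passwords")
    if username and username.lower() in pw.lower():
        problems.append("contains the username")
    return problems


if __name__ == "__main__":
    for candidate, user in [("P@ssw0rd", ""), ("correct horse battery staple", ""),
                            ("Password1234", ""), ("alice-summer-2024", "alice")]:
        print(repr(candidate), "->", check_password(candidate, user) or "accepted")
```

The short "complex" password is rejected on length alone, while a long all-lowercase passphrase is accepted, which is the trade-off the guidance is making: length and a blocklist do more against cracking than forced symbol mixing does.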
Storing passwords in a browser increases exposure to further password attacks. Passwords can be easily retrieved if a device is stolen or if the browser is compromised through cyberattacks, malware, or malicious extensions. If your organization permits users to store passwords in the browser, enforce a secure-by-design approach and enable the browser's password security features.
Learn about secure browser extensions that manage credentials for websites and web applications.
Run a health check on your enterprise passwords to see where you are vulnerable.
Delinea’s Active Directory Weak Password Finder tool examines the passwords of your AD accounts and finds weak passwords to determine if your organization is susceptible to password attacks. A quick scan of your environment with the Weak Password Finder tool pinpoints your vulnerabilities:
The larger and more complex your enterprise, the more difficult it is to enforce password best practices and detect signs of password attacks. Automated solutions like enterprise password management and Privileged Access Management software take the burden off the shoulders of employees and move password management into the background.
There are differences between a consumer-grade password management tool and an enterprise solution such as Privileged Access Management (PAM). Which you choose will depend on your needs for centralized policy management, auditing, and integrations with other workflow and security tools.
You can reverse engineer password attack strategies cybercriminals use so you know what areas to focus on.
Check out their strategies: 5 most popular password cracking tools
Watch the recorded on-demand webinar: How your organization’s passwords get hacked and cracked
You may also be interested in watching this great podcast I did with Evil Mog—executive managing hacker at IBM X Force—in which we discuss modern methods for abstracting passwords away from human decision-making and moving them into the background for stronger security:
What technology trends are impacting the use of passwords and the risk of password attacks? Here are two big ones we’re watching:
Workplace passwords are evolving, supplemented by stronger, easier forms of authentication. As consumer technology brands and the FIDO Alliance create demand for passwordless authentication, enterprises are also moving toward passwordless experiences in the workplace, with solutions such as biometrics and facial recognition.
See what 300 IT and cybersecurity leaders say about passwordless authentication in our survey report:
The Future of Workplace Passwords.
The data shows a growing shift towards embracing AI for identity security, including password management and password attack detection. Initially, companies expect to apply AI to surface information, prioritize actions, and save time, supported by human oversight to ensure accuracy and effectiveness. Most expect to use AI for identity security use cases such as monitoring, alerting, and assessing risk.
Finally, see what 1,800 IT and security decision-makers across 21 countries have to say in our research report:
The State of Identity Security in the Age of AI.