7 Password Based Attacks to Be Aware of & How to Prevent Them

Passwords are the keys to your digital kingdom and cybercriminals know it. They want to get their hands on users’ passwords — here’s what you can do to prevent that from happening

Password based attacks are among the most common types of cyber attack. An attacker uses one of several methods to try to steal or crack passwords to access your personal or organization’s data.

According to a survey by Privileged Access Management specialists Centrify, 74% of data breaches involved attacks on the organizations’ privileged accounts. Hackers know that many of us don’t put much thought into our password security, and take advantage of that.

Hackers use various password based attack methods to bypass single-factor authentication. To improve your account defenses, you should understand how these methods work and what you can do to prevent them. Here, we’ve compiled a list of password based attacks that you should be aware of, and we’ve also included some recommendations on how you can defeat them.

7 Password Based Attack Methods You Should Be Aware of

Below is our list of some of the password based attacks that you should know about.

1. Phishing & Login Spoofing Attacks

Phishing attacks are among the most common types of password attacks. Hackers typically send an email pretending to be someone else to get users to download malicious attachments or click on malicious links that take them to fake login pages.

Cybercriminals can also use this login spoofing to get victims to unintentionally give up their access credentials. In this scenario, a user enters their username and password on a malicious login page that’s designed to look legitimate. Once their login credentials are added in the malicious login form, those credentials are saved on the attacker’s server instead of the legitimate site’s server that the user intended.

Steps to Prevent Phishing Attacks

• Don’t engage with emails from unknown contacts. Avoid clicking on attachments or links in emails from unknown senders.
• Avoid downloading content from suspicious websites. Don’t download anything from an untrustworthy website.
• Don’t visit or share sensitive information on insecure websites. If websites aren’t HTTPS-enabled, it means they’re insecure because they don’t have SSL/TLS certificates installed and are using the insecure HTTP protocol. (This is why the “Not Secure” messages display on them.) Only login to sites or share other sensitive information once you’ve verified a site is legitimate.

2. Brute Force Attack

Brute force attacks are one of the easiest and most commonly seen login attack methods. Attackers use this trial-and-error tactic to guess login credentials, encryption keys or to find hidden web pages. Put simply, hackers try all the possible combinations in the hope of finding the correct solution. Depending on the complexity and length of the password, it can take from a few seconds to years to crack the password.

As the name implies, a brute force attack involves an attacker trying to force their way into a victim’s account to gain unauthorized access. It’s among the oldest attack methods and is still widely used by hackers. It boils down to something akin to a guessing game where the attacker repeatedly applies different username and password combinations until they either find pairs that match or they run out of combinations to try.

Steps to Prevent Brute Force Attacks

There are several steps you and your users can take to avoid becoming a victim of a brute force attack:

• Avoid using common, easy-to-guess passwords. This includes everything from commonly known info such as your pet’s name, your date of birth, or common passwords like Admin, password123, etc. Instead, use hard-to-guess combinations of upper- and lower-case letters, numbers, and special characters such as * (asterisk).
• Avoid sharing sensitive or personal information about yourself online. This is a general, all-around good cyber security best practice. The online world, including social media sites, provides cybercriminals with information they can use to guess insecure passwords.
• Enable (2FA) two-factor authentication on your accounts. Two factor authentication, which is a form of multi-factor authentication, adds another layer of security to your account.
• Maintain current employee access lists. Be sure to remove old, unused or otherwise unmaintained accounts of former employees. Leaving these accounts active widens your organization’s attack surface with regard to password based attacks.
• Encrypt your sensitive data. Use System admins should make sure that systems are encrypted using high standard encryption such as 256-bit.
• Don’t store plaintext passwords. Ensure that all passwords are hashed before they are stored in your database. To make these password hashes more secure, be sure to add a salt (a random integer) to your password prior to hashing it.
• Use an intrusion detection system (IDS). This type of system allows you to monitor your IT systems and network in real time to identify threats.
• Set limits on how many times a user can try to log in. For instance, if a user enters the wrong password more than three times, the account could be locked for a set period of time.
• Throttle repeated login attempts. Once a login attempt fails, a timer could be activated for a short period (a few hours or so). During that time, the user must not be able to access the account.
• Require a CAPTCHA after repeated failed login attempts. This provides an additional layer of security and protects your web apps against bot-based brute force attacks.
• Use an IP blocklist or allowlist (blacklist or whitelist). Using a blocklist enables you to block attacks from known dangerous IP addresses or login attempts from attackers within specific geographic regions. A whitelist, on the other hand, is a way to specify which IP addresses (or ranges of IP addresses) you want to allow to login to your site or services.

3. Password Spraying Attacks

In a password spraying attack, also called the ‘low-and-slow’ method, the attacker uses a single commonly used password, like 12345 or Password123, to attempt to gain access to all the accounts on their list. They try it against a list of usernames to see if any match. After trying the password with all the usernames, they move on to the second password, then the third, and so on, repeating the process as they go.

So, for instance, if the attacker has a list of 100 different account usernames, the first password might work for one account, and the 99 other accounts won’t be locked as there were no multiple failed login attempts — so they’re free to try the next password. With the security measures listed above for brute force attacks in place, the targeted account would be locked due to multiple failed passwords attempts.

Attackers often use password spraying attack techniques to gain access to cloud-based applications and SSO (Single Sign-On) based applications that use protocols like federated authentication. 

Steps to Prevent Password Spraying Attacks

Here are some steps you can take to prevent password spraying attacks:

• Employ multi-factor authentication (MFA). Enable this on all user accounts.
• Use strong passwords or passphrases. Complex passwords are a combination of upper- and lower-case letters, numbers, and special symbols (like *, ! or %). Strong passphrases, which are more secure, are combinations of 3-5 random words like CrackleDazzleCandlemaker. They’re better because passphrases are easy for you to remember and hard for bad guys to guess.
• Review your password management system regularly. Ensure that everything is updated and that your current list of users is accurate.
• Provide cyber awareness training to all network users. This type of security training helps to sharpen the cybersecurity skills and awareness of your employees.
• Make sure you have proper policies and procedures in place. This includes having user lockouts and password resets procedures documented.

4. Dictionary Attacks

A dictionary attack is an attack where hackers break into account by trying random words that can be found in a dictionary as a password. They’ll often make small changes to those words — perhaps, adding symbols and/or numbers to them to find similar passwords — until they find a match. Sometimes, hackers also use dictionary attacks to find the necessary key to decrypt an encrypted file or message.

It’s a standard attack method with a high success rate. Unfortunately, many users don’t follow their organizations’ secure password policies and use ordinary, easy-to-crack passwords. Hackers exploit this, using a script that rotates through common words to find matches.

Dictionary attacks rely on the psychology of the targets. For example, users often choose a short password based on commonly used words like sports team names, pet names, or terms commonly found in a dictionary. This type of password based attack starts with trying these words and adding variations like replacing letters with numbers or adding numbers.

Steps to Prevent Dictionary Attacks

Some common steps that can help you avoid this type of attack are as follows:

• Set login limits for accounts. Limit multiple logins attempts within a certain period
• Avoid using common words or sports names as passwords. Make your passwords unique and hard to guess.
• Use CAPTCHA to prevent automated logins. This helps you prevent automated botnet login attacks.

5. Credential Stuffing Attacks

Credential stuffing is a login attack where hackers use the organization’s stolen login credentials, often purchased from the dark web or shared on another online forum, and try to access other accounts within the organization. Likewise, attackers use a combination of different passwords and usernames they’ve gained through data breaches that they’ve carried out themselves.

Steps to Prevent Credential Stuffing Attacks

Steps we recommend to avoid this type of login attack:

• Don’t recycle or reuse passwords. Avoid using the same passwords for multiple accounts. Instead use a password manager to store different passwords for different accounts.
• Enable multi-factor authentication (MFA). This extra layer of security helps to prevent credential stuffing attacks because users are required to provide an additional authentication factor as part of the log in process.
• Only store salted password hashes. Hash your password before you store it within your database. This way, hackers can’t get use password cracking techniques like hash tables and rainbow table attacks to try to figure out your original password input.

6. Keylogger Attacks

As the name implies, a keylogger attack is an attack where an attacker logs the user’s keystrokes. In other words, it records all the input that comes from a keyboard without the user’s knowledge. An attacker can utilize software or hardware to perform a keylogger attack. Software keyloggers are often installed by hackers getting users to click on malicious links or open attachments.

Steps to Prevent Keylogger Attacks

• Only download legitimate software from trusted sources. Avoid downloading and installing software applications from untrustworthy websites or third-party app stores as they may be infected with malware.
• Use unique passwords for all accounts. Never reuse the same password across multiple accounts. This way, if an attacker gets ahold of one account’s password, they can’t use it to try to access your other accounts.
• Set user profiles with minimal privileges. A principle of least privilege is a good way to reduce your attack surface because it entails only giving users access to what they need to do their jobs. If users only have access to select systems, it reduces the likelihood of attackers gaining access to sensitive systems.

7. Rainbow Table Attacks

Hackers try to use a rainbow table attack to crack unsalted passwords that are stored within a database. A rainbow table attack is a complex tactic involving an attacker creating “chains” of password-hash that they can use to link back to an original hash function. The advantage of this type of attack is that they’re effective for cracking complex passwords (relatively) quickly because they involve a lot of preparatory work ahead of time.

Steps to Prevent Rainbow Table Attacks

Salting your passwords prior to hashing them is the chief way to prevent rainbow table attacks. Don’t use the same salt for all passwords — use a unique, unpredictable salt for each one. A salt is an unpredictable element and prevents an attacker from creating an effective rainbow table in advance. According to McAfee, you’ll want the salt value to be the same as the hash output.

Wrapping Up on Password Based Attacks

An organization should understand that password based attacks are widespread and that relying on single-factor authentication makes your company vulnerable to attack. Therefore, it’s recommended that you:

• Follow proper protocols,
• Understand the different types of login attack mentioned above, and
• Take steps to prevent them.