What is it?
Password attacks can be carried out in many different ways, yet they all share the same end goal: stealing passwords in order to gain access to sensitive information. In this blog post we’re going to run through some of the most common ways in which hackers try to steal passwords: brute force attacks, dictionary attacks and key logger attacks. Hackers can also use Man in the Middle attacks to capture passwords as they travel across the network, so check out our previous cyber security spotlight to learn more about that method.
How does it work?
Key logger attacks
A key logger attack takes a different approach from guessing: the hacker installs software on the victim’s machine that records every keystroke. This lets the hacker capture everything the user types, from usernames and passwords to the address of the website where they were entered. The attack needs two things to go right: first the user has to be tricked into installing the software, typically through a malicious attachment or download, and then the user has to type the password while it is running. Because the password is captured as it is typed, this is the type of attack where a strong password offers the least protection; the defence is to keep the software off the machine in the first place (patching, endpoint protection and not running untrusted downloads).
Brute force attacks
As the name suggests, a brute force attack uses a program to generate password guesses and try them one after another until one unlocks the account or the password protected file. In its purest form it works through every possible combination of characters, which is why length and character variety matter: each extra character multiplies the number of guesses needed. In practice, tools start with the weakest and most common passwords, such as password123, before working through the rest. This may sound crude, but as long as people continue to dismiss advice around creating strong passwords, this type of attack will continue to be effective for hackers.
Dictionary attacks
A dictionary attack is a more targeted form of brute force. Instead of every possible string, hackers take advantage of the fact that passwords tend to include common words, so they try a list of such words together with simple variations, such as numbers before or after the word, in order to find a successful combination in far fewer guesses than a full brute force attack would need.
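To make the two guessing strategies concrete, here is an added example (not code from the original post) that runs a dictionary attack with the number-before-or-after rule described above, and then a full brute force, against a small table of stolen salted SHA-256 hashes. The usernames, salts, passwords and word list are all constructed for the demonstration. The keyspace() helper also backs up the strong-password advice later in the post by showing how quickly the number of guesses grows with length and character set.

```python
import hashlib
import itertools
import string

# Constructed example data: a "stolen" table of salted SHA-256 hashes.
# Salted SHA-256 is used here because it is fast enough for the demo to run in
# a second or two; a real system should store passwords with a deliberately
# slow hash (bcrypt, scrypt or Argon2), which makes every guess below far costlier.

LOWERCASE = string.ascii_lowercase


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256, hex encoded (weak but fast; for demonstration only)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


STOLEN_HASHES = {
    "alice": ("salt1", hash_password("salt1", "password123")),     # weak: common guess
    "bob":   ("salt2", hash_password("salt2", "dragon7")),         # weak: word + digit
    "carol": ("salt3", hash_password("salt3", "zqxj")),            # short, random letters
    "dave":  ("salt4", hash_password("salt4", "Tr0ub4dor&3xq!")),  # long, mixed character set
}

# A tiny constructed word list; real attacks use lists of millions of leaked passwords.
COMMON_WORDS = ["password", "letmein", "dragon", "welcome", "monkey", "qwerty"]


def dictionary_candidates(words):
    """Yield each word on its own, then with a number before or after it:
    the mangling rule the post describes."""
    for word in words:
        yield word
        for n in range(1000):
            yield f"{word}{n}"
            yield f"{n}{word}"


def brute_force_candidates(alphabet, max_len):
    """Yield every string over `alphabet` up to `max_len` characters, shortest first."""
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            yield "".join(combo)


def keyspace(alphabet_size, length):
    """Number of guesses a full brute force needs in the worst case."""
    return alphabet_size ** length


def crack(user, candidates, max_guesses=None):
    """Try each candidate against the user's stolen hash; return the password or None."""
    salt, target = STOLEN_HASHES[user]
    for i, guess in enumerate(candidates):
        if max_guesses is not None and i >= max_guesses:
            break
        if hash_password(salt, guess) == target:
            return guess
    return None


if __name__ == "__main__":
    for user in STOLEN_HASHES:
        print(f"dictionary  {user:6} -> {crack(user, dictionary_candidates(COMMON_WORDS))}")
    for user in STOLEN_HASHES:
        print(f"brute force {user:6} -> {crack(user, brute_force_candidates(LOWERCASE, 4))}")
    print("guesses for 4 lowercase letters:", keyspace(26, 4))
    print("guesses for 12 printable ASCII characters:", keyspace(94, 12))
```

Run as a script, the dictionary pass recovers alice’s and bob’s passwords with a few thousand guesses, the four-letter brute force recovers carol’s, and dave’s long mixed-character password survives both; the last two lines show that going from four lowercase letters to twelve mixed characters takes the worst case from under half a million guesses to roughly 4.8×10^23.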
How can you protect against it?
Key logger attacks aside, it is always beneficial to create a strong password for any applications or websites you use regularly that contain sensitive information. A strong password generally requires a mix of upper and lowercase letters, numbers and special characters, and above all length, since every extra character multiplies the number of guesses a brute force attack has to make. Where possible avoid common words, names and dates, to limit the effectiveness of dictionary attacks, and never reuse a password across sites, so that one stolen password cannot unlock everything else.
As a business it is also very important to make sure your staff are educated about the types of password attacks out there and are aware of the social engineering tactics hackers may also use to get users to disclose passwords via email or over the phone.
On top of this, it is always advisable to back up strong passwords with functionality such as two-factor or multi-factor authentication (MFA) and single sign-on (SSO). Single sign-on reduces the number of passwords employees have to manage by allowing them to use one set of credentials to log in to all their apps and websites; that one credential then needs protecting especially well. Multi-factor authentication requires an additional piece of information beyond the password, such as a PIN or a one-time code, in order to log in to key sites and apps, so a stolen password on its own is not enough.
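To show what the extra factor actually buys you, here is an added example (not the original post’s code, and not tied to any particular product) of a two-factor login check using time-based one-time codes (TOTP, RFC 6238 over the HOTP construction of RFC 4226). The user record, salt, password and the use of the RFC 6238 test-vector secret are all constructed for the demonstration; the password is hashed with plain salted SHA-256 only to keep the example short, where a real system would use a slow hash.

```python
import hashlib
import hmac
import struct
import time

# Constructed secret: the RFC 6238 test-vector key, so the codes below can be
# checked against the RFC tables. A real deployment generates a random secret
# per user and stores it encrypted.
TOTP_SECRET = b"12345678901234567890"


def hash_password(salt: str, password: str) -> str:
    """Salted SHA-256 (fast and therefore weak; demonstration only)."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed user record. last_counter is the highest time-step whose code has
# already been accepted, used to refuse replay of a captured code.
USERS = {
    "alice": {
        "salt": "s1",
        "pw_hash": hash_password("s1", "correct horse"),
        "totp_secret": TOTP_SECRET,
        "last_counter": -1,
    }
}


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226) with HMAC-SHA1 and dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP over the current time-step."""
    return hotp(secret, int(at // step), digits)


def login(user: str, password: str, code: str, now: float, window: int = 1) -> bool:
    """Two-factor login: the password AND a fresh code must both be right.
    `window` accepts codes from neighbouring time-steps to absorb clock drift;
    a code for a time-step at or before last_counter is refused as a replay."""
    rec = USERS.get(user)
    if rec is None:
        return False
    if not hmac.compare_digest(hash_password(rec["salt"], password), rec["pw_hash"]):
        return False                      # wrong password: the code is not even checked
    counter = int(now // 30)
    for offset in range(-window, window + 1):
        candidate = counter + offset
        if candidate <= rec["last_counter"]:
            continue                      # already used, or older than the last accepted code
        if hmac.compare_digest(hotp(rec["totp_secret"], candidate), code):
            rec["last_counter"] = candidate
            return True
    return False


if __name__ == "__main__":
    now = time.time()
    code = totp(TOTP_SECRET, now)
    print("stolen password, no code:   ", login("alice", "correct horse", "000000", now))
    print("stolen password, live code: ", login("alice", "correct horse", code, now))
    print("same code replayed:         ", login("alice", "correct horse", code, now + 5))
```

The point for the attacks above is in the first two calls: a password obtained by brute force, dictionary or key logger fails on its own, and a code captured alongside it is only good for one time-step and one use. Codes are compared with hmac.compare_digest so that the check does not leak how many digits matched through timing.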
Previous examples of password attacks…
Arguably the largest brute force password attack to happen in recent years affected GitHub. This attack also proved to be quite successful, as not just one account was compromised but several. During the attack, experts were able to identify brute force login attempts from over 40,000 unique IP addresses, which demonstrates the scale these kinds of attack can take: spread across that many addresses, each source makes only a handful of attempts, so a simple per-IP lockout does not catch it and the pattern only shows up when you look at failures per account across many sources. Read about even more examples of brute force password attacks just here
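The practical takeaway from the GitHub case is how to spot both kinds of guessing in your own logs. The following is an added example (not code from the original post or from GitHub) that runs over a handful of constructed OpenSSH-style auth log lines, using addresses from the documentation ranges, and flags three things: a single address hammering one account, one account being tried from many different addresses, and a successful login for such an account from an address that had been failing against it. The thresholds are assumptions for the demo and would be tuned to real traffic.

```python
import re
from collections import Counter, defaultdict

# Constructed sample log. 203.0.113.5 is a classic single-source brute force against
# root; alice is tried once each from four addresses (a distributed attack) and the
# fourth one gets in; bob is a user who simply mistyped his password once.
SAMPLE_LOG = """\
Jan 10 12:00:01 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 40001 ssh2
Jan 10 12:00:02 web1 sshd[2202]: Failed password for root from 203.0.113.5 port 40002 ssh2
Jan 10 12:00:03 web1 sshd[2203]: Failed password for root from 203.0.113.5 port 40003 ssh2
Jan 10 12:00:04 web1 sshd[2204]: Failed password for root from 203.0.113.5 port 40004 ssh2
Jan 10 12:00:05 web1 sshd[2205]: Failed password for root from 203.0.113.5 port 40005 ssh2
Jan 10 12:00:06 web1 sshd[2206]: Failed password for root from 203.0.113.5 port 40006 ssh2
Jan 10 12:01:10 web1 sshd[2210]: Failed password for alice from 198.51.100.11 port 51000 ssh2
Jan 10 12:01:40 web1 sshd[2211]: Failed password for alice from 198.51.100.12 port 51001 ssh2
Jan 10 12:02:15 web1 sshd[2212]: Failed password for alice from 198.51.100.13 port 51002 ssh2
Jan 10 12:02:50 web1 sshd[2213]: Failed password for alice from 198.51.100.14 port 51003 ssh2
Jan 10 12:03:00 web1 sshd[2214]: Accepted password for alice from 198.51.100.14 port 51004 ssh2
Jan 10 12:05:00 web1 sshd[2220]: Failed password for bob from 198.51.100.20 port 52000 ssh2
Jan 10 12:05:30 web1 sshd[2221]: Accepted password for bob from 198.51.100.20 port 52001 ssh2
"""

# Matches both outcomes of a password login; "invalid user" appears for unknown accounts.
EVENT_RE = re.compile(
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(log_text):
    """Yield (outcome, user, ip) for every password login event in the log."""
    for line in log_text.splitlines():
        m = EVENT_RE.search(line)
        if m:
            yield m.group("outcome"), m.group("user"), m.group("ip")


def analyse(log_text, per_ip_threshold=5, distinct_ip_threshold=3):
    """Summarise failed logins per source and per target account.
    Thresholds are assumed values for the demonstration."""
    failures_by_ip = Counter()
    failed_ips_by_user = defaultdict(set)
    successes = []
    for outcome, user, ip in parse_events(log_text):
        if outcome == "Failed":
            failures_by_ip[ip] += 1
            failed_ips_by_user[user].add(ip)
        else:
            successes.append((user, ip))
    # Classic brute force: one address with many failures.
    noisy_ips = {ip for ip, n in failures_by_ip.items() if n >= per_ip_threshold}
    # Distributed guessing: one account failing from many different addresses,
    # even though each address on its own stays under the per-IP threshold.
    distributed_targets = {u for u, ips in failed_ips_by_user.items()
                           if len(ips) >= distinct_ip_threshold}
    # A success for a targeted account, from an address that had been failing
    # against it, is the signal that the guessing worked.
    likely_compromised = {u for u, ip in successes
                          if u in distributed_targets and ip in failed_ips_by_user[u]}
    return {
        "noisy_ips": noisy_ips,
        "distributed_targets": distributed_targets,
        "likely_compromised": likely_compromised,
        "failures_by_ip": dict(failures_by_ip),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_LOG).items():
        print(f"{key:20} {value}")
```

On the sample, only 203.0.113.5 trips the per-IP rule; the four addresses aiming at alice fail once each and would pass a per-IP lockout, but the account view flags alice as a distributed target and then as likely compromised once the accept from 198.51.100.14 arrives, which is the shape of the GitHub attack in miniature. bob’s single failure followed by a success from the same address is left alone.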
So, there you have it, a mini overview of password attacks and how to avoid them. If you think your business needs better cyber security, don’t rest on your laurels, contact our team