The 10 most common password attacks and how to stop them


There is no question that passwords are one of the weakest links in many organizations’ overall cyber security. Unfortunately, passwords are under constant attack, as they are arguably one of the easiest ways for hackers to break into your environment. To better understand how to protect passwords in your environment from attacks, let’s look at the top 10 password attacks and what your organization can do to prevent them.


Here are the top 10 password attacks and countermeasures organizations can take to prevent them from leading to network compromises and the loss of business-critical data.

  1. Brute force attack
  2. Dictionary attack
  3. Password spraying
  4. Credential stuffing
  5. Phishing
  6. Keylogger attack
  7. Social engineering
  8. Password reset
  9. Old-fashioned theft
  10. Password reuse

1. Brute force attacks

A brute force attack is a simple password attack in which hackers attempt to gain access to a network by trying large lists of common or compromised passwords. Even a “gaming” class computer with today’s powerful CPUs can “guess” billions of passwords every second. The attacker proactively tries to “force” their way in by guessing the passwords of legitimate user accounts.

2. Dictionary attack

A dictionary attack is a variant of the brute force method described above that uses large databases of common passwords as its source, much like a dictionary. It is used to break into password-protected assets by trying each word in the dictionary, derivatives of those words written in leetspeak, and previously leaked passwords or key phrases. For example, hackers know that users often replace letters with numbers and symbols, as in the password P@$$w0rd.

  • Prevention steps – password length/passphrases over 20 characters, blocking of incremental and common patterns, protection against breached passwords, a custom dictionary, MFA.
  • A dictionary attack was used on January 4, 2009 by a hacker known only as GMZ to compromise an administrator account and then change the passwords of well-known accounts, including those of President-elect Barack Obama, Britney Spears and others.
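The prevention steps above, as an added example that is not Specops code: a policy check that undoes leetspeak before comparing against a custom dictionary, rejects incremental tails such as a trailing year, and enforces a 20-character minimum. The dictionary contents and leetspeak map are constructed sample values, not a real policy.

```python
import re

# Constructed custom dictionary; a real deployment loads a far larger word list
# plus previously leaked passwords. These are sample values, not a real policy.
CUSTOM_DICTIONARY = {"password", "welcome", "summer", "acme", "letmein"}

# Leetspeak substitutions attackers enumerate in dictionary attacks. Undoing
# them before the lookup makes "P@$$w0rd" match the dictionary word "password".
LEET_MAP = str.maketrans({"@": "a", "4": "a", "$": "s", "5": "s", "0": "o",
                          "1": "i", "!": "i", "3": "e", "7": "t", "|": "l"})

def normalize(candidate):
    """Lower-case the candidate and undo common leetspeak substitutions."""
    return candidate.lower().translate(LEET_MAP)

def dictionary_hits(candidate):
    """Return the dictionary words the normalised candidate contains."""
    base = normalize(candidate)
    return sorted(w for w in CUSTOM_DICTIONARY if w in base)

def has_incremental_pattern(candidate):
    """Detect 'word + digits (+ symbol)' tails such as Summer2023! or Acme1."""
    return re.search(r"[0-9]{1,4}[!?.]*$", candidate) is not None

def evaluate_password(candidate, min_length=20):
    """Apply the prevention steps (length, custom dictionary, common patterns)
    and report every reason for rejection so the user can fix them all at once."""
    reasons = []
    if len(candidate) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    hits = dictionary_hits(candidate)
    if hits:
        reasons.append("contains dictionary word(s): " + ", ".join(hits))
    if has_incremental_pattern(candidate):
        reasons.append("ends with an incremental/common pattern")
    return {"accepted": not reasons, "reasons": reasons}
```

A four-word passphrase passes every check, while P@$$w0rd is rejected for both its length and its dictionary hit once normalised.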

3. Password spraying

A password spray attack avoids detection or lockout of any single account by trying one or two common passwords across many different accounts, services, and organizations. Attackers use this method to stay under the account lockout threshold, which in many organizations is set to three to five failed attempts.

By trying one password fewer than the lockout threshold against each account, the attacker can work through many passwords across the organization without being stopped by the default protections in Active Directory. The attacker chooses passwords that end users commonly pick, generates guesses from predictable formulas, or uses breached passwords already exposed in password dumps online.
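Detection logic for the pattern just described, as an added example that is not Specops code: it groups failed logons by source, and flags a source that fails against many accounts within a window while each account stays below the lockout threshold (the “wide but shallow” shape of a spray), then reports which of those accounts the source later logged into. The log lines and the thresholds are constructed for the example; a brute force against a single account would not trigger it.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample logon log (not from a real system): "<ISO time> <source IP> <account> <result>"
SAMPLE_LOG = """\
2024-03-01T08:00:01 203.0.113.7 alice FAIL
2024-03-01T08:00:03 203.0.113.7 bob FAIL
2024-03-01T08:00:05 203.0.113.7 carol FAIL
2024-03-01T08:00:07 203.0.113.7 dave FAIL
2024-03-01T08:00:09 203.0.113.7 erin FAIL
2024-03-01T08:00:11 203.0.113.7 frank FAIL
2024-03-01T08:05:00 203.0.113.7 alice FAIL
2024-03-01T08:05:02 203.0.113.7 bob SUCCESS
2024-03-01T09:30:00 192.0.2.5 heidi FAIL
2024-03-01T09:30:20 192.0.2.5 heidi SUCCESS
"""

LOCKOUT_THRESHOLD = 5      # failed attempts at which AD locks the account
MIN_TARGETED_ACCOUNTS = 5  # distinct accounts one source must fail against
WINDOW = timedelta(minutes=30)

def parse_log(text):
    # Turn the text log into (timestamp, source, account, result) tuples.
    events = []
    for line in text.splitlines():
        ts, src, user, result = line.split()
        events.append((datetime.fromisoformat(ts), src, user, result))
    return events

def detect_password_spray(events):
    # Flag sources that fail against many accounts while each stays under lockout.
    fails, successes = defaultdict(list), defaultdict(set)
    for ts, src, user, result in events:
        if result == "FAIL":
            fails[src].append((ts, user))
        else:
            successes[src].add(user)
    alerts = {}
    for src, src_fails in fails.items():
        src_fails.sort()
        for i, (start, _) in enumerate(src_fails):
            per_user = defaultdict(int)
            for ts, user in src_fails[i:]:
                if ts - start <= WINDOW:
                    per_user[user] += 1
            # Spray signature: wide (many accounts) but shallow (below lockout per account).
            if len(per_user) >= MIN_TARGETED_ACCOUNTS and max(per_user.values()) < LOCKOUT_THRESHOLD:
                alerts[src] = {"accounts": len(per_user), "max_per_account": max(per_user.values()),
                               "logged_in_as": sorted(successes[src] & set(per_user))}
                break
    return alerts
```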

4. Credential stuffing

Credential stuffing is an automated attack that feeds stolen username and password combinations into a login process to break in. The credentials come from large databases of real hacked accounts and passwords that are (unfortunately) easily available online. With a success rate of up to 2%, credential stuffers are responsible for more than 90% of all login traffic on many of the world’s largest websites and for a number of downstream data breaches.

5. Phishing

Phishing is an old attack that has been in use for decades. Surprisingly, despite its age, it is still very effective. Phishing attacks aim to manipulate people into taking actions or divulging sensitive information, and are often attempted via email. For example, attackers impersonate legitimate organizations or services to trick users into revealing account information.

Other phishing emails use urgency and intimidation tactics to pressure users into revealing information quickly. An email may contain phrases such as “urgent: your account has been breached”. Attackers play on end-user emotions, tricking users into revealing the very information they believe they are protecting. In organizations that allow personal devices, cybercriminals can use these phishing tactics to trick end users into revealing their corporate credentials.

  • Prevention steps – cybersecurity awareness training, MFA, email banner configuration, mail server configuration (DKIM, SPF, etc.)
  • A series of spear phishing emails sent to Sony employees ended in the theft of more than 100 terabytes of company data, including newly released files, financial records and customer details.

6. Keylogger attack

A keylogger attack records sensitive information, such as account credentials, as it is typed. Keyloggers can be either software or hardware. For example, spyware can record keystrokes to steal a variety of sensitive information, from passwords to credit card numbers. If an attacker has physical access to an end user’s computer, a hardware device can be placed in line with the keyboard to record every keystroke typed.

7. Social engineering

Social engineering encompasses a range of malicious activities to manipulate people into taking actions or revealing sensitive information, including phishing, vishing, social media, baiting, and tailgating. For example, phishing attacks are a form of social engineering in which attackers trick you into giving them sensitive information, such as passwords, banking information, or control of your computer or mobile device.

Social engineering generally attempts to exploit the natural tendencies of human nature. In general, it is much easier for an attacker to trick you into giving them your password than it is to crack the password through other means.

  • Prevention measures – awareness training, safe MFA methods, e.g. no secret questions
  • The famous 2011 RSA SecurID social engineering attack consisted of two separate phishing emails that tricked employees into opening an Excel document to install a backdoor. This led to the compromise of RSA SecurID tokens.

8. Reset password

A password reset attack is a classic social engineering technique to gain access to a network by calling the service desk, impersonating someone else and requesting a new password. The hacker only has to convince the service desk staff to hand over a new password instead of trying to guess or crack one. It is a particular danger for larger organizations, where helpdesk staff may not know all employees personally. It is also becoming much more common as the workforce moves to a hybrid or fully remote model, since verifying end users is no longer as easy as saying hello in person.

  • Prevention – Helpdesk verification/MFA, awareness training, self-service password reset (SSPR) with MFA
  • The MitM password reset attack is very simple and effective as several studies have shown.

9. Old-fashioned theft

Writing down passwords is a common and very dangerous activity. The classic “Master Password Post-it” stuck to the monitor can easily become a full-scale cybersecurity breach. Enforcing complexity in passwords can lead users to write them down. Using passphrases is a better option for memorable passwords that don’t need to be documented and exposed to prying eyes. If your end users are juggling multiple passwords for mission-critical systems, use a password manager. Sticky notes on a monitor or desk are a big no-no.

10. Password Reuse

Password reuse often leads to compromised systems. Research shows that over 70% of employees reuse passwords at work. Sharing passwords between personal and corporate accounts leaves your network exposed. If the hobby forum you registered for is hacked and you use the same password for a corporate account, your password will end up on the dark web and corporate systems will quickly become vulnerable.

Gain insight into your top password risks with Specops Password Auditor

Specops Password Auditor is a free password audit tool that scans your Active Directory environment to identify password-related vulnerabilities and checks your existing password policies against high-level regulatory compliance recommendations. There are 14 focus areas in total with an exported PDF of all the obvious issues and their resolution. Specops recently integrated a password age report into Specops Password Auditor to enable IT admins to effectively discover the age of passwords in their environments.

Below, the Specops Password Auditor dashboard shows password risks in Active Directory at a glance.

Specops Password Auditor enables the detection of password risks in your Active Directory environment

In our commitment to cybersecurity for all, we keep Specops Password Auditor completely free and read-only, meaning we do not collect any information whatsoever from its use. You can always download it and run it in your AD.

Sponsored by Specops

