Passwords have always been a favorite target among hackers, so it is important for IT security pros to be familiar with the types of password attacks that are used most often. Although there are any number of different ways in which a password system could potentially be exploited, there are three password attack methods that tend to be used more commonly than others.
1. Brute Force Attacks
A brute force attack is easily one of the oldest types of password attacks. It involves using a script to try all of the possible password combinations. The technique is a bit like opening one of those old bicycle chains with a combination lock when you have forgotten the combination. By spinning the wheels, you can try every possible combination and will eventually get the lock open.
The most important thing that organizations can do to prevent this type of password attack is to use an account lockout mechanism. That way, if an attacker does attempt a brute force password attack, accounts will be locked before the attack can succeed. It is worth noting, however, that there have been situations in which an attacker has leveraged the account lockout feature in a denial of service attack. The idea is that an attacker purposely enters incorrect passwords multiple times for a large number of accounts in an effort to make it difficult for users to login.
Another thing that organizations should be doing to prevent brute force password attacks is to physically safeguard domain-joined Windows systems. If attackers have physical access to a domain-joined system, they may be able to download a copy of the Windows Security Account Manager (SAM), which contains password hashes for the accounts on the machine. An attacker can then use rainbow tables or a brute force attack against the SAM that they have downloaded, thereby giving them the opportunity to crack the password without having to worry about accounts being locked out.
It has often been suggested that one of the best ways to prevent brute force password attacks is to require really long passwords. The idea behind this philosophy is that computing power is limited, and brute force attack could conceivably take years (or much longer) to crack a sufficiently long password.
While it is generally a good idea to require the use of long passwords, long passwords alone will not completely deter a brute force attack. One common practice, for example, is to combine brute force attacks with a dictionary attack. The cracking process begins by using a brute force attack that is designed to try every possible password combination up to a certain length of password (usually four to six characters). After that, the software resorts to using dictionary words to crack any passwords that were not discovered through brute force.
Another way that attackers sometimes make brute force password attacks more effective is to find out an organization’s minimum required password length, and then use that knowledge when designing the attack. If, for example, an attacker learns through social engineering that an organization requires a minimum password length of eight characters, then the attacker doesn’t have to waste his or her time trying to crack passwords that are seven characters or less. This means that the attacker can eliminate a huge number of possible passwords right off the bat, dramatically shortening the time it would take to successfully perform a brute force crack.
2. Credential Stuffing Attacks
A second, very commonly used password attack is a credential stuffing attack, in which hackers exploit the fact that most users have multiple accounts and tend to use the same user name and password for each. Hackers attack websites known to have weak security in an effort to access the sites’ account databases. Once attackers successfully breach a site, they will use stolen credentials on as many sites as possible.
One of the best ways to prevent credential stuffing password attacks is by using third-party software that automatically assigns users a long and random password. That way, you can be assured that passwords have not been used on other systems.
In recent months, several of the major tech corporations have reversed course on the long-standing best practice of forcing periodic password changes and are recommending that organizations no longer require users to periodically change their passwords. One of the problems with this, however, is that if users get comfortable with the long and complex password they use at work, there is a good chance that they will reuse the same passwords on other systems, thereby opening up the potential for a credential stuffing attack to be used against your organization.
One way of getting around this problem is to use non-password-based authentication, or to use passwords as a part of a broader multifactor authentication system.
3. Password Spray Attacks
A password spray attack is based on the idea that some passwords tend to be popular. For example, there are a lot of people who create passwords based on the name of their favorite sports teams. Because hackers know which passwords tend to be popular, they will try using those passwords against a large number of accounts. They do this slowly enough that they are usually able to avoid account lockouts.
In some ways, a password spray attack is essentially just an attack that is based on guessing passwords. The hackers are counting on the idea that some people will inevitably use passwords that are easy to guess. Again, the best way of countering this type of attack is to either use passwords as a part of a multifactor authentication system, or to begin migrating to an authentication mechanism that is based on something other than passwords.