Password attacks are among the most common causes of data breaches at both the corporate and individual level: 81% of such incidents in 2020 involved these attacks successfully compromising user credentials. A password attack generally entails hackers trying to steal user passwords, but it can also mean more direct means, such as trying to guess the right combination.
Maintaining account security through passwords alone is generally no longer sufficient, since a password can only contain so many letters and numbers; hence the rise of multi-factor authentication (MFA) and additional protection layers. With that said, good password hygiene remains a must in any password-based security approach and is a crucial step in making your organisation cyber-aware. Here are the four cyberattacks it helps to deter.
1. Brute force attack
One way of thinking about a password is as a key that locks a door to everyone except the one user who holds it. A brute force attack does away with subtle methods of opening that door and, as its name implies, takes the direct approach of busting it open: hackers can try out billions of username/password combinations within seconds, thanks to modern computing power. A simple password makes their attempt far more likely to succeed.
This is where a complex password makes things difficult for them. A variety of alphanumeric characters and symbols in your password increases its complexity and drastically reduces the success rate of brute force attacks. When a strong password is paired with other security features such as limited login attempts and MFA, brute force attacks can be all but prevented.
2. Password spraying
Password spraying falls under the category of brute force attacks: hackers gain account access by matching a username to a password with the help of automation tools. Rather than hammering a single account, this kind of attack tries passwords across many accounts on a single domain until a valid combination is found, which sidesteps modern protections like the limited login attempts mentioned above. Since it focuses on users within a particular domain, its go-to targets are organisations that use standardised usernames, like email@example.com. By collating a list of commonly used weak passwords, attackers can potentially access numerous accounts in a single attack.
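The difference between the two patterns above, a brute force attack that hammers one account (which per-account lockout catches) and a spray that stays under the lockout threshold by spreading attempts across many accounts, shows up in authentication logs. The following is an added Python example, not code from the original post, that classifies source IPs over a constructed sample log; the log format, the thresholds and the IP addresses are all assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample auth log (not from any real system): one spraying source, one single-account brute-force source, one user typo.
SAMPLE_LOG = """\
2024-01-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-01-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-01-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-01-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-01-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-01-01T09:10:01 FAIL user=alice src=198.51.100.9
2024-01-01T09:10:02 FAIL user=alice src=198.51.100.9
2024-01-01T09:10:03 FAIL user=alice src=198.51.100.9
2024-01-01T09:10:04 FAIL user=alice src=198.51.100.9
2024-01-01T09:10:05 FAIL user=alice src=198.51.100.9
2024-01-01T09:30:00 FAIL user=bob src=192.0.2.44
"""

LINE_RE = re.compile(r"^(\S+) (FAIL|OK)\s+user=(\S+) src=(\S+)$")

def parse(log_text):
    """Yield (timestamp, outcome, user, src) tuples; lines that do not match the assumed format are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield datetime.fromisoformat(m.group(1)), m.group(2), m.group(3), m.group(4)

def classify_sources(log_text, window=timedelta(minutes=5), lockout=5, spray_accounts=5):
    """brute_force: one account fails >= lockout times in the window (lockout catches it); spray: >= spray_accounts accounts each fail < lockout times in the window (per-account lockout never fires)."""
    failures = defaultdict(list)  # src -> [(timestamp, user)]
    for ts, outcome, user, src in parse(log_text):
        if outcome == "FAIL":
            failures[src].append((ts, user))
    verdicts = {}
    for src, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):  # slide the window, starting at each failure
            per_user = defaultdict(int)
            for ts, user in events[i:]:
                if ts - start > window:
                    break
                per_user[user] += 1
            if max(per_user.values()) >= lockout:
                verdicts[src] = "brute_force"
                break
            if len(per_user) >= spray_accounts and all(n < lockout for n in per_user.values()):
                verdicts[src] = "spray"
                break
    return verdicts
```

A source that trips neither rule (here 192.0.2.44, a single failed login) gets no verdict, which is the behaviour a detection rule needs so ordinary typos do not page anyone.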
3. Dictionary attack
A dictionary attack is a variation of a brute force attack that exploits people’s tendency to choose basic, easily memorable words for their passwords, many of which are now compiled into “cracking dictionaries”. Sophisticated dictionary attacks involve learning about the target user and what is important to them, such as their pets, family or birthplace. It is therefore vital to avoid easily guessable dictionary words, or words derived from things personally important to you, when setting passwords.
4. Credential stuffing
Credential stuffing is an attack in which hackers use lists of breached login credentials to gain unauthorised access. It leverages automation and relies on the presumption that most people today reuse their login credentials across multiple accounts and services. According to statistics, around 0.1% of compromised credentials tried against a different domain or service will result in a successful login.
In modern web apps with basic security measures, credential stuffing is more likely to succeed than brute force attacks: even when users pick a strong password, reusing it across services effectively negates its advantage.
Observing good password hygiene means choosing a strong password for every account, never reusing it anywhere, being careful when entering those passwords, and using multi-factor authentication wherever possible.
Should your organisation ever need the help of a reputable IT outsourcing company in Singapore, TYPENT is the one you can trust. As a leading one-stop IT outsourcing services provider with years of experience in the industry, we have the necessary expertise and technologies to carry out the support services that keep your business operations running at full speed. In addition to our technological solutions, we also provide exceptional security products such as Trend Micro Business Antivirus Email Protection and Endpoint Security.
Feel free to contact us today for more information or if you have any enquiries.