How to stop different types of password attacks
(Last updated on November 19, 2019)
What makes users and organizations vulnerable to password attacks? A recent study indicates that users' perceptions of password security do not always match reality. Many of us overestimate the benefit of including digits or special characters in our passwords, and underestimate large-scale guessing attacks and the implications of password reuse. In this blog, you will find the most common password attacks along with recommendations that can strengthen password security.
Social engineering attack
The social engineering attack is a targeted method that preys on human behavior. The tactic can be as simple as using readily available user information from one account, to break into another account. Consider the steps that are taken when a password is forgotten – how is your identity verified prior to a password reset? The most common method is through the use of security questions. For example: Where did you attend high school? In the age of social media, the answer is just a search away.
Social engineering is extremely common during the password reset process, and often successful with security questions. Eliminating the opportunity for user impersonation, and the single point of failure, can be done with two-factor authentication (2FA).
Brute-force attack
Large-scale guessing attacks use trial and error, generating a large quantity of password guesses until the right one is found. In a brute-force attack, every combination of the chosen character types is tried, covering the whole theoretical password space. The main character types include:
• Lower case alpha (a, b, c)
• Upper case alpha (A, B, C)
• Numeric (1, 2, 3)
• Special (!@#)
In addition to the character types, other brute-force parameters must be defined, including:
• Password hash type
• Minimum password length
• Maximum password length
The attack takes all possible permutations of the chosen characters and builds candidate passwords ranging from the minimum to the maximum password length. For each candidate, the tool computes the hash and compares it with the password hash obtained from the target system. If there is a match, the candidate that produced it is the user's password.
To stand up to this attack, passwords must overcome the standard structure and character profile. The task not only falls on users, but also on organizations. Password policies should support passphrases which are not only stronger, but easier for users to remember.
Dictionary attack
The dictionary attack uses a pre-compiled or generated list of high-probability passwords to uncover target passwords. The dictionary is not limited to common names and words. Attackers look for predictable patterns in user behavior, including character substitutions, leetspeak, and popular compositions, and they use dictionaries of foreign words as well as lists obtained from data breaches. The attack cycles through thousands of passwords at a time, comparing the hash of each guess with the hash of the target password. The effectiveness of a dictionary attack depends on the dictionary itself.
Hackers are not the only ones who can take advantage of user predictability. The best protection against a dictionary attack is to use a dictionary during the password creation process. New passwords are checked against the dictionary, preventing users from selecting passwords that are susceptible to attack.
Without dictionary enforcement, the responsibility falls on users, and even a strong password is not always enough. Account names and passwords exposed in one breach are commonly tested against other systems. With a single breach opening the door to a multitude of other systems, including ones holding sensitive corporate data, the threat of exposure hinges on password reuse.
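As an added example (not code from the original post or from Specops), the brute-force parameters described above and the dictionary check at password creation, in Python. The banned-word list and the leetspeak table are constructed for illustration; a real deployment would load breach lists.

```python
import string

# Leetspeak substitutions undone before the dictionary lookup, so that
# "P@ssw0rd" is caught by the entry "password". (Constructed table.)
LEET_MAP = str.maketrans({"@": "a", "4": "a", "3": "e", "1": "i", "!": "i",
                          "0": "o", "$": "s", "5": "s", "7": "t"})

# Constructed sample dictionary; a real deployment loads breach lists here.
BANNED_WORDS = {"password", "welcome", "letmein", "qwerty", "summer"}

# The four character types named in the post.
CHARSETS = {
    "lower": string.ascii_lowercase,   # a, b, c
    "upper": string.ascii_uppercase,   # A, B, C
    "digit": string.digits,            # 1, 2, 3
    "special": string.punctuation,     # !@#
}


def keyspace_size(charset_names, min_len, max_len):
    """Number of candidates a brute-force run must hash to exhaust the
    space: the sum over each length of (alphabet size ** length)."""
    alphabet = "".join(CHARSETS[n] for n in charset_names)
    return sum(len(alphabet) ** n for n in range(min_len, max_len + 1))


def normalize(password):
    """Lower-case, strip digits/punctuation padding at either end, then
    undo leetspeak, so common compositions collapse to the base word."""
    core = password.lower().strip(string.digits + string.punctuation)
    return core.translate(LEET_MAP)


def check_password(password, min_len=15, banned=BANNED_WORDS):
    """Dictionary enforcement at creation time: return a list of policy
    violations (an empty list means the password is accepted)."""
    problems = []
    if len(password) < min_len:
        problems.append(f"shorter than {min_len} characters")
    core = normalize(password)
    for word in sorted(banned):
        if word in core:
            problems.append(f"contains banned word '{word}'")
            break
    return problems
```

`keyspace_size(["lower", "upper", "digit"], 8, 8)` shows why an 8-character mixed password is still a finite, enumerable space, while a long passphrase passes `check_password` without needing symbols.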
Better password defenses
It is time to redefine our standard password defenses. A new approach requires user-friendly authentication systems with two-factor authentication, passphrases, and dictionary enforcement. Organizations can use Specops Password Auditor (Free) to review their existing password policies against these password attacks.