A password attack is a common attack vector used to bypass or exploit the authentication of user accounts. As one of the most common application security threats, password attacks accounted for more than 81% of data breaches in 2020. This article explains what a password attack is, the different types of such attacks, and best practices to prevent them in modern applications.
Password Attack Definition
Password attacks exploit a broken authentication vulnerability in the system, combined with automated password attack tools that speed up guessing and cracking passwords. The attacker uses various techniques to access and expose the credentials of a legitimate user, then assumes that user's identity and privileges. The username-password combination is one of the oldest known account authentication techniques, so adversaries have had time to craft multiple methods of obtaining guessable passwords. Additionally, applications that use passwords as the sole authentication factor are especially exposed to password attacks, since the relevant weaknesses are well understood.
Password attacks have far-reaching consequences since malicious users only require unauthorized access to a single privileged account or a few user accounts to compromise the web application. Depending on the data hosted by the application, compromised passwords can pave the way for exposure of sensitive information, distributed denial-of-service, financial fraud, and other sophisticated attacks.
Types of Password Attacks
Hackers typically rely on different techniques to obtain and authenticate with a legitimate user’s password. These include:
Phishing Attacks
By far the most common form of password attack, a phishing attack is a social engineering technique in which the hacker masquerades as a trusted site by sending the victim a malicious link. Believing they are authenticating to a legitimate web server, the victim clicks the link and hands their account credentials to the attacker. Besides identity theft, phishing attacks also foster Advanced Persistent Threats by letting the threat actor gain the permissions of an internal user, and from there compromise deeper components of the system while remaining undetected. In phishing attacks, adversaries commonly use multiple methods to trick the user into clicking the malicious link, including:
1. DNS cache poisoning – Attackers leverage vulnerabilities in the application’s DNS server to redirect user requests to a malicious site with a similar-looking domain name.
2. URL hijacking/typosquatting – The attacker creates a genuine-looking URL with subtle differences from the website they want to impersonate. The attack then depends on users making typing mistakes, so they land on the malicious page.
3. Tabnabbing – The attacker rewrites unattended browser tabs with malicious sites that look like legitimate web pages.
4. UI redressing/iFrame overlay – The attacker places a link to the malicious page over a legitimate, clickable button using transparent layers.
5. Clone phishing – In this attack, the attacker sends a copy of a legitimate email where the links within the original email are replaced with URLs to malicious sites.
Brute-Force Password Attacks
This type of password attack employs trial-and-error methods to guess a user's authentication information. The bad actor uses automated scripts to work through as many permutations as possible until the user's password is guessed correctly. While it is a relatively old method that requires a lot of patience and time, brute-force attacks are still common in account breach attempts because they are automated and straightforward. There are several types of brute-force attacks:
1. Simple brute force attacks – A hacker uses logic and data about a user to guess the most likely password. This technique is used for relatively simple passwords, such as those combining a pet's name and a year of birth.
2. Credential stuffing – This involves using previously exposed login combinations that were maliciously obtained from vulnerable websites. In such attacks, hackers take advantage of the fact that users tend to reuse their username-password combinations across multiple services.
3. Hybrid brute force attacks – An attacker combines simple password guessing with automated credential stuffing software to uncover more complex passwords. Many users set slight variations of the same password across different websites, and attackers also rely on user data patterns across services to improve the accuracy of credential stuffing tools.
4. Reverse brute force attacks – In this form of attack, a hacker starts with a known password and then searches for usernames that match it. As threat actors often have access to multiple databases of leaked credentials, it is easy to identify common passwords within a particular group of users.
Dictionary Password Attacks
This attack method uses a predefined list of words most likely to be used as passwords by a specific target network. The predefined list is built from a website user’s behavioral patterns and passwords obtained from previous data breaches. The lists are created by varying common combinations of words by case, adding numeric suffixes & prefixes, and using common phrases. These lists are passed to an automated tool, which attempts to authenticate against a list of known usernames.
Password Spraying Attack
In this type of attack, the hacker attempts to authenticate using the same password on many accounts before moving on to the next password. Password spraying is effective because many website users set simple passwords, and the technique does not trigger lockout policies since each account sees only a few attempts. Attackers mostly orchestrate password spraying against websites where administrators set a standard default password for new users and unregistered accounts.
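The distinction the article draws between brute force (many guesses against one account) and password spraying (one or two guesses against many accounts) is exactly what a defender looks for in authentication logs. The following added example, which is not part of the original article, classifies each source IP in a small set of constructed log lines by that pattern and then lists which accounts the suspicious sources actually logged into. The log format, thresholds and IP addresses are assumptions for illustration.

```python
from collections import defaultdict

# Constructed sample authentication log: "<timestamp> <source_ip> <username> <result>"
SAMPLE_LOG = """\
2024-01-01T10:00:01 203.0.113.5 alice FAIL
2024-01-01T10:00:02 203.0.113.5 bob FAIL
2024-01-01T10:00:03 203.0.113.5 carol FAIL
2024-01-01T10:00:04 203.0.113.5 dave FAIL
2024-01-01T10:00:05 203.0.113.5 erin FAIL
2024-01-01T10:00:06 203.0.113.5 frank SUCCESS
2024-01-01T10:01:01 198.51.100.7 alice FAIL
2024-01-01T10:01:02 198.51.100.7 alice FAIL
2024-01-01T10:01:03 198.51.100.7 alice FAIL
2024-01-01T10:01:04 198.51.100.7 alice FAIL
2024-01-01T10:01:05 198.51.100.7 alice FAIL
2024-01-01T10:01:06 198.51.100.7 alice FAIL
2024-01-01T10:02:01 192.0.2.9 bob FAIL
2024-01-01T10:02:02 192.0.2.9 bob SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into (timestamp, ip, user, result) tuples."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, ip, user, result = line.split()
            events.append((ts, ip, user, result))
    return events


def classify_sources(events, fail_threshold=5, account_threshold=5):
    """Label each source IP as 'brute_force', 'password_spray' or 'benign'.

    brute_force    : at least fail_threshold failures against a single account
    password_spray : failures spread over account_threshold or more accounts,
                     with no more than two failures per account (stays under lockout)
    """
    per_account = defaultdict(lambda: defaultdict(int))
    for _, ip, user, result in events:
        if result == "FAIL":
            per_account[ip][user] += 1

    verdicts = {}
    for ip in {e[1] for e in events}:
        counts = per_account[ip]
        if not counts:
            verdicts[ip] = "benign"
            continue
        max_per_account = max(counts.values())
        if len(counts) >= account_threshold and max_per_account <= 2:
            verdicts[ip] = "password_spray"
        elif max_per_account >= fail_threshold:
            verdicts[ip] = "brute_force"
        else:
            verdicts[ip] = "benign"
    return verdicts


def compromised_accounts(events, verdicts):
    """Accounts that a suspicious source successfully authenticated to: triage targets."""
    return {
        (ip, user)
        for _, ip, user, result in events
        if result == "SUCCESS" and verdicts.get(ip) != "benign"
    }


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    v = classify_sources(evts)
    print(v)
    print(compromised_accounts(evts, v))
```

The thresholds are deliberately low so the sample data triggers them; in production they should be tuned to the lockout policy in force, and the per-account counters should be keyed by a time window rather than the whole log.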
Keylogging Attacks
While orchestrating a keylogging attack, a hacker covertly installs monitoring tools on the user's computer to record the keys the user strikes. A keylogger records all information that users type into input forms and then sends it to the malicious third party. While keyloggers have legitimate uses in enterprise settings (UX improvement, employee monitoring, etc.), attackers often use them to extract information such as login credentials for unauthorized access.
Password Attack Example
One of the most common examples of a phishing password attack involves lying to the victim that their account will be deactivated if they do not confirm their login details.
Assume the user utilizes services from a website with the URL: http://darwin.com
The attacker crafts phishing emails to the users, informing them that their account has been compromised and their credit card and login details are needed to retain the account. The email includes a link similar to: http://darw1n.com/confirm-details, pointing to the hacker’s malicious website. The victim clicks on this link and is redirected to the fake confirmation page, where they supply their legitimate login credentials. The hacker then collects these credentials and uses them to access the victim’s legitimate account.
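The darw1n.com link in the example is a typosquat of darwin.com that differs by a single substituted character. The following added example (not code from the original article) shows one way a mail gateway or link-rewriting proxy can flag such links: it compares the registrable domain of every URL against an allowlist of the organization's real domains using edit distance, after folding common look-alike characters. The allowlist, the homoglyph map and the two-label approximation of a registrable domain are assumptions for illustration.

```python
from urllib.parse import urlparse

# Domains the organization legitimately uses (from the article's example).
LEGITIMATE_DOMAINS = {"darwin.com"}

# Assumed substitutions that read as another character at a glance.
HOMOGLYPHS = {"rn": "m", "vv": "w", "1": "l", "0": "o", "3": "e", "5": "s"}


def fold_homoglyphs(label):
    """Replace look-alike sequences so 'darw1n' and 'darwln' compare as close to 'darwin'."""
    for src, dst in HOMOGLYPHS.items():
        label = label.replace(src, dst)
    return label


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable_domain(host):
    """Assumption: last two labels are the registrable domain (no public-suffix list)."""
    return ".".join(host.lower().split(".")[-2:])


def check_link(url, max_distance=2):
    """Return 'legitimate', 'lookalike' or 'unknown' for the host in url."""
    host = urlparse(url).hostname or ""
    domain = registrable_domain(host)
    if domain in LEGITIMATE_DOMAINS:
        return "legitimate"
    for legit in LEGITIMATE_DOMAINS:
        raw = levenshtein(domain, legit)
        folded = levenshtein(fold_homoglyphs(domain), fold_homoglyphs(legit))
        if min(raw, folded) <= max_distance:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    for link in ("http://darwin.com/login", "http://darw1n.com/confirm-details",
                 "https://accounts.darwin.com/", "http://darwin.com.evil.test/login"):
        print(link, "->", check_link(link))
```

Note the last sample: a host that merely starts with the legitimate name is not a look-alike by edit distance, so it falls through to "unknown"; a gateway policy should treat "unknown" and "lookalike" differently from "legitimate" rather than only alerting on the latter.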
How to Prevent Password Attacks
Some best practices to prevent password attacks include:
Enforce strong password policies
Security administrators must enforce policies that ensure users follow set criteria, making their passwords harder for malicious actors to crack. For example, the password should be a minimum of 8 characters long and include special characters to resist brute-force attempts. Additionally, passwords should not contain any personally identifying information, as this makes dictionary attacks easier. Users should also use unique passwords for each service and rotate passwords frequently so that attackers cannot use exposed credential databases for password attacks.
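The policy above (minimum length, special characters, no personal information, nothing already exposed in a breach) can be enforced at registration time. The following added example, written for this page and not taken from the article, implements those checks as a validator that returns every problem found rather than stopping at the first one. The breach corpus is a constructed set of SHA-1 hashes standing in for a real compromised-password list; the personal-information fields and the minimum substring length are assumptions.

```python
import hashlib

SPECIAL_CHARACTERS = set("!@#$%^&*()-_=+[]{};:,.<>?/|\\~`'\"")

# Constructed stand-in for a breached-password corpus, stored as SHA-1 hashes
# (the hash form used by common compromised-password lookup services).
BREACHED_SHA1 = {
    hashlib.sha1(p.encode()).hexdigest() for p in ("Password1!", "Summer2020!")
}


def check_password(password, personal_info=(), min_length=8, min_fragment=3):
    """Return a list of policy violations; an empty list means the password is acceptable.

    personal_info: strings such as a name, pet name or birth year that must not
    appear inside the password (case-insensitive, fragments shorter than
    min_fragment are ignored to avoid false positives on single letters).
    """
    problems = []
    if len(password) < min_length:
        problems.append("too_short")
    if not any(c in SPECIAL_CHARACTERS for c in password):
        problems.append("no_special_character")

    lowered = password.lower()
    for item in personal_info:
        fragment = item.lower()
        if len(fragment) >= min_fragment and fragment in lowered:
            problems.append(f"contains_personal_info:{fragment}")

    # Compare hashes so the plaintext never has to be sent to or stored by the corpus.
    if hashlib.sha1(password.encode()).hexdigest() in BREACHED_SHA1:
        problems.append("found_in_breach_corpus")
    return problems


if __name__ == "__main__":
    print(check_password("Rex2015!", personal_info=["Rex", "2015"]))
    print(check_password("Password1!"))
    print(check_password("correct horse battery staple!"))
```

Returning all violations at once lets the registration form explain every rule the user broke in a single round trip, which reduces the temptation to satisfy the checker with minimal edits to a weak password.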
Organization-wide password security training
It is vital to ensure every user understands the importance of a strong password policy and follows the organization-wide guidance on password security. Additionally, every application user should be aware of social engineering attacks that trick them into submitting their credentials to malicious third parties.
Enable Multifactor Authentication
Passwords in themselves generally do not offer a complete user authentication solution. Multifactor authentication involves the use of passwords in combination with extra security checks. Some MFA implementations include the One-Time Password (OTP), biometric authentication, software tokens, and behavioral analysis.
Use a password manager
The primary function of a password manager is to help web administrators store and manage user credentials. Password management solutions also generate passwords for users following strong policies and best practices. In addition, these tools store user credentials in strongly encrypted databases, making them robustly secured from exposure in a data breach.
What are the differences between broken authentication and password attacks?
Broken authentication encompasses a collection of vulnerabilities that allow hackers to assume the identity of an application’s legitimate user. These weaknesses often arise due to poor session and credential management. On the other hand, password attacks involve strategies orchestrated by exploiting credential management vulnerabilities, granting the attacker access to a user’s password or security credentials.
This article was originally published at https://crashtest-security.com/password-attack/ and is republished with the authorization of Crashtest Security.