Password attacks exploit a broken authentication vulnerability in a system, combined with automated password attack tools that speed up guessing and cracking. The attacker uses various techniques to obtain and expose a legitimate user's credentials, then assumes that user's identity and privileges. The username-password combination is one of the oldest account authentication techniques, so adversaries have had time to craft many methods of obtaining guessable passwords. Applications that use passwords as the sole authentication factor are particularly exposed, since the weaknesses of password-only authentication are well understood.
Password attacks have far-reaching consequences, since a malicious user only needs unauthorized access to a single privileged account, or a handful of user accounts, to compromise the web application. Depending on the data the application hosts, compromised passwords can pave the way for exposure of sensitive information, distributed denial-of-service, financial fraud, and other sophisticated attacks.
Types of Password Attacks
Hackers typically rely on different techniques to obtain a legitimate user’s password and authenticate with it. These include:
Phishing Attacks
DNS cache poisoning – Attackers leverage vulnerabilities in the application’s DNS server to redirect user requests to a malicious site with a similar-looking domain name.
URL hijacking/typosquatting – The attacker registers a genuine-looking URL with subtle differences from the website it impersonates. The attack then relies on users mistyping the address so that they land on the malicious page.
Tabnabbing – The attacker rewrites unattended browser tabs with malicious sites that look like legitimate web pages.
UI redressing/iFrame overlay – The attacker places a link to the malicious page over a legitimate, clickable button using transparent layers.
Clone phishing – The attacker sends a copy of a legitimate email in which the original links are replaced with URLs to malicious sites.
Brute-Force Password Attacks
This type of password attack uses trial and error to guess a user’s authentication information. The bad actor runs automated scripts that work through as many permutations as possible until the user’s password is guessed correctly. Although it is a relatively old method that requires patience and time, brute force remains standard in account breach attempts because it is automated and straightforward. There are several types of brute force attacks:
Dictionary Password Attacks
Password Spraying Attack
In this type of attack, the hacker attempts to authenticate with the same password against many accounts before moving on to the next password. Password spraying is effective because many website users set simple passwords, and the technique does not trigger account lockout policies, since the attempts are spread across many different accounts. Attackers mostly orchestrate password spraying against websites where administrators set a standard default password for new users and unregistered accounts.
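The difference between the brute-force and spraying patterns described above is visible in authentication logs, and the following added example (not code from the original article) shows one way to detect each: a brute-force attempt produces many failures for one account from one source, while spraying produces a single failure across many accounts from one source and so never hits a per-account lockout. The log events, thresholds and time window are constructed assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta
# Constructed sample of failed-login events (timestamp, username, source IP);
# not real logs. The 4-failures-in-5-minutes threshold is an assumed tuning value.
FAILED_LOGINS = [
    ("2024-05-01T09:00:00", "alice", "198.51.100.7"),  # brute force: one account hammered
    ("2024-05-01T09:00:02", "alice", "198.51.100.7"),
    ("2024-05-01T09:00:04", "alice", "198.51.100.7"),
    ("2024-05-01T09:00:06", "alice", "198.51.100.7"),
    ("2024-05-01T09:10:00", "bob", "203.0.113.9"),     # spraying: one failure per account,
    ("2024-05-01T09:10:30", "carol", "203.0.113.9"),   # so per-account lockout never fires
    ("2024-05-01T09:11:00", "dave", "203.0.113.9"),
    ("2024-05-01T09:11:30", "erin", "203.0.113.9"),
    ("2024-05-01T11:00:00", "bob", "192.0.2.44"),      # single mistyped password, benign
]
def _parse(events):
    return sorted((datetime.fromisoformat(ts), user, ip) for ts, user, ip in events)

def detect_brute_force(events, threshold=4, window=timedelta(minutes=5)):
    """(username, ip) pairs with >= threshold failures inside any one window."""
    per_key = defaultdict(list)
    for ts, user, ip in _parse(events):
        per_key[(user, ip)].append(ts)
    hits = set()
    for key, times in per_key.items():
        start = 0
        for end, ts in enumerate(times):
            while ts - times[start] > window:   # slide the window forward
                start += 1
            if end - start + 1 >= threshold:
                hits.add(key)
                break
    return hits

def detect_password_spraying(events, threshold=4, window=timedelta(minutes=5)):
    """Source IPs that failed against >= threshold distinct accounts inside one window."""
    per_ip = defaultdict(list)
    for ts, user, ip in _parse(events):
        per_ip[ip].append((ts, user))
    hits = set()
    for ip, rows in per_ip.items():
        in_window, start = Counter(), 0
        for ts, user in rows:
            in_window[user] += 1
            while ts - rows[start][0] > window:  # drop events that fell out of the window
                in_window[rows[start][1]] -= 1
                start += 1
            if sum(1 for c in in_window.values() if c > 0) >= threshold:
                hits.add(ip)
                break
    return hits
```

Per-account lockout counters alone would catch only the first pattern; the per-source distinct-account count is what surfaces the second.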
Keylogging
Password Attack Example
How to Prevent Password Attacks
Some best practices to prevent password attacks include:
Enforce strong password policies
Security administrators must enforce policies that ensure users follow set criteria, so that malicious actors cannot easily crack their passwords. For example, a password should be at least 8 characters long and include special characters to resist brute force attempts. Additionally, passwords should not contain any personally identifying information, as this makes dictionary attacks easier. Users should also use a unique password for each service and rotate passwords frequently, so that attackers cannot reuse exposed credential databases in password attacks.
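The policy rules above can be enforced at registration or password-change time. The following added example (not code from the original article) checks the length and special-character rules, rejects passwords containing the user's personal data, and, as an extension of the dictionary-attack point, rejects anything that reduces to an entry in an exposed-password list after simple character substitutions; the weak-password list and the user profile fields are constructed assumptions.

```python
import re
import string

# Constructed, tiny stand-in for an exposed-credential / common-password list
# (assumption: a real deployment would consult a full breach corpus).
KNOWN_WEAK = {"password", "password1!", "qwerty123!", "letmein!1", "welcome1!"}

def _canonical(pw):
    # Undo common substitutions and strip digits/symbols so 'P@ssw0rd1!' becomes 'password'.
    return re.sub(r"[^a-z]", "", pw.lower().translate(str.maketrans("@$0", "aso")))

WEAK_CANONICAL = {_canonical(w) for w in KNOWN_WEAK}

def validate_password(password, username, full_name="", birth_year=None):
    """Return a list of policy violations; an empty list means the password is accepted."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if not any(ch in string.punctuation for ch in password):
        problems.append("no special character")
    lowered = password.lower()
    # Personal identifiers are the first guesses in a targeted dictionary attack.
    pii = [username] + full_name.split()
    if birth_year:
        pii.append(str(birth_year))
    for token in pii:
        if len(token) >= 3 and token.lower() in lowered:
            problems.append(f"contains personal data '{token}'")
    if _canonical(password) in WEAK_CANONICAL:
        problems.append("appears in exposed/common password list")
    return problems
```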
Organization-wide password security training
It is vital that every user understands the importance of a strong password policy and follows the organization-wide password security awareness guidance. Additionally, every application user should be aware of social engineering attacks that trick them into submitting their credentials to malicious third parties.
Enable Multifactor Authentication
Passwords in themselves generally do not offer a complete user authentication solution. Multifactor authentication involves the use of passwords in combination with extra security checks. Some MFA implementations include the One-Time Password (OTP), biometric authentication, software tokens, and behavioral analysis.
Use a password manager
The primary function of a password manager is to help web administrators store and manage user credentials. Password management solutions also generate passwords for users that follow strong policies and best practices. In addition, these tools store user credentials in strongly encrypted databases, which makes them far harder to expose in a data breach.
FAQ
What are the differences between broken authentication and password attacks?
Broken authentication encompasses a collection of vulnerabilities that allow hackers to assume the identity of an application’s legitimate user. These weaknesses often arise due to poor session and credential management. On the other hand, password attacks involve strategies orchestrated by exploiting credential management vulnerabilities, granting the attacker access to a use