If we could sum up our message at Secret Double Octopus, it would be that password authentication is outdated and dangerous.
While the general risks of weak authentication are well known, often users don’t quite understand the full implications of this threat.
We therefore decided to use this post to provide a more comprehensive overview of all the vulnerabilities of passwords, and how our passwordless authentication solutions prevent them.
Password spraying
What is Password Spraying?
Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords.
Well known instances of Password Spraying attacks:
The Citrix Breach
Dubai School Network
How Do we prevent Password Spraying?
Password spraying relies on the use of common and generic passwords, a practice that unfortunately remains widespread today. By removing the use of passwords, Secret Double Octopus renders an account immune to this attack.
Credential stuffing
What is Credential Stuffing?
Credential stuffing is a type of cyberattack where stolen account credentials, typically consisting of lists of usernames and/or email addresses and their corresponding passwords, are used to gain unauthorized access to user accounts. Using a program called an ‘account checker’, hackers launch large-scale automated login requests against a slew of web applications.
Well known instances of Credential Stuffing attacks:
HSBC Breach
Collection 1
Spotify
How do we prevent Credential Stuffing?
Credential stuffing typically relies on user-generated passwords that were obtained from large breaches. Secret Double Octopus removes user-generated passwords, and in turn, the risk of credential stuffing.
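Both password spraying and credential stuffing leave the same footprint in authentication logs: one source touching many accounts with only one or two failed attempts each, which stays under a per-account lockout threshold. The following detection logic is an added example, not code from Secret Double Octopus; the log format and the sample lines are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed format: timestamp, outcome, user, source IP).
SAMPLE_LOG = """\
2024-05-01T09:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T09:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T09:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T09:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T09:00:05 FAIL user=erin src=203.0.113.7
2024-05-01T09:00:06 FAIL user=frank src=203.0.113.7
2024-05-01T09:00:07 OK   user=alice src=198.51.100.20
2024-05-01T09:00:08 FAIL user=alice src=198.51.100.20
2024-05-01T09:00:09 FAIL user=alice src=198.51.100.20
2024-05-01T09:00:10 FAIL user=alice src=198.51.100.20
2024-05-01T09:00:11 FAIL user=alice src=198.51.100.20
"""

LINE_RE = re.compile(r"^\S+\s+(OK|FAIL)\s+user=(\S+)\s+src=(\S+)$")


def parse(log_text):
    """Yield (outcome, user, src) tuples; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group(1), m.group(2), m.group(3)


def find_spraying_sources(log_text, min_users=5, lockout=5):
    """Return {src: distinct_user_count} for sources whose failed logins touch
    many accounts while no single account reaches the lockout threshold.
    That low-per-account, wide-across-accounts pattern is the signature of
    spraying and stuffing; a classic single-account brute force is not flagged
    here because the lockout policy already handles it."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for outcome, user, src in parse(log_text):
        if outcome == "FAIL":
            fails[src][user] += 1
    flagged = {}
    for src, per_user in fails.items():
        if len(per_user) >= min_users and max(per_user.values()) < lockout:
            flagged[src] = len(per_user)
    return flagged
```

In the sample, 203.0.113.7 is flagged (six accounts, one failure each) while 198.51.100.20, which hammers a single account, is left to the lockout rule.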
Spear Phishing
What is Spear Phishing?
Phishing attacks are cyberattacks designed to get a user to divulge compromising information. As its name implies, Spear Phishing is a targeted attack against a particular user or set of users, based on their unique profile. Spear phishing messages are tailored to the targets in an effort to convince them the communications are legitimate. This is usually done by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequently visit, or what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity and attempt to extract sensitive information, typically through email or other online messaging.
To date, Spear phishing is the most successful form of acquiring credentials and other sensitive data via the internet, accounting for 91% of all attacks.
Well known instances of Spear Phishing attacks:
How does Secret Double Octopus prevent Spear Phishing?
Spear phishing attacks rely on fraudulent communications, usually in the form of emails following a Business email compromise (BEC) incident. When using Secret Double Octopus, users are never prompted to reset or update passwords, meaning users will know that any such request is an attempt by a cybercriminal. Secret Double Octopus both removes the credentials target and negates the mechanism by which Spear Phishing works.
Brute Force Attack and Offline Cracking
What is a Brute Force Attack?
Brute force attacks involve repeated login attempts using every possible letter, number, and character combination to guess a password.
An attacker using brute force is typically trying to guess a user or administrator password, or a password hash key. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys: the difficulty of a brute force attack grows exponentially with the length of the password or key.
What are some examples of Brute Force attacks?
What is Offline Cracking?
Offline Password Cracking is an attempt to extract one or more passwords from a password storage file that has been recovered from a target system. Typically, this form of cracking will require that an attacker has already attained a high level of access to a system, in order to gain access to the necessary file. Once the hackers gain access to the stored passwords, they are able to move freely through a wide range of network accounts.
Well known instances of Offline Cracking
How does Secret Double Octopus prevent Brute Force Attacks and Offline Cracking?
Both of these attacks rely on breaching access to credentials. Hackers target systems that rely on passwords as a first factor. There are many cases in which hackers capitalize on weak communication protocols connecting networks to servers and use these methods to bypass MFA. Secret Double Octopus does not use passwords as a first factor of authentication, thereby preventing brute force attacks.
Rainbow table attacks
What is a Rainbow Table Attack?
A Rainbow Table attack is designed to recover passwords from their cryptographic hashes. It relies on huge precomputed tables of hash values, each pre-matched to a possible plaintext password. The proper application of a Rainbow Table can allow a hacker to break passwords with relatively high complexity.
Well known instances of Rainbow Attacks:
How does Secret Double Octopus prevent Rainbow Table Attacks?
Rainbow attacks can only be successful against an account that uses passwords as the primary factor. Once passwords are gone, the most sophisticated Rainbow Table is useless.
Social Engineering
What is Social Engineering?
Social engineering covers a very broad range of attacks by which cybercriminals manipulate individuals into divulging login credentials. Social media platforms often provide the perfect venue for hackers to reach out to potential victims under a guise and extract information.
Some social engineering methods don’t even require attackers to engage directly with victims. Criminals can go directly to a user’s service provider such as a cell phone or internet company and deceive a representative into delivering new passwords to the phone or device of their choice.
Well Known instances of Social Engineering attacks:
Hack of Black Lives Matter activist DeRay Mckesson
How does Secret Double Octopus prevent Social Engineering Attacks?
Regardless of what method hackers deploy, the goal of any social engineering attack is to extract login credentials to a victim’s account. By eliminating credentials from the authentication equation, there is no longer a target for a social engineering campaign.
Keylogger Malware
What is Keylogger Malware?
A Keylogger Attack involves the illicit use of a keystroke logging program to record and capture passwords. Hackers can infect a machine with a keylogger by planting them on legitimate websites or in phishing messages. The seemingly innocuous content of the web page or message contains commands to download a keylogger file that a user can activate with a simple click.
Well Known Instance of Keylogger Attacks:
2019 Chinese Intelligence Campaign Against U.S. Tech
How does Secret Double Octopus prevent Keylogger Attacks?
Even after successfully getting a user to download a keylogger, hackers still need the victim to type in his or her passwords so they can be recorded. If passwords are not being entered, nothing captured by the keylogger will grant an attacker access to accounts.
Shoulder Surfing
What is Shoulder Surfing?
More aptly categorized as a form of tradecraft than a cyberattack, Shoulder Surfing is simply the stealing of a user’s credentials by literally peering over their shoulder while they type them in. While this may seem like an overly simple method, research has shown Shoulder Surfing to have a substantial success rate.
Well Known Instances of Shoulder Surfing:
2016 California Shoulder Surfing Spree
How does Secret Double Octopus prevent Shoulder Surfing Attacks?
Any ‘Shoulder Surfer’ is looking to identify users’ passwords as they type them into a device. When users are no longer entering passwords, there is no longer any information being exposed that could give a peeping hacker illicit access.
Corporate Account Takeover (CATO)
What is Corporate Account Takeover (CATO)?
Corporate account takeover occurs when an attacker manages to gain unauthorized access to a legitimate business account. Control of the account is then used for nefarious activities such as initiating a fraudulent payment or wire transfer, or stealing sensitive data.
Well known instances of Corporate Account Takeover (CATO)
Leaving the Password Threat Behind
The above list of techniques for breaking password-based authentication schemes is just a small sampling of the dangers posed by passwords, an outdated method of authentication which is still the method of choice for most applications.
Secret Double Octopus is helping customers evolve to the next stage of digital authentication: passwordless authentication. Its Octopus Authenticator neutralizes all of the attacks that target users’ passwords by simply getting rid of them.