What Does Passwordless Authentication Prevent?

Shimrit Tzur-David | May 1, 2019

If we could sum up our message at Secret Double Octopus, it would be that password authentication is outdated and dangerous.

While the general risks of weak authentication are well known, often users don’t quite understand the full implications of this threat.

We therefore decided to use this post to provide a more comprehensive overview of the vulnerabilities of passwords, and how our passwordless authentication solutions prevent them.

Password spraying

What is Password spraying?

Password spraying is an attack that attempts to access a large number of accounts (usernames) with a few commonly used passwords.

Well known instances of Password Spraying attacks:

The Citrix Breach
Dubai School Network

How do we prevent Password Spraying?

Password spraying relies on the use of common and generic passwords, unfortunately a practice that remains widespread to this day. By removing the use of passwords, Secret Double Octopus renders an account immune to this attack.

Credential stuffing

What is Credential stuffing?

Credential stuffing is a type of cyberattack in which stolen account credentials, typically lists of usernames and/or email addresses with their corresponding passwords, are used to gain unauthorized access to user accounts. Using a program called an ‘account checker’, hackers launch large-scale automated login requests against a slew of web applications.

Well known instances of Credential Stuffing attacks:

HSBC Breach
Collection 1
Spotify

How do we prevent Credential Stuffing?

Credential stuffing typically relies on user-generated passwords that were obtained from large breaches. Secret Double Octopus removes user-generated passwords, and with them the risk of credential stuffing.
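From a defender's side, the two attacks described above, password spraying and credential stuffing, share one observable signature: failed logins from a single source spread across many distinct accounts, with only a few guesses per account, whereas a classic brute-force attempt hammers one account. The detector below is an added example, not part of the original post or of Secret Double Octopus's product; its log format, IP addresses, usernames and thresholds are constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of login records for the demo (not real logs).
SAMPLE_LOG = """\
2019-05-01T10:00:01 src=203.0.113.7 user=alice result=FAIL
2019-05-01T10:00:03 src=203.0.113.7 user=bob result=FAIL
2019-05-01T10:00:05 src=203.0.113.7 user=carol result=FAIL
2019-05-01T10:00:07 src=203.0.113.7 user=dave result=FAIL
2019-05-01T10:00:09 src=203.0.113.7 user=erin result=FAIL
2019-05-01T10:00:01 src=198.51.100.9 user=alice result=FAIL
2019-05-01T10:00:02 src=198.51.100.9 user=alice result=FAIL
2019-05-01T10:00:03 src=198.51.100.9 user=alice result=FAIL
2019-05-01T10:00:04 src=198.51.100.9 user=alice result=FAIL
2019-05-01T10:00:05 src=198.51.100.9 user=alice result=FAIL
2019-05-01T10:05:00 src=192.0.2.20 user=grace result=FAIL
2019-05-01T10:05:30 src=192.0.2.20 user=grace result=OK
"""
LINE_RE = re.compile(r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<res>\S+)$")

def failed_logins(log_text):
    """Return (timestamp, source, username) for each failed login, sorted by time."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group("res") == "FAIL":
            events.append((datetime.fromisoformat(m.group("ts")), m.group("src"), m.group("user")))
    return sorted(events)

def classify_sources(log_text, window=timedelta(minutes=5), min_failures=5, spray_accounts=5):
    """Label a source whose failures inside one window reach min_failures: 'spray_or_stuffing'
    when they are spread over many distinct accounts, 'brute_force' when they hit one account."""
    by_src = defaultdict(list)
    for ts, src, user in failed_logins(log_text):
        by_src[src].append((ts, user))
    verdicts = {}
    for src, items in by_src.items():  # items are already time-ordered
        for i, (start, _) in enumerate(items):
            users = [u for ts, u in items[i:] if ts - start <= window]
            if len(users) < min_failures:
                continue
            distinct = len(set(users))
            if distinct >= spray_accounts:
                verdicts[src] = "spray_or_stuffing"
                break
            if distinct == 1:
                verdicts[src] = "brute_force"
                break
    return verdicts
```

Because spraying and stuffing deliberately stay under per-account lockout thresholds, the per-source view across accounts is what surfaces them; the single successful login from 192.0.2.20 is correctly left unflagged.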

Spear Phishing

What is Spear Phishing?

Phishing is a form of cyberattack designed to get a user to divulge compromising information. As its name implies, Spear Phishing is a targeted attack against a particular user or set of users, based on their unique profile. Spear phishing messages are tailored to the targets in an effort to convince them the communications are legitimate. This is usually done by acquiring personal details on the victim such as their friends, hometown, employer, locations they frequently visit, or what they have recently bought online. The attackers then disguise themselves as a trustworthy friend or entity and attempt to extract sensitive information, typically through email or other online messaging.

To date, Spear phishing is the most successful form of acquiring credentials and other sensitive data via the internet, accounting for 91% of all attacks.

Well known instances of Spear Phishing attacks:

Anthem

Ubiquiti Networks

Crelan

Soula

How does Secret Double Octopus prevent Spear Phishing?

Spear phishing attacks rely on fraudulent communications, usually in the form of emails following a Business Email Compromise (BEC) incident. When using Secret Double Octopus, users are never prompted to reset or update passwords, so users will know that any such request is an attempt by a cybercriminal. Secret Double Octopus both removes the credential target and negates the mechanism by which Spear Phishing works.

Brute Force Attack and Offline Cracking

What is a Brute Force Attack?

Brute force attacks involve repeated login attempts using every possible letter, number, and character combination to guess a password.

An attacker using brute force is typically trying to guess a user password, an administrator password, or a password hash key. Guessing a short password can be relatively simple, but that isn’t necessarily the case for longer passwords or encryption keys: the difficulty of a brute force attack grows exponentially with the length of the password or key.

What are some examples of Brute Force attacks?

Georgia Tech

IBM Research

What is Offline Cracking?

Offline Password Cracking is an attempt to extract one or more passwords from a password storage file that has been recovered from a target system. Typically, this form of cracking requires that an attacker has already obtained a high level of access to a system in order to reach the necessary file. Once the hackers gain access to the stored passwords, they are able to move freely through a wide range of network accounts.

Well known instances of Offline Cracking

LastPass Breach

How does Secret Double Octopus prevent Brute Force Attacks and Offline Cracking?

Both of these attacks rely on gaining access to credentials. Hackers target systems that rely on passwords as a first factor. In many cases hackers capitalize on weak communication protocols connecting networks to servers and use these methods to bypass MFA. Secret Double Octopus does not use passwords as a first factor of authentication, thereby preventing brute force attacks.

Rainbow table attacks

What is a Rainbow Table Attack?

A Rainbow Table attack is designed to recover passwords from their cryptographic hashes. Rainbow tables are huge precomputed tables of hash values, each pre-matched to a candidate plaintext password. The proper application of a Rainbow Table can allow a hacker to break passwords of relatively high complexity.

Well known instances of Rainbow Table Attacks:

WikiLeaks breaches

How does Secret Double Octopus prevent Rainbow Table Attacks?

Rainbow Table attacks can only succeed against an account that uses a password as the primary factor. Once passwords are gone, even the most sophisticated Rainbow Table is useless.

Social Engineering

What is Social Engineering?

Social engineering covers a very broad range of attacks by which cybercriminals manipulate individuals into divulging login credentials. Social media platforms often provide the perfect venue for hackers to reach out to potential victims under a guise and extract information.

Some social engineering methods don’t even require attackers to engage directly with victims. Criminals can go directly to a user’s service provider such as a cell phone or internet company and deceive a representative into delivering new passwords to the phone or device of their choice.

Well Known instances of Social Engineering attacks:

Hack of Black Lives Matter activist DeRay Mckesson

How does Secret Double Octopus prevent Social Engineering Attacks?

Regardless of what method hackers deploy, the goal of any social engineering attack is to extract login credentials to a victim’s account. By eliminating credentials from the authentication equation, there is no longer a target for a social engineering campaign.

Keylogger Malware

What is Keylogger Malware?

A Keylogger Attack involves the illicit use of a keystroke logging program to record and capture passwords. Hackers can infect a machine with a keylogger by planting it on legitimate websites or in phishing messages. The seemingly innocuous content of the web page or message contains commands to download a keylogger file that a user can activate with a simple click.

Well Known Instances of Keylogger Attacks:

VSDC Hack

2019 Chinese Intelligence Campaign Against U.S. Tech

How does Secret Double Octopus prevent Keylogger Attacks?

Even after successfully getting a user to download a keylogger, hackers still need the victim to type in his or her passwords so they can be recorded. If passwords are not being entered, nothing captured by the keylogger will grant an attacker access to accounts.

Shoulder Surfing

What is Shoulder Surfing?

More aptly categorized as a form of tradecraft than a cyberattack, Shoulder Surfing is simply the stealing of a user’s credentials by literally peering over their shoulder while they are typing them in. While this may seem like an overly simple method, research has shown Shoulder Surfing to have a substantial track record of success.

Well Known Instances of Shoulder Surfing:

2016 California Shoulder Surfing Spree

How does Secret Double Octopus prevent Shoulder Surfing Attacks?

Any ‘Shoulder Surfer’ is looking to identify users’ passwords as they type them into a device. When users are no longer entering passwords, there is no longer any information being exposed that could give a peeping hacker illicit access.

Corporate Account Takeover (CATO)

What is Corporate Account Takeover (CATO)?

Corporate account takeover occurs when an attacker manages to gain unauthorized access to a legitimate business account. Control of the account is then used for nefarious activities such as initiating a fraudulent payment or wire transfer, or stealing sensitive data.


Well known instances of Corporate Account Takeover (CATO)

BancorpSouth Breach

Ocean Bank Breach

Leaving the Password Threat Behind

The above list of techniques for breaking password-based authentication schemes is just a small sampling of the dangers posed by passwords, an outdated method of authentication that is still the method of choice for most applications.

Secret Double Octopus is helping customers evolve to the next stage of digital authentication: passwordless authentication. Its Octopus Authenticator neutralizes all of the attacks that target users’ passwords by simply getting rid of them.