Microsoft recently published its Digital Defense Report for 2022 citing a 74% increase in password attacks to more than 900 per second. By way of explanation, the study found, “over 90 percent of accounts compromised via these methods are not protected with strong authentication.”
Let’s call that our starting point for 2023, bleak as it is, and take a quick look at how password attack methods have evolved, and then at four common-sense things identity managers can do right now to prevent password attacks.
What is a password attack?
Any attack that uses stolen, purchased, leaked, or phished usernames and passwords to access systems and wreak havoc (steal data, disrupt business operations, launch a DDoS or other bot-driven attack; the possibilities are endless). One type we have all heard about at length (or ad nauseam) is phishing in all its modern permutations: spear phishing, whaling, smishing (SMS), vishing (voice), and adversary-in-the-middle (AiTM, also called man in the middle or MITM) phishing, which proxies the real login page.
Phishing dupes users into handing over their credentials themselves, usually on a fake login page. But the 74% rise in password attacks detected by Microsoft is driven by several other dynamics as well:
- Attacks becoming big business: would-be attackers can buy passwords on the dark web fast and at commodity prices
- Techniques becoming more elaborate
Why so popular?
The perennial problem with passwords is that they’re ubiquitous, poorly managed, and easy to buy, steal, and guess. Despite skyrocketing investment and pressure to bolster cybersecurity, password attacks still work.
In 2021, RockYou2021, the largest password compilation of all time, was posted online with 8.4 billion entries.
100 percent of human-operated ransomware attacks include stolen credentials. Many sophisticated intrusions use credentials purchased on the dark web that were originally stolen by unsophisticated, widely distributed credential-theft malware. This class of malware has evolved to steal tokens as well, including session cookies and tokens carrying MFA claims.
The rise of man in the middle (MITM) attacks
Attackers now use MITM (more precisely, adversary-in-the-middle, AiTM) phishing not only to capture credentials but also to capture the session tokens issued after the victim completes MFA. An unsuspecting victim clicks a link in a fake email and lands on a proxy site that looks like the legitimate IdP sign-in page. The proxy relays the username, password, and MFA challenge to the real IdP in real time, so the IdP issues a token (one that may carry the MFA claims needed to satisfy access policies), and the attacker captures that token as it passes back through the proxy. With the token in hand, the attacker no longer needs the password or the MFA device.
Modern attacks raise the stakes
As defenders keep raising the bar, attackers continue to innovate and commoditize password attacks. Modern techniques include:
Password spraying attacks
In a password spray attack, the attacker tries a few commonly used passwords against a large number of accounts. A spray takes one common password and tries it against a whole list of employees or usernames. Because each account sees only a single failed attempt per round, per-account lockout thresholds are never reached; the attacker then waits 30 minutes or so (longer than the typical lockout observation window) before trying the next obvious password against the same list.
Even if most employees use hard-to-guess passwords, attackers only need one hit to gain access and start moving laterally or up the ladder of privileged access. Sprays can target pretty much anyone anywhere in an organization, whereas spear phishing targets higher-ups or particular functions.
“Auditors cracked nearly 22% of passwords used by employees at the Interior Department. That includes 288 accounts with elevated privileges and 362 accounts used by senior government officials. The report from the Interior inspector general said the agency does not consistently use multifactor authentication.” (Federal News Network)
Password spray campaigns typically target single sign-on (SSO) and cloud-based applications that use federated authentication protocols, where the attacker’s attempts blend in with the high volume of legitimate sign-ins.
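The breadth-versus-depth pattern described above is what a detection has to key on, because a per-account lockout threshold never sees it. The Go program below is an added example written for this article, not part of the original post or any vendor’s product. It parses a constructed sign-in log (the line format, the hosts and the usernames are all made up for the example) and flags any source that fails against many distinct accounts inside a short window while each account collects only one or two failures, then lists any account that later signed in successfully from that same source.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

type AuthEvent struct {
	When   time.Time
	SrcIP  string
	User   string
	Failed bool
}

// ParseAuthLog reads lines shaped like the constructed SampleLog below and time-orders them.
func ParseAuthLog(raw string) ([]AuthEvent, error) {
	var events []AuthEvent
	for _, line := range strings.Split(strings.TrimSpace(raw), "\n") {
		f := strings.Fields(line)
		if len(f) != 4 {
			return nil, fmt.Errorf("malformed line %q", line)
		}
		when, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			return nil, err
		}
		events = append(events, AuthEvent{
			When:   when,
			SrcIP:  strings.TrimPrefix(f[1], "src="),
			User:   strings.TrimPrefix(f[2], "user="),
			Failed: f[3] == "result=FAIL",
		})
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	return events, nil
}

// SprayAlert describes one source that failed against many distinct accounts.
type SprayAlert struct {
	SrcIP      string
	Users      []string // distinct accounts that failed from SrcIP inside the window
	MaxPerUser int      // highest failure count for any one of them; 1 or 2 in a spray
	Successes  []string // accounts that signed in successfully from the same source
}

// DetectSpray flags a source whose failures span at least minUsers distinct accounts within
// window. Per-account lockout never fires on this traffic; the signal is breadth, not depth.
func DetectSpray(events []AuthEvent, minUsers int, window time.Duration) []SprayAlert {
	bySrc, okBySrc := map[string][]AuthEvent{}, map[string][]string{}
	for _, ev := range events {
		bySrc[ev.SrcIP] = append(bySrc[ev.SrcIP], ev)
		if !ev.Failed {
			okBySrc[ev.SrcIP] = append(okBySrc[ev.SrcIP], ev.User)
		}
	}
	var alerts []SprayAlert
	for src, evs := range bySrc {
		for i := range evs {
			perUser := map[string]int{}
			for j := i; j < len(evs) && evs[j].When.Sub(evs[i].When) <= window; j++ {
				if evs[j].Failed {
					perUser[evs[j].User]++
				}
			}
			if len(perUser) < minUsers {
				continue
			}
			a := SprayAlert{SrcIP: src, Successes: okBySrc[src]}
			for u, n := range perUser {
				a.Users = append(a.Users, u)
				if n > a.MaxPerUser {
					a.MaxPerUser = n
				}
			}
			sort.Strings(a.Users)
			alerts = append(alerts, a)
			break // one alert per source is enough
		}
	}
	sort.Slice(alerts, func(i, j int) bool { return alerts[i].SrcIP < alerts[j].SrcIP })
	return alerts
}

// SampleLog is constructed for this example: 203.0.113.7 sprays one password across five
// accounts and, after the usual pause, gets into erin; 198.51.100.9 hits alice alone.
const SampleLog = `
2023-01-10T09:00:01Z src=203.0.113.7 user=alice result=FAIL
2023-01-10T09:00:03Z src=203.0.113.7 user=bob result=FAIL
2023-01-10T09:00:05Z src=203.0.113.7 user=carol result=FAIL
2023-01-10T09:00:07Z src=203.0.113.7 user=dave result=FAIL
2023-01-10T09:00:09Z src=203.0.113.7 user=erin result=FAIL
2023-01-10T09:01:00Z src=198.51.100.9 user=alice result=FAIL
2023-01-10T09:31:00Z src=203.0.113.7 user=erin result=OK
`

func main() { events, _ := ParseAuthLog(SampleLog); fmt.Printf("%+v\n", DetectSpray(events, 5, 5*time.Minute)) }
```

Run as is, it reports 203.0.113.7 as the sprayer (five accounts, at most one failure each, a later success on erin) and ignores 198.51.100.9, which only touches alice and is the single-account brute-force case that a lockout policy does catch. In production the same logic runs over the IdP’s sign-in log keyed on source IP or ASN, and the detection window should be at least as long as the attacker’s pause between password rounds (the 30 minutes mentioned above), so the second and third passwords tried from the same source are tied to the first.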
Brute force password attacks
With brute force, instead of spraying a few passwords across a large batch of usernames, the attacker targets one particular account and cycles through large volumes of candidate passwords. They may do some due diligence on social media beforehand to build a set of likely variations (pet names, birthdays, favorite teams) and improve the odds of guessing right.
Cognitive password attacks
Here the target is the answers to security questions (where you were born, the name of your first-grade teacher, and so on) for a particular user. Those answers are often discoverable from social media or public records, and they are used to reset the login credentials themselves.
Password dictionary attacks
A variation on the classic brute-force attack, a dictionary attack tries to break into password-protected accounts or devices by systematically entering every word in a wordlist, plus automatically generated variations in “leetspeak” such as H&CK8r$ (replacing letters with look-alike digits or symbols) and appended digits or years. Dictionary attacks succeed when users build passwords from common words and names with predictable tweaks rather than from random material.
Credential stuffing attacks
Credential stuffing assumes passwords do not get changed the way they should after a breach. The attacker automatically injects stolen username (typically email) and password pairs into a login form, usually on a web application, to gain unauthorized access to user accounts. Automation tools feed large numbers of compromised credentials into the application until one succeeds: the attacker simply tries previously exposed usernames and passwords to find one that hasn’t been reset.
Another important enabler for credential stuffing is the tendency of users to reuse passwords across multiple accounts. Once credentials become compromised, attackers can hop from one application to another.
Keylogging attacks
For keylogging to succeed, some form of malware needs to get onto the system before the credentials are captured. The software watches and records every keystroke and feeds credentials back to the bad actors.
Stepping up attacks against critical infrastructure
In a report released in January 2023, the Inspector General of the U.S. Department of the Interior (DOI) wrote:
“The objective of our inspection was to determine whether the U.S. Department of the Interior’s password management and enforcement controls were effective enough to prevent a malicious actor from gaining unauthorized access to Department computer systems by capturing and “cracking” user passwords . . . In the first 90 minutes of testing, we cracked the passwords for 16 percent of the Department’s user accounts.”
Along with government agencies, which already face mandates to implement phishing-resistant MFA by 2024, other critical infrastructure (CI) sectors present compelling targets:
In the UK, the draft Product Security and Telecommunications Infrastructure Bill will require manufacturers of consumer connectable products, such as smart TVs, to stop using default passwords that are an easy target for cybercriminals, to establish a vulnerability disclosure policy (such as a way to receive notifications of security flaws), and to provide transparency about the minimum length of time during which they will provide security updates.
Microsoft found IoT/OT devices often used in energy and utility infrastructures are particularly vulnerable to attack due in large part to weak credentials: “Based on a sample size of over 39 million IoT and OT devices, those using identical usernames and passwords represented around 20 percent.”
4 Tips to Prevent Any Password Attack
1. Do the obvious: get rid of passwords
Phase in MFA (although you might as well go passwordless). The audit-style research conducted at the DOI found:
The Department did not consistently implement multi-factor authentication, including for 89% of its High Value Assets. We found that the Department allowed single-factor authentication (username and password) on an indeterminate number of its applications, notwithstanding 18 years of mandates.
Traditional MFA means requiring more than one factor at login: a password plus, typically, a one-time passcode (OTP) sent via SMS or generated by an app, a biometric, a FIDO2 security key, or a smart card (X.509 certificate). Not all of these are equal. OTPs and push approvals can be relayed by the AiTM proxy described above; FIDO2/WebAuthn and certificate-based authentication bind the credential to the site’s origin and cannot be relayed. Evolving Zero Trust mandates overwhelmingly agree that the only truly phishing-resistant approaches are those that take the password out of the login entirely.
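Why FIDO2/WebAuthn survives the AiTM proxy described in the MITM section while a relayed OTP does not: the browser, not the page, writes the origin it is actually talking to into the data the security key signs, and the relying party refuses anything signed for another origin. The Go program below is an added illustration written for this article, not the WebAuthn library, a security key’s firmware, or any IdP’s code. It models a minimal authenticator and relying party with a real ECDSA P-256 key, reduces authenticatorData to the rpIdHash, and uses constructed origins (login.example.com for the relying party, login-example.attacker.test for the proxy) and a fixed challenge that a real relying party would draw randomly for every login.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"net/url"
)

// clientData is filled in by the browser, not the page: the origin the browser is really on.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion mirrors a WebAuthn AuthenticatorAssertionResponse; authenticatorData is reduced to the rpIdHash.
type Assertion struct {
	ClientDataJSON, AuthenticatorData []byte
	Signature                         []byte // ECDSA P-256 over authData || SHA-256(clientDataJSON)
}

type Authenticator struct{ Key *ecdsa.PrivateKey } // one registered credential; the RP stored the public half

func rpIDHash(origin string) []byte {
	u, err := url.Parse(origin)
	if err != nil {
		return nil
	}
	h := sha256.Sum256([]byte(u.Hostname()))
	return h[:]
}

func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return d[:]
}

// Sign is the key touch. browserOrigin is set by the browser from the page that called
// navigator.credentials.get(); a phishing page cannot choose it. A real authenticator would not
// even hold a credential for a foreign rpId; it signs here so the RP-side checks can be shown.
func (a *Authenticator) Sign(challenge, browserOrigin string) (*Assertion, error) {
	cd, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: challenge, Origin: browserOrigin})
	if err != nil {
		return nil, err
	}
	authData := rpIDHash(browserOrigin)
	sig, err := ecdsa.SignASN1(rand.Reader, a.Key, signedDigest(authData, cd))
	return &Assertion{ClientDataJSON: cd, AuthenticatorData: authData, Signature: sig}, err
}

// Verify is the relying party's side: issued challenge, own origin, matching rpIdHash, then signature.
func Verify(pub *ecdsa.PublicKey, a *Assertion, expectedChallenge, rpOrigin string) error {
	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != expectedChallenge:
		return fmt.Errorf("challenge mismatch: stale or replayed assertion")
	case cd.Origin != rpOrigin:
		return fmt.Errorf("origin %q is not %q: assertion was produced on another site", cd.Origin, rpOrigin)
	case string(a.AuthenticatorData) != string(rpIDHash(rpOrigin)):
		return fmt.Errorf("rpIdHash mismatch")
	case !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature):
		return fmt.Errorf("bad signature")
	}
	return nil
}

// Scenario returns the RP's verdict for a genuine login, for the same key used through an AiTM
// proxy that relayed the RP's real challenge, and for a captured assertion replayed later.
func Scenario() (genuine, phished, replayed error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	auth, pub := &Authenticator{Key: key}, &key.PublicKey
	const rpOrigin = "https://login.example.com" // constructed RP origin
	const challenge = "Zm9yLWV4YW1wbGUtb25seQ"   // constructed; a real RP draws this randomly per login
	a1, err := auth.Sign(challenge, rpOrigin)
	if err != nil {
		return err, err, err
	}
	// The proxy page sits on its own origin, and that is what the victim's browser records.
	a2, err := auth.Sign(challenge, "https://login-example.attacker.test")
	if err != nil {
		return err, err, err
	}
	genuine = Verify(pub, a1, challenge, rpOrigin)
	phished = Verify(pub, a2, challenge, rpOrigin)
	replayed = Verify(pub, a1, "a-newer-challenge", rpOrigin) // RP has moved on to a fresh challenge
	return genuine, phished, replayed
}

func main() { fmt.Println(Scenario()) }
```

Scenario returns nil for the genuine login and an origin-mismatch error for the relayed one, even though the relayed signature itself is cryptographically valid: the proxy can forward the RP’s challenge, but it cannot make the victim’s browser claim the RP’s origin. An SMS or app OTP carries no such binding, which is why it relays cleanly. Certificate-based authentication (smart cards) resists the proxy for the same reason, because the TLS client certificate is bound to the connection, not typed into a page.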
2. Address MFA Fatigue
MFA fatigue is a thing, and attackers are only too glad to turn it to their advantage with techniques like push bombing. Having obtained a valid password, they trigger MFA push request after push request to the user’s device until the worn-down user approves one and throws the door open. Number matching on push prompts, rate limits on repeated prompts, and alerting on a burst of denied prompts blunt this.
Users hate having to change, reset, and manage passwords, especially complicated ones, and many different ones across a slew of devices, portals, and services.
But if you can’t get rid of passwords entirely just yet (we can show you how to do it in under an hour), start with multi-factor authentication that takes “what users know” out of the equation, and apply some common-sense rules around it.
3. Require stronger passwords to begin with
Weak password hashing: twenty-seven percent of the firmware images scanned contained accounts whose passwords were hashed with weak algorithms (MD5 or DES crypt), which attackers break easily with offline cracking.
Here, the DOI study found, “the Department’s password complexity requirements were outdated and ineffective, allowing users to select easy-to-crack passwords.”
One easy way to combat this is a password manager, which generates a strong, unique random password for each application (so nothing is reused), stores them, and makes brute-force guessing impractical.
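Where passwords are still set by users, the identity team can enforce three checks at password-set time that map directly onto the dictionary, leetspeak and credential-stuffing attacks described earlier, and onto the weak policy the DOI audit found. The Go program below is an added example written for this article, not a product’s code: a minimum length, a breach check done the way the Pwned Passwords range API does it (only the first five hex characters of the SHA-1 leave the client, so the password itself is never sent), and a blocklist lookup after undoing the usual leetspeak and trailing-digit tricks. The breach corpus and its counts, the blocklist, and the candidate passwords are all constructed for the example, and FakeRange is an offline stand-in for the real HTTP endpoint.

```go
package main

import (
	"crypto/sha1"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
	"unicode"
)

// leet undoes the substitutions that cracking rule sets apply to dictionary words.
var leet = map[rune]rune{'@': 'a', '4': 'a', '8': 'b', '3': 'e', '1': 'i', '!': 'i', '0': 'o', '$': 's', '5': 's', '7': 't', '+': 't'}

// Blocklist is constructed for this example; a real one holds thousands of words plus
// the organisation's own name, products and locations.
var Blocklist = map[string]bool{"password": true, "hacker": true, "welcome": true, "summer": true, "winter": true, "letmein": true, "qwerty": true, "acme": true}

// Normalize lowercases, drops the trailing digits and symbols users bolt on, and reverses
// leetspeak, so "Summ3r2023!" and "summer" collide.
func Normalize(pw string) string {
	base := strings.TrimRightFunc(strings.ToLower(pw), func(r rune) bool { return !unicode.IsLetter(r) })
	var b strings.Builder
	for _, r := range base {
		if rep, ok := leet[r]; ok {
			r = rep
		}
		b.WriteRune(r)
	}
	return b.String()
}

func sha1Hex(s string) string {
	sum := sha1.Sum([]byte(s))
	return strings.ToUpper(hex.EncodeToString(sum[:]))
}

// RangeClient answers like the Pwned Passwords range API: given the first five hex
// characters of SHA-1(password) it returns "SUFFIX:COUNT" lines for every breached hash
// sharing that prefix, so the full hash never leaves the caller.
type RangeClient func(prefix string) string

// FakeRange serves a constructed breach corpus offline in that format.
func FakeRange(corpus map[string]int) RangeClient {
	return func(prefix string) string {
		var lines []string
		for pw, n := range corpus {
			if h := sha1Hex(pw); strings.HasPrefix(h, prefix) {
				lines = append(lines, fmt.Sprintf("%s:%d", h[5:], n))
			}
		}
		return strings.Join(lines, "\n")
	}
}

// PwnedCount returns how often pw appears in the corpus behind client, 0 if never.
// Padding entries from the real API carry a count of 0 and so read correctly as "not breached".
func PwnedCount(client RangeClient, pw string) (int, error) {
	h := sha1Hex(pw)
	for _, line := range strings.Split(client(h[:5]), "\n") {
		suffix, count, ok := strings.Cut(strings.TrimSpace(line), ":")
		if ok && suffix == h[5:] {
			return strconv.Atoi(count)
		}
	}
	return 0, nil
}

// Reject explains why pw is unacceptable, or returns "" when it passes all three checks.
func Reject(client RangeClient, pw string) (string, error) {
	if len(pw) < 8 {
		return "shorter than 8 characters", nil
	}
	n, err := PwnedCount(client, pw)
	if err != nil {
		return "", err
	}
	if n > 0 {
		return fmt.Sprintf("appears %d times in breach data, so credential-stuffing lists already carry it", n), nil
	}
	if w := Normalize(pw); Blocklist[w] {
		return fmt.Sprintf("is the blocklisted word %q in disguise", w), nil
	}
	return "", nil
}

// Corpus is constructed for this example; the counts are not real breach figures.
var Corpus = map[string]int{"P@ssw0rd": 9999, "Password1": 5000, "Welcome123": 200, "acme2022": 12}

func main() {
	client := FakeRange(Corpus)
	for _, pw := range []string{"P@ssw0rd", "Summ3r2023!", "short", "xK9#vQ2!mLp7-rZ"} {
		why, err := Reject(client, pw)
		fmt.Printf("%-16s rejected=%-5t %s %v\n", pw, why != "", why, err)
	}
}
```

Normalize is deliberately crude (it does not undo leading or inserted substitutions the way a full cracking rule set does), which is why the breach check runs first: a password already sitting in a stuffing list is rejected however cleverly it is spelled. Anything that clears all three checks is still better kept in a password manager than in a user’s memory.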
Anticipate modern attacks
Ready or not, cyber insurance premiums will nudge organizations toward passwordless MFA quickly. In the meantime, avoid modern password attacks with smarter password management:
- Never use a dictionary word, or a predictable variation of one, as a password (dictionary attack)
- Lock accounts after too many failed attempts (brute force), and alert when one source fails against many different accounts, since lockout alone misses that pattern (password spraying)
- Check endpoints for malicious software and run AV/EDR scans (keylogging)
4. Rotate them often
The DOI research concluded, “The Department did not timely disable inactive (unused) accounts or enforce password age limits, which left more than 6,000 additional active accounts vulnerable to attack.”
Take old ones out of the mix
Many companies don’t keep up with disabling credentials as users leave. Maintain good hygiene so that stale accounts, credentials known to be exposed, and accounts inherited through mergers and acquisitions can’t be used against you.
To sum up
- Don’t rely on passwords alone – implement MFA immediately
- Improve password management: Don’t use the same ones over and over, don’t leave them lying around, don’t let them be easy to guess – and rotate or change them often
- Go passwordless: Take passwords out of the user login equation by adopting a passwordless MFA solution to make sure no user has to set, forget, or reset passwords to access critical resources, ever!
Taking password management, and MFA fatigue, off users’ lists of complaints and placing the guarding of secrets where it belongs, with IT, pays big.