Passwords are highly vulnerable and extremely valuable, and therefore a high-value target for attackers.
There are numerous attacks on passwords. Here’s an overview of the main tactics:
- Social Engineering
Social Engineering attacks misdirect users to malicious websites that impersonate legitimate ones and ask them for their passwords (and possibly other credentials like one-time passcode, etc.). Once users enter their passwords on a malicious site, the attacker has the passwords and can use them to perform malicious/fraudulent logins. This attack is probably the easiest for attackers to carry out and therefore the most prevalent form of attack. There is a wide variety of social engineering techniques, including phishing, vishing (voice phishing), spear phishing, and pharming, and more elaborate manipulations that involve a combination of techniques.
- Brute Force
Brute force attacks are designed to break password authentication either by discovering the secret password or by finding an application that will accept a stolen password. To discover a password, attackers can systematically try all possible combinations (known as password cracking), or they can employ smarter techniques such as dictionary attacks and other guessing schemes.
To find an application that will accept a stolen password, attackers use techniques like password spraying and credential stuffing. Password spraying is when attackers use a shortlist of commonly used passwords (e.g. ‘12345678’) to try to access many different accounts. The goal is to find a match that will let the attacker into an account. Trying only a handful of password combinations on any given account helps the attacker avoid lockouts that would normally occur when brute forcing a single account with many passwords.
Credential stuffing is when attackers exploit users’ tendency to reuse the same password across multiple accounts: a password stolen from one account (e.g. a Facebook account) is tried against another account (e.g. the same user’s Office365 account).
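The spraying and brute-force patterns described above look different in authentication logs, and the difference is what a defender can key on: brute force trips a per-account lockout, spraying deliberately stays under it and is only visible when failures are aggregated across accounts per source. The following added example (not code from the original article) classifies constructed log lines on that basis; the log format, field names and thresholds are assumptions made for the demo.

```python
"""Added example (not from the article): tell password spraying from
single-account brute force by grouping failed logins per source address.
Spraying stays under the per-account lockout threshold, so only the
cross-account view reveals it. Log format and thresholds are assumptions."""
import re
from collections import Counter, defaultdict

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<status>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample lines: 203.0.113.7 guesses once per account (spray),
# 198.51.100.9 hammers alice (brute force), 192.0.2.5 is a mistyped password.
SAMPLE_LOG = """\
2024-05-01T08:00:01 FAIL user=alice src=203.0.113.7
2024-05-01T08:00:02 FAIL user=bob src=203.0.113.7
2024-05-01T08:00:03 FAIL user=carol src=203.0.113.7
2024-05-01T08:00:04 FAIL user=dave src=203.0.113.7
2024-05-01T08:00:05 FAIL user=erin src=203.0.113.7
2024-05-01T08:00:06 OK user=frank src=203.0.113.7
2024-05-01T08:01:00 FAIL user=alice src=198.51.100.9
2024-05-01T08:01:01 FAIL user=alice src=198.51.100.9
2024-05-01T08:01:02 FAIL user=alice src=198.51.100.9
2024-05-01T08:01:03 FAIL user=alice src=198.51.100.9
2024-05-01T08:01:04 FAIL user=alice src=198.51.100.9
2024-05-01T08:02:00 FAIL user=grace src=192.0.2.5
2024-05-01T08:02:09 OK user=grace src=192.0.2.5
"""

def parse_log(text):
    """Yield (status, user, src) for each line matching the assumed format."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m["status"], m["user"], m["src"]

def classify_sources(events, lockout_threshold=5, spray_min_accounts=5):
    """Map each source address to 'brute-force', 'spray' or 'normal'."""
    per_src = defaultdict(Counter)  # src -> Counter(user -> failed attempts)
    for status, user, src in events:
        if status == "FAIL":
            per_src[src][user] += 1
    verdicts = {}
    for src, fails in per_src.items():
        if max(fails.values()) >= lockout_threshold:
            verdicts[src] = "brute-force"  # one account hit hard enough to trip lockout
        elif len(fails) >= spray_min_accounts:
            verdicts[src] = "spray"  # many accounts, each still under the lockout threshold
        else:
            verdicts[src] = "normal"
    return verdicts
```

Real sprays rotate source addresses, so a production detector also groups by time window, network range or client fingerprint rather than by address alone; a successful login from a source already flagged as spraying (frank above) is the alert to act on first.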
- Extracting Passwords from Credential Stores
Applications and operating systems routinely cache passwords and other authentication credentials to improve the user experience by reducing how often users have to enter them. Attackers can steal these passwords by compromising the credential stores used by operating systems and browsers, credential files (e.g. those belonging to password management apps), passwords stored in the computer’s registry, and so on.
- Input Capture
Input capture is when attackers intercept the password entry process, for example with keyloggers installed on users’ computers or by hooking the operating system API that handles password entry (credential API hooking). Attackers may also manipulate the operating system’s graphical user interface to render malicious password prompts (GUI input capture). The same hooking and fraudulent-prompt techniques can be applied to a compromised web application, by hooking its password entry API or forcing it to render fraudulent password entry requests.
- Network Sniffing
Network sniffing is when an attacker observes network traffic and extracts sensitive information, such as passwords, from it. It is the data-network equivalent of wiretapping telephone communications.
Man-in-the-middle attacks allow attackers to position themselves in the communications channel between users and the applications they are connecting with. Once in position, the attacker can intercept network traffic and extract from it passwords and other confidential information being exchanged between the user and the application.
Unlike network sniffing that allows the attacker to passively observe network traffic, in a man-in-the-middle attack, the attacker can actively tamper with communications between the user and the application.
The most effective remedy for all of these attacks on passwords is to simply not have a password. And while most things in life are a tradeoff, in the case of passwordless authentication there is no tradeoff. There are no pros and cons – it is simply a superior alternative to passwords. It offers better security, better user experience, and is cheaper to own and operate.
- Better security
Passwordless authentication is actually the safer, more conservative solution security-wise when compared with traditional passwords. It is phishing resistant and offers better protection against other forms of credential access attacks, including man-in-the-middle, keylogging, credential stuffing, password spraying, and more.
- Better user experience
A passwordless authenticator removes the need to recall and key in passwords, which translates into quicker logons and fewer failed attempts. And because there are no passwords to forget or reset, there is less downtime due to lost or forgotten passwords.
- Cheaper to own and operate
Passwords create a significant load on helpdesks. Users who forget their passwords or lose their authenticator quickly make their way to the helpdesk for help with recovery. Alternatively, self-service password reset systems need to be acquired, deployed and operated so that users can perform these recovery operations on their own.
- User awareness
Another significant cost associated with password-based authentication is the need to educate users and protect them from phishing. Phishing prevention solutions need to be deployed to catch as many as possible of the phishing attempts that target users across all channels: web, email, business chat applications (e.g. Slack), and more. Training systems to help employees avoid phishing scams also need to be acquired, deployed, and operated.