Cyberattacks based on passwords

Written by Andrew Prasanna | MFA | 4 min read


Passwords have become an indispensable part of IT security architecture due to their simplicity and familiarity. While many other authentication methods exist, most applications, sites, and organizations use passwords as the primary factor in identity verification. Thus, it is not surprising that hackers use different types of online and offline cyberattacks that target passwords and have fine-tuned the efficiency of their attacks to an alarming level.

8 common password-based cyberattacks

1. Phishing

Phishing is a type of cyberattack where an attacker attempts to gain users' sensitive data through a seemingly harmless email, website, or text message. In a phishing attack, a fake login page is sent to the victim, usually over an email that resembles a legitimate one. Once the user inputs their credentials, the threat actor retrieves this data and uses it to hack into the user's account.

This attack is widely used to steal credit card information. One of the most common indicators of a phishing attack is the fear-inducing tone of its message. Some examples of these messages include "your password is about to expire" and "you will be locked out of your account if you do not comply." A more targeted version is spear phishing, where attackers spend time researching a specific individual beforehand. Among all cybercrimes, phishing stands out as the most common, with 3.4 billion spam emails sent every day. On average, 1.4 million phishing sites are also created every month.

2. Brute-force attacks

A brute-force attack is a simple, old-fashioned password attack that still proves successful because so many users fail to set strong passwords. In a brute-force attack, the hacker attempts to guess the user's password by repeatedly trying different combinations until one successfully grants access. If the user has set a commonly used password, it is likely to be cracked in a matter of milliseconds.

Here is a list of common passwords and how long it takes to crack them:

Rank  Password    Time taken to crack
1     123456      <1 second
2     password    <1 second
3     12345       <1 second
4     123456789   <1 second
5     password1   <1 second
6     abc123      <1 second
7     12345678    <1 second
8     qwerty      <1 second
9     111111      <1 second
10    1234567     <1 second

Source: NordPass' most common passwords list

A brute-force attack on Dunkin' Donuts that targeted customer accounts led to attackers gaining access to over 19,000 user accounts and stealing thousands of dollars. This further resulted in $650,000 in fines and damages to settle a lawsuit.

3. Password spraying

Password spraying is a type of brute-force attack in which the hacker first tries a single chosen password against all available accounts on a particular platform, then moves on to the next password. Because each account sees only one attempt per round, the attack stays below per-account lockout thresholds while still potentially gaining access to many user accounts within an organization. The success of this attack is determined by the strength of the users' passwords. In January 2024, Microsoft disclosed that a password spray attack had been used to compromise a test tenant account. The threat actor, identified as Midnight Blizzard, used the account's permissions to access a small percentage of corporate email accounts.
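The distinguishing signal of spraying is one source failing against many accounts a few times each, whereas the classic brute force of section 2 is one source failing against one account many times. The following detection logic, an added example that is not part of the original post, labels each source IP in a constructed authentication log accordingly and then lists any successful login from a source already labelled as spraying, which is the event a responder most wants to see. The log format, IP addresses and thresholds are assumptions.

```python
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not from the original page):
# "timestamp result username source_ip". 203.0.113.7 tries one guess against
# many accounts (spraying); 198.51.100.9 hammers one account (brute force);
# 192.0.2.44 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-01-12T09:00:01 FAIL alice 203.0.113.7
2024-01-12T09:00:04 FAIL bob 203.0.113.7
2024-01-12T09:00:07 FAIL carol 203.0.113.7
2024-01-12T09:00:10 FAIL dave 203.0.113.7
2024-01-12T09:00:13 FAIL erin 203.0.113.7
2024-01-12T09:00:16 SUCCESS frank 203.0.113.7
2024-01-12T09:01:00 FAIL alice 198.51.100.9
2024-01-12T09:01:05 FAIL alice 198.51.100.9
2024-01-12T09:01:10 FAIL alice 198.51.100.9
2024-01-12T09:01:15 FAIL alice 198.51.100.9
2024-01-12T09:01:20 FAIL alice 198.51.100.9
2024-01-12T09:30:00 FAIL bob 192.0.2.44
2024-01-12T09:30:02 SUCCESS bob 192.0.2.44
"""

def parse(text):
    events = []
    for line in text.strip().splitlines():
        ts, result, user, ip = line.split()
        events.append((datetime.fromisoformat(ts), result, user, ip))
    return events

def classify_sources(events, window=timedelta(minutes=10),
                     min_accounts=5, max_per_account=2, brute_threshold=5):
    """Label each source IP from its failed logins inside a sliding window:
    'spray' - >= min_accounts distinct accounts, each hit <= max_per_account times;
    'brute' - one account hit >= brute_threshold times.
    Returns {ip: (label, sorted affected accounts)}; quiet sources are omitted."""
    fails = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "FAIL":
            fails[ip].append((ts, user))
    verdicts = {}
    for ip, attempts in fails.items():
        attempts.sort()
        for i, (start, _) in enumerate(attempts):
            counts = Counter(u for t, u in attempts[i:] if t - start <= window)
            if len(counts) >= min_accounts and max(counts.values()) <= max_per_account:
                verdicts[ip] = ("spray", sorted(counts))
                break
            if max(counts.values()) >= brute_threshold:
                verdicts[ip] = ("brute", [counts.most_common(1)[0][0]])
                break
    return verdicts

def successes_after_spray(events, verdicts):
    """Accounts that logged in successfully from a source labelled 'spray': the
    guessed password worked there, so these accounts need a reset first."""
    return sorted({u for _, r, u, ip in events
                   if r == "SUCCESS" and verdicts.get(ip, ("",))[0] == "spray"})
```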

4. Dictionary attacks

A dictionary attack is another type of brute-force attack in which the hacker tries every word in a dictionary to identify a user's password. This is fruitful because many users set common English words as their passwords. Attackers use common words with character substitutions (e.g., 1 for L and 3 for E) as well as password dictionaries that contain breached passwords. In the SolarWinds data breach, Russian hackers were able to log in to an update server by guessing the administrator's password, solarwinds123. Once they gained access, a backdoor was planted and activated when customers updated their software.

5. Credential stuffing

Credential stuffing is similar to a brute-force attack except that a pool of already compromised username and password pairs is used to hack into users' accounts. This works because many people reuse the same password across multiple platforms. In 2022, PayPal suffered a credential stuffing attack that impacted over 34,000 of its users. This let hackers gain access to account holders' names, dates of birth, and Social Security numbers. PayPal took timely action to limit the access and reset the accounts' passwords.

6. Rainbow table attack

A rainbow table attack is a method that targets password hashes. Instead of brute-forcing every possible password combination, attackers use precomputed tables containing millions of plaintext passwords and their corresponding hash values. By comparing a stolen hash with the values in the table, they can quickly determine the original password, bypassing the usual protection of hashed storage. This only works when the hashes are unsalted: a random per-user salt means the same password produces a different hash for every user, so one precomputed table no longer applies. In the 2012 LinkedIn hack, Russian cybercriminals gained access to a database containing over 6.5 million unsalted hashed passwords. By utilizing rainbow tables, they were able to crack the passwords and leak them online; the data eventually went up for sale on a hacker site in 2016.
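To make the salt point concrete, here is an added example (not code from the original post) that builds a tiny lookup table from the page's own top-10 password list, reverses an unsalted SHA-1 hash with it, and then shows that the same password stored with a random per-user salt and an iterated hash cannot be reversed by that table. The use of SHA-1 for the unsalted case and PBKDF2 for the hardened case is an assumption chosen for illustration.

```python
import hashlib
import hmac
import os

# Constructed mini lookup table (not from the page): unsalted SHA-1 digest ->
# plaintext for the page's ten most common passwords. A real rainbow table
# covers millions of candidates; the mechanism is identical.
COMMON = ["123456", "password", "12345", "123456789", "password1",
          "abc123", "12345678", "qwerty", "111111", "1234567"]

def sha1_hex(data: bytes) -> str:
    return hashlib.sha1(data).hexdigest()

PRECOMPUTED = {sha1_hex(p.encode()): p for p in COMMON}   # digest -> plaintext

def reverse_unsalted(stored: str):
    """Recover the plaintext behind an unsalted hash by table lookup; None if absent."""
    return PRECOMPUTED.get(stored)

def store_password(password: str, salt: bytes = b"") -> tuple:
    """Defender's side: random per-user salt plus an iterated hash (PBKDF2 here;
    Argon2 or scrypt are preferred where available). The salt makes every user's
    digest unique, so no single precomputed table applies; the iteration count
    makes each remaining guess expensive."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000).hex()
    return salt, digest

def verify_password(password: str, salt: bytes, digest: str) -> bool:
    # Constant-time comparison avoids leaking how many leading bytes matched.
    return hmac.compare_digest(store_password(password, salt)[1], digest)

def demo() -> tuple:
    # Same password, two storage schemes: the table reverses the first, not the second.
    leaked_unsalted = sha1_hex(b"qwerty")
    _, leaked_salted = store_password("qwerty")
    return reverse_unsalted(leaked_unsalted), reverse_unsalted(leaked_salted)
```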

7. Manipulator-in-the-middle attack

A manipulator-in-the-middle (MITM) attack is when an attacker positions themselves between two communicating parties, masquerading as each to intercept their messages. This gives the attacker the ability to read, modify, or even steal the information being exchanged without either party being aware of it. It is often done to gain access to sensitive data like passwords or credit card numbers. KLAYswap, a cryptocurrency exchange platform, was attacked via a BGP hijack during which its network traffic was redirected. The attackers configured the redirected path to serve malicious code to users when they tried downloading an SDK. This led to the company losing around $1.9 million.

8. Keylogger attack

A keylogger attack involves malicious software or hardware devices that secretly record every keystroke a user makes on their device. The captured data, such as passwords and credit card numbers, is then transmitted to the attacker's remote server. Keyloggers are often installed through phishing emails, malware, or physical access to the device. They pose a significant threat because they silently steal sensitive information, enabling identity theft, financial fraud, and other cybercrimes. Malware with keylogging functionality known as Agent Tesla has been targeting Windows systems since 2014. Often distributed through phishing emails, it has been used in numerous attacks globally. One example was a COVID-19 phishing campaign in which emails disguised as vaccination schedules carried the malware as an attachment.

Combat password-based cyberattacks with ADSelfService Plus

ADSelfService Plus is an identity security solution with adaptive MFA and password management capabilities. With ADSelfService Plus, you can:

  • Enforce strong passwords: The Password Policy Enforcer in ADSelfService Plus allows you to restrict dictionary words, patterns, and repetitions. You can include your own dictionary of banned passwords in addition to the predefined one. Also, you can ban breached passwords through ADSelfService Plus' integration with Have I Been Pwned. This gives you immunity to credential stuffing and brute-force attacks.
  • Deploy MFA: Choose from 20 different authentication factors, such as biometrics and FIDO passkeys, to fortify user accounts against multiple cyberattacks, including brute-force and phishing attacks. Even if a user's password is compromised, the hacker cannot break into the account without the other authentication factors.
  • Implement CAPTCHA: Render bot capabilities useless for various types of brute-force and credential stuffing attacks with customizable CAPTCHAs.
  • Restrict IPs: Most threat actors repeatedly use IP addresses from a limited pool to facilitate cyberattacks. Create an IP blocklist with ADSelfService Plus' conditional access feature to block IP addresses involved in data breaches.
  • Simplify compliance: Efficiently manage passwords and get comprehensive reports about last logins, expired passwords, locked-out accounts, identity verification failures, and more to ensure compliance with regulations like SOX, HIPAA, and the PCI DSS.
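The policy checks listed above (dictionary words with the 1-for-L and 3-for-E style substitutions from the dictionary-attack section, sequences, repetitions, and a breached-password lookup) can be sketched in a few lines. The following is an added example and not the product's code: it normalises substitutions before the dictionary check, and performs the breach lookup the way the Have I Been Pwned Pwned Passwords range API works (only the first five hex characters of the SHA-1 leave the host; the response lists suffix:count pairs), here against a constructed in-memory response rather than a live call. The word list, the leet map and the thresholds are assumptions.

```python
import hashlib
import re

# Constructed inputs (not from the page or the product): a tiny banned-word list
# and a fake k-anonymity range response, keyed by the 5-char SHA-1 prefix, with
# suffix -> breach count. The one entry is the real SHA-1 of "password".
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "@": "a", "$": "s"})
FAKE_RANGE = {"5BAA6": {"1E4C9B93F3F0682250B6CF8331B7EE68FD8": 9_000_000}}

def normalize(pw: str) -> str:
    """Strip leading/trailing digits and symbols, then undo common substitutions,
    so 'P@ssw0rd123' is compared with 'password'. (1 is mapped to l, as on the page.)"""
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", pw.lower())
    return core.translate(LEET)

def is_sequence(pw: str) -> bool:
    runs = ("abcdefghijklmnopqrstuvwxyz", "0123456789", "qwertyuiop", "asdfghjkl", "zxcvbnm")
    s = pw.lower()
    return len(s) >= 4 and any(s in r or s in r[::-1] for r in runs)

def is_repetition(pw: str) -> bool:
    return len(pw) >= 4 and len(set(pw)) <= 2      # e.g. 111111 or ababab

def breached(pw: str, range_lookup=lambda prefix: FAKE_RANGE.get(prefix, {})) -> int:
    """k-anonymity lookup: hash locally, send only the 5-char prefix, match the
    suffix locally. Swap range_lookup for an HTTP call to use the live service."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return range_lookup(digest[:5]).get(digest[5:], 0)

def check(pw: str, min_len: int = 12) -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    reasons = []
    if len(pw) < min_len:
        reasons.append("too short")
    if normalize(pw) in DICTIONARY:
        reasons.append("dictionary word (after substitutions)")
    if is_sequence(pw):
        reasons.append("keyboard/number sequence")
    if is_repetition(pw):
        reasons.append("repeated characters")
    if breached(pw):
        reasons.append("found in breach data")
    return reasons
```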

People also ask

What is a password-based attack?

A password-based attack is a cyberattack where the attacker tries to guess or steal a victim's password to gain unauthorized access into their accounts or systems. This is done through various methods like brute-forcing, phishing, dictionary attacks, or keylogging.

What are the most common types of password attacks?

The most common types of password attacks are phishing, spear phishing, password spraying, credential stuffing, brute-force, rainbow table, dictionary, and manipulator-in-the-middle.

What is a password-cracking rule-based attack?

A rule-based attack involves attackers applying predefined rules to a dictionary of words to generate a vast number of variations. These rules can involve adding numbers and symbols, capitalizing letters, or altering word order. By automating this process, attackers take advantage of predictable patterns and increase the chances of cracking passwords.
