Password Security » Cyberattacks based on passwords

Cyberattacks based on passwords

Passwords have become an indispensable part of IT security architecture due to their simplicity and familiarity. While many other authentication methods have popped up along the line, most applications, sites, and organizations use passwords as the primary factor in identity verification. Thus, it is not surprising that threat actors have created a range of cyberattacks that target passwords and have fine-tuned the efficiency of their attacks to an alarming level.

Here are the six most common password-based cyberattacks:

1. Phishing

Phishing is a type of cyberattack where an attacker attempts to gain users' sensitive data through a seemingly harmless email, website, or text message. In a phishing attack, a fake login page is sent to the victim, usually over an email that resembles a legitimate one. Once the user inputs their credentials, the threat actor retrieves this data and uses it to hack into the user's account. This is widely used to steal credit card information. One of the most common indicators of a phishing attack is the fear-inducing tone of its message. Some examples of these messages include "your password is about to expire" and "you will be locked out of your account if you do not comply."

2. Spear phishing

Spear phishing is a more targeted version of a phishing attack. The attacker aims to get access to the login credentials of one particular individual to illegally obtain sensitive data. This requires detailed knowledge of the organization's hierarchy, norms, and procedures. Spear phishing is rarely an isolated event; it is usually the first phase of an advanced persistent threat.

3. Brute-force attacks

A brute-force attack is a simple, old-fashioned password attack that still proves to be successful because of users' negligence in setting strong passwords. In a brute-force attack, the hacker attempts to guess the user's password through different combinations. If the user has set a commonly used password, it is likely to be decoded in a matter of milliseconds. Here is a list of common passwords and how long it takes to crack them:

Rank Password Time taken to crack
1 123456 <1 second
2 password <1 second
3 12345 <1 second
4 123456789 <1 second
5 password1 <1 second
6 abc123 <1 second
7 12345678 <1 second
8 qwerty <1 second
9 111111 <1 second
10 1234567 <1 second

Source: NordPass' most common passwords list

4. Password spraying

Password spraying is a type of brute-force attack in which the hacker tries out a chosen password for all available accounts on a particular platform, then moves on to the next password. This way, they may gain access to many user accounts within an organization. The success of this attack is determined by the strength of the users' passwords.

5. Dictionary attacks

A dictionary attack is another type of brute-force attack in which the hacker tries every word in a dictionary to identify a user's password. This is fruitful as many users set common English words as their passwords. Attackers use common words with character substitutions (e.g., 1 for L and 3 for E) as well as password dictionaries that contain breached passwords.

6. Credential stuffing

Credential stuffing is similar to a brute-force attack except for the fact that a pool of already compromised passwords is used to hack into users' accounts. This works because many people use the same password across multiple platforms.

Combat password-based cyberattacks with ADSelfService Plus

ADSelfService Plus is an identity security solution with adaptive MFA and password management capabilities. With ADSelfService Plus, you can:

Enforce strong passwords

The Password Policy Enforcer in ADSelfService Plus allows you to restrict dictionary words, patterns, and repetitions. You can include your own dictionary of banned passwords in addition to the predefined one. Also, you can ban breached passwords through our Have I Been Pwned? integration. This gives you immunity to credential stuffing and brute-force attacks.

Deploy MFA

Choose from over 19 authentication factors, such as biometrics and Google Authenticator, to fortify user accounts against multiple cyberattacks, including brute-force and phishing attacks. Even if a user's password is compromised, the hacker cannot break into the account without the other authentication factors.

Implement CAPTCHA

Render bot capabilities useless for various types of brute-force and credential stuffing attacks with customizable CAPTCHA.

Restrict IPs

Most threat actors repeatedly use IP addresses from a limited pool to facilitate cyberattacks. Create an IP blocklist with ADSelfService Plus' conditional access feature to block IP addresses involved in data breaches.

Simplify compliance

Efficiently manage passwords and get comprehensive reports about last logins, expired passwords, locked out accounts, identity verification failures, and more to ensure compliance with regulations like SOX, HIPAA, and the PCI DSS.

Self-service password management and single sign-on solution

ManageEngine ADSelfService Plus is an integrated self-service password management and single sign-on solution for Active Directory and cloud apps. Ensure endpoint security with stringent authentication controls including biometrics and advanced password policy controls.