3 Types of Password Security Attacks and How to Avoid Them
We’ve all heard the warnings about password security. Never share your password. Never use the vendor default password (like Netgear1). Never use an easy-to-guess password (like Password123 or Mike1982). No matter what industry you work in, chances are, you’re hearing more about these password “rules” at your job. Recent high-profile security breach scandals, like the Target credit card information breach and the Adobe hack, have more business owners and companies taking steps to ensure that their network, and the sensitive information stored on it, is safe and secure.
But while most people do their best to adhere to their employers’ password security guidelines, many are still unsure of why these password protocols are even effective. I recently worked with a large online retailer to help them get up to speed on security protocols. One of the questions asked in our initial meeting helped to give me some perspective on how password security is still viewed by many people.
“I work in billing. I get that I shouldn’t leave my passwords just lying around my desk, because a co-worker could use my login. But I don’t understand how using a longer, more complicated password (with a capital letter, numbers, etc.) would make any difference. No one could guess my password. It seems like a waste of time.”
I dried a tear and explained that hackers are always trying to get their hands on sensitive financial information; it’s what they do. Understanding how they do it is key to understanding why complicated passwords and more advanced security techniques like multi-factor authentication are so important.
So, how do hackers go about stealing passwords in order to infiltrate a network and gain access to sensitive information like a client database, credit card information, and more? Today, there are three common methods used to break into a password-protected system:
1. Brute Force Attack
A hacker uses a computer program or script to try to log in with possible password combinations, usually starting with the easiest-to-guess passwords. (So just think: if a hacker has a company list, he or she can easily guess usernames. If even one of the users has a “Password123”, he will quickly be able to get in.)
2. Dictionary Attack
A hacker uses a program or script to try to login by cycling through combinations of common words. From http://en.wikipedia.org/wiki/Dictionary_attack Wikipedia:
“In contrast with a brute force attack, where a large proportion key space is searched systematically, a dictionary attack tries only those possibilities which are most likely to succeed, typically derived from a list of words for example a dictionary (hence the phrase dictionary attack). Generally, dictionary attacks succeed because many people have a tendency to choose passwords which are short (7 characters or fewer), such as single words found in dictionaries or simple, easily predicted variations on words, such as appending a digit.”
3. Key Logger Attack
A hacker uses a program to track all of a user’s keystrokes. So at the end of the day, everything the user has typed—including their login IDs and passwords—have been recorded. A key logger attack is different than a brute force or dictionary attack in many ways. Not the least of which, the key logging program used is malware (or a full-blown virus) that must first make it onto the user’s device (often the user is tricked into downloading it by clicking on a link in an email). Key logger attacks are also different because stronger passwords don’t provide much protection against them, which is one reason that multi-factor authentication (MFA) is becoming a must-have for all businesses and organizations.
With two-factor authentication (also called multi-factor authentication, 2FA, and advanced authentication), a user is required to not only provide a password to gain access to the system, but also a another security “factor,” like a unique one-time access code generated from a token device or secure mobile app on their smartphone. A network protected by MFA is nearly impenetrable to an outside attack; even if a hacker is able to attain a system password, he won’t be able to provide the needed second security factor.
The use of MFA is growing rapidly. Facebook, Google, PayPal now all offer MFA options. The security guidelines for many agencies and industries (including HIPAA, PCI, and the FBI) require MFA for anyone trying to log in off site.
If you’re looking for an MFA solution for your organization, find out the answers to your questions in “12 Questions You Need To Ask Your Multi-Factor Authentication Vendor.”