The Top 7 Password Attack Methods (And How to Prevent Them)

What constitutes the top 7 password attack methods hackers use against enterprises? How can your business prevent them from damaging your processes and bottom line? Can password attack methods truly prove the lynchpin of hackers’ arsenals? 

According to privileged access management provider Centrify, 74% of enterprise breaches involved access to a privileged account. However, even normal users’ credentials in the wrong hands can prove a devastating weapon. Hackers could disrupt your business processes, intercept vital information, access proprietary data, and more. 

Distressingly, hackers possess several password attack methods to circumvent your enterprise's single-factor authentication. To improve your identity and access management, you need to understand these methods. Not to worry: we provide our list of the Top 7 Methods and our suggestions on how to defeat them.

Keep in mind: hackers often embrace hybrid methods and unique variations on all of these password attack methods. Don’t let yourself get overwhelmed; focus on staying informed on the most common methods. 

The Top 7 Password Attack Methods

1. Brute Force Attack

The brute force attack is one of the most common password attack methods, and the easiest for hackers to perform. In fact, inexperienced hackers favor this method precisely for that reason.

In a brute force attack, a hacker uses a computer program to log in to a user's account by trying every possible password combination. Moreover, brute force attacks don't start at random; instead, they begin with the easiest-to-guess passwords.

Don’t forget, if a hacker ever gains access to your employee list, guessing your usernames tends to present no challenge.  

2. Dictionary Attack

By contrast, a dictionary attack uses a program which cycles through common words. A brute force attack goes letter by letter, whereas a dictionary attack only tries the possibilities most likely to succeed.

Also, dictionary attacks rely on a few key factors of users’ psychology.  For example, users tend to pick short passwords and base their passwords off common words. So a dictionary attack starts with those words and variations (adding numbers at the end, replacing letters with numbers, etc.).

3. Phishing

Ah, the old classic. After all, hackers rarely need to call upon any other password attack methods. Why would they if they can just ask the user to hand over their credentials? 

Usually, hackers disguise their phishing attacks as innocuous-looking emails posing as legitimate, known services. From these emails, hackers direct users to fake login pages disguised as the legitimate service. Often, the hackers add a subtle, threatening dimension to their emails, such as the prospect of service cancellation. This pressures users into handing over their credentials before giving the request careful consideration.

Also, a variation of the phishing attack is the social engineering attack. These identity attacks use the social conventions of the workplace to fool users. Hackers could pose as the IT team and directly ask users for their passwords without risking detection.

Social engineering allows hackers to learn information about users, such as their mother's maiden name (a common security question), just by looking at their social media. After all, so many passwords involve birthdays or pets' names—information users give away without a second thought!

Finally, phishing facilitates password guessing, but of course, hackers can always just guess using the information they find online. Distressingly, they often turn out to be right in the end.

4. Rainbow Table Attack

Okay, so of the possible password attack methods, this one takes a little technical understanding. Bear with us. 

Wisely, enterprises often hash their users' passwords; hashing entails mathematically converting stored passwords into cryptographic, random-looking strings of characters that cannot be turned back into the original password, to prevent them from being misused. If hackers can't read the passwords, they can't abuse them.

Hashing sounds like a strong identity security method. That isn’t inaccurate. In fact, hashing your passwords can mean the difference between a reputation-destroying data breach and a worrying but fixable problem. However, as we can see, it may not always work. 

For example, a rainbow table compiles a list of pre-computed hashes. It already has the mathematical answers for all possible password combinations for common hash algorithms. Like many identity management threats, this one uses time to its advantage.   
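The article does not spell out why precomputation works, or what stops it. The following added example (not from the article) builds a tiny precomputed table over a constructed candidate list and shows that an unsalted digest is recovered with one lookup while a per-user salt (here combined with the slow PBKDF2-HMAC-SHA256 key derivation, an assumption of this example) gives every user a different digest that no precomputed table can match.

```python
import hashlib
import os

# Constructed candidate list standing in for the key space a precomputed
# table covers; a real table is vastly larger but works the same way.
CANDIDATES = ["password123", "letmein", "Summer2019!", "qwerty"]


def unsalted_hash(password):
    """Plain SHA-256: the same password always yields the same digest."""
    return hashlib.sha256(password.encode()).hexdigest()


def salted_hash(password, salt, iterations=100_000):
    """Per-user random salt plus a slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def build_table(candidates):
    """Precompute digest -> password once; the table is then reused forever."""
    return {unsalted_hash(p): p for p in candidates}


def lookup(table, stored_digest):
    """Recover a password from a stored digest with one dictionary lookup."""
    return table.get(stored_digest)


def demo():
    """Two users chose the same password; compare unsalted and salted storage."""
    table = build_table(CANDIDATES)
    alice_unsalted = unsalted_hash("password123")
    bob_unsalted = unsalted_hash("password123")
    # Each user gets their own random salt, so equal passwords no longer
    # share a digest and no precomputed digest can match.
    alice_salted = salted_hash("password123", os.urandom(16))
    bob_salted = salted_hash("password123", os.urandom(16))
    return {
        "unsalted_same_digest": alice_unsalted == bob_unsalted,
        "unsalted_recovered": lookup(table, alice_unsalted),
        "salted_same_digest": alice_salted == bob_salted,
        "salted_recovered": lookup(table, alice_salted),
    }


if __name__ == "__main__":
    print(demo())
```

The slow KDF matters as much as the salt: it makes every guess expensive, so even a table built per salt would take far longer to fill.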

5. Credential Stuffing

Almost all of the password attack methods covered here assume the hackers don't already possess your users' passwords. However, this may not prove true. One of the underreported but most devastating effects of data breaches is their cascading effect on other enterprises. Put simply, data breaches lead to more data breaches in the long term.

Credential stuffing demonstrates this worrying principle in action. In a credential stuffing attack, hackers use lists of stolen usernames and passwords in combination on various accounts, automatically trying over and over until they hit a match. 

Credential stuffing relies on users' tendency to reuse their passwords across multiple accounts, often with great success. Further, hackers share stolen passwords on the Dark Web or sell them, so this information proliferates among threat actors.

Technically, credential stuffing falls under the umbrella of brute force password attack methods. Yet it proves incredibly effective because it uses known passwords.     

6. Password Spraying

Here is another member of the brute force family of password attack methods. Password spraying tries thousands, if not millions, of accounts at once with a few commonly used passwords. If even one user has a weak password, your whole business may end up at risk.

Most brute force methods focus on a single account. By contrast, password spraying expands the pool of potential targets dramatically. Thus, it helps hackers avoid account lockout policies, which trigger on repeated login failures against one account. At the very least, it blunts their effectiveness.

Surprisingly, these attacks tend to move slowly. Hackers prefer to work methodically from account to account, trying one password on each. This allows the timers on account lockout tools to reset before the hackers return to the same accounts with a different password.

Password spraying can be particularly dangerous for single sign-on or cloud-based authentication portals. 
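Both patterns described in sections 1 and 6 leave distinctive traces in authentication logs: brute force piles failures onto one account from one source, while spraying touches many accounts from one source, each only once or twice. The following added example (not from the article) parses constructed, simplified auth-log lines and classifies each source accordingly; the log format, thresholds and addresses are assumptions of this example.

```python
import re
from collections import defaultdict

# Constructed sample lines in a simplified auth-log format (not real logs).
SAMPLE_LOG = """\
2019-06-03T09:00:01 auth: FAIL user=alice src=203.0.113.5
2019-06-03T09:00:02 auth: FAIL user=alice src=203.0.113.5
2019-06-03T09:00:03 auth: FAIL user=alice src=203.0.113.5
2019-06-03T09:00:04 auth: FAIL user=alice src=203.0.113.5
2019-06-03T09:00:05 auth: FAIL user=alice src=203.0.113.5
2019-06-03T09:10:00 auth: FAIL user=bob src=198.51.100.7
2019-06-03T09:10:31 auth: FAIL user=carol src=198.51.100.7
2019-06-03T09:11:02 auth: FAIL user=dave src=198.51.100.7
2019-06-03T09:11:33 auth: FAIL user=erin src=198.51.100.7
2019-06-03T09:12:04 auth: FAIL user=frank src=198.51.100.7
2019-06-03T09:12:35 auth: OK user=grace src=198.51.100.7
2019-06-03T09:20:00 auth: FAIL user=heidi src=192.0.2.9
2019-06-03T09:20:40 auth: OK user=heidi src=192.0.2.9
"""

LINE_RE = re.compile(r"auth: (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_failures(log_text):
    """Yield (src, user) for every failed login in the log; successes are skipped."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m and m.group("result") == "FAIL":
            yield m.group("src"), m.group("user")


def classify_sources(log_text, brute_threshold=5, spray_threshold=5):
    """Map each suspicious source to the pattern it shows.

    brute_force:    one account hit at least brute_threshold times from one source.
    password_spray: at least spray_threshold distinct accounts from one source,
                    none touched more than twice (stays under per-account lockout).
    """
    per_src = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for src, user in parse_failures(log_text):
        per_src[src][user] += 1
    findings = {}
    for src, users in per_src.items():
        if max(users.values()) >= brute_threshold:
            findings[src] = "brute_force"
        elif len(users) >= spray_threshold and max(users.values()) <= 2:
            findings[src] = "password_spray"
    return findings
```

A single user's one-off typo (192.0.2.9 above) triggers neither rule, which is the point of counting per source rather than per account alone.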

7. Keylogger Attack

Finally, keylogger attacks install a program on users' endpoints to record all of a user's keystrokes.

So as the user types in their usernames and passwords, the hackers record them for later use. Technically, a keylogger falls under the category of malware or a digital virus, so it must first infect the user's endpoint (often through a phishing download).

Even the strongest passwords can't protect you against this kind of password-based cyber attack. So what can your enterprise do?

How to Prevent Password Attack Methods

First, your enterprise needs to face facts: passwords remain incredibly vulnerable to password attack methods. In fact, any form of single-factor authentication leaves your entire IT environment open to hackers who can easily subvert it. 

Instead of relying on passwords alone, your enterprise should call upon a next-generation privileged access management solution to deploy multifactor authentication (MFA). Multifactor authentication puts additional layers of identity security on each account. It evaluates diverse factors such as the time of the access request and geolocation. Also, it can incorporate biometric authentication and hardware tokens.

Here's what matters: multifactor authentication blunts the effectiveness of password attack methods. It may not completely stop every hacker, but it deters them in droves.

To learn more, you should check out our 2019 Identity Management Buyer’s Guide.

Ben Canner

Ben Canner is an enterprise technology writer and analyst covering Identity Management, SIEM, Endpoint Protection, and Cybersecurity writ large. He holds a Bachelor of Arts Degree in English from Clark University in Worcester, MA. He previously worked as a corporate blogger and ghost writer. You can reach him via Twitter and LinkedIn.