As the cybersecurity risks facing your business grow more ubiquitous and hackers become ever more creative in their attack vectors, having robust digital security has never been more important, especially when it comes to passwords. With 555 million passwords stolen since 2017, password hacks are a growing concern for organizations.
There are several common ways passwords are hacked and used to access private data. Spoiler: they mostly rely on human error as opposed to inherent vulnerabilities in network software or hardware! In addition, there are simple ways that you can protect your user’s information and prevent data breaches.
Social Engineering: How Hackers Exploit Human Interaction
Social engineering attacks typically exploit individuals through human interaction, often relying on actors to play on victims’ emotions, such as empathy and fear. They tend to use frightening, urgent-sounding language and create a feeling of time sensitivity to force individuals into acting quickly. Alternatively, they can appeal to the victim’s self-interests, falsely claiming they have won a prize or are eligible for a tax rebate.
There are many forms of social engineering; phishing is one of the most common. Phishing is where a hacker, posing as someone else, reaches out to an individual to gain access to their data. Potential tactics involve tricking individuals into clicking on a link or loading a fake login or password reset page where the victim is asked to enter their personal details.
Brute Force Attacks: How Hackers Crack Simple Passwords
In 22 seconds, a computer can work through 2.18 trillion username and password combinations, meaning that common or simple passwords are highly vulnerable to brute force attacks.
In brute force attacks, hackers run a computer program that attempts to login to a website by trying as many different passwords as quickly as possible. Typically, hackers begin by using passwords which are statistically more common.
One kind of brute force attack is known as a dictionary attack. These attacks generally exploit the way people often choose common or simple words as passwords. Hackers have even developed resources called ‘cracking dictionaries’ which are distributed and then used to specifically target weak passwords.
Man-in-the-Middle Attack: How Hackers Intercept Sensitive Data
Man-in-the middle attacks occur when hackers intercept sensitive data that is being passed across insecure channels, exploiting vulnerabilities within systems to eavesdrop on communicating individuals. This type of attack is particularly difficult to detect and can potentially go unnoticed for long periods of time, especially if an organization is not actively looking for it.
Credential Stuffing: How Hackers Use Leaked Passwords
Credential stuffing is a form of attack where bad actors find passwords which have been compromised in data leaks and use them to attempt to login to other websites.
Sadly, this is a tried and tested approach. For example, hackers breached PayPal, recently, compromising the security of more than 35,000 accounts.
This method of attack works because many individuals reuse login credentials or fail to change their passwords after a security breach. As these attacks can operate on such a large scale, they only need to work a small percentage of times to be deemed successful.
Prevention: How Can Businesses Help to Prevent Password Attacks?
- Multi-factor authentication (MFA) can safeguard accounts and sensitive information.This can be achieved by using a physical token (like an Arculus card or Yubikey) or a soft token (like a mobile phone) in addition to passwords.
- Use biometric data to authenticate users. This can offer greater protection from password attacks as hackers find this information harder to replicate.
- IT teams should implement password policies, screen user passwords against password cracking dictionaries and only allow users to choose strong, unique passwords.
- Your business should ensure that access points are encrypted to prevent man-in-the-middle attacks. VPNs can also be useful in preventing attacks as they encrypt data, which ensures the hacker cannot decipher the information being transmitted.