You know what they say about passwords… you’re only one weak password away from a breach. Despite the increasing sophistication of hacker tools and techniques, the easiest step of an intrusion is still cracking the password. In fact, it’s so easy that many times it doesn’t involve guessing at all. The scariest part is that no matter how strong your own password is, it only takes one colleague’s weak password to put your company’s entire environment at risk of a breach.
These stats help explain why passwords are a top vulnerability for companies:
- 81% of the total number of breaches leveraged stolen or weak passwords – 2020 Verizon Data Breach Investigations Report
- 1 million passwords are stolen every week – 2019 Breach Alarm
- $1.3 million is the average cost of a data breach – 2017 Ponemon Institute Cost of Data Breach Study
- Password dumpers are among the most common types of malware – 2020 Verizon Data Breach Investigations Report
And these are the most common password hacking methods:
Keyloggers
Keyloggers are programs that record every keystroke on a machine, giving hackers access to whatever was typed: the passwords and credit card numbers you enter, the web pages you visit. A password captured as it is typed never has to be guessed at all.
Social Engineering
This approach comes in a number of styles, all rooted in the idea of deceiving or manipulating people into divulging their information or taking a certain action. Common social engineering methods used to steal passwords include phishing and trojan horse malware. A less common approach is shoulder surfing, in which the hacker simply watches a user type in his or her password.
Dictionary Attack
Hackers try to guess a password by working through a list of words from a password “dictionary.” More advanced password dictionaries are built from the words most commonly found in real passwords. This is a relatively simple method, but an effective one against less complex passwords. If you use real words in any of your passwords, your credentials are at risk.
Brute Force Attack
While not as efficient as a dictionary attack, a brute force attack is more effective in eventually guessing a password. With this method, hackers use tools to repeatedly try every possible password combination of letters, numbers, and symbols until the password is cracked. A similar approach is a reverse brute force attack, in which a hacker tries one password against many usernames.
Rainbow Table Attack
This method uses a precomputed resource called a rainbow table to crack password hashes (the one-way scrambled form in which systems store passwords in their databases) far more efficiently than brute force or dictionary attacks.
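The rainbow table and dictionary sections both come down to one property of how a password is stored: if the system keeps a fast, unsalted hash, a table precomputed once works against every user with that password. The following Python example is added here to show the difference; it is not code from the original post. It builds a tiny constructed lookup table of unsalted SHA-256 digests (the idea behind a rainbow table, minus the compression), then stores the same password with a per-user random salt and a slow key derivation (PBKDF2-HMAC-SHA256) so that no precomputed table can match it and equal passwords no longer produce equal stored values. The storage format `iterations$salt$hash` and the word list are my own choices.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample: a tiny precomputed table mapping unsalted SHA-256 digests
# back to a few common words. A real rainbow table covers billions of candidates,
# but the lookup it enables is the same as this dictionary get().
COMMON_WORDS = ["password", "letmein", "sunshine"]
UNSALTED_TABLE = {hashlib.sha256(w.encode()).hexdigest(): w for w in COMMON_WORDS}


def unsalted_hash(password: str) -> str:
    """The weak scheme: one fast hash, no salt, so equal passwords give equal digests."""
    return hashlib.sha256(password.encode()).hexdigest()


def reverse_by_table(digest_hex: str) -> Optional[str]:
    """Recover a password from its unsalted digest by table lookup; None if absent."""
    return UNSALTED_TABLE.get(digest_hex)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 600_000) -> str:
    """The hardened scheme: PBKDF2-HMAC-SHA256 with a random 16-byte salt.
    Stored as 'iterations$salt_hex$derived_hex' so verification can recover the parameters."""
    if salt is None:
        salt = os.urandom(16)
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    iterations, salt_hex, derived_hex = stored.split("$")
    derived = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(derived.hex(), derived_hex)


def table_recovers_salted(password: str) -> bool:
    """True if the salted digest appears in the precomputed table. It never does:
    the salt changes the hashed input, so a table built without that salt cannot contain it."""
    derived_hex = hash_password(password).split("$")[2]
    return derived_hex in UNSALTED_TABLE


if __name__ == "__main__":
    weak = unsalted_hash("password")
    print("unsalted digest recovered by table:", reverse_by_table(weak))      # password
    print("salted digest found in table:     ", table_recovers_salted("password"))  # False
    a, b = hash_password("password"), hash_password("password")
    print("same password, same stored value:  ", a == b)                      # False
    print("verify correct password:           ", verify_password("password", a))   # True
    print("verify wrong password:             ", verify_password("passw0rd", a))   # False
```

The iteration count is what turns a dictionary attack from a table lookup into a per-guess cost the attacker has to pay for every user separately; the salt is what prevents that cost from being paid once and shared.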
Credential Stuffing Attack
Since so many people reuse the same password, or variations of it, across accounts, hackers automate replaying lists of username/password pairs from earlier breaches against a target website’s login. According to Shape Security, 90% of login attempts at online retailers are from this type of attack and this method is effective for hackers about 3% of the time.
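Credential stuffing and the reverse brute force attack described under Brute Force Attack leave the same footprint in an authentication log: one source trying many different usernames with a low success rate, as opposed to a classic brute force attack, which piles failures onto a single account. The Python below is an added example, not code from the original post, that runs those two checks over a constructed sample log. The log format, the source addresses (from the reserved documentation ranges) and the thresholds are assumptions for illustration; a real deployment would tune them to its own baseline.

```python
import re
from collections import defaultdict
from typing import Dict, List, Tuple

# Constructed sample authentication log (not from any real system). One line per
# login attempt: timestamp, source address, username, and OK or FAIL.
SAMPLE_LOG = """\
2024-05-02T10:00:01Z src=192.0.2.5 user=alice result=FAIL
2024-05-02T10:00:09Z src=192.0.2.5 user=alice result=OK
2024-05-02T10:01:00Z src=203.0.113.7 user=alice result=FAIL
2024-05-02T10:01:01Z src=203.0.113.7 user=bob result=FAIL
2024-05-02T10:01:02Z src=203.0.113.7 user=carol result=FAIL
2024-05-02T10:01:03Z src=203.0.113.7 user=dave result=OK
2024-05-02T10:01:04Z src=203.0.113.7 user=erin result=FAIL
2024-05-02T10:01:05Z src=203.0.113.7 user=frank result=FAIL
2024-05-02T10:01:06Z src=203.0.113.7 user=grace result=FAIL
2024-05-02T10:01:07Z src=203.0.113.7 user=heidi result=FAIL
2024-05-02T10:02:00Z src=198.51.100.9 user=bob result=FAIL
2024-05-02T10:02:01Z src=198.51.100.9 user=bob result=FAIL
2024-05-02T10:02:02Z src=198.51.100.9 user=bob result=FAIL
2024-05-02T10:02:03Z src=198.51.100.9 user=bob result=FAIL
2024-05-02T10:02:04Z src=198.51.100.9 user=bob result=FAIL
2024-05-02T10:02:05Z src=198.51.100.9 user=bob result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[dict]:
    """Turn raw lines into event dicts; lines that do not match the expected shape are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def summarize_by_source(events: List[dict]) -> Dict[str, dict]:
    """Per source address: total attempts, successes, distinct usernames, failures per user."""
    stats: Dict[str, dict] = {}
    for e in events:
        s = stats.setdefault(
            e["src"], {"attempts": 0, "ok": 0, "users": set(), "fails_per_user": defaultdict(int)}
        )
        s["attempts"] += 1
        s["users"].add(e["user"])
        if e["result"] == "OK":
            s["ok"] += 1
        else:
            s["fails_per_user"][e["user"]] += 1
    return stats


def flag_sources(events: List[dict], min_distinct_users: int = 5, max_success_rate: float = 0.25,
                 min_single_user_fails: int = 5) -> List[Tuple[str, str, int, float]]:
    """Return (source, reason, count, success_rate) findings, ordered by source.
    many-users-low-success: stuffing / reverse brute force pattern.
    repeated-failures:<user>: classic brute force against one account."""
    findings = []
    for src, s in sorted(summarize_by_source(events).items()):
        rate = s["ok"] / s["attempts"]
        if len(s["users"]) >= min_distinct_users and rate <= max_success_rate:
            findings.append((src, "many-users-low-success", len(s["users"]), rate))
        for user, fails in s["fails_per_user"].items():
            if fails >= min_single_user_fails:
                findings.append((src, f"repeated-failures:{user}", fails, rate))
    return findings


if __name__ == "__main__":
    for src, reason, count, rate in flag_sources(parse_log(SAMPLE_LOG)):
        print(f"{src:14} {reason:28} count={count} success_rate={rate:.3f}")
```

The low success ratio is the distinguishing signal: a stuffing run succeeds on only a small fraction of pairs (the post cites about 3%), so a source that logs into many distinct accounts with a high success rate is more likely a shared proxy or NAT gateway than an attack, and the threshold keeps it out of the findings.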
So, to celebrate World Password Day, may we suggest you look at smarter ways to protect user credentials? Multi-factor authentication (MFA) should be the first step in strengthening authentication for your users. It adds a security layer beyond a simple username and password, and it helps ensure that hackers cannot access your systems even if one employee’s password is compromised.
Wondering if employee email credentials have been exposed to the dark web? Search your company domain here to find out.