Understanding the Password Guessing Threat

3 Mins read

Understanding the Password Guessing Threat

The concept of a computer password is simple: It’s a set of secret characters that you can use to authenticate your identity to access or secure a digital system, based on the presumption that you are the only person who knows it. Passwords are therefore a quick and relatively painless way of proving that you are, well, you. After all, who else would know your unique password?

The obvious problem passwords pose is that they only work so long as no one else is able to use them. Compared to a more comprehensive identification process, such as a fingerprint scan or facial recognition tool, standard passwords make 100 percent of their judgment about the user based on knowledge of a relatively short string of text.

This leaves them open to abuse by attackers – which, in turn, can leave users open to account takeover of often vital systems. Since those accounts could contain anything from banking information to health data to valuable company trade secrets, the results can be disastrous.

Password-Seizing Attacks

There are multiple ways that an attacker could guess, or otherwise learn a victim’s password. The one most common to see in movies and TV shows involving hackers is some variation of brute force attack, in which an attacker will work their way through every combination of possible passwords until they find the right one. This could take many forms, such as a so-called “dictionary” attack whereby the would-be attacker will try every word in the dictionary to see if any of them are accepted.

The downside of brute force attacks for an attacker is that even when using a bot for password entry, they are time-consuming, expensive, and frequently tricky. For this reason, they are not the most prevalent method used to try and gain access to passwords – although still commonplace enough that they are a major tool in the arsenal of would-be attackers.

More common by far is what is known as a credential stuffing attack. In this attack methodology, hackers take credentials that have been leaked or stolen in previous data breaches and then try to use them to access other online accounts to find out if there is a match. For example, an attacker might take usernames and passwords from one online retailer breach and then try to use them to access Amazon accounts, based on the idea that some users may be too lazy to vary their credentials between different accounts and will recycle their passwords and usernames.

Yet More Types of Attack

Related to credential stuffing is what’s referred to as password spraying, whereby attackers will use lists of common passwords – like password123 or 123456 – to try and hack into accounts. While it might seem implausible that any users would use passwords that simple, frequent research reveals that many users continue to showcase that kind of poor security hygiene.

Still another type of attack involves phishing, in which attackers try to trick users into answering an email or clicking a link that they believe to be legitimate. For instance, they might receive an email purporting to be from their bank, asking them to log into their account, via a link provided, to read an important message about their savings. In fact, the link has been carefully set up by attackers and allows them to steal the information provided by the user, which they can then use for their own malicious purposes.

These are just a handful of the ways that attackers can try and seize control of accounts. While the methods may vary, however, the results are the same: Allowing bad actors to inflict damage on those targets they have successfully breached. Account takeovers can enable a range of actions on the part of attackers – from data theft to ransomware infection.

Safeguarding Against Account Takeover

Organizations must ramp up their cyber security measures to protect against account takeover. Some of this is about properly educating users. For example, users should use complex passwords (consisting of both upper- and lower-case, as well as symbols as numbers) and ensure that they do not recycle these across multiple platforms. They should also change passwords regularly (especially when a data breach has occurred) and be able to recognize phishing attempts.

Beyond this, there are multiple security measures that can be employed. Multi-factor authentication can help protect accounts. But for the best, most advanced protective measures, consider solutions specially designed to safeguard against account takeover. Such solutions include the likes of Web Application Firewall (WAF), Runtime Application Self-Protection (RASP), and more. Between them, they provide a combination of automated protection against attacks and visibility for users.

Thanks to solutions such as these, account takeovers no longer have to be something you worry about. Given the risks, that’s likely to be a big weight off your mind.

Leave a Reply

Your email address will not be published. Required fields are marked *