Malicious actors value user names and passwords highly because they open the door for stealing information and staging future attacks. With access to even a single employee’s account, malicious actors can deploy ransomware or siphon crucial data, so they have developed multiple attack strategies that attempt to find out a user’s credentials with little effort. By becoming familiar with these attacks, small businesses can see the patterns that make these attacks work and adapt their password hygiene and cybersecurity infrastructure to stop them early.
In a brute force attack, hackers simply make repeated login attempts, trying as many character combinations as needed until they eventually land on the correct credentials for an account. To make this attack form more reliable, malicious actors employ automated programs that run continuously and make login attempts far faster than a human could. Hackers will often target network accounts that aren’t protected or that have gone unused after an employee leaves a company. Brute force attacks can be defended against relatively simply by implementing strong password requirements for users and setting up multifactor authentication (MFA) alongside alerting that notifies your IT team when excessive login attempts are made.
Hackers will also use information stolen during third-party data breaches to make login attempts at a targeted business. This form of password attack is called credential stuffing, and it occurs when malicious actors take a set of known credentials and try to use them to log in to other services. For example, an employee could use the same username and password for work and for a social media account, and the social media credentials could then be stolen in a data breach. A malicious actor could acquire that user’s social media credentials on the dark web and attempt to log in to their work account with them. This attack form underscores the importance of never reusing passwords across accounts.
Password Spray Attacks
In a password spray attack, a handful of generic, low-effort passwords are tried against every account a hacker can obtain a username for, in the hope of finding one with poor password hygiene. Because many services lock accounts after repeated unsuccessful login attempts, malicious actors spread their attempts across a wide range of accounts rather than hammering one specific user, which keeps each account below its lockout threshold and helps the attack avoid detection. This form of attack requires a malicious actor to have access to a wide range of account usernames, and it can be hard to detect. A company’s IT department may not notice any malicious activity unless it can see an influx of unsuccessful login attempts across the company as a whole, or unless multiple users report strange activity on their accounts.
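The detection signals described above (a spray shows up as a few failures each across many accounts, a brute force attack as many failures against one account) can be checked directly against failed-login records. The following is an added example, not code from the original post; the event tuples, IP addresses, usernames and thresholds are all constructed for illustration.

```python
from collections import defaultdict

# Constructed sample of failed-login events: (timestamp_seconds, source_ip, username).
FAILED_LOGINS = [
    (0, "203.0.113.7", "alice"), (5, "203.0.113.7", "bob"), (9, "203.0.113.7", "carol"),
    (14, "203.0.113.7", "dave"), (20, "203.0.113.7", "erin"), (26, "203.0.113.7", "frank"),
    (30, "198.51.100.4", "alice"), (31, "198.51.100.4", "alice"), (32, "198.51.100.4", "alice"),
    (33, "198.51.100.4", "alice"), (34, "198.51.100.4", "alice"), (35, "198.51.100.4", "alice"),
    (40, "192.0.2.9", "grace"),  # a single mistyped password, not an attack
]

def classify_sources(events, window=300, spray_users=5, brute_attempts=5):
    """Return {source_ip: "spray" | "brute_force"} for each source whose failures
    inside any `window`-second span match one of the two patterns:
      brute_force - at least `brute_attempts` failures against a single account
      spray       - at least `spray_users` distinct accounts, each hit only a
                    few times (each account stays below its lockout threshold)
    Thresholds are illustrative assumptions; tune them to your own baseline."""
    by_src = defaultdict(list)
    for ts, src, user in events:
        by_src[src].append((ts, user))
    verdicts = {}
    for src, hits in by_src.items():
        hits.sort()
        for i, (start, _) in enumerate(hits):
            per_user = defaultdict(int)
            for ts, user in hits[i:]:
                if ts - start <= window:
                    per_user[user] += 1
            busiest = max(per_user.values())
            if busiest >= brute_attempts:
                verdicts[src] = "brute_force"
                break
            if len(per_user) >= spray_users:
                verdicts[src] = "spray"
                break
    return verdicts

def distinct_accounts_failing(events, window=300):
    """Company-wide view: the largest number of distinct accounts with a failed
    login inside any `window`-second span, regardless of source IP. A spray run
    through many IPs can slip past per-source checks but still spikes this."""
    stamped = sorted((ts, user) for ts, _, user in events)
    best = 0
    for i, (start, _) in enumerate(stamped):
        users = {user for ts, user in stamped[i:] if ts - start <= window}
        best = max(best, len(users))
    return best
```

Per-source and company-wide counts complement each other: the first catches an attacker working from one address, the second catches a spray spread across many.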
A common thread that links all of these attacks together is a reliance on poor user password hygiene. Employees can be tempted to reuse the same credentials across services or to put little effort into the passwords they create, and this can have devastating consequences. Our team of security specialists here at Robinett Consulting recommends implementing strong password requirements for users along with security services such as multifactor authentication, which can help your IT team detect suspicious activity before the bad guys gain access to your network!