Thousands of Canadian citizens are at risk of identity fraud after cybercriminals used stolen credentials to access government services including COVID-19 relief funds. The source of the breach was a credential stuffing attack utilizing logins exposed in a prior breach. This is the latest example in a steady stream of data breaches driven by poor password practices.
The Verizon DBIR highlights that passwords remain the dominant security fault line, and these attacks manifest themselves in several distinct ways. Read on for more on the common ways that password attacks happen.
Brute Force Attacks
What it is: These are offline attacks with passwords
How it happens: This automated attack is a high-volume guessing strategy that relies on trying every possible password combination. Cybercriminals use automated software to attempt as many guesses as possible, with the goal of eventually finding the right combination and gaining access to an account. With brute force attacks, perseverance pays. There is no black art behind this type of attack; it relies solely on continuing to hit the system with guesses. Hackers use a list of common passwords and try the most common combinations first.
Password Spraying
What it is: These are online attacks with passwords
How it happens: This approach relies on trying a few commonly used passwords against a large number of accounts. It bets that, within a large group of people, at least one person is likely to be using a common password. This method is slower than a brute force attack, but because each account sees only a handful of attempts, the attacker can keep guessing without triggering account lockouts. As a result, this strategy can be a more effective, albeit slower, approach than targeting specific users, and the bad actor can fly under the radar while undertaking it.
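The two online guessing patterns described above leave different shapes in authentication logs: high-volume guessing concentrates many failures on one account from one source, while spraying spreads one or two attempts across many accounts from one source, precisely to stay under per-account lockout thresholds. The following is an added example, not code from the original post or from Enzoic: a small detector that reads constructed log lines, counts failures per source and per account, and labels each source with the pattern it matches. The log format, the thresholds and every sample line are assumptions made for the demonstration.

```python
"""Classify failed-login activity as single-account guessing or password spraying.

Added example (not from the original post). The log format, thresholds and
sample lines are constructed for the demo; a real detector would also window
by time and read its thresholds from policy.
"""
import re
from collections import defaultdict

# Constructed log format: "<timestamp> <source_ip> <account> <FAIL|OK>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")

# Demo thresholds (assumptions, not recommended production values).
BRUTE_FORCE_MIN_FAILS = 5    # many failures on ONE account from one source
SPRAY_MIN_ACCOUNTS = 5       # one source touching many distinct accounts...
SPRAY_MAX_PER_ACCOUNT = 2    # ...with only a few attempts each (stays under lockout)

# Constructed sample log: one guessing source, one spraying source, one benign user.
SAMPLE_LOG = """\
2024-05-01T10:00:01 203.0.113.7 alice FAIL
2024-05-01T10:00:02 203.0.113.7 alice FAIL
2024-05-01T10:00:03 203.0.113.7 alice FAIL
2024-05-01T10:00:04 203.0.113.7 alice FAIL
2024-05-01T10:00:05 203.0.113.7 alice FAIL
2024-05-01T10:00:06 203.0.113.7 alice FAIL
2024-05-01T10:01:00 198.51.100.9 bob FAIL
2024-05-01T10:01:05 198.51.100.9 carol FAIL
2024-05-01T10:01:10 198.51.100.9 dave FAIL
2024-05-01T10:01:15 198.51.100.9 erin FAIL
2024-05-01T10:01:20 198.51.100.9 frank FAIL
2024-05-01T10:01:25 198.51.100.9 gina FAIL
2024-05-01T10:02:00 198.51.100.9 bob OK
2024-05-01T10:03:00 192.0.2.44 alice FAIL
2024-05-01T10:03:05 192.0.2.44 alice FAIL
2024-05-01T10:03:10 192.0.2.44 alice OK
"""


def parse(lines):
    """Turn raw lines into (timestamp, source, account, succeeded) tuples."""
    events = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, acct, result = m.groups()
            events.append((ts, src, acct, result == "OK"))
    return events


def analyze(lines):
    """Return ({source: pattern}, {flagged source: accounts that later logged in})."""
    fails_by_pair = defaultdict(int)       # (source, account) -> failure count
    accounts_by_src = defaultdict(set)     # source -> accounts it attempted
    success_after_fail = defaultdict(set)  # source -> accounts that succeeded after failing
    for _ts, src, acct, ok in parse(lines):
        accounts_by_src[src].add(acct)
        if ok:
            if fails_by_pair[(src, acct)] > 0:
                success_after_fail[src].add(acct)
        else:
            fails_by_pair[(src, acct)] += 1

    findings = {}
    for src, accts in accounts_by_src.items():
        per_account = [fails_by_pair[(src, a)] for a in accts]
        if max(per_account) >= BRUTE_FORCE_MIN_FAILS:
            findings[src] = "brute-force"          # hammering one account
        elif (len(accts) >= SPRAY_MIN_ACCOUNTS
              and max(per_account) <= SPRAY_MAX_PER_ACCOUNT
              and sum(per_account) > 0):
            findings[src] = "password-spray"       # few tries each, many accounts
    # Accounts worth forcing a reset on: they let a flagged source in after failures.
    likely_compromised = {src: accts for src, accts in success_after_fail.items()
                          if src in findings}
    return findings, likely_compromised


def run_demo():
    return analyze(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    findings, compromised = run_demo()
    for src, pattern in findings.items():
        print(f"{src}: {pattern}, accounts to review: {sorted(compromised.get(src, []))}")
```

Note that the benign user at 192.0.2.44 (two typos, then success) is not flagged, while the spraying source is flagged even though no single account it touched exceeded two failures; that is the whole point of looking at distinct-account fan-out per source rather than only at per-account failure counts.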
Credential Stuffing
What it is: These are online attacks with credentials exposed in prior data breaches
How it happens: This method exploits the reuse of passwords by users across multiple sites. Password reuse remains a huge problem, as we have discussed in detail here. Because of password reuse, if a cybercriminal obtains credentials for a personal account and the same password is used at work, they can also get into that person's work account. As a result, when a data breach occurs, the compromised credentials are a threat to multiple sites, not just the organization that experienced the breach.
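The defensive counterpart to credential stuffing is screening passwords against credentials already exposed in prior breaches, so a reused password is caught at account creation, password change or login rather than after an attacker tries it. The following is an added example, not code from the original post or from Enzoic: it models the hash-prefix ("k-anonymity") lookup pattern popularised by Have I Been Pwned's Pwned Passwords range API, with both sides simulated in one script against a constructed breach corpus. The corpus, the class and function names, and the five-character prefix length used here are assumptions for the demonstration, not any real service's API.

```python
"""Screen a password against a breach corpus without revealing the full hash.

Added example (not from the original post). Models the hash-prefix range
lookup pattern; the corpus and all names are constructed for the demo.
"""
import hashlib
from collections import defaultdict

# Constructed breach corpus: passwords assumed to have appeared in prior breaches.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "Summer2020!", "letmein", "password"]

PREFIX_LEN = 5  # hex characters sent to the server; the rest stays on the client


def sha1_hex(password):
    """Uppercase hex SHA-1 of the password (the corpus indexes on this)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


class BreachCorpus:
    """Server side: stores only hashes, bucketed by prefix, with a seen-count."""

    def __init__(self, passwords):
        self.by_prefix = defaultdict(lambda: defaultdict(int))
        for pw in passwords:
            h = sha1_hex(pw)
            self.by_prefix[h[:PREFIX_LEN]][h[PREFIX_LEN:]] += 1

    def range(self, prefix):
        """Return {suffix: count} for every stored hash sharing this prefix.

        The server sees only the prefix, so it cannot tell which password
        (if any) in the bucket the client actually holds.
        """
        return dict(self.by_prefix.get(prefix, {}))


def is_compromised(password, corpus):
    """Client side: send the prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return corpus.range(prefix).get(suffix, 0) > 0


def post_auth_policy(password, corpus):
    """Decision taken AFTER the password has been verified as correct.

    A correct-but-breached password means the account is exposed to credential
    stuffing, so the policy is to let the user in only via a forced reset.
    """
    return "force-reset" if is_compromised(password, corpus) else "allow"


def demo():
    corpus = BreachCorpus(BREACHED_PASSWORDS)
    return {
        "reused":  post_auth_policy("Summer2020!", corpus),
        "unique":  post_auth_policy("correct-horse-battery-staple-9x", corpus),
        "count":   corpus.range(sha1_hex("password")[:PREFIX_LEN])[sha1_hex("password")[PREFIX_LEN:]],
    }


if __name__ == "__main__":
    print(demo())
```

With a six-entry corpus every prefix bucket holds a single suffix, so the anonymity is nominal; against a real corpus of hundreds of millions of hashes each five-character prefix bucket holds several hundred candidates, which is what keeps the server from learning the password. The seen-count lets a policy treat a password exposed thousands of times more severely than one seen once.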
Both consumers and organizations need to understand the different strategies that hackers deploy and take steps to mitigate the risk from password attacks. Learn more about how Enzoic is solving the threat from poor password hygiene with its automated solutions.