Password Theft: Another Avenue for Cybercrooks
August 17, 2020
Today’s hackers steal credentials via craftiness, know-how, and brute force
Passwords. We’ve been using them so long and so routinely that we probably can’t imagine our lives without them. And we probably don’t spend too much time thinking about them either – until one of our accounts is compromised and the threat of identity theft, financial loss, or a privacy breach rears its ugly head.
Some users diligently keep records of their passwords; some rely on password managers; and many await the day when passwordless authentication becomes the norm. Until that day arrives, however, we all have to deal with passwords and the possibility that somebody could lift one of ours with the intent to do harm.
For businesses, a password breach can lead to steep losses and reputational damage. No business – whether a sprawling enterprise or a local mom-and-pop shop – is safe from the dangers of password theft. Hackers use a slew of methods to steal passwords – keylogging, password spraying, credential stuffing, rainbow table attacks, phishing, and more.
Here are three of the most common:
> Phishing/social engineering. These kinds of attacks are usually carried out via e-mail, SMS messages, social media links, or phone calls. By clicking on links leading to spoofed websites, and then entering their credentials, users can unwittingly hand over the very data they seek to protect. Some hackers rely on deception and manipulation, preying on people’s fears, insecurities (and sometimes compassion) to get them to willingly reveal their passwords. A strong e-mail security solution can reduce spam and phishing attempts. And there’s no substitute for educating customers on how to recognize scams by looking for telltale signs in messages, such as misspellings and bad grammar, generic greetings, and fake URLs (those with shortened addresses, misspellings, and/or extra words, for example).
> Credential stuffing. Also known as breach replay, credential stuffing involves using breached data from one service (a social networking site, for instance) to gain access to yet another service (such as a healthcare provider’s website). To reduce the possibility of password theft via credential stuffing, MSPs’ employees and customers should create unique passwords for every service they use and refresh all those passwords periodically.
> Brute-force attacks. Often featured in movies, with either the villain or the hero typing furiously away at a keyboard to find the password and ruin or save the day, these hacking attempts are generally automated trial-and-error guessing sessions. Given that stored passwords are usually encrypted or hashed, brute-force attackers try many candidate values until one matches the stored hash or reveals the encryption key. For their part, software vendors can render password decryption more difficult by using multiple encryption keys and making sure only the account holder knows at least one encryption key. MSPs, meanwhile, should encourage customers to use hard-to-crack passwords – unique and lengthy, with a combination of uppercase letters, lowercase letters, and special characters – or passphrases to minimize the chances of a breach.
Whether a cybercriminal uses one of those three methods or another, the probability of hitting paydirt depends largely on the security systems deployed by organizations.
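One piece of the "security systems" side is telling the two automated methods apart in authentication logs: credential stuffing (and password spraying) shows as a single source failing against many different accounts, while a classic brute-force attempt shows as one source hammering a single account. The following is an added example, not code from the original post; the log format, field names and thresholds are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (assumed format: timestamp, result, user, source IP).
SAMPLE_LOG = """\
2020-08-17T10:00:01 FAIL user=alice src=203.0.113.9
2020-08-17T10:00:02 FAIL user=bob src=203.0.113.9
2020-08-17T10:00:03 FAIL user=carol src=203.0.113.9
2020-08-17T10:00:04 FAIL user=dave src=203.0.113.9
2020-08-17T10:00:05 OK user=erin src=203.0.113.9
2020-08-17T10:01:00 FAIL user=alice src=198.51.100.7
2020-08-17T10:01:01 FAIL user=alice src=198.51.100.7
2020-08-17T10:01:02 FAIL user=alice src=198.51.100.7
2020-08-17T10:01:03 FAIL user=alice src=198.51.100.7
2020-08-17T10:01:04 FAIL user=alice src=198.51.100.7
2020-08-17T10:02:00 FAIL user=frank src=192.0.2.33
2020-08-17T10:02:30 OK user=frank src=192.0.2.33
"""

LINE_RE = re.compile(r"^\S+ (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse(log_text):
    """Turn log lines into dicts; silently skip lines that do not match the assumed format."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, spray_users=3, brute_fails=5):
    """Per source IP: 'credential_stuffing' when failures are spread over many distinct
    accounts (the breach-replay / spraying shape), 'brute_force' when many failures pile up
    on one account, otherwise 'normal'. Thresholds are assumed; tune them to your own baseline."""
    fails = defaultdict(lambda: defaultdict(int))  # src -> user -> failure count
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
    verdicts = {}
    for src, per_user in fails.items():
        if len(per_user) >= spray_users:
            verdicts[src] = "credential_stuffing"
        elif max(per_user.values()) >= brute_fails:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts


if __name__ == "__main__":
    print(classify(parse(SAMPLE_LOG)))
```

A source flagged as credential stuffing that also produces an OK line (as 203.0.113.9 does above) deserves the first look, since that is the replayed password that actually worked.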
