A few weeks ago, we reviewed some of the worst website hacks we’ve ever seen. Every one of them started with poor password choices and escalated into a disastrous event for the site owner. Strong passwords and good password hygiene are often the first line of defense.
On September 29, 2020, the Wordfence Live team covered the 10 Worst Password Mistakes We’ve Ever Seen. This companion blog post reviews the most Common Ways Attackers Are Stealing Credentials to shed some light on common ways malicious actors are obtaining passwords so that you can make better decisions about your credentials
We will follow-up with an additional post summarizing the 10 mistakes we covered in Wordfence Live.
You can watch the video of Wordfence Live below.
Here are timestamps in case you’d like to jump around:
- 0:00 Introduction
- 7:43 What is a password?
- 9:48 Common attack methods that compromise passwords
- 10:10 Credential stuffing
- 12:07 Brute force and dictionary attacks
- 13:57 Shoulder surfing
- 15:07 Social engineering
- 18:02 Phishing
- 20:15 Wireless sniffing
- 22:17 Man in the middle attacks
You can click on these timestamps to jump around in the video.
What exactly is a password?
Passwords are a critical component of our lives online. They act as keys granting access to our favorite shopping sites, our bank accounts, our social media and email accounts, and even our WordPress sites.
A password is used to prove your online identity. A username acts as an identification mechanism to tell a site who you are, while a password acts as an authentication mechanism to verify that the identity you are claiming is truly and authentically your identity.
It is incredibly important to safeguard your passwords and follow password best practices. Passwords protect your online identity. If any of your passwords are compromised, attackers can gain access to online accounts and sensitive information, causing irreparable harm to your business, your livelihood, and even your personal identity.
What are some common password-stealing attack methods?
No matter what kind of password attack is being used, the end goal for the attacker is to “spoof” your identity by using your compromised password and successfully authenticate as you. Here are the most common methods of stealing or compromising passwords to gain unauthorized entry.
Attack Type #1: Credential Stuffing
Credential stuffing occurs when an attacker already has access to username and password combinations which are commonly obtained from data breaches. In this kind of attack, attackers send automated requests containing these username and password combinations to try to successfully authenticate as you. If successful, attackers can steal your sensitive data, make changes on your account, or even impersonate you. A targeted credential stuffing attack might succeed within a single try, while a large-scale campaign might try millions of combinations against a single site.
To combat credential stuffing attacks, make sure you are not reusing passwords across sites. Monitor your credentials to verify that they haven’t been exposed in a data breach with a service such as haveibeenpwned.com. If your passwords are ever compromised, change them immediately.
Attack Type #2: Password Cracking Techniques
There are several password cracking techniques that attackers use to “guess” passwords to systems and accounts. The top three most common password cracking techniques we see are brute force attacks, dictionary attacks, and rainbow table attacks.
In a dictionary attack, an attacker will use a dictionary list of words and combinations of dictionary words to try and guess the password. They may use single dictionary words or a combination of dictionary words, however, the simplicity of having a dictionary list is what makes this an attractive attack method for attackers.
A brute force attack takes things a little further than a dictionary attack An attacker will try various different combinations of letters, numbers, and special characters to try and “guess” the right password. Establishing resources to automate brute force attacks is easy and inexpensive, and attackers usually end up with large databases of credentials due to users using weak passwords.
A rainbow table attack occurs when an attacker uses a precomputed table of hashes based on common passwords, dictionary words, and pre-computed passwords to try and find a password based on its hash. This typically occurs when an attacker is able to gain access to a list of hashed passwords and wants to crack the passwords very quickly. In many cases, credential breaches only contain hashed passwords, so attackers will often use rainbow table attacks to discover the plaintext versions of these passwords for later use in credential stuffing attacks.
Password cracking attacks are quite common and one of the most prevalent types of attacks next to credential stuffing. WordPress sites are often heavily targeted by these attacks.
Weak passwords can take seconds to crack with the right tools, making it incredibly important to use strong, unique passwords across all sites.
Attack Type #3: Shoulder Surfing
Shoulder surfing occurs when a malicious bystander observes the sensitive information you type on your keyboard or on your screen from over the shoulder.
This can occur anywhere, whether in an office space, in a coffee shop, on an airplane, etc. Anywhere you access or enter sensitive information while in a public venue can put your passwords at risk. If you are not aware of your surroundings when logging in to sites in public spaces, or in your office, then you can fall victim to this attack.
Be aware of your surroundings when authenticating into sites or resources and ensure no one is watching you. Privacy screens that block screen visibility can be protective if you frequently work in public spaces.
Attack Type #4: Social Engineering
Social engineering targets the weakest link in security: humans. These attacks are incredibly common and often fairly successful. Social engineering is primarily a psychological attack tricking humans into performing an action they might not otherwise do based on social trust. For example, an attacker might engineer their way into a corporate physical facility. Once inside, they could approach an employee and say they’re troubleshooting a problem with a very specific service, and their credentials aren’t working.
Social engineering can happen in many ways, including in person, over the phone, through social media, through email phishing. To protect yourself, verify the identity of anyone requesting sensitive information or passwords. Never share sensitive information, especially your passwords, with someone you don’t know, don’t trust, or cannot verify. If possible, never share your passwords with anyone, even if you do trust them.
If you have employees, have them participate in security awareness training to learn how to recognize different social engineering attacks and prepare for reporting and alerting others when a suspected social engineering attack targets an organization.
Never provide sensitive information or passwords to strangers, regardless of who they claim to be. If a help desk technician is calling you saying they need your credentials, verify with your boss first or just say no. In most cases, reputable service providers have alternate ways of obtaining information that will not require your credentials.
Attack Type #5: Phishing
While often considered a subcategory of social engineering, phishing is so prevalent that it deserves its own “attack” category. Phishing occurs when an attacker crafts an email to look like it is coming from a legitimate source in order to trick the victim into clicking a link or supplying sensitive information like passwords, social security numbers, bank account information, and more. These emails can range from beautifully crafted and imperceptibly close to the real deal to laughably simple and obviously fake.
Targeted phishing attacks, known as spear phishing, are incredibly effective and often appear to come from a trusted source such as a boss or coworker. If you receive an email from someone you trust asking for something unusual, verify that it was sent by the person who appeared to have sent it by calling them on the phone, talking to them in person, or using some other method of communication.
Verify the source of any email you receive by checking the email headers. We also recommend that you avoid supplying any sensitive information to someone you don’t fully trust. Never click links in emails as they can often lead to phishing kits designed to collect your credentials and hand them over to attackers. To check the validity of the information emailed to you, close your email, and type the name of the institution that purportedly sent the email into your browser location bar to login to their site.
Attack Type #6: Wireless Sniffing
An attacker using tools to examine network traffic can “sniff” the network to capture and read packets of data sent. Wireless sniffing captures data being sent between an unsuspecting user’s computer and the server that the client is making the request to. If a site isn’t using a TLS/SSL certificate, an attacker with these tools can easily obtain your passwords just by capturing the packets that are sent.
Use a VPN when accessing sites on public wifi so that an attacker cannot easily capture and read your data. If your WordPress site is not using a TLS/SSL certificate, your WordPress credentials are being sent in plaintext whenever you login. Ensure that you have a TLS/SSL certificate installed on your WordPress site to help keep your site visitors’ data, including passwords, safe in transit.
Attack Type #7: Man-in-the-Middle Attack
A Man-in-the-Middle attack occurs when an attacker intercepts traffic, acting as the receiving server of requests and subsequently observing all the traffic being sent to the server they are attacking before forwarding the packets to the legitimate server. This can occur in many different situations, from accessing a website from your home to accessing resources in an office.
Your best protection when it comes to man-in-the-middle attacks is to ensure the site you are visiting is trusted, and the SSL/TLS certificate installed on the site is valid. Google will alert you if there is something suspicious about the SSL/TLS certificate on a site, so if you get that warning, make sure to avoid entering any sensitive information or passwords into that site. You can also use a VPN so that your data remains encrypted when traversing any network.
Today, we covered some of the most common password stealing techniques in use today. Understanding these attack types is important to know how hackers can gain access to your passwords. By better understanding what attackers are doing, you can better understand what you need to do to protect yourself against password compromise.
This is the first of two related posts. We will be following up with an additional post diving into the top 10 Worst Password Mistakes We’ve Ever Seen.
We often recommend that you share our posts with colleagues and friends that are affected. Today we are asking that you share this post with everyone from your grandma to your next door neighbor. Password theft affects everyone. By sharing this post with everyone, we can hopefully raise awareness about password security and its importance, and make the internet a better and safer place for everyone.