Five most common password attacks

Password attacks are usually the primary cause of data breaches. Criminals are constantly searching for password vulnerabilities to access organizations' devices, systems, and networks.

Once attackers breach your company's network, it's extremely difficult to remove them. In some instances, it can take months to remove hackers from a network completely. 

With a password manager, businesses can prevent most password attacks. Password managers allow companies to store their credentials in an encrypted platform, preventing hackers from accessing or stealing passwords in the event of a breach.

We designed TeamPassword specifically for small businesses and startups to store and share passwords safely with coworkers. TeamPassword is the most affordable password manager using state-of-the-art encryption technology to secure your data.

                            

How TeamPassword Prevents Password Attacks

Most password attacks happen as a result of poor credential management and a lack of employee training. TeamPassword improves your company's password security, mitigating the five common password attacks listed below.

            

Two-Factor Authentication (2FA)

2FA adds an extra step to each employee's TeamPassword account. If cybercriminals steal an employee's credentials through a successful password attack, 2FA prevents a full breach.

TeamPassword uses Google Authenticator, which is available for iOS and Android devices. Employees need to enter their password and the six-digit TeamPassword code to log into their account.

Team members can also create backup codes, so they're never locked out of their TeamPassword account—even if they lose their Google Authenticator device.

           

Create Secure Passwords for Every Account

Weak and reused passwords expose a company to many password vulnerabilities. TeamPassword's built-in password generator ensures you create robust credentials for every account and never reuse the same password.

The password generator lets you create passwords 12-32 characters long using letters (uppercase/lowercase), symbols, and numbers. You can also use our password generator to create unique usernames, increasing the strength of your company's credentials.

With all your credentials stored inside TeamPassword, you never have to remember usernames and passwords!

           

Activity Logging and Email Notifications

TeamPassword's activity log records every action team members perform inside the password manager. You can also set up email notifications for sensitive actions or accounts so that you can get ahead of any suspicious activity.

             

Share Passwords Safely

Password attacks often happen as a result of human error and careless credential management. 

TeamPassword allows teams to share passwords securely through the password manager, so you never have to worry about exposing raw credentials through emails, chat apps, spreadsheets, and other insecure methods.

Instead of entering a username and password, teams use TeamPassword's browser extensions (Firefox, Chrome, Safari) to log into your company's tools, applications, and other accounts.

TeamPassword also has a mobile app for logging in to mobile-only applications. Employees simply copy/paste the credentials they need and log in!

              

Get started with a 14-day free trial and protect your company's digital assets with TeamPassword's robust password manager.

               

5 Most Common Password Attacks

These are the five most common password attacks criminals use to steal your employees' credentials. Using a password manager can minimize or eliminate these types of attacks.

                    

1 - Social Engineering (Phishing)

Social engineering is an umbrella term for many psychological manipulation attacks. Essentially, social engineering attacks con team members into sharing sensitive information or installing malicious software.

Social engineering is often complicated for employees to identify, and many well-educated professionals from government agencies and multinational corporations fall for these scams.

Criminals often use email to launch phishing attacks but can use text (smishing), social media, phone calls (vishing), and other communication methods. Attackers might also impersonate someone to trick employees into revealing sensitive data—which is how a 17-year-old managed to breach Twitter's networks in 2020.

                  

Aside from phishing, social engineering attacks also include:

  1. Spear-phishing - a targeted attack on a specific group or individual where criminals reveal enough data that victims believe they are communicating with a legitimate source.
  2. Watering hole attack - criminals target a website or platform frequented by a specific group of professionals—like a chat room for accountants. Attackers look for vulnerabilities in the website to install malicious code. When victims visit the infected website, they simultaneously download malware and trojans, giving attackers remote access to their device and eventually the company's network.
  3. Baiting - hackers leave an infected storage device (USB drive, CD, external hard drive) lying near a target's location. In a bid to find out what's on the drive, victims insert it into their PC, which immediately installs a malicious package, giving hackers remote access.

              

To prevent social engineering, companies must educate employees and use an effective password management strategy.

                   

2 - Man-in-the-Middle Attack

A man-in-the-middle (MitM) attack is where hackers intercept data (passwords included) as it passes from one system to another. The hackers might relay this information unaltered while stealing a copy, or manipulate it so the receiver gets false information.

MitM attacks can happen wherever data passes through a network or from one system to another. For example, if an employee uses an unencrypted public WiFi network, hackers can intercept the data they send and receive—stealing passwords and other sensitive information.

MitM attacks often happen when websites or servers don't use secure HTTPS encryption. Attackers install malicious code on these websites, allowing them to intercept any data passed through forms—including usernames and passwords!

In 2017, Equifax had to pull its mobile apps from the Apple App Store and Google Play because they had security flaws that left them vulnerable to MitM attacks, with traffic passing over HTTP instead of HTTPS.

TeamPassword prevents MitM by hashing, salting, and encrypting your passwords locally on your computer before uploading them to our servers. If attackers manage to intercept data, they're unable to read or decode it!

                       

3 - Brute Force Attack

Hackers use automated tools to crawl websites, trying username and password combinations until they find a match. With tools like Google reCAPTCHA and two-step authentication, these brute force attacks are less successful than they were ten years ago, but hackers continue to try!

If your company uses the Wordfence WordPress plugin, you'll notice bots bombard your website with these sorts of brute force attacks all day, every day.

Brute force attacks are highly effective for hacking accounts where victims use a weak username and password combination. For example, using the company's name or an employee's name as the username gives attackers half of your credentials.

Creating unique, random usernames paired with a strong password minimizes the chance of falling victim to brute force attacks.

                        

4 - Credential Stuffing Attack

Credential stuffing attacks are similar to brute force attacks and are a common fallout from data breaches. Hackers use credentials stolen during a data breach to access other websites and applications where victims might use the same username and password combination.

Criminals auction these stolen credentials on the dark web, often selling the same database to multiple buyers, resulting in attacks from numerous unscrupulous individuals.

Credential stuffing is a fully automated attack system where criminals use bots to visit websites and platforms to find a match.

Credential stuffing attacks are relatively common, and criminals have breached big corporations like Superdrug (UK retailer) and Uber. 

In 2016, criminals used stolen credentials from a previous data breach to access one of Uber's private GitHub repositories for the UK and Europe. The 12 Uber employees hadn't activated two-factor authentication, so hackers were able to log in easily. The attackers also gained access to Uber's AWS datastore, making off with more than 32 million Uber driver records!

There is an easy solution to eliminate the risk of credential stuffing—never use the same password more than once! Users should also use two-factor authentication, which will prevent both brute force and credential stuffing attacks.

TeamPassword's password manager uses two-factor authentication to prevent attackers from accessing your account, even if they steal an employee's credentials. You can also create backup codes so employees are never locked out of their TeamPassword account.
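Brute force and credential stuffing, as described in sections 3 and 4, leave different shapes in a login log: many guesses at one account versus one or two tries at many accounts. The following is an added detection sketch, not part of the original article or of any product. The log format, threshold, and function names are assumptions, and the log lines are constructed.

```python
from collections import defaultdict


def sample_log():
    """Constructed auth log; assumed format: time, source IP, username, result."""
    lines = [f"2024-05-01T10:00:0{i}Z 203.0.113.7 admin FAIL" for i in range(6)]
    users = ["ana", "ben", "cho", "dev", "eli", "fay"]
    lines += [f"2024-05-01T10:05:0{i}Z 198.51.100.9 {u} FAIL"
              for i, u in enumerate(users)]
    lines.append("2024-05-01T10:05:09Z 198.51.100.9 gus OK")
    # A legitimate user mistyping twice before logging in.
    lines += [f"2024-05-01T10:07:0{i}Z 192.0.2.4 hal {r}"
              for i, r in enumerate(["FAIL", "FAIL", "OK"])]
    return lines


def parse(lines):
    for line in lines:
        _ts, ip, user, result = line.split()
        yield ip, user, result == "OK"


def classify_sources(lines, threshold=5):
    """Label source IPs by the shape of their failed logins."""
    fails = defaultdict(lambda: defaultdict(int))  # ip -> username -> failures
    for ip, user, ok in parse(lines):
        if not ok:
            fails[ip][user] += 1
    verdicts = {}
    for ip, per_user in fails.items():
        if max(per_user.values()) >= threshold:
            verdicts[ip] = "brute_force"          # many guesses at one account
        elif len(per_user) >= threshold:
            verdicts[ip] = "credential_stuffing"  # few tries at many accounts
    return verdicts


def accounts_to_reset(lines, verdicts):
    """Successful logins from a flagged source: treat those passwords as exposed."""
    return sorted({(ip, user) for ip, user, ok in parse(lines)
                   if ok and ip in verdicts})
```

Automated campaigns often spread attempts across many addresses, so the same counting keyed on username or on a time window complements this per-IP view.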

                    

5 - Dictionary Attack

A dictionary attack is similar to a brute force attack, except criminals narrow down a list of possible passwords. These words or phrases might include an individual's pets, kids, address information, company details, dates of birth, the platform's name, and other commonly used passwords.

Criminals create an algorithm that cycles through these "dictionary words" until they find a match. How do hackers get this information?

It's freely available on company/personal websites and social media. With less than an hour's research, hackers can learn your pet's and family members' names, when you celebrate birthdays, where you live, work, and go to the gym. They can enter all of these keywords into their algorithm and let bots do the rest.

With TeamPassword's password generator, you never create familiar or recognizable passwords—eliminating any risk of your company falling victim to dictionary attacks.
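The sketch below ties together the generator settings described earlier (12-32 characters drawn from upper and lower case letters, symbols, and numbers) and the dictionary-attack risk above. It is an added example, not TeamPassword's generator: it screens a password against personal and company words even after common letter/digit swaps, and generates random passwords that pass the screen. The function names, the substitution table, and the context words are constructed assumptions.

```python
import secrets
import string

# Common character swaps that are undone before comparing against known words.
LEET = str.maketrans("0134578@$!", "oieastbasi")

# Constructed context: pet name, company, birth year, street.
CONTEXT = ["Rex", "Acme", "1990", "Maple Street"]


def normalize(text: str) -> str:
    return text.lower().translate(LEET)


def is_guessable(password: str, context_tokens, min_token_len: int = 3) -> bool:
    """True if the password contains a context word, even with swaps like 3 for e."""
    candidate = normalize(password)
    return any(len(tok) >= min_token_len and normalize(tok) in candidate
               for tok in context_tokens)


def generate_password(length: int = 20, context_tokens=()) -> str:
    """Random password of 12-32 characters containing all four character classes."""
    if not 12 <= length <= 32:
        raise ValueError("length must be between 12 and 32")
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, string.punctuation]
    alphabet = "".join(classes)
    while True:
        # secrets uses the OS CSPRNG; rejection sampling keeps the draw uniform
        # over the set of passwords that satisfy the policy.
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        has_all = all(any(ch in cls for ch in pw) for cls in classes)
        if has_all and not is_guessable(pw, context_tokens):
            return pw
```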

                       

Try TeamPassword to Protect Your Passwords

The biggest takeaways from this article are:

  1. Never reuse passwords
  2. Don't create weak passwords or use familiar phrases
  3. Always use two-factor authentication when it's available

                       

Protect your company from password attacks with TeamPassword's secure password management solution. Try TeamPassword for 14 days to test sharing passwords safely with your team.