The Most Common Password Theft Attacks Revealed

Plus, a few tactics that protect your sensitive data

New research has shown that despite years of warnings from cyber security experts, people around the world are still relying on frequently used passwords to secure their accounts. 

Whether it’s “123456”, “qwerty” or “iloveyou,” passwords such as these put users’ sensitive data at risk. Or, as PC Mag puts it, “laughingly insecure”.

According to TechRepublic, approximately 70 percent of the most commonly-used passwords worldwide can be cracked in less than a second. Short passwords make it easy for threat actors to gain unauthorized access. 

Many of us picture hackers as lone-wolf figures, working solo in a dark basement somewhere. In reality, this couldn’t be further from the truth. Today’s cybercriminals work in teams and are well supported with a range of crime-specific software solutions and advanced tools they can leverage.

Are you curious about how these threat actors manage to crack users’ passwords and gain unauthorized access to their accounts? We were too, so we compiled this list of the most common password theft attacks.  

7 common types of password attacks

1. Dictionary attacks

As the name suggests, a dictionary attack involves systematically trying words from a list (a real dictionary or, more often, a wordlist of passwords leaked in earlier breaches) in order to access an account, a network, or a device. Threat actors use software to “guess” a password by testing commonly used words and phrases. The same tools apply mangling rules to each word, such as capitalising the first letter, appending digits or a year, and swapping letters for look-alike symbols like E for 3 and A for @.

A dictionary attack has a high chance of success if the account has an insecure or common password. It is not just online accounts at risk, either. Hackers may also use this attack to recover the password of stolen, password-protected files such as encrypted archives or documents sent between colleagues. Against a stolen password hash or file the attack runs offline, so no account lockout or rate limit slows it down. Dictionary attacks are a type of brute force attack.
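The following is an added illustration, not code from the original article: a minimal offline dictionary attack in Python with the mangling rules described above (case changes, letter-to-symbol swaps, digit suffixes) run against an unsalted SHA-256 hash. The wordlist, substitution table and suffix list are constructed assumptions standing in for the much larger lists real tools ship with.

```python
import hashlib
import itertools

# Constructed stand-in for a real wordlist such as rockyou.txt.
WORDLIST = ["password", "iloveyou", "sunshine", "qwerty", "letmein"]

# Letter-to-symbol swaps of the kind the text describes (A -> @, E -> 3, ...).
LEET = {"a": ["@", "4"], "e": ["3"], "i": ["1"], "o": ["0"], "s": ["$", "5"]}

# Suffixes people commonly append to a base word (constructed assumption).
SUFFIXES = ["", "1", "123", "!", "2024"]


def mangle(word):
    """Yield the word and its case, leet-speak and suffix variants, without duplicates."""
    seen = set()
    for base in (word, word.capitalize(), word.upper()):
        # For each character the options are the character itself plus its swaps.
        options = [[c] + LEET.get(c.lower(), []) for c in base]
        for combo in itertools.product(*options):
            stem = "".join(combo)
            for suffix in SUFFIXES:
                candidate = stem + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def sha256_hex(text):
    """Unsalted SHA-256: a fast hash that a dictionary attack can run through quickly."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def dictionary_attack(target_hash, wordlist=WORDLIST, hash_fn=sha256_hex):
    """Try every mangled wordlist entry against target_hash.

    Returns (password, guesses_made); password is None when the list is exhausted.
    """
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if hash_fn(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


if __name__ == "__main__":
    # A stolen hash of "P@ssw0rd1": "password" with two swaps and a suffix.
    stolen = sha256_hex("P@ssw0rd1")
    print(dictionary_attack(stolen))
    # A long random passphrase is not derivable from the list, so the search is exhausted.
    print(dictionary_attack(sha256_hex("correct horse battery staple")))
```

The point to notice is that swapping A for @ or adding "123" does not move a password out of reach: those variants are generated mechanically, and each word only costs a few hundred extra guesses.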


2. Brute force attacks

Also known as brute force cracking or an exhaustive search attack, brute force attacks are somewhat like losing an item in your home and looking in every possible spot, hoping that eventually, you’ll stumble upon the right location. However, far less human effort is involved as computers do all the hard work. 

Although simple, brute force attacks are often successful. In 2017, the UK and Scottish parliaments both fell victim to brute force attacks on their email systems. In 2018, Cathay Pacific Airways suffered a breach and was later fined by the UK's data protection regulator for inadequate security measures.

Dictionary attacks are the most common type of brute-force attack, but they are not the only ones. 

3. Credential stuffing (credential recycling)

Hackers take usernames and passwords exposed in earlier data breaches and replay them against other accounts, systems, or devices, betting that the owner reused the same password elsewhere. Because the attacker already holds real username and password pairs, far fewer attempts are needed than with guessing. You can check whether your email address or any of your passwords have appeared in a known breach on a site like Have I Been Pwned.
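As an added example (not code from the article or from Have I Been Pwned), here is how a password can be checked against the Pwned Passwords corpus without ever sending the password itself: the client hashes it with SHA-1, sends only the first five hex characters of the hash to the range endpoint, and compares the returned suffixes locally. The `fetch_range_fake` function and its response lines are constructed so the example runs offline; `fetch_range_live` shows the real call but is not executed here.

```python
import hashlib
import urllib.request

HIBP_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def split_sha1(password):
    """Return the 5-hex-char prefix sent to the API and the 35-char suffix kept local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix, response_text):
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in response_text.splitlines():
        hash_suffix, sep, count = line.strip().partition(":")
        if sep and hash_suffix.upper() == suffix:
            return int(count)
    return 0


def breach_count(password, fetch_range):
    """How many times the password appears in the corpus behind fetch_range."""
    prefix, suffix = split_sha1(password)
    return count_in_range_response(suffix, fetch_range(prefix))


def fetch_range_live(prefix):
    """Real lookup (not run in this example); the service only ever sees the prefix."""
    req = urllib.request.Request(HIBP_RANGE_URL + prefix,
                                 headers={"User-Agent": "password-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed offline stand-in for the live service: one prefix with made-up
# suffix lines plus the real suffix of SHA-1("password") and a made-up count.
_PW_PREFIX, _PW_SUFFIX = split_sha1("password")
FAKE_RANGES = {
    _PW_PREFIX: "\r\n".join([
        "0018A45C4D1DEF81644B54AB7F969B88D65:1",
        _PW_SUFFIX + ":3861493",
        "011053FD0102E94D6AE2F8B83D76FAF94F6:2",
    ])
}


def fetch_range_fake(prefix):
    return FAKE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", fetch_range_fake))
    print(breach_count("correct horse battery staple", fetch_range_fake))
```

A non-zero count means the password is already in attackers' credential-stuffing lists and should be treated as burned, however "strong" it looks.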

4. Reverse brute force attacks (password spraying)

This type of attack relies on known, high-use passwords. Instead of trying many passwords against one account, the threat actor takes a single common password such as “123456” and tries it against a long list of usernames, then moves on to the next common password. Because each account sees only one or two failed attempts, the technique slips under the lockout thresholds that stop a conventional brute force attack, and with passwords this common it succeeds more often than most people would expect.
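Seen from the defender's side, the difference between spraying and a conventional brute force attack is the shape of the failed logins. The following added example (not from the article) classifies source addresses from constructed authentication log lines: many users with one or two failures each from one source is spraying, many failures against one user is brute force, and a success from a flagged source marks an account that is probably compromised. The log format, field names and thresholds are assumptions.

```python
import re
from collections import defaultdict

# Constructed log lines (not from any real system); one event per line.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z auth failed user=alice src=203.0.113.5
2024-03-01T10:00:02Z auth failed user=bob src=203.0.113.5
2024-03-01T10:00:03Z auth failed user=carol src=203.0.113.5
2024-03-01T10:00:04Z auth failed user=dave src=203.0.113.5
2024-03-01T10:00:05Z auth failed user=erin src=203.0.113.5
2024-03-01T10:00:06Z auth ok user=frank src=203.0.113.5
2024-03-01T10:01:00Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:01Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:02Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:03Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:04Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:05Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:06Z auth failed user=alice src=198.51.100.7
2024-03-01T10:01:07Z auth failed user=alice src=198.51.100.7
2024-03-01T10:02:00Z auth failed user=alice src=192.0.2.9
2024-03-01T10:02:05Z auth failed user=alice src=192.0.2.9
2024-03-01T10:02:20Z auth ok user=alice src=192.0.2.9
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth (?P<result>failed|ok) user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Return one dict per well-formed line; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify_sources(text, spray_min_users=5, brute_min_attempts=5):
    """Label each source IP by the shape of its failed logins.

    password_spraying: at most two failures each against many distinct users
    brute_force: many failures against a single user
    Returns {src: (label, users_that_later_logged_in_from_a_flagged_source)}.
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed count
    successes = defaultdict(set)                        # src -> users with an ok login
    for ev in parse_log(text):
        if ev["result"] == "failed":
            failures[ev["src"]][ev["user"]] += 1
        else:
            successes[ev["src"]].add(ev["user"])

    verdicts = {}
    for src, per_user in failures.items():
        worst = max(per_user.values())
        if len(per_user) >= spray_min_users and worst <= 2:
            label = "password_spraying"
        elif worst >= brute_min_attempts:
            label = "brute_force"
        else:
            label = "normal"
        hit = sorted(successes[src]) if label != "normal" else []
        verdicts[src] = (label, hit)
    return verdicts


if __name__ == "__main__":
    for src, verdict in classify_sources(SAMPLE_LOG).items():
        print(src, verdict)
```

A per-account lockout rule would never fire on 203.0.113.5, which is exactly why spraying works; the alert has to be keyed on the source (or on the whole tenant) rather than on the individual user.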

5. Rainbow table attacks

In a rainbow table attack, the hacker uses a rainbow table, a precomputed structure that maps hashes back to the passwords that produce them, to recover passwords from a stolen database of password hashes. Passwords should be stored as hashes (a one-way function, not encryption) rather than in the clear, but a plain hash alone is not enough: the same password always produces the same hash, so a single precomputation covers every database that uses that hash function. Rainbow tables trade disk space for cracking time by storing only the start and end of long chains of alternating hash and “reduction” steps, which lets a table covering billions of candidates fit in a few gigabytes. The standard defence is to hash each password with a unique random salt and a deliberately slow function such as bcrypt, scrypt or Argon2, which makes precomputed tables useless.
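The following is an added demonstration, not code from the article: a toy rainbow table over three-letter lowercase passwords hashed with unsalted MD5. It builds chains with a per-step reduction function, stores only chain endpoints, recovers a password from its hash by walking the chain, and then shows that the same lookup fails once a per-user salt is added. The password space, chain length and number of chains are assumptions chosen to keep the run short.

```python
import hashlib
import random

CHARSET = "abcdefghijklmnopqrstuvwxyz"
LENGTH = 3                              # toy space: 26**3 = 17,576 passwords
SPACE = len(CHARSET) ** LENGTH
CHAIN_LEN = 20                          # hash/reduce steps per chain


def md5_hex(password):
    """Unsalted MD5, the kind of fast hash real rainbow tables were built for."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def index_to_password(n):
    """Map an integer in [0, SPACE) to a password in the toy space."""
    chars = []
    for _ in range(LENGTH):
        n, r = divmod(n, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def reduce_hash(hexdigest, step):
    """Reduction function R_step: turn a hash back into *some* password.

    Each step uses a different reduction, so chains that collide at different
    positions do not merge; that is what makes the table a rainbow table rather
    than a plain precomputed chain table.
    """
    return index_to_password((int(hexdigest, 16) + step) % SPACE)


def chain_passwords(start):
    """The CHAIN_LEN passwords whose hashes are covered by the chain at start."""
    pws = [start]
    for step in range(CHAIN_LEN - 1):
        pws.append(reduce_hash(md5_hex(pws[-1]), step))
    return pws


def build_table(num_chains, seed=1):
    """Precompute chains; only (endpoint -> start passwords) is stored."""
    rng = random.Random(seed)
    table = {}
    for _ in range(num_chains):
        start = index_to_password(rng.randrange(SPACE))
        pw = start
        for step in range(CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table, target_hex):
    """Recover the password behind target_hex if it lies on any stored chain."""
    for j in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits at position j and walk the chain to its endpoint.
        pw = reduce_hash(target_hex, j)
        for step in range(j + 1, CHAIN_LEN):
            pw = reduce_hash(md5_hex(pw), step)
        for start in table.get(pw, []):
            # Endpoint matched: rebuild that chain and look for the hash itself.
            for candidate in chain_passwords(start):
                if md5_hex(candidate) == target_hex:
                    return candidate
    return None


def salted_md5_hex(password, salt):
    """With a per-user salt the same password no longer yields the same hash."""
    return hashlib.md5((salt + password).encode("utf-8")).hexdigest()


if __name__ == "__main__":
    table = build_table(2000)
    victim = chain_passwords(next(iter(table.values()))[0])[7]   # covered by the table
    print(victim, "->", lookup(table, md5_hex(victim)))          # recovered
    print(lookup(table, salted_md5_hex(victim, "x9")))           # None: the salt defeats it
```

Storage is the whole trick: 2,000 chains of 20 steps cover up to 40,000 hashes while storing 2,000 endpoints, and a lookup costs at most a few hundred hash operations instead of a full search. A salt breaks the assumption that one table fits every database, and a slow hash makes building a table per salt impractical.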


6. Phishing attacks

Phishing is a form of social engineering. As a password attack, it involves manipulating a user into handing over their password or user name. A threat actor may send a deceptive email asking a user to log into their bank account using a provided link. The link leads to a fraudulent website that looks legitimate to the user, who then logs in. The fake site captures the credentials, and often forwards the victim on to the real site so that nothing looks wrong.

Note that phishing via email or text message (the latter sometimes called smishing) are just two forms of social engineering attack. Threat actors may also phone victims posing as a representative of their internet service provider or a telecom company to trick them into providing their credentials.

7. Man-in-the-middle (MITM) attacks

As the name suggests, a man-in-the-middle attack involves a threat actor positioning themselves between the user and the application or account they’re attempting to access to “eavesdrop” and gain access to the user’s sensitive information.

Once privy to the “conversation” between the user and the application or service they were accessing, the hacker can either eavesdrop or impersonate either of the parties involved. The ultimate aim remains the same, though: to steal account credentials. Properly configured TLS (the HTTPS padlock) is designed to defeat this, which is why a certificate warning in the browser should be treated as a sign that someone may be sitting in the middle rather than clicked through.

As you can see from the seven attack types outlined above, the tactics employed by threat actors run the gamut from basic manipulation to offline cryptanalysis.

So what tactics can you employ to protect yourself from password theft in today’s advanced threat landscape?

How to protect passwords and accounts

The best way to avoid becoming a cybercrime statistic is to follow the guiding principles of good password hygiene. Here’s what to do:

Use long and unique passwords

As we’ve learned, threat actors use advanced software to perform brute force attacks. Every extra character multiplies the number of possibilities an attacker has to try by the size of the character set, so a password of fewer than eight characters is in a different league from one longer than 12. Length does more for you than any single clever symbol, so it only makes sense to choose long passwords.


You should also aim for uniqueness and unpredictability. Don’t use any well-known words, leaked passwords, common swaps (@ for A), or recognizable phrases. If coming up with long and unique passwords is difficult, enlist the help of a password manager.

Oh, and never repeat passwords across accounts. 
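As an added example (not from the article), the Python below generates passwords from the operating system's cryptographic random source, which is what a password manager does for you, and works the keyspace arithmetic behind the length advice above for several common choices. The assumed guess rate of ten billion per second stands in for a GPU cracking rig attacking a fast unsalted hash offline and is only a rough illustration.

```python
import math
import secrets
import string

SYMBOLS = "!@#$%^&*()-_=+[]{}:;,.?"
FULL_ALPHABET = string.ascii_letters + string.digits + SYMBOLS


def generate_password(length=16, alphabet=FULL_ALPHABET):
    """Uniformly random password from the OS CSPRNG (never use random.random for secrets)."""
    if length < 12:
        raise ValueError("use at least 12 characters")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def entropy_bits(length, alphabet_size):
    """Bits of entropy for a uniformly random password: length * log2(alphabet size)."""
    return length * math.log2(alphabet_size)


def expected_crack_seconds(bits, guesses_per_second):
    """Expected time for an exhaustive search, which on average covers half the keyspace."""
    return 2 ** (bits - 1) / guesses_per_second


def compare_lengths(guesses_per_second=1e10):
    """Keyspace and expected crack time for a few password shapes at an assumed rate.

    The rate is a constructed assumption; only the ratios between rows matter.
    Returns {label: (bits, seconds)}.
    """
    cases = {
        "7 lowercase": (7, 26),
        "8 lowercase": (8, 26),
        "8 mixed+digits": (8, 62),
        "12 mixed+digits": (12, 62),
        "16 full alphabet": (16, len(FULL_ALPHABET)),
    }
    result = {}
    for label, (length, alphabet_size) in cases.items():
        bits = entropy_bits(length, alphabet_size)
        result[label] = (bits, expected_crack_seconds(bits, guesses_per_second))
    return result


if __name__ == "__main__":
    print(generate_password(20))
    for label, (bits, seconds) in compare_lengths().items():
        print(f"{label:18s} {bits:5.1f} bits  ~{seconds / 86400 / 365:.2e} years")
```

The entropy figures only hold for passwords that really are random. A human-chosen "12 characters" built from a word, a year and an exclamation mark falls to the dictionary attack in section 1 long before anyone has to search its keyspace, which is why the generator, not the rule of thumb, is the thing to rely on.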

Use a password manager

The average user in 2022 holds around 20 to 30 different online accounts, and each of these should be protected with a robust password. It’s a lot to ask of one’s memory, so choose a trusted password manager such as LastPass to help you manage your account credentials.

You’ll only need to log in to your password manager once per day or per session with a single master password, and the software will do the rest of the work for you. 

Don’t log in to your accounts on unknown networks

Open and public WiFi networks are the digital equivalent of the wild west: there is plenty of opportunity for threat actors to perform MITM attacks or to infect your devices with malware and other digital nasties. 

If you absolutely must log in to an account from an open WiFi network, make sure your VPN is turned on first to shield your activity from any would-be cybercriminals, only log in over HTTPS, and never click through a certificate warning to reach a login page.

Be suspicious

The best way to prevent successful phishing attacks is to possess a healthy level of suspicion. Does your bank’s app look a little strange? Do the colors on its website seem to have changed slightly? If so, don’t log in. 

Likewise, if you receive an email or a text message where the grammar, spelling, the sender’s address, or something else seems a little “off,” don’t trust the sender and report the message as phishing immediately. If in doubt, go to the site by typing its address yourself rather than following the link.

Follow the tips above to stay safe in the digital realm and prevent threat actors from cracking your passwords, and turn on multi-factor authentication wherever an account offers it, so that a stolen password alone is not enough to get in. Despite the tools and techniques at their disposal, a strong password strategy goes a long way toward protecting your accounts and sensitive data.