Password attacks: How to combat them

General | November 15, 2022 | 3 min read


“Treat your password like your toothbrush. Don’t let anybody else use it, and get a new one every six months.” – Clifford Stoll, Astronomer and engineer

This identity security week, it’s worth revisiting why passwords matter in cybersecurity, how easily they can be compromised if you are not careful, and how ManageEngine ADSelfService Plus helps fortify your passwords and enhance your organizational security.

It’s 2022—Are passwords still relevant today?

Technology is fast-paced. A lot has evolved in cybersecurity over the last few years—security norms, device smartness, biometric authentication, and security best practices. But one thing has never lost its significance: the password.

Passwords still serve as the simplest and most effective means to guard access to data, privileged accounts, or most digital resources. Passwords never go out of fashion because they are easy to use, easy to change if needed, cost-effective, and do not demand additional software or hardware to function.

Where there are passwords, there are password attacks

Passwords, being pivotal in identity security, are also prone to numerous security attacks. A password attack occurs when a threat actor tries to gain illicit access to a resource that is protected by a password, either by maliciously cracking, guessing, or stealing the password.

Protecting passwords against attacks is no small task, given the many varieties of password attacks that hackers have mastered. A blog on data breaches by The Data Administration Newsletter states that hackers steal an average of 75 records every second. Here are some prevalent password attacks:

  • Phishing: Attackers send fraudulent emails or messages that convince users to click disguised but malicious links that extract passwords.

  • Brute-force attack: This trial-and-error method features threat actors trying many passwords to gain access to a resource. Password guessing, password spraying, dictionary attack, and credential stuffing are some of the common types.

  • Keylogger attack: Attackers use keylogger malware, which records every keystroke a user makes, to obtain their password.

  • Man-in-the-middle attack: As the name suggests, in this attack, hackers position themselves in between a user and a website the user is trying to access. They disguise themselves as the legitimate website and redirect users to a fraudulent one where the users are tricked into providing sensitive information.

  • Social engineering attack: In this attack, hackers psychologically manipulate users to reveal sensitive information. They attempt to create a sense of curiosity, fear, or urgency in users through SMS, email, or direct call-based interactions. Phishing is also a type of social engineering attack.

Fret not—The power to enhance your password security lies in your hands

With the right measures in place, you can achieve impeccable password strength and a great security posture. These security measures combat password attacks:

  • Strong password policies: Enforcing strong password policies in your organization helps employees choose passwords that satisfy the strong password requirements of various compliance regulations.

  • MFA: Mandating MFA with passwords ensures that attackers do not gain access to resources even if they have stolen or hacked passwords.

  • Employee awareness: Educating employees about password attacks and password strength is key to helping them set strong passwords and avoid inadequate, easily hacked choices like “123456” and “Qwerty123”.

ADSelfService Plus can help improve your company’s password profile

ManageEngine ADSelfService Plus is an identity security and Zero Trust solution that helps your organization enforce strong, custom password policies; adaptive MFA; self-service password management; and more.

ADSelfService Plus’ Password Policy Enforcer allows you to enforce custom password requirements like mandating the number of special characters, restricting consecutive characters from usernames or previous passwords, and restricting custom dictionary words and patterns. The Password Strength Analyzer helps your users create secure passwords by displaying the strength of the password during creation. ADSelfService Plus also offers context-based MFA with 19 different authentication factors to secure user identities.

Deploying ADSelfService Plus helps your organization comply with password and data compliance standards, like the NIST SP 800-63B, the GDPR, PCI DSS, and SOX.

To discover more about ADSelfService Plus’ identity security offerings, schedule a free, personalized web demo with a product expert. To try ADSelfService Plus for yourself, download a 30-day, free trial.

Next in the series – How not to become a corporate account takeover victim 101.