What Is a Password Guessing Attack?
Hackers never rest, and this truth is nowhere more apparent than in the world of password security.
What is a password guessing attack? A password guessing attack is the use of brute-force techniques to attempt to guess a password and break into a user’s account.
Primary Forms of Password Attacks
Authentication systems that use passwords are vulnerable precisely because of their ease of use. That is because it’s so easy to implement password systems (especially when considering how much power such systems place in the hands of the user) it also seems equally easy to crack these systems.
And the truth is modern technology has yet to make it easy to maintain strong password security. Always-on SaaS accounts provide unfortunate honey pots for hackers, and users with dozens, if not hundreds, of passwords will often cut corners by using common password phrases and reusing these passwords all over the place.
Because users and technology are often so predictable, there have been an equally predictable and effective set of hacks in place that malicious users have deployed to compromise user accounts since the advent of networked computing.
Some of these password attacks include:
- Brute-Force Guessing: The simplest of simple, brute-force guessing is the use of a list of passwords thrown at an authentication interface with the hopes that, over time, the password will be stumbled upon.
- Dictionary Attacks: A more refined form of guessing attack, dictionaries use curated lists of common phrases, password permutations, and other potential keys to breaking into accounts.
These dictionaries can be more or less sophisticated. Some may include highly-specific password combinations gleaned from other sources, such as social engineering attacks or database breaches (a form of attack known as credential stuffing).
- Password Spraying: While dictionary attacks go in-depth by attacking a single account with a lengthy list, password spraying takes the opposite approach by attempting to attack multiple accounts over time using common phrases.
These breadth-focused attacks can play the numbers game by locating users with poor password hygiene from a large pool.
- Phishing: Phishing attacks are a form of social engineering in which attackers send emails, SMS texts, or other forms of communication to fool users into giving up their passwords. Phishing attacks are often the most popular form of attack and can complement guessing approaches by feeding common passwords.
Password Guessing vs. Password Cracking
Password guessing and password cracking are two terms often used interchangeably. And, to be fair, there are several similarities between the two. However, they are also different in very general ways.
A password guessing attack is one where the attacker uses some tool to guess the password. Dictionary attacks, credential stuffing, brute-force attacks and password spraying are all forms of guessing attacks.
Password cracking, on the other hand, more often refers to offline attempts to break passwords, typically from stolen databases. These attempts can sometimes include brute-force encryption breaking or rainbow table cracking. Other approaches, like dictionary attacks, can be used to crack passwords on local machines or software access.
A few types of attacks will sometimes get lumped into the cracking/guessing conversation. Man-in-the-Middle attacks and malware keyloggers are threats to passwords. Still, they don’t fall under either guessing or cracking because neither involves actually breaking a password (they involve stealing it).
Best Practices for Preventing Password Guessing
There are some basic best practices that an organization can put into place to mitigate guessing attacks. In the year 2023, these best practices are generally expected to be in place at almost any enterprise organization. Most consumer products will include one or more of these.
These best practices include:
- Require Strong Passwords: Long, irregular, and complex passwords are much harder, if not impossible, for guessing attacks to succeed.
The philosophy behind what constitutes a strong password may differ from one expert to the next, but generally speaking, passwords over 8-10 characters, using a variety of characters (upper- and lowercase letters, numbers, special characters), and not matching or resembling any common words or phrases.
- Force Changes of Default Passwords: Many software packages and platforms will come with a default password so users can access their accounts for the first time. One of the biggest mistakes many hardware and software users make is not changing the default password–which is easy to do when not prompted.
Hackers who know common passwords for hardware types can easily guess their way into access. That’s why you must force users to change their defaults before they can access system features.
- Implement Login Attempt Limits: Guessing attacks will rely on one common capability before any other; the ability to repeatedly submit credentials to the same account until they gain access.
The straightforward solution is to make sure that no user can repeatedly attempt to login to the same performance and fail without any system response. By limiting login attempts, you can effectively stop a password guessing attack.
- Implement Multi-Factor Authentication: Single-factor password authentication limits the security available for user accounts. If a password is cracked by some hacker halfway across the world, the system cannot address the issue.
Implementing MFA measures can eliminate cracking issues because the cracker cannot spoof biometrics or gain access to email accounts or mobile devices.
- Use Passwordless Authentication: if there isn’t a password to enter, the hacker can’t guess the password. While passwords won’t 100% mitigate all attacks, they will go a long way in eliminating basic authentication attacks like cracking, guessing, and even password theft.
Use 1Kosmos Passwordless Authentication to Eliminate Password Guessing Attacks
When it comes to real and long-lasting investments in authentication security, it’s necessary to get solutions that can provide password protection from front to back. That means having real security on the backend to avoid hacks and streamlined protection on the front end to mitigate guessing and phishing attacks.
1Kosmos BlockID provides such security backed by the decentralized private blockchain and robust biometrics and MFA, BlockID also makes onboarding simple and authentication a breeze.
1Kosmos comes with the following features:
- Identity-Based Authentication: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through credential triangulation and identity verification.
- Identity Proofing: BlockID verifies identity anywhere, anytime and on any device with over 99% accuracy.
- Privacy by Design: Embedding privacy into the design of our ecosystem is a core principle of 1Kosmos. We protect personally identifiable information in a distributed identity architecture, and the encrypted data is only accessible by the user.
- Private and Permissioned Blockchain: 1Kosmos protects personally identifiable information in a private and permissioned blockchain, encrypts digital identities, and is only accessible by the user. The distributed properties ensure no databases to breach or honeypots for hackers to target.
- Interoperability: BlockID can readily integrate with existing infrastructure through its 50+ out-of-the-box integrations or via API/SDK.
Sign up for our newsletter to learn more about how BlockID can support real security and help mitigate phishing attacks. Also, read our whitepaper on how to Go Beyond Passwordless Solutions.