Cracked Wide Open
Over the past decade, the number of data breaches in almost all industries has skyrocketed. From healthcare to finance, user credentials have become both the tool of cyberattack and one of its primary targets. The 2021 Verizon DBIR report indicated that upwards of 61% of breaches involved leveraged credentials.
Communicating clearly about the problem
The Open Web Application Security Project (OWASP) is a nonprofit foundation that improves software security. OWASP recently produced an Automated Threat Handbook intended to provide a common language for developers, business executives, cybersecurity professionals to communicate and tackle the overarching issues.
Within their digital handbook, OWASP provides a list of umbrella terms describing types of threats and attack methods—from Spamming and Sniping to Ad Fraud and CAPTCHA Defeat. OWASP calls out “Credential Cracking” as a top-level term related to credentials.
Credential cracking is the process of “identifying valid login credentials by trying different values for usernames and/or passwords.” Underneath this umbrella category of credential cracking, there are several more specific terms. These variations include: “Brute-force attacks against sign-in”; “Brute forcing login credentials”; “Brute-force password cracking”; “Cracking login credentials”; “Password brute-forcing”; “Password cracking”; “Reverse brute force attack”; and “Username cracking; Username enumeration.” All these techniques involve cybercriminals interacting with a User Identity Authorization Process to identify valid credentials.
OWASP also calls out “Credential Stuffing” as another top-level category due to how frequently it occurs. Credential stuffing is fundamentally a form of credential cracking but explicitly involves the large-scale use of username/password pairs to verify which credentials are valid.
With any of these techniques, once the hacker has found valid login credentials, the real problems begin. Not only can credentials be used to infect a system with malware or disrupt an entire network, but they can be bought and sold as a commodity. For example, bad actors might sell high-value credentials individually or trade them on the dark web.
Taking next steps to protect your organization
The issue of compromised credentials seems daunting, but fortunately, there are some solutions out there. There are several countermeasures that organizations can take:
- Preventing users from selecting passwords circulated on the web
- Applying throttling after multiple login attempts
- Employing multifactor authentication
- Continuous monitoring for compromised credentials
One of the most streamlined and effective ways to combat the credential crisis is to screen passwords against those leaked on the dark web. Simply preventing users from re-using passwords found on these unsafe password lists goes a long way to limit cybercriminals cracking efforts.