Attacks on credentials are the easiest and most effective way for attackers to gain access to servers and private resources.
- In 2009, an attacker cracked a password to a support staff account at Twitter, and gained access to an admin control panel. This allowed them to hijack many user accounts, including the account of the U.S. President. What was the password to the support staff account? It was "happiness".

Credentials are a standard feature of every website. Developers use credentials to configure the server and to upload code. Users have credentials which allow them to log in to password-protected areas of the site. Credentials can grant an attacker easy access to do harm. There are several attacks which can be made on credentials. There's credential theft, brute-force attacks, dictionary attacks, and credential stuffing.

Credential theft is pretty straightforward. Someone discovers your username and password. Hopefully, you already know better than to keep your credentials on a Post-it note next to your monitor. You should also be careful about sending passwords over email. There's a small threat of it being viewed in transit, but the larger threat is in storage. Emails get filed away, stored for years, and are searchable. Your security will depend on data stored on someone else's computer. In 2014, the CEO of Sony Pictures learned that lesson the hard way. After a major data breach, all of his emails were posted online, including one where he'd forgotten his password and his assistant, helpfully, sent it to him. Data breaches are the most common source of credential theft. It's become common for an entire database of user credentials to be exposed. These databases are valuable to hackers. They're shared and sold before they eventually become publicly available. Hopefully, the passwords in the database are well-encrypted and not in plain text, but even encrypted passwords can be discovered if a hacker has enough time and motivation.

A brute-force attack is when an attacker uses software to try every combination of characters in order to guess a password. It is trial and error. They could attempt a brute-force attack against a log-in page, or if they have a database of encrypted passwords from a data breach, they can try to brute-force each one by running guesses through an encryption algorithm until a result matches the encrypted password. The total time necessary to try all combinations of a password depends on several variables: the possible characters, the length of the password, and the speed of each attempt. The number of character possibilities raised to the power of the length tells you how many combinations there are. Then you multiply that by how fast a computer can try each one, to find out how long it takes to try them all. Now, this is not the actual time. If your password was a repeated lowercase A, then it might be the very first password tried. This is the total time to try all possibilities. It's like searching for a needle in a haystack. Since we can't know where the needle will be located inside the haystack, or even how the search will proceed, we use the size of the haystack as a way to measure the strength of the password. Time per attempt decreases as computers become faster. Botnets and distributed computing allow for millions of guesses per second. Specialized hardware rigs can try billions of guesses per second. The other variables have to increase in order to keep a password difficult to guess using brute force. We'll talk about how to do that in a moment.

A dictionary attack is also a brute-force attack, but it's one which prioritizes words in a dictionary over random combinations. Users prefer passwords with common words because they're easy to remember. But attackers know this fact, so they prioritize dictionary words first. It does not change the total time required to try every combination, but it can greatly reduce the actual time required to find the correct password. A dictionary for guessing passwords is not just a basic dictionary like Webster's. It includes common passwords like password1234, qwerty, and letmein. It includes inventive spellings and letter substitutions. Most importantly, it includes millions of passwords which have been made public by large database breaches. If a password was used once, it becomes a good candidate to try again. For example, the password NCC-1701 often shows up in leaked databases. It may seem random at first glance, but to the many fans of Star Trek, it's the registry number of the USS Enterprise.

This leads us to credential stuffing. As soon as a database breach happens, attackers race to other sites around the internet and try these newly discovered credentials. They know users frequently choose the same usernames and passwords. If it works on one website, it may work somewhere else. They use an automated process which can quickly try many credentials across many sites. Credential stuffing is an effective attack, which is rapidly growing in popularity. It's become so popular that a successful hacker's first action is usually changing the account password in order to block access to the other hackers who are also trying credential stuffing. Understanding these common attacks on credentials is the first step to preventing them.
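The following Python script is an added example, not part of the course transcript, that puts numbers on the brute-force arithmetic described above (character set size raised to the password length, divided by the guess rate) and then runs the dictionary and brute-force attacks against a small, constructed list of password hashes. It also contrasts unsalted hashes, where one wordlist can be hashed once and matched against every leaked hash, with per-user salted hashes, where each hash has to be attacked on its own. The wordlist, the sample hashes and all function names are constructed for this illustration; SHA-256 is used only because it is fast and ubiquitous, which is exactly why it is a poor choice for storing passwords.

```python
"""Added example (not from the course): brute-force cost arithmetic and a
dictionary attack on a constructed list of password hashes.
All sample data below is made up for illustration."""
import hashlib
import itertools
import os
import string

SECONDS_PER_DAY = 86_400


def search_space(charset_size: int, length: int) -> int:
    """Total number of candidate passwords: charset_size ** length."""
    return charset_size ** length


def time_to_exhaust_seconds(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at the given guess rate.
    The actual time to hit a specific password can be far lower."""
    return search_space(charset_size, length) / guesses_per_second


def sha256_hex(password: str, salt: bytes = b"") -> str:
    """Unsalted (salt=b'') or salted SHA-256 of a password, hex encoded."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def brute_force_hash(target_hex: str, charset: str, max_length: int):
    """Try every combination up to max_length characters against one unsalted hash.
    Returns (password, attempts) on success or (None, attempts) when exhausted."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, attempts
    return None, attempts


def dictionary_attack_unsalted(leaked_hashes, wordlist):
    """Hash each wordlist entry once, then look up every leaked hash in that table.
    Cost is len(wordlist) hashes no matter how many accounts were leaked."""
    table = {sha256_hex(word): word for word in wordlist}
    return {h: table[h] for h in leaked_hashes if h in table}


def dictionary_attack_salted(leaked_records, wordlist):
    """leaked_records: list of (salt_bytes, hash_hex). A per-user salt defeats the
    shared lookup table: every record costs a full pass over the wordlist.
    Returns ({hash_hex: password}, total_hash_operations)."""
    recovered, work = {}, 0
    for salt, h in leaked_records:
        for word in wordlist:
            work += 1
            if sha256_hex(word, salt) == h:
                recovered[h] = word
                break
    return recovered, work


def credential_stuffing_candidates(breached_pairs, other_site_usernames):
    """Breached (username, password) pairs worth replaying against another site:
    the ones whose username also exists there."""
    known = set(other_site_usernames)
    return [(u, p) for u, p in breached_pairs if u in known]


# Constructed sample data: a tiny "cracking dictionary" and a fake breach dump.
WORDLIST = ["password1234", "qwerty", "letmein", "NCC-1701", "happiness", "summer2019"]
LEAKED_UNSALTED = [sha256_hex("letmein"), sha256_hex("NCC-1701"), sha256_hex("Tr0ub4dor&3")]
_SALTS = [os.urandom(16) for _ in range(3)]
LEAKED_SALTED = [(s, sha256_hex(p, s)) for s, p in zip(_SALTS, ["letmein", "NCC-1701", "Tr0ub4dor&3"])]
BREACHED_PAIRS = [("alice", "NCC-1701"), ("bob", "letmein"), ("carol", "happiness")]
OTHER_SITE_USERS = ["alice", "carol", "dave"]

if __name__ == "__main__":
    printable = len(string.ascii_letters + string.digits + string.punctuation)  # 94
    for length in (8, 12):
        days = time_to_exhaust_seconds(printable, length, 1e9) / SECONDS_PER_DAY
        print(f"{printable}^{length} at 1e9 guesses/s: {days:,.1f} days to exhaust")
    print("brute force:", brute_force_hash(sha256_hex("aab"), string.ascii_lowercase, 3))
    print("unsalted dictionary hits:", dictionary_attack_unsalted(LEAKED_UNSALTED, WORDLIST))
    print("salted dictionary hits, work:", dictionary_attack_salted(LEAKED_SALTED, WORDLIST))
    print("stuffing candidates:", credential_stuffing_candidates(BREACHED_PAIRS, OTHER_SITE_USERS))
```

Run it to see the three knobs from the transcript interact: 94 printable characters at length 8 is exhausted in about 77 days at a billion guesses per second, while length 12 takes millions of years. The salted run recovers the same two dictionary passwords but reports far more hash operations than the unsalted run, because the precomputed table is useless when every account has its own salt; using a deliberately slow hash such as bcrypt or Argon2 instead of SHA-256 pushes the per-guess cost up further.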