InfoSec / Cyber

Hands typing in a password field, showing the password field as asterisks

Types of Cyber Attacks: Password Attacks

Malicious threat actors (hackers) are always developing new techniques to breach passwords.  This article lists the different types of password attacks and some defences/counter-measures which can be used to enhance password security.  In our experience, hackers are most successful at accessing school systems unlawfully using these methods.  Passwords continue to be a primary target for cyber criminals seeking unauthorised access to accounts.

Password security is a shared responsibility and proactive measures can go a long way in preserving online safety.

  1. Brute Force Attacks - involve systematically attempting all possible combinations of characters until the correct password is discovered.  Ways to mitigate brute force attacks are account lockouts or measures like CAPTCHA to slow the repeated login attempts down.
  2. Dictionary Attacks - the attacker uses a precompiled list of commonly used passwords, dictionary words, and known phrases.  By systematically trying each entry, they can gain access to an account.  Counter measures would include enforcing strong password policies, such as password complexity requirements.
  3. Phishing Attacks - involve the hacker tricking users into revealing their passwords through fraudulent means.  Attackers typically send deceptive emails, masquerade as legitimate organisations or create fake login pages to steal user credentials. To combat phishing attacks, individuals should be cautious while opening emails, double-check the authenticity of the websites and enable multi factor authentication to add an extra layer of protection.  View our article: A guide to multi-factor authentication.  Run a phishing campaign through our Knowledge Bank (which all our customers have access to).
  4. Keylogger Attacks - are malicious software of hardware devices designed to record a user's keystrokes, including passwords.  These captured keystrokes are then transmitted to the attacker for analysis.  To prevent keylogger attacks maintain up-to-date antivirus software, avoid downloading files from untrusted sources and use virtual keyboards when entering passwords on public computers.
  5. Rainbow Table Attacks - attackers use precomputed tables containing a vast number of password hashes and their corresponding plain text passwords. by comparing the stolen password hashes with the entries in the table, they can rapidly discover the original passwords.  Implementing robust cryptographic techniques can effectively mitigate rainbow table attacks.
  6. Credential Stuffing - exploits the fact that many users reuse passwords across multiple platforms.  Attackers obtain username-password combinations from data breaches on other websites and systematically try them on other platforms.  To combat credential stuffing, users must adopt unique passwords for each service and utilise password managers to generate and store complex passwords securely.

Defences and Counter-Measures

  • Use a complex password and multi factor authentication
  • Lock accounts after a number of successful attempts
  • Check your physical hardware
  • Run a virus scan
  • Monitor your account compromises. Use to check whether your email address is connected to any recent leaks and so vulnerable.
  • Enable encryption on your router
  • Use a VPN

Use our Password Checklist to see how robust your password policies and procedures are.

Further guidance from the NCSC about passwords: Password Policy: updating your approach.

Visit our Password Best Practice Library for help and guidance.

Read our article about passwords: Passwords - simplifying the approach.

ICO Password guidance: Passwords in online services.

What to do in the event of a cyber attack?

Tell someone!  Report to IT. Report to SLT. 

Unplug the computer from the internet by removing the ethernet cable or turning the Wi-Fi off.

If you are a victim of a ransomware attack we would recommend reporting this to Action Fraud: as well as your data protection officer so they can advise about the data loss.  Most cyber crimes like these will also need to be reported to the ICO by your data protection officer.

Isolate the infected device and pass to IT 

Always ensure there are backups you can restore from.

Little Guide to ACTION FRAUD