Phishable: Password

What are passwords?

Passwords are secret character sequences or phrases that are used to authenticate and verify the identity of a user, allowing them to access a computer system, application, or digital resource.

Why are they phishable?

We all know why passwords are bad, but the one crucial factor that we would like to call out is that they are shared.

Passwords are shared between the user, the system they are authenticating into, and everything that connects the two (proxies, networks, etc.). This in turn creates a very large attack surface for an adversary, and password reuse only magnifies that surface.

Common attacks on passwords

  • Brute Force / Dictionary Attacks / Credential Stuffing: all of these attacks involve systematically trying candidate credentials, then reusing any that succeed against other systems.
  • AitM (Adversary-in-the-Middle): a convincingly fake login phishing website created by an adversary can capture credentials. Check out some of our AitM exploits here.
  • Password Reset Attacks: these attacks exploit the password reset mechanism. Common methods include social engineering to impersonate a customer success representative, SIM swapping, and phishing.
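Detection logic for the first bullet, written from the defender's side, as an added example that is not part of this page or of Beyond Identity's product: over constructed sign-in events it flags a source that hammers one account (brute force / dictionary) and a source that walks many accounts and gets one accepted (credential stuffing, i.e. a reused password working). The log format and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real logs):
# (timestamp, source IP, username, outcome)
SAMPLE_EVENTS = [
    ("2024-01-01T10:00:00", "198.51.100.7", "alice", "fail"),
    ("2024-01-01T10:00:01", "198.51.100.7", "bob", "fail"),
    ("2024-01-01T10:00:02", "198.51.100.7", "carol", "fail"),
    ("2024-01-01T10:00:03", "198.51.100.7", "dave", "success"),
    ("2024-01-01T10:00:04", "198.51.100.7", "erin", "fail"),
    ("2024-01-01T10:05:00", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T10:05:10", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T10:05:20", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T10:05:30", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T10:05:40", "203.0.113.9", "alice", "fail"),
    ("2024-01-01T11:00:00", "192.0.2.5", "gina", "success"),
]


def detect_password_attacks(events, window_seconds=300, min_attempts=5):
    """Return (source_ip, kind, detail) alerts, one per offending source.
    brute_force: one source keeps guessing at a single account.
    credential_stuffing: one source walks many accounts; a success in
    that burst is a reused password being accepted. Thresholds are
    illustrative assumptions.
    """
    by_ip = defaultdict(list)
    for ts, ip, user, outcome in events:
        by_ip[ip].append((datetime.fromisoformat(ts), user, outcome))
    alerts = []
    for ip, evs in by_ip.items():
        evs.sort()
        start = 0
        for end in range(len(evs)):
            # slide the window so it spans at most window_seconds
            while (evs[end][0] - evs[start][0]).total_seconds() > window_seconds:
                start += 1
            burst = evs[start:end + 1]
            if len(burst) < min_attempts:
                continue
            users = {u for _, u, _ in burst}
            hits = sorted(u for _, u, o in burst if o == "success")
            if len(users) == 1:
                alerts.append((ip, "brute_force", f"{len(burst)} tries on {burst[0][1]}"))
                break
            if len(users) >= min_attempts:
                alerts.append((ip, "credential_stuffing", f"{len(users)} accounts, accepted: {hits}"))
                break
    return alerts
```

A success inside a stuffing burst is the event worth paging on, since it means a password reused from another breach was accepted.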

What should you do if your organization uses passwords?

If your organization currently relies on passwords for authentication, we recommend the following steps for improvement:

1. Implement multi-factor authentication (MFA) wherever possible to add an extra layer of security.
2. Implement phish-resistant MFA, such as Beyond Identity, for hardened security.

If you want to see what other steps you can take to improve your overall security, check out our zero trust assessment for a full analysis on your authentication and device management practices.
