Security & Compliance

Password Hacking: How Passwords are Breached

“Your application has been hacked” is probably one of the last lines a SaaS executive wants to hear today. CISOs and security teams also know this. Unfortunately, poor authentication and authorization implementation is still common across multiple platforms, leaving hackers with a big(ger) attack surface to exploit. Let’s learn more about password hacking and how to ensure secure SaaS authentication standards with proper user management. 

Password authentication is basically a process where the end user inputs a unique ID and key to try and access the application or website. The provided info is verified against previously recorded and stored credentials that are stored in dedicated servers, which can be on-prem or in the cloud. But more often than not, passwords get recycled or are not strong enough. This is exactly what hackers are looking for.

It doesn’t really matter if you have enabled SSO authentication, MFA authentication, or other methodologies. Once your defenses have been penetrated, you’re looking at a large-scale breach with many business, legal, and regulatory implications. Read on to learn more to understand the dangers you are facing and why SSO implementation and other moves have to be made with careful planning today. 

Top 5 Password Breach Techniques

Cybercrime is evolving and so are the techniques used to harvest passwords. In no specific order, here are 5 popular methodologies implemented by the bad guys.

  1. Phishing – This growing hacking technique exploits the weakest link in the ecosystem – human beings. This social engineering methodology basically manipulates end-users or company employees into providing their personal and payment information by sending them malicious requests that are masked as legit website links via emails, text messages, and online ads.
Phishing attack example.
Courtesy: Malwarebytes Labs
  1. Credential Stuffing – Another popular password hacking technique is credential stuffing, also known in cybersecurity circles as list cleaning – the process of automated testing of stolen credentials against usernames, passwords, and other info.. Security researchers believe that millions of user accounts are checked out by hackers using this technique on a daily basis.
  2. Keylogging – Although not common like the aforementioned techniques due to the complexity involved, this kind of exploit can allow hackers to gain access to your personal information by contaminating your machine or network. How is it performed? With targeted and well-crafted attacks that are followed by the installation of the actual keylogging malware.
  3. Password Spraying – How many times have you used your nickname or spouse’s name as a password? This phenomenon is more common than you think and the hackers are aware of it. They run commonly used passwords and number combos (111111, 123456, etc.) against user accounts until they hit the jackpot. More than 15% of password exploits are executed like this.
  4. Brute Force – The likelihood of falling prey to this kind of attack is the lowest in this list, but brute force is still used by many hackers and criminal organizations. As the name suggests, tools like “DaveGrohl” and “Aircrack-ng” are used to try and crack passwords with “dictionary attacks”, while there are also hackers who access the hash of plain-text passwords.
Password hacking techniques.
Courtesy: CTM360

Hackers are also exploiting other loopholes like network vulnerabilities, where they use network sniffers and analyzers to intercept data packets containing passwords.

Related: Authentication Standoff: OAuth2 vs OIDC vs SAML

Password Breach Incidents are Escalating

Stolen passwords can unlock your database or expose sensitive business data when not managed properly. 61% of data breaches are initiated via leveraged credentials.

Twitter experienced a disastrous password exploit in May 2018, which impacted more than 300 million users. The culprit was the unencrypted and unsecured storage of passwords in an internal log, making them accessible and visible to all internal users. Twitter still claims that there was no indication of a breach, but this still doesn’t change the fact that so much information was exposed for months.

A year later, a similar incident happened with Facebook, with more than 500 million users potentially impacted. The primary exploit was related to Mexican media company Cultura Colectiva’s Facebook datasets, which were simply found to be  exposed to hackers and malicious bodies. Another weak-link was “At the Pool”, a third-party app, which also leaked thousands of passwords and personal profiles.

Here are some best practices you must adopt to start creating a safer ecosystem:

  • Communicate issues and risks with your active users
  • Clean and delete inactive user accounts on an ongoing basis
  • Update your third-party software and apply all available patches
  • Watch out for breaches and inform your users about new exploits
  • Create a proper incident response plan to minimize collateral damage
Always communicate password exploits to your users.

Unfortunately, even these security measures and best practices won’t get you far if you are not implementing a comprehensive end-to-end password authentication and user management solution that stores data securely. With organizations scaling up (and down) unexpectedly, only a dynamic and flexible solution can help you steer clear of malicious activity and achieve true data privacy compliance.

Authentication is the Gateway to Your Application

With the rapid digitalization induced by COVID-19 and the emergence of Product-Led Growth (PLG), you need to enhance your user management capabilities to elevate user satisfaction and as explained in this article – constantly improve security standards. Your end-to-end user management solution should ideally be multi-tenant by design and enable smooth scaling up capabilities.

There are many open-source (OS) solutions available today, with Keycloak, Ory-Kratos, Flask-base, and UserFrosting being the most popular ones.

These OS user management solutions give you the ability to enjoy the benefits of having ongoing community support and enhanced visibility, but they are also a double-edged sword because they can be tricky to deploy, integrate, and scale. Furthermore, lack of ongoing security updates in OS tools mean that you are unknowingly creating security and compliance blind spots in your application.

One look at the OWASP Top-10 is enough to understand the risks apps are facing and this includes improper authentication. Having an end-to-end user management solution with secure role based authorization and a granular security policy, all via a centralised dashboard for maximum visibility, automated reporting/alerting, and real-time user activity insights, is the best way to stay secure today. 

The time to protect your SaaS infrastructure and elevate your performance is now.