Microsoft: passwords, a perennially tempting target for attackers

Nearly a thousand password attacks are attempted every second, and attackers are more determined than ever, with the number of such attacks still rising. These figures come from Microsoft's Digital Defense Report 2022, which summarizes the analysis of billions of alerts and signals collected across the Redmond giant's ecosystem of products and services.

Sharply increasing

According to the report, account passwords remain attackers' primary target. Microsoft estimates the volume of password attacks at around 921 attempts per second, a 74% increase in one year.

To obtain a password, attackers first try brute force against simple, common passwords: a list of candidate passwords is tested against the login endpoint until one works. They also use credential stuffing, which replays usernames and passwords leaked from one breach against other services, relying on the fact that many people reuse the same password. Finally, they turn to phishing to trick victims into handing over their credentials themselves.
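The first two techniques leave different footprints on the server side, and that difference is what a defender looks for. The following Python is an added illustration, not code from Microsoft's report or from the article: it parses a constructed authentication log (the line format, the thresholds and the sample entries are all assumptions for this example) and separates a classic brute-force pattern (many failures against one account from one source) from a credential-stuffing or password-spray pattern (one source failing against many different accounts with only one or two tries each).

```python
"""Classify failed-login patterns in an authentication log (added example)."""
import re
from collections import defaultdict

# Assumed log format for this example: "<timestamp> auth fail user=<name> src=<ip>"
LINE_RE = re.compile(r"^(?P<ts>\S+) auth fail user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample log, not real data. 203.0.113.5 hammers one account (brute force);
# 198.51.100.7 tries five different accounts once each (credential stuffing / spray);
# 192.0.2.9 is a single benign typo.
SAMPLE_LOG = """\
2022-11-03T10:00:01Z auth fail user=alice src=203.0.113.5
2022-11-03T10:00:02Z auth fail user=alice src=203.0.113.5
2022-11-03T10:00:03Z auth fail user=alice src=203.0.113.5
2022-11-03T10:00:04Z auth fail user=alice src=203.0.113.5
2022-11-03T10:00:05Z auth fail user=alice src=203.0.113.5
2022-11-03T10:00:06Z auth fail user=alice src=203.0.113.5
2022-11-03T10:05:00Z auth fail user=bob src=198.51.100.7
2022-11-03T10:05:01Z auth fail user=carol src=198.51.100.7
2022-11-03T10:05:02Z auth fail user=dave src=198.51.100.7
2022-11-03T10:05:03Z auth fail user=erin src=198.51.100.7
2022-11-03T10:05:04Z auth fail user=frank src=198.51.100.7
2022-11-03T10:07:00Z auth ok user=alice src=10.0.0.12
2022-11-03T10:07:30Z auth fail user=grace src=192.0.2.9
"""


def parse_failures(log_text):
    """Yield (user, src) for every failed-login line; anything else is ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield m.group("user"), m.group("src")


def classify_failures(log_text, per_account_threshold=5, per_source_users=5):
    """Return suspected brute-force (user, src) pairs and stuffing/spray sources.

    Thresholds are illustrative assumptions; tune them to the real login volume.
    """
    failures_per_account = defaultdict(int)   # (user, src) -> failed attempts
    users_per_source = defaultdict(set)       # src -> distinct accounts that failed
    for user, src in parse_failures(log_text):
        failures_per_account[(user, src)] += 1
        users_per_source[src].add(user)

    brute_force = sorted(
        key for key, count in failures_per_account.items()
        if count >= per_account_threshold
    )
    stuffing_or_spray = sorted(
        src for src, users in users_per_source.items()
        if len(users) >= per_source_users
    )
    return {"brute_force": brute_force, "credential_stuffing": stuffing_or_spray}


if __name__ == "__main__":
    for label, hits in classify_failures(SAMPLE_LOG).items():
        print(f"{label}: {hits}")
```

Two caveats a practitioner should keep in mind. Credential stuffing and password spraying look identical from the server's side (many accounts, one source, few attempts each); telling them apart would require knowing whether the tried passwords come from a breach corpus, which a server should never log. And counting per source IP only catches the naive attacker: distributed campaigns rotate through proxy pools, so production detection also correlates on user-agent, timing, and the fraction of failures across the whole tenant rather than per address.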

Not enough strong authentication

Microsoft notes that 90% of compromised accounts were not protected by strong authentication, which would have required an additional verification step. The publisher also reports that adoption of multi-factor authentication remains low, even for administrator accounts: fewer than one in three are protected by an additional factor.

Many critical accounts are therefore exposed. A stolen password then serves as the foothold for further malicious activity: theft of sensitive data, malware deployment, ransomware, and so on.

“Many cyberattacks are successful simply because basic hygiene has not been followed,” Microsoft said. The company urges organizations and users to enforce minimum standards to help protect accounts; according to Microsoft, this basic digital hygiene protects against 98% of attacks.

Basic digital hygiene

The first recommendation is therefore to protect accounts with multi-factor authentication, even though MFA is not infallible (phishing kits that relay the second factor in real time and prompt-bombing of push notifications can defeat its weaker forms). Also recommended is a “Zero Trust” model, which denies access to applications and data by default and verifies every request rather than trusting the network. This makes gaining full access to systems harder even when an attacker has already compromised an account.

Software, applications and operating systems must also be kept current with security patches, so that attackers cannot exploit known vulnerabilities to get onto the network.

And if you suspect your password has been compromised, change it immediately. A password manager helps ensure that each account has a strong, unique password, which also blunts credential stuffing: a password leaked from one site cannot then be replayed against another.

Source: “ZDNet.com”
