Types of cyber attacks: password attacks

11.07.2016 |

Episode #4 of the course Cyber security for small business by Cat Paterson


This is exactly what it sounds like—an attack on your or your employees’ passwords to gain wider access to your system(s).

These types of attacks are usually classed as brute force attacks; the attacker uses a piece of software that will continually try random passwords in a trial and error approach to crack your code and break into your system.

Brute force attacks are common on websites, where attackers attempt to gain access to the back-end of the site in order to delete files, inflict damage to files, redirect your website to another destination, or use it as a robot for a wider campaign or attack.

If an attacker gains entry due to weak passwords, even if you don’t hold customer or client data on your site, they can do untold reputational damage. More than once, I’ve tried to access a site only to find a porn site in its place.

Even if you regain control of your site and domain name, do you think potential customers who experienced the redirect will come back to your site? The impact and cost of changing your brand, domain names, and fixing your reputation are essentially priceless.

Can you afford not to be proactive in protecting your digital world?


Protect yourself and your business:

1. Create strong passwords
Avoid the use of passwords that use actual dictionary words or only lowercase letters. These types of passwords are just making it easy for attackers to mount a brute force attack.

2. Replace passwords regularly
Regularly switching and changing passwords is good practice to ensure a higher level of security for your digital world. I know it is so difficult to remember every single password for every single program or app that you access, but what is the cost of not putting this practice in place?

3. Use a password manager
A good way to avoid having to remember hundreds of passwords (and avoid the temptation to reuse the same easy passwords) is to use a password manager There are loads to choose from. My personal favorite is LastPass. You are only required to remember one master password, and it locks all your passwords for every site you log into deep in its secure vaults. You can run security checks from time to time to check for weaknesses and vulnerabilities and schedule password changes that it remembers for you. It can also be used across multiple sites.

4. Beware of disgruntled employees
Ensure you have a practice in place to remove access rights and passwords from any employees leaving your employment. I’ve seen many disgruntled employees change all the passwords to a business’ social media accounts and then continue to post under the name of the organization. As I’m sure you can imagine, carnage! Again, a password manager can assist you with this in a small business where you can automatically remove a person’s access rights when you need to.


In the next lesson, we are going to look at “denial of service” attacks.


Recommended book

“Blue Team Handbook: Incident Response Edition: A condensed field guide for the Cyber Security Incident Responder” by Don Murdoch GSE


Share with friends