Threat actors are constantly changing tactics to bypass cybersecurity measures, developing innovative methods to steal user credentials. Hybrid password attacks combine multiple cracking techniques to increase their effectiveness. These combined approaches take advantage of the strengths of different methods, speeding up the process of cracking passwords.
In this post, we’ll explore hybrid attacks—what they are and the most common types. We’ll also discuss how your organization can protect itself against them.
Hybrid attacks: a mixed approach
Threat actors are always looking for better, more successful ways to crack passwords – and hybrid attacks allow them to combine two different cracking techniques into one attack. By integrating attack methodologies, they can take advantage of the strengths of each method, increasing their chances of success.
And hybrid attacks aren’t limited to just cracking passwords. Cybercriminals regularly combine technical cyberattacks with other tactics, such as social engineering. By approaching the target from different angles, hackers create a complex threat that is more difficult to defend against.
Common types of password attacks
In a hybrid password attack, hackers typically combine two different techniques: brute force and dictionary attacks. By combining a quick iteration of a brute force attack with a list of the most commonly used passwords, hackers can quickly try many credential combinations.
Brute force attack
Think of a brute force attack as a hacker placing a battering ram against your organization’s front door and pounding it repeatedly until they get in. In these persistent, noisy attacks, cybercriminals use software to try every possible combination of characters until they hit the correct decryption key or password. A brute force attack is particularly effective where the user’s password is short or not very complex—and attackers use common base terms found in dictionary lists to give themselves a head start.
Dictionary attack
Remembering passwords can be difficult, so many of us use the same password on different sites or rely on simple password creation standards (like starting with an uppercase letter and ending with a number) to make it easier. But hackers take advantage of this by using dictionary attacks to speed up the password-guessing process.
In a dictionary attack, a cybercriminal uses a list of likely passwords, including commonly used passwords (Password123), common phrases (iloveyou), or keyboard patterns (ASDFG), to increase their chances.
Mask attack
One type of brute force attack is a mask attack, where the hacker knows the organization’s password generation requirements and can direct their guesses to passwords that meet those requirements. For example, a hacker may know that an organization requires user passwords to begin with an uppercase letter, contain eight characters, and end with a number, which lets them narrow the attack parameters considerably. The reality is that if a hacker has any knowledge of the password creation rules, their hybrid attack can happen much faster.
Protection against hybrid password attacks
Hybrid password attacks work so well because they use multiple techniques to simultaneously target weaknesses in business password policies. To build a strong defense against hybrid attacks, your organization must develop strategies to eliminate weak or compromised passwords, and then create stronger password policies to help you stay secure in the future. Hackers take a multi-layered approach to their attacks, and your organization must similarly expand its security defenses. Specific strategies include:
Implement multi-factor authentication (MFA)
One of the best ways to slow down (or prevent) a hack is with multi-factor authentication, which requires users to authenticate with more than just a password. With MFA, you can stop a hacker from accessing an account even if they successfully crack the password. While no strategy (including MFA) can guarantee 100% security, implementing MFA is an important step in your password security strategy.
Require longer passwords
Hackers love easy targets – and the longer the password, the longer it will take for hackers to perform brute force attacks. The reality is that at a certain length it becomes computationally impractical for hackers to successfully execute brute force attacks. Encourage users to create passphrases of 20 characters or more — for example, a combination of three random words like “shoes-doorknob-caterpillar”. This can effectively reduce the risk of a brute force attack.
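To make the two points above concrete (a known password-composition rule shrinks the search space, and length grows it), here is an added example that estimates guess spaces; it is not code from the original post or from Specops. It uses the common ?u/?l/?d/?s mask notation, a 95-character printable alphabet, and an assumed guess rate purely as a placeholder for a defender's "how long would this take" estimate.

```python
"""Estimate how much a known password-composition rule shrinks the guess space.

Added example; the mask notation (?u uppercase, ?l lowercase, ?d digit,
?s symbol, ?a any printable) is the convention used by common cracking
tools, reused here only for the arithmetic. The 8-character rule below
(uppercase first, digit last) is the one described in the post.
"""

# Character-class sizes for the 95 printable ASCII characters.
CHARSET_SIZES = {"?u": 26, "?l": 26, "?d": 10, "?s": 33, "?a": 95}

# Assumed policy from the post: 8 characters, starts uppercase, ends with a digit.
POST_POLICY_MASK = "?u?l?l?l?l?l?l?d"


def mask_guess_space(mask: str) -> int:
    """Number of candidates a mask describes, e.g. '?u?l?l?l?l?l?l?d'."""
    if len(mask) % 2 != 0:
        raise ValueError("mask must be a sequence of two-character tokens")
    space = 1
    for i in range(0, len(mask), 2):
        token = mask[i:i + 2]
        if token not in CHARSET_SIZES:
            raise ValueError(f"unknown mask token {token!r}")
        space *= CHARSET_SIZES[token]
    return space


def full_keyspace(length: int, alphabet: int = 95) -> int:
    """Candidates when nothing is known about structure: every printable character."""
    return alphabet ** length


def reduction_factor(mask: str) -> int:
    """How many times smaller the masked space is than the unstructured space of the same length."""
    length = len(mask) // 2
    return full_keyspace(length) // mask_guess_space(mask)


def passphrase_space(words: int, dictionary_size: int) -> int:
    """Candidates for a passphrase of N words drawn at random from a word list."""
    return dictionary_size ** words


def seconds_to_exhaust(space: int, guesses_per_second: float) -> float:
    """Worst-case time to try every candidate at an assumed guess rate."""
    return space / guesses_per_second


if __name__ == "__main__":
    rate = 1e10  # assumed placeholder rate; real rates depend on the hash and hardware
    masked = mask_guess_space(POST_POLICY_MASK)
    print(f"8-char, unstructured : {full_keyspace(8):.3e} candidates")
    print(f"8-char, post's rule  : {masked:.3e} candidates "
          f"({reduction_factor(POST_POLICY_MASK):,}x smaller)")
    # Three words from a 20,000-word list (assumed dictionary size) for comparison.
    phrase = passphrase_space(3, 20_000)
    print(f"3 random words       : {phrase:.3e} candidates")
    print(f"worst case at {rate:.0e}/s: mask {seconds_to_exhaust(masked, rate):.0f}s, "
          f"passphrase {seconds_to_exhaust(phrase, rate):.0f}s")
```

The useful output is the reduction factor: telling users "uppercase first, digit last, eight characters" hands an attacker a mask that is tens of thousands of times smaller than the unstructured eight-character space, which is why the post recommends length and unpredictability over rigid composition rules.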
Prevent weak passwords and password patterns
As we’ve discussed, many hackers rely on passwords that contain frequently used words or patterns to make them faster and easier to crack. So it stands to reason that if you can prevent users from using these words or patterns, you’ll be taking steps to keep your organization safe.
Audit for compromised passwords
Keeping users from creating weak passwords with a strong password policy is a great strategy, but it can be overcome if passwords are compromised during a phishing attack or hack. That’s why it’s so important to also take advantage of tools that can scan your Active Directory for compromised passwords.
For example, Specops Password Auditor is a free, read-only tool that detects compromised Active Directory passwords. By scanning your users’ passwords against a constantly updated list of over 1 billion unique password combinations, you can quickly identify which accounts are at risk and take immediate action to protect them. Download for free here.
Stronger password policies to protect against hybrid threats
Hybrid threats take advantage of multiple attack methods—and defending against them requires a multi-layered approach. Consider using a tool like Specops Password Policy to enforce your password policy: it continuously checks for and blocks more than 4 billion known compromised passwords and guides users to create strong passwords or passphrases.
Implementing a Specops password policy can significantly strengthen your defenses against hybrid security attacks. Here’s why:
Layered defenses: Hybrid attacks often combine multiple tactics, such as phishing and brute force. A strong password policy adds an extra layer of protection, making it more difficult for attackers to succeed even if they have gained initial access.
Length: Encourage the use of longer passwords, even as passphrases. This makes passwords much harder to crack, even with the sophisticated brute force tools often used in hybrid attacks.
Password hack protection: You can scan and prevent the use of passwords that have been exposed in previous data breaches and malware attacks. This is important because attackers often use credential stuffing techniques with password leaks in hybrid attacks.
Compliance: Many industries have regulations requiring strong passwords. By using the Specops password policy, you can ensure you are compliant, saving yourself from fines and reputational damage.
The stronger your users’ passwords are, the less likely they are to fall victim to hybrid attacks. With Specops tools, you can take a hybrid approach to security, keeping your data and systems safe.
Ready to improve your security against hybrid threats? Sign up for a free trial of Specops Password Policy today.