6 ways passwords can be stolen
Passwords are no longer a guarantee of security. Six ways passwords can be stolen - and how passwordless solutions can prevent this.
ForgeRock cites Verizon's 2023 Data Breach Investigations Report: 86 percent of the breaches covered by the report were due to stolen, weak or outdated passwords, and in 74 percent of them human error, for example falling for a social engineering attack, was also a contributing factor.
Attack methods
In general, attackers have a whole range of approaches to compromising passwords at their disposal, ForgeRock writes. Some of these have existed for years; the use of generative AI in particular has encouraged the development of new ones:
- Social engineering and phishing: These attacks trick users into handing over their passwords through fake emails, websites, text messages or phone calls, and telling the fakes apart from legitimate messages is becoming increasingly difficult. For example, attackers impersonate a company's executives in messages to its employees so that the employees follow the instructions without much questioning and, for instance, disclose intellectual property and other confidential company data.
- Brute force attacks: Attackers systematically try password candidates until they hit the right one. With the tools available today, including ones that use generative AI to produce likely candidates, skilled attackers can test billions of combinations in a short time, so weak passwords in particular are cracked quickly. Rates like that apply mainly to offline attacks against a stolen database of password hashes; a live login that rate-limits or locks out after repeated failures slows an attacker down considerably.
- Credential stuffing attacks: Here attackers rely on users reusing the same password for several accounts. Credentials stolen from one service are replayed against many other services, and every account that shares the password is taken over.
- MFA prompt bombing (bombarding the user with requests): Not even multi-factor authentication (MFA) is a perfect guarantee against attacks. In one of the most sophisticated attack methods of recent years, which also builds on the social engineering principle, an attacker who already holds a user's password logs in again and again, triggering a flood of genuine MFA push notifications on the user's device until an inattentive or worn-down user approves one of them and thereby lets the attacker in.
- Malware: Several types of malware are built specifically to steal login credentials and other confidential information. One such variant is the keylogger (or "keyboard spy"), which records keystrokes on the endpoint so that the attacker can replay the password entry. Other variants monitor the clipboard and process memory for sensitive data and send it to the attacker. A further option is credential harvesters injected directly into websites or applications, where they capture the login form data as it is submitted.
- Generative AI: Attackers are also increasingly using generative AI to crack passwords automatically and to develop new malware faster and more efficiently. It also makes phishing attacks more sophisticated and targeted, and far more convincing than before. In addition, generative AI can be used to build so-called "deep fakes" that combine previously stolen real data, such as tax or Social Security numbers, with fabricated personal details into an entirely new fictitious identity. These synthetic identities can then be used, for example, to apply for loans or credit cards, open accounts, or claim social security benefits or medical services.
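Three of the attacks described above (brute force, credential stuffing and MFA prompt bombing) each leave a distinct trace in an authentication log: many failures against one account from one source, many different accounts tried once each from one source, and a burst of push prompts for one user ending in an approval. The following Python is an added example, not code from the original article or from ForgeRock, showing one way to pick those traces out of a batch of login events. The log format (timestamp, source IP, username, event type), the event names and every log line are constructed for this illustration, and the thresholds are assumptions to be tuned per environment.

```python
"""Added example: classify a batch of authentication events into the attack
patterns discussed above. Log format, event names and sample lines are all
constructed for illustration; thresholds are assumptions."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample log. One line per event: "timestamp ip user kind".
# PW_FAIL / PW_OK  = password rejected / accepted
# MFA_DENY / MFA_TIMEOUT / MFA_OK = one push prompt and how the user answered it
SAMPLE_LOG = """\
2024-03-01T09:00:01Z 198.51.100.7 alice PW_FAIL
2024-03-01T09:00:02Z 198.51.100.7 alice PW_FAIL
2024-03-01T09:00:03Z 198.51.100.7 alice PW_FAIL
2024-03-01T09:00:04Z 198.51.100.7 alice PW_FAIL
2024-03-01T09:00:05Z 198.51.100.7 alice PW_FAIL
2024-03-01T09:00:06Z 198.51.100.7 alice PW_FAIL
2024-03-01T09:10:00Z 203.0.113.9 bob PW_FAIL
2024-03-01T09:10:01Z 203.0.113.9 carol PW_FAIL
2024-03-01T09:10:02Z 203.0.113.9 dave PW_FAIL
2024-03-01T09:10:03Z 203.0.113.9 erin PW_FAIL
2024-03-01T09:10:04Z 203.0.113.9 frank PW_OK
2024-03-01T09:30:00Z 192.0.2.10 heidi PW_OK
2024-03-01T09:30:05Z 192.0.2.10 heidi MFA_OK
2024-03-01T10:15:00Z 192.0.2.5 frank PW_OK
2024-03-01T10:15:10Z 192.0.2.5 frank MFA_DENY
2024-03-01T10:15:40Z 192.0.2.5 frank MFA_TIMEOUT
2024-03-01T10:16:10Z 192.0.2.5 frank MFA_DENY
2024-03-01T10:16:40Z 192.0.2.5 frank MFA_TIMEOUT
2024-03-01T10:17:10Z 192.0.2.5 frank MFA_OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    ip: str
    user: str
    kind: str


def parse_log(text):
    """Parse the constructed 'timestamp ip user kind' format into Event objects."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, ip, user, kind = line.split()
        events.append(Event(datetime.fromisoformat(ts.replace("Z", "+00:00")), ip, user, kind))
    return events


def max_in_window(timestamps, window):
    """Largest number of timestamps that fall inside any span of length `window`."""
    ts = sorted(timestamps)
    best = start = 0
    for end, t in enumerate(ts):
        while t - ts[start] > window:
            start += 1
        best = max(best, end - start + 1)
    return best


def detect(events, window=timedelta(minutes=10), bf_fails=5, stuff_users=5, mfa_prompts=4):
    """Return a set of (pattern, ...) findings. Thresholds are illustrative assumptions."""
    fails = defaultdict(list)                         # (ip, user) -> PW_FAIL timestamps
    attempts = defaultdict(lambda: defaultdict(int))  # ip -> user -> password attempts
    pushes = defaultdict(list)                        # user -> MFA prompt events
    for e in events:
        if e.kind == "PW_FAIL":
            fails[(e.ip, e.user)].append(e.ts)
        if e.kind in ("PW_FAIL", "PW_OK"):
            attempts[e.ip][e.user] += 1
        if e.kind.startswith("MFA_"):
            pushes[e.user].append(e)
    findings = set()
    # Brute force: one source hammers one account with wrong passwords.
    for (ip, user), ts in fails.items():
        if max_in_window(ts, window) >= bf_fails:
            findings.add(("brute_force", ip, user))
    # Credential stuffing: one source tries many accounts, one or two guesses each
    # (a leaked username:password list replayed); outcome is irrelevant, a PW_OK
    # just means a reused password worked. Batch is treated as one window here.
    for ip, per_user in attempts.items():
        if len(per_user) >= stuff_users and max(per_user.values()) <= 2:
            findings.add(("credential_stuffing", ip, len(per_user)))
    # MFA prompt bombing: a burst of push prompts for one user. An approval in the
    # burst means the user most likely gave in, which is the high-severity case.
    for user, evs in pushes.items():
        if max_in_window([e.ts for e in evs], window) >= mfa_prompts:
            findings.add(("mfa_prompt_bombing", user, any(e.kind == "MFA_OK" for e in evs)))
    return findings


def analyze(text):
    """Convenience wrapper: raw log text in, findings out."""
    return detect(parse_log(text))


if __name__ == "__main__":
    for finding in sorted(analyze(SAMPLE_LOG), key=str):
        print(*finding)
```

On the sample, alice is flagged for brute force, 203.0.113.9 for stuffing five accounts, and frank for MFA prompt bombing with the final prompt approved; heidi's ordinary login produces no finding. In practice the credential stuffing check should also be windowed, and all three thresholds need tuning against the baseline failure rate of the environment.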
Passwordless solutions are the future
There are several ways to make password theft harder, but the only way to rule it out entirely is to do away with passwords, according to ForgeRock. Passwordless authentication not only removes the attack surface that stolen credentials provide, it also raises employee productivity and customer satisfaction by simplifying access to systems and services. The result: a more secure enterprise with happier users and less time and money spent on support.