Credential cracking is a cyber security threat that involves identifying valid login credentials by trying different values for user names and/or passwords. In this type of incident, a bad actor such as a cyber criminal will use brute force, dictionary (word list), and guessing attacks against authentication processes of an application to identify valid account credentials, according to the Automated Threat Handbook for Web Applications published by the Open Web Application Security Project (OWASP).
This type of activity might involve the use of common user names or passwords, or initial user name evaluation. Hackers aim these attacks—also known as brute-force attacks against sign-in, brute-force password cracking, cracking login credentials, password brute-forcing, password cracking and username cracking—at users in industries including education, financial services, government, healthcare, retail and technology, according to OWASP.
The organization, a worldwide not-for-profit group focused on improving the security of software, says data commonly misused in such incidents includes authentication credentials, payment cardholder and other financial data, medical and other personal data, intellectual property and other business data, and public information. Once a credential cracking campaign is successful, attackers can block access to the original account owner. But the problem doesn’t end there; malicious users with hijacked credentials will continue on to other areas of the web, attempting to reuse the validated credentials to log in to virtually any other type of account.
Possible symptoms of credential cracking include a relatively high number of failed login attempts; many requests containing variations on account names and/or passwords; an elevated account lock rate; and increased customer complaints about account hijacking through the help center or social media outlets.
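The symptoms listed above can be turned into a simple detector. The following is an added example, not code from the article or from OWASP: it parses a handful of constructed failed-login log lines (the log format, field names and thresholds are all assumptions) and flags source addresses that either rack up many failures in a short window (brute force or dictionary attack against one account) or fail across many distinct usernames (the variations-on-account-names symptom).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication log (not real data). Format is assumed:
# "<ISO timestamp> auth_failed|auth_ok user=<name> src=<ip>"
SAMPLE_LOG = """\
2024-05-01T10:00:01Z auth_failed user=alice src=203.0.113.5
2024-05-01T10:00:02Z auth_failed user=alice src=203.0.113.5
2024-05-01T10:00:03Z auth_failed user=alice src=203.0.113.5
2024-05-01T10:00:04Z auth_failed user=alice src=203.0.113.5
2024-05-01T10:00:05Z auth_failed user=alice src=203.0.113.5
2024-05-01T10:00:06Z auth_failed user=alice src=203.0.113.5
2024-05-01T10:00:10Z auth_failed user=bob src=198.51.100.7
2024-05-01T10:00:11Z auth_failed user=carol src=198.51.100.7
2024-05-01T10:00:12Z auth_failed user=dave src=198.51.100.7
2024-05-01T10:00:13Z auth_failed user=erin src=198.51.100.7
2024-05-01T10:00:14Z auth_failed user=frank src=198.51.100.7
2024-05-01T10:02:00Z auth_failed user=grace src=192.0.2.9
2024-05-01T10:02:30Z auth_ok user=grace src=192.0.2.9
"""

LINE_RE = re.compile(r"^(\S+) (auth_failed|auth_ok) user=(\S+) src=(\S+)$")


def parse_events(text):
    """Return a list of (timestamp, outcome, user, src) tuples; skip unparsable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m.group(2), m.group(3), m.group(4)))
    return events


def detect_cracking(events, window=timedelta(minutes=5), max_failures=5, max_users=4):
    """Flag source addresses whose failed logins inside a sliding window hit
    either threshold. Thresholds are assumed values; tune them to the
    application's normal failure rate. Returns {src: set_of_reasons}."""
    failures = defaultdict(list)  # src -> [(timestamp, user), ...]
    for ts, outcome, user, src in events:
        if outcome == "auth_failed":
            failures[src].append((ts, user))

    flagged = {}
    for src, items in failures.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            # Every failure from this one forward that falls within the window.
            in_window = [u for ts, u in items[i:] if ts - start <= window]
            reasons = set()
            if len(in_window) >= max_failures:
                reasons.add("high_failure_rate")     # hammering one or few accounts
            if len(set(in_window)) >= max_users:
                reasons.add("many_usernames")        # cycling through account names
            if reasons:
                flagged.setdefault(src, set()).update(reasons)
    return flagged


if __name__ == "__main__":
    for src, reasons in detect_cracking(parse_events(SAMPLE_LOG)).items():
        print(src, sorted(reasons))
```

In practice the same logic would also be keyed per target account (to catch a distributed attack that spreads one account's guesses over many source addresses) and fed from the account-lock events the article mentions, rather than only from raw failures.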
But keep in mind that while credential cracking is the most common name for this automated threat type, it is referred to by a wide variety of other names and surfaces in other forms. For example, the term “web cracking,” although slightly broader in scope, exploits the same credential vulnerabilities and operates with equally malicious intent.
“Account cracking” is another common synonym of credential cracking, but emphasizes the threat on authentication credentials of web sites, web apps, and other online infrastructure. Other names related to credential cracking include brute-force attacks against sign-in, brute forcing log-in credentials, brute-force password cracking, cracking login credentials, password brute-forcing, password cracking, reverse brute force attack, username cracking, and username enumeration.
OWASP suggests several countermeasures to address the threat of credential cracking. One is to define test cases for credential cracking that confirm an application will detect and/or prevent users from attempting to guess user names and passwords.
Companies might also consider randomizing the content and URLs of authentication form pages, tying these changes to an individual user’s session, verifying the changes at each authentication step and restricting any identified automated usage. This practice limits the potential for automated attacks, since each route to access an account changes before a malicious user can fully run through their scripted attack.
Other good practices are to identify and restrict automated usage by fingerprinting before a credential cracking attack can occur, and identifying and restricting automated usage by reputation methods. In particular, organizations should consider using geolocation and/or IP address block lists to prevent access to authentication functions.
In addition, IT security and security management should discourage or ban users from selecting common or weak passwords, as these are low-hanging fruit that require considerably less time and effort for credential crackers. Furthermore, it is recommended that companies apply incremental account lockout to accounts with suspicious login attempts.
Companies should also consider enhancing authentication by adding CAPTCHA, adding application-specific challenge questions, or using strong authentication such as two-factor authentication. Finally, organizations should consider even stricter security measures for users with higher or more sensitive permissions, such as system administrators, moderators, internal staff, etc.
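The two countermeasures from the previous paragraphs that are easiest to show in code are rejecting common or weak passwords and applying incremental account lockout. The block below is an added example, not code from the article or from OWASP: the deny list, the minimum length, the lockout thresholds and the `verify` callback are all assumptions, and a real deployment would check candidate passwords against a full breached-password corpus rather than a five-entry set.

```python
from datetime import datetime, timedelta

# Constructed deny list (assumption). Production systems check against a large
# corpus of known-breached passwords instead.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome1"}


def is_weak_password(password, min_length=12):
    """Reject short passwords and anything on the common-password deny list."""
    return len(password) < min_length or password.lower() in COMMON_PASSWORDS


class LockoutPolicy:
    """Incremental account lockout. After `threshold` consecutive failures the
    account is locked for base_lock * 2**(episode - 1), capped at max_lock, so
    each successive lock episode lasts twice as long. A successful login
    clears the account's state."""

    def __init__(self, threshold=5, base_lock=timedelta(minutes=1),
                 max_lock=timedelta(hours=1)):
        self.threshold = threshold
        self.base_lock = base_lock
        self.max_lock = max_lock
        self.state = {}  # user -> {"failures": n, "episodes": n, "locked_until": dt|None}

    def is_locked(self, user, now):
        st = self.state.get(user)
        return st is not None and st["locked_until"] is not None and now < st["locked_until"]

    def record_failure(self, user, now):
        """Count a failed attempt; return the lock duration if a lock was triggered."""
        st = self.state.setdefault(user, {"failures": 0, "episodes": 0, "locked_until": None})
        st["failures"] += 1
        if st["failures"] >= self.threshold:
            st["episodes"] += 1
            duration = min(self.base_lock * 2 ** (st["episodes"] - 1), self.max_lock)
            st["locked_until"] = now + duration
            st["failures"] = 0  # the next episode starts counting from zero
            return duration
        return None

    def record_success(self, user):
        self.state.pop(user, None)


def attempt_login(policy, user, password, now, verify):
    """Gate a login through the lockout policy. `verify(user, password)` is the
    application's real credential check (assumed; stubbed by the caller).
    Returns "locked", "ok" or "failed". Locked accounts are refused before the
    password is checked, so a correct guess during a lock still learns nothing."""
    if policy.is_locked(user, now):
        return "locked"
    if verify(user, password):
        policy.record_success(user)
        return "ok"
    policy.record_failure(user, now)
    return "failed"


if __name__ == "__main__":
    policy = LockoutPolicy(threshold=3)
    t0 = datetime(2024, 5, 1, 10, 0, 0)
    check = lambda u, pw: pw == "correct horse battery staple"
    for i in range(4):
        print(attempt_login(policy, "alice", "guess%d" % i, t0 + timedelta(seconds=i), check))
```

Two design points: locking the account for a growing but capped interval slows a dictionary attack dramatically without permanently denying the legitimate owner, and because lockout is itself a denial-of-service lever, it is best paired with the per-source detection and fingerprinting measures above so that a single remote address cannot lock out many accounts at will.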
These methods provide a strong start to building and bolstering a more robust defense against the many types of credential cracking.