Attacks
Password attack
What is a password attack?
A password attack is an attempt to sign in to an account using a password that has been guessed, stolen or leaked elsewhere. The targets are mainly the services reachable from the internet, such as webmail, remote maintenance, VPN access and cloud applications.
The forms differ in method. A brute force attack has a program try very large numbers of character combinations. A dictionary attack uses known passwords and names. In credential stuffing, criminals take credentials captured in another provider's data breach and try them against your systems, which succeeds as soon as a password has been reused. In password spraying, one very common password is tried against many accounts at once, which slips past the lockout that follows several failed attempts on a single account.
The services exposed to the outside are hit first. That includes the VPN, an encrypted connection through which staff reach the company network while away from the office. Inside a business the attack leaves recurring traces. Login logs fill with failed attempts, accounts are locked out in the morning, sign-ins appear from countries with no connection to your work, or confirmation prompts from the two-factor app arrive although nobody is signing in. That last point is a clear alarm: the attacker already holds the password and is waiting for someone to approve the prompt out of convenience. Such prompts are to be denied and the password changed at once.
The sensible first step is two-factor authentication on every service reachable from outside, meaning a second proof of identity in addition to the password, because it renders a stolen password largely worthless. Password hygiene follows: a separate long password for each service, held in a password manager so that nobody has to memorise anything. Factory default passwords on routers, network storage, cameras and printers are changed. Accounts of people who have left the company are disabled, because they otherwise keep running unwatched.
Watch the sign-ins. In common cloud services, logging can be switched on and alerts for unusual sign-ins enabled. The IT Check establishes which services are reachable from the internet, whether a second factor is required there, whether default passwords are still in place and whether old accounts remain active.
Reviewing accounts and two-factor protection in the IT Check
All terms in the knowledge base
Note: This entry reflects the state of knowledge to the best of our understanding and serves as general orientation. It is not legal advice. What counts is always the version currently in force at the responsible body, for example dsb.gv.at, nis.gv.at or enisa.europa.eu.
From the term to practice
Where does your business actually stand?
The IT Check reviews your IT across 8 audit areas with more than 100 individual checks and delivers documented findings with a prioritised action plan. From 1,299 € excl. VAT. The first call takes 20 minutes and carries no charge.