In brief: Today's cybercriminals use a slew of methods to compromise systems, but the most tried-and-tested way is still a favorite: stealing someone's password. According to a new report, there are almost 1,000 password-based attacks every second, marking a 74% increase compared to last year.
The data comes from Microsoft's Digital Defense Report 2022 (via ZDNet), which analyzed trillions of signals from the Redmond company's global ecosystem of products and services to reveal the scale of cyberthreats worldwide.
The number of hacking incidents has jumped enormously over the last year, thanks primarily to Russia's invasion of Ukraine in February and the resulting cyberwarfare between nations. But hackers still favor password-based attacks; Microsoft estimates that 921 of these take place every minute.
Brute forcing a password remains a common method of accessing a system. The arrival of Nvidia's RTX 4090 cards has made these sorts of attacks more efficient (in specific scenarios). Researchers recently showed how the Lovelace flagship could cycle through all 200 billion iterations of an eight-character password in just 48 minutes.
First @hashcat benchmarks on the new @nvidia RTX 4090! Coming in at an insane >2x uplift over the 3090 for nearly every algorithm. Easily capable of setting records: 300GH/s NTLM and 200kh/s bcrypt w/ OC! Thanks to blazer for the run. Full benchmarks here: https://t.co/Bftucib7P9 pic.twitter.com/KHV5yCUkV4— Chick3nman " (@Chick3nman512) October 14, 2022
Passwords leaked online following massive data breaches are a prime harvesting ground for hackers, thanks to many people recycling account credentials across multiple sites and services. The massive LinkedIn breach from 2012 is believed to have enabled hackers to access Mark Zuckerberg's Twitter and Pinterest accounts in 2016.
Phishing attacks looking to steal passwords are still rife. Recently, criminals have been trying to take advantage of Twitter's verification revamp by phishing for verified accounts' passwords, and even Steam users are being targeted. This increase is partly why Microsoft included enhanced phishing protection in the Windows 11 22H2 update.
Microsoft writes that 90% of hacked accounts aren't protected by "strong authentication," which refers to a single layer of protection being used and doesn't include multi-factor authentication (MFA). The Windows maker warns that the number of accounts using MFA is low, even among administrator accounts, though these extra layers of protection don't guarantee an account will be 100% secure.
In addition to using MFA wherever it is available, the usual recommendations apply if you want to make life hard for hackers: avoid reusing passwords (consider a good password manager), keep your software up to date with the latest patches, and avoid the terrible passwords that remain inexplicably popular.