How Auth Attacks Work (and How to Protect Against Them)
In this video from our Workforce Security Awareness training, CBT Nuggets trainer Keith Barker describes how to find out where your email address was compromised and when.
With every data breach or hack, millions of username and password combinations spill onto the internet. At latest count, there are more than five billion compromised accounts listed on Have I Been Pwned.
Often these credentials are worthless on the very site they were stolen from: once a breach is discovered, the company resets passwords and alerts its users. Most people, however, reuse the same password across multiple sites. The job of an auth (or authentication) attack, more widely known as credential stuffing, is to find out whether you reused a breached password, and where.
What is an auth attack?
An auth attack occurs when malicious actors use a computer program to validate a list of usernames and passwords against a website login.
They acquire lists of stolen username and password combinations and test the passwords by attempting to log into websites. Unlike a brute force attack where hackers attempt many passwords for a single username, auth attacks typically only try a username and password on a website once.
The malicious actors are trying to determine whether you re-use that compromised password on other sites. If you do, they can repackage the now-verified credentials and sell them to another malicious actor, or use them themselves to take over other accounts.
For instance, your Adobe account information might have been compromised back in 2013. Adobe reset your password, so an attacker can't get into that account. But the attacker still has one of your passwords. If you used the same password on your LinkedIn account, the attacker now has access to your LinkedIn account as well.
But here's the thing about auth attacks. The validation script itself doesn't grab data, steal money, or change settings. When it finds a password that works, it immediately logs out. Its only job is to confirm whether a password is still active; once it knows that, the job is done, and the working credentials are handed to whoever will do the actual damage later.
If you're thinking, "So what?", consider that the attacker is likely trying your credentials on many other websites. If the program finds that you used the same password for Netflix, LinkedIn, and Facebook, there's a good chance you also used it elsewhere, such as your bank or retail accounts.
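The validation traffic described above leaves a recognizable footprint in a site's login logs: one source trying many different usernames, roughly once each, with mostly failures and the occasional success that is followed by nothing. The following Python script is an added example, not code from the CBT Nuggets video or article: it parses a constructed log sample, separates that pattern from a classic brute-force pattern (one username, many passwords), and lists the accounts whose reused password the attacker has just confirmed. The log format, the addresses (RFC 5737 test ranges) and the thresholds are all assumptions made for the demo.

```python
"""Triage login logs for auth-attack (credential-stuffing) traffic.

Added example, not from the original article: the log format and every line
in SAMPLE_LOG are constructed for this demo (addresses from RFC 5737 test ranges).
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field

# Constructed sample: one line per login attempt (timestamp, source IP, user, outcome).
SAMPLE_LOG = """\
2024-05-01T10:00:01Z ip=203.0.113.5 user=alice@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=bob@example.com result=FAIL
2024-05-01T10:00:02Z ip=203.0.113.5 user=carol@example.com result=OK
2024-05-01T10:00:03Z ip=203.0.113.5 user=dave@example.com result=FAIL
2024-05-01T10:00:03Z ip=203.0.113.5 user=erin@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=frank@example.com result=FAIL
2024-05-01T10:00:04Z ip=203.0.113.5 user=grace@example.com result=OK
2024-05-01T10:00:05Z ip=203.0.113.5 user=heidi@example.com result=FAIL
2024-05-01T10:00:05Z ip=203.0.113.5 user=ivan@example.com result=FAIL
2024-05-01T10:00:06Z ip=203.0.113.5 user=judy@example.com result=FAIL
2024-05-01T10:01:00Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:01Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:02Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:03Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:04Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:01:05Z ip=198.51.100.7 user=alice@example.com result=FAIL
2024-05-01T10:05:00Z ip=192.0.2.44 user=bob@example.com result=FAIL
2024-05-01T10:05:09Z ip=192.0.2.44 user=bob@example.com result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) ip=(?P<ip>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


@dataclass
class SourceStats:
    """Per-source-IP counters built from the log."""
    attempts: int = 0
    failures: int = 0
    per_user: dict = field(default_factory=lambda: defaultdict(int))
    successes: set = field(default_factory=set)  # users whose password worked


def parse_log(text: str) -> dict:
    """Aggregate attempts by source IP; lines that don't match the format are skipped."""
    stats = defaultdict(SourceStats)
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        s = stats[m["ip"]]
        s.attempts += 1
        s.per_user[m["user"]] += 1
        if m["result"] == "FAIL":
            s.failures += 1
        else:
            s.successes.add(m["user"])
    return stats


def classify(s: SourceStats, min_attempts=5, max_tries_per_user=1.5,
             min_failure_rate=0.7) -> str:
    """Credential stuffing: many users, about one try each, mostly failing.
    Brute force: one user, many tries. Thresholds are illustrative assumptions."""
    if s.attempts < min_attempts:
        return "normal"
    failure_rate = s.failures / s.attempts
    tries_per_user = s.attempts / len(s.per_user)
    if (len(s.per_user) > 1 and tries_per_user <= max_tries_per_user
            and failure_rate >= min_failure_rate):
        return "credential-stuffing"
    if len(s.per_user) == 1 and failure_rate >= min_failure_rate:
        return "brute-force"
    return "normal"


def triage(text: str) -> dict:
    """Map each source IP in the log to its verdict."""
    return {ip: classify(s) for ip, s in parse_log(text).items()}


def confirmed_reuse(text: str) -> set:
    """Accounts a stuffing source successfully logged into: their password is now
    known to be reused, so reset it and notify the owner."""
    stats = parse_log(text)
    return {u for s in stats.values()
            if classify(s) == "credential-stuffing" for u in s.successes}


if __name__ == "__main__":
    for ip, verdict in triage(SAMPLE_LOG).items():
        print(f"{ip:15} {verdict}")
    print("reset these accounts:", sorted(confirmed_reuse(SAMPLE_LOG)))
```

The per-IP grouping is the weak point of this detector: real stuffing campaigns spread attempts across proxy pools, so in practice the same counters are kept per network range, per user-agent fingerprint, or site-wide over a time window, and a success that is followed by an immediate logout with no further activity is itself a strong signal.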
Are auth attacks dangerous?
Yes. Although the validation step enters and exits an account immediately, its product is a confirmed, working password for that account, which is the most valuable thing an attacker can hold. Everything that follows, from account takeover to resale of the verified credentials, starts from that confirmation.
How do you defend against auth attacks?
Luckily, auth attacks are easy to defend against. You can foil even the most sophisticated auth attack in three ways:
Find out if your passwords have been compromised. In our Workforce Security Training, CBT Nuggets trainer Keith Barker describes how to use Have I Been Pwned to check whether your email address is out in the wild.
Use a different password for every website. With so many logins, it's easy to get lazy with password diversity. A recent Mashable survey found that 87 percent of people used the same password for multiple sites. Doing so, however, is exactly what an auth attack exploits: one breach becomes a key to every site where you reused that password. A password manager makes unique passwords practical.
Use two-factor authentication. Many online services now offer (or even require) two-factor authentication (2FA). With 2FA, you'll be required to enter a number from an authenticator app, text message, or even phone call when you log into your account, so a stolen password alone isn't enough. Your most important accounts should be protected with 2FA; where you have the choice, an authenticator app or hardware security key is stronger than a code sent by text message or phone call, which can be intercepted or redirected through SIM swapping.
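The first two defenses above can be checked programmatically. The following Python is an added example, not code from the article or from Have I Been Pwned: it mirrors the k-anonymity scheme of the Pwned Passwords range API, in which only the first five hex characters of the password's SHA-1 are sent and the match is made locally, so the password itself never leaves your machine, and it adds a local audit that finds passwords reused across sites in a vault. The server's breach corpus, the vault and the sample passwords are all constructed stand-ins.

```python
"""Check a password against a breached-password corpus without sending the password.

Added example, not code from the article or from Have I Been Pwned. It mirrors the
k-anonymity scheme of the Pwned Passwords range API: the client sends the first five
hex characters of SHA-1(password), the server answers with every suffix it knows for
that prefix, and the comparison happens locally. The server here is a stand-in with
a constructed corpus, and VAULT is a constructed example as well.
"""
import hashlib
from collections import defaultdict

# Constructed corpus standing in for the server's breach data: password -> times seen.
LEAKED = {"password": 3, "123456": 5, "letmein": 2, "Summer2013!": 1}

# Constructed {site: password} vault for the reuse audit.
VAULT = {"adobe": "Summer2013!", "linkedin": "Summer2013!", "bank": "Lw7$pd-gqA2"}


def sha1_hex(password: str) -> str:
    """Uppercase hex SHA-1, the hash form the range API works with."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def server_range(prefix: str, corpus=LEAKED) -> str:
    """Server side: answer a 5-hex-char prefix with 'SUFFIX:COUNT' lines, one per
    known hash sharing that prefix. The server never sees the full hash."""
    if len(prefix) != 5 or any(c not in "0123456789ABCDEF" for c in prefix):
        raise ValueError("prefix must be five uppercase hex characters")
    lines = []
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        if h.startswith(prefix):
            lines.append(f"{h[5:]}:{count}")
    return "\r\n".join(lines)


def breach_count(password: str, fetch=server_range) -> int:
    """Client side: only the prefix leaves the machine; the suffix is compared
    locally. Returns how often the password was seen in breaches (0 = not found)."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in fetch(prefix).splitlines():
        found, _, count = line.partition(":")
        if found == suffix:
            return int(count)
    return 0


def reused_passwords(vault: dict) -> dict:
    """Local audit of a {site: password} vault: passwords used on more than one site."""
    sites_by_password = defaultdict(list)
    for site, pw in vault.items():
        sites_by_password[pw].append(site)
    return {pw: sorted(sites) for pw, sites in sites_by_password.items()
            if len(sites) > 1}


if __name__ == "__main__":
    for site, pw in VAULT.items():
        print(f"{site:10} seen in breaches {breach_count(pw)} time(s)")
    print("reused across sites:", reused_passwords(VAULT))
```

Against the real service the `fetch` callable would issue an HTTP GET to https://api.pwnedpasswords.com/range/ followed by the prefix (an assumption only about where the request goes; the matching logic is the same); here it defaults to the local stand-in so the example runs offline. The point of the scheme is that a prefix of 20 bits matches hundreds of hashes, so the server learns almost nothing about which password was checked.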
How to improve your overall online security
Attackers are opportunistic. With the glut of breached data floating around the internet, malicious actors don't spend much time on any one account. To use an analogy, they aren't trying to break into a car and hotwire it. They're looking for the one with its engine running and the keys in the ignition.
By following these basic password security practices, you'll keep opportunistic attackers out and keep your personal data safe.