Everything You Need to Know About Password Attacks and Prevention
August 3, 2020 | 3 min read
BlueVoyant
Password attacks can be done ethically or criminally. An ethical hacker is usually someone employed by a company to test the security of various account passwords, to lessen the probability of being hacked. On the other hand, a cyber-criminal performs a password attack to gain entry into systems for monetary or other incentives.
Different Types of Password Attacks and How They Work
Password attacks can be split into four different types: non-electronic accounts, active online attacks, passive online attacks, and offline attacks.
Non-Electronic Accounts
These are non-technical attacks that require little technical knowledge.
- Shoulder Surfing: Literally looking over someone’s shoulder as they type in a username and password, then using those credentials later.
- Social Engineering: Phishing emails or texts sent to users to fool them into clicking on a link that installs malware. These attacks can be as simple as looking at a user’s social media accounts. Passwords are often built from a user’s birthday or pet’s name, all things readily available on a Facebook profile. By collecting as much information about the user as possible, a hacker can guess at likely passwords.
Active Online Attack
- Brute Force: The most common form of attack and the easiest. A program generates likely passwords, starting with weak, easy-to-guess passwords and trying variations of numbers and letters. This method goes slowly, as hackers move methodically from account to account, giving lockout timers time to reset. Credential stuffing and password spraying fall under this category.
- Credential Stuffing: Cyber-criminals use lists of stolen usernames and passwords in combination on different accounts until they have a match. This falls back on the fact that users tend to use the same password on multiple accounts.
- Password Spraying: Tries many accounts at once with a few commonly used passwords. This method is dangerous on single sign-on or cloud-based authentication portals.
- Dictionary Attack: Takes advantage of the fact that people tend to use common words and short passwords. Using a list of common words with numbers before or after, or using a program to cycle through common combinations, the hacker tries to gain access to accounts.
- Keylogger/Trojan/Spyware: Malware that runs in the background to record keystrokes and passwords. The hacker can recover usernames, passwords and the websites each one was used on. This usually relies on the user falling for another attack that installs the software, for example a phishing download.
- Hash Injection: By injecting a compromised hash into a local session, the attacker can obtain the domain admin account hash. This retrieved hash can then be used to log on to other systems.
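The brute force, credential stuffing and password spraying entries above differ in how failures are spread across accounts, and that difference is what a defender can detect. The following added example (not from the original post) classifies login sources from a few constructed authentication log lines: many distinct accounts with only a handful of failures each is the spraying pattern, while many failures against one account is brute force. The log format, field names and thresholds are assumptions chosen for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log lines (not from any real system).
SAMPLE_LOG = """\
2020-08-03T09:00:01 src=203.0.113.7 user=alice result=FAIL
2020-08-03T09:00:02 src=203.0.113.7 user=bob result=FAIL
2020-08-03T09:00:03 src=203.0.113.7 user=carol result=FAIL
2020-08-03T09:00:04 src=203.0.113.7 user=dave result=FAIL
2020-08-03T09:00:05 src=203.0.113.7 user=erin result=FAIL
2020-08-03T09:00:06 src=203.0.113.7 user=frank result=SUCCESS
2020-08-03T09:01:00 src=198.51.100.4 user=alice result=FAIL
2020-08-03T09:01:10 src=198.51.100.4 user=alice result=FAIL
2020-08-03T09:01:20 src=198.51.100.4 user=alice result=FAIL
2020-08-03T09:01:30 src=198.51.100.4 user=alice result=FAIL
2020-08-03T09:01:40 src=198.51.100.4 user=alice result=FAIL
2020-08-03T09:01:50 src=198.51.100.4 user=alice result=FAIL
2020-08-03T09:02:00 src=192.0.2.9 user=grace result=FAIL
2020-08-03T09:02:05 src=192.0.2.9 user=grace result=SUCCESS
"""

# Assumed log layout: "src=<ip> user=<name> result=<FAIL|SUCCESS>".
LINE_RE = re.compile(r"src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def classify_sources(log_text, spray_min_accounts=5, spray_max_per_account=3,
                     brute_min_failures=5):
    """Return {source_ip: label}, label in {'spraying', 'brute_force', 'normal'}.

    Thresholds are illustrative; tune them to the lockout policy in force.
    """
    failures = defaultdict(lambda: defaultdict(int))  # src -> user -> fail count
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m or m.group("result") != "FAIL":
            continue
        failures[m.group("src")][m.group("user")] += 1

    verdicts = {}
    for src, per_user in failures.items():
        distinct_accounts = len(per_user)
        peak_failures = max(per_user.values())
        # Spraying: wide across accounts, shallow per account (stays under lockout).
        if distinct_accounts >= spray_min_accounts and peak_failures <= spray_max_per_account:
            verdicts[src] = "spraying"
        # Brute force: deep on a single account.
        elif peak_failures >= brute_min_failures:
            verdicts[src] = "brute_force"
        else:
            verdicts[src] = "normal"
    return verdicts
```

A successful login from a source already flagged as spraying (frank from 203.0.113.7 in the sample) is the event worth escalating first.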
Passive Online Attacks
- Wire-sniffing/Traffic Interception: The hacker uses software, such as a packet sniffer, to monitor network traffic and capture passwords. The software ‘listens in’ on the information. Encryption can help, but as information is decryptable this is not a fail-safe.
- Man-in-the-Middle: Similar to wire-sniffing, the hacker’s program monitors information passing through. In this method, though, the software is inserted into the middle of the traffic, normally impersonating a site or app.
Offline Attacks
- Rainbow Table: Targets password hashing, which is otherwise a complicated, strong security method. Hashing is a type of mathematical encryption that converts passwords into cryptic characters. A rainbow table compiles a list of pre-computed hashes and matches them against captured hashes to crack the password. This is time-consuming for the attacker and leaves the victim less vulnerable.
- Distributed Network Attack: Uses the power of machines across a network to recover passwords from hashes.
How to Prevent a Password Attack
- Use a Random Character Password Generator that creates and stores encrypted passwords
- Schedule and rotate passwords often
- Use hard-to-guess passwords with mixed-case characters, numbers, symbols or unique phrases
- Don’t use common words, like “admin” or “password”
- Avoid using the name of the site in your password
- Use single sign-on or multi-factor authentication wherever possible
- Use biometric authentication where possible; fingerprint authentication, for example, makes impersonation much harder
As the saying goes, using a combination of upper- and lower-case letters, numbers, symbols (and a retina scan, jk), might not protect you completely, but it goes a long way in deterring hackers.