#Password Security

How To Check And Avoid Password Attacks

  1. By Devanand Premkumar
  2. No Comments

03 Mar

Password-attack

The internet is a scary place nowadays. While online passwords can help prevent our sensitive information from falling into the hands of criminals, they can also provide a potential weak-point that is vulnerable to password attacks. However, by avoiding using weak passwords and being aware of what a password attack looks like, there are many ways that you can take proactive steps to protect the information that you put out online.

What is a password attack?

A password attack occurs when an un-authenticated person tries to gain access to your account via your password. Attackers can be anybody: they can be a coworker that saw your email password written on a sticky note on your desk, or someone halfway across the globe who wants to empty your bank account. They can happen on any website where your account is protected by a password: anything from your Netflix account to your banking app could be a potential target for a password attack.

 

There are a variety of ways that a cyber-criminal can try to gain access to your sensitive information. Most will rely on human error, monitor your web browsing for potential weak spots, or attempt to force their way into your account by guessing your passwords. To keep yourself safe, it is vital to be informed on the various types of password attacks that hackers may employ against you.

Password attacks are of various types namely:

  1. Brute force Attacks
  2. Dictionary Attacks
  3. Rainbow Table Attacks
  4. Traffic Interception Attacks
  5. Man in the Middle Attacks
  6. Spidering Attacks
  7. Keylogger Attacks
  8. Social Engineering Attacks
  9. Denial of Service Attacks

Brute Force Attacks

When conducting a Brute Force Attack, a hacker will repeatedly try all kinds of passwords in order to try and gain access to your accounts.

It is the simplest form of password attack, and will try all combinations of numbers, letters, and special characters.

This is known as throttling authentication attempts, or trying many passwords until you get the right one.

However, conducting an outright Brute Force Attack can be difficult and risky on the hacker’s part. First, a Brute Force Attack requires the trial of millions of potential passwords which, with a normal processing system, could take thousands of years.

Professional hackers may circumvent this by obtaining massive computing systems that can try thousands of passwords per second, greatly reducing the time needed to try a massive number of passwords.

Second, this technique is easy to detect, as it results in a high volume of suspicious activity coming into a database. When hackers have to try thousands of passwords very quickly, the website is notified of a very high volume of failed log-in attempts that come very rapidly.

Then, the website can quickly respond by locking the account completely, which may result in both you and your potential hacker being denied access to your account.

Because Brute Force Attacks are so high risk, hackers have developed a wide range of Brute Force Attacks variations.

These types of password attacks are meant to allow hackers to try many passwords largely undetected by both the user and the database that they are trying to hack into.

Dictionary Attacks

Dictionary Attacks are a more refined version of Brute Force Attacks. Hackers will try all of the words in the dictionary that have a high potential for success. This type of attack also uses all of the characters that are commonly used as substitutions for letters, such as 3 for E.

This method canhelp prevent account lock-outs, as the number of attempts is greatly reduced.

 

These types of password attack are effective because many people tend to use common words or phrases when making passwords.

These words can include names, locations, years, common catchphrases, slang, and more.

Hackers conducting a Dictionary Attack will create a list of all the terms that are most likely to produce success, such as “love” and “admin”, and all of the variations of that word that exist in an attempt to force their way into your accounts.

Password Spraying

Password Spraying, much like Dictionary Attacks, will try to access and account by using common passwords.

By creating a list of commonly used passwords, such as “123456” or “Password”, Password Spraying is able to test the phrases that are most likely to be used by someone who uses generic passwords. This technique also prevents account lock-out by reducing the number of log-in attempts.

Although Password Spraying may sound nearly identical to a Dictionary Attack, the key difference between these types of password attacks lie in the way that common phrases are generated.

Dictionary Attacks rely on the literal dictionary, whereas Password Spraying relies on a word bank of commonly used password phrases that may not necessarily be found in the dictionary.

Rainbow table attack

A Rainbow Table Attack will try to gain access to an account by replicating your plaintext password’s hash. By using a rainbow hash table, hackers will try to crack the database’s hashing function in order to find a plaintext password that creates an identical hash to the correct plaintext password.

Rainbow hash tables are created by running a variety of plaintext passwords through the database’s hashing function (such as by creating fake accounts), recording the plaintext’s corresponding hash, and then using these hashes as a reference.

 

The password that you have to type in to get access to an account isn’t the actual “password” that the system is checking. Most databases put the password that you enter (known as plaintext) through a hashing function.

The plaintext is then converted to a  block of text based on the exact algorithm used in the hash. Common examples would include bcrypt, Argon2, scrypt, PBKDF2 etc

 

When you try to gain access to an account and type in a password, it is re-hashing whatever you type.

If the hash of your attempted password matches the hash of the actual password, then you will be granted access to the account. If you know the hash of you password and type that in instead of the plaintext password, due to the fact that it will then be passed through the hashing function a second time, access will not be granted.

 

Rainbow Table Attacks are obviously much more complicated than Dictionary Attacks and Password Spraying.

While this type of password attack may be able to crack much more uncommon passwords, it can’t handle passwords any longer than 10 characters, or ones that are made up of complete gibberish.

Websites take password attack prevention measures specifically to protect users from this type of password attack; if you’ve ever had to incorporate symbols and special characters into a password, this is why.

 

If any of the previously mentioned password attack examples succeed in producing a correct username-password combination, a hacker may then perform a subsequent Credential Stuffing Attack.

Many people use the same username and password across various databases, and this technique capitalizes on that fact.

A hacker using this technique will take a correct username and password combination and use it across a number of other databases in an attempt to gain access to multiple accounts.

 

Because the success rate for this type of password attack hovers somewhere around 1 in 100, Credential Stuffing is best performed when a hacker has a large volume of correct username-password combination.

Therefore, this is a type of password attack that usually does not target individuals, but instead will target the users of a specific database that has suffered a wide-scale security breach.

Traffic Interception Attacks

The second entry in the list on types of password attack is known as a Traffic Interception Attack.

These types of password attacks will monitor your web browsing activity in an attempt to deduce possible passwords.

By carefully watching what you do online, this technique will give a hacker a basis upon which to guess what your passwords might be.

 

Malware created specifically to conduct these types of password attacks will usually run in the background while you surf the web, functioning almost completely undetected.

They can be tricky to spot, and in many cases, a user may not even be aware of the fact that they are being targeted by a cyber-criminal.

This is what makes this type of password attack so dangerous; because they greatly narrow down the list of possible passwords and do not require a high volume of log-in attempts while also running almost completely undetected in the background, a user may have no idea that they are being targeted until it is too late.

 

However, in order for these types of password attacks to be successfully conducted, a hacker must first find a way to get malware onto your device.

This can be done in many ways: public Wi-Fi, through an attachment or link in a suspicious email, via an unfamiliar piece of hardware (such as a flash drive), or through an unsupported download on an unsecure website.

Without the malware, most of these types of password attacks are impossible to conduct.

Man in the Middle Attack

A Man in the Middle Attack is conducted using a software that acts as a “middle man” between your device and the website that you are trying toaccess.

Instead of sending information directly to a website like it is supposed to, this type of malware takes the information, interprets it, and then sends it forward to the correct website.

 

When a person is being targeted by a Man in the Middle Attack, a website that you visit may not be the real website.

Man in the Middle malware creates fake websites that impersonate a real website, leading you to falsely believe that you are on the correct page.

Trusting the fact that you are accessing a safe database, you may then input sensitive information which will then be immediately forwarded to cyber-criminals.

 

A traditional Man in the Middle Attack is usually conducted through unsupported public Wi-Fi. By gaining access to said network’s router, a hacker can scan transmitted data for weak passwords and other vulnerabilities.

This type of password attack may not necessarily require the injection of malware onto a device, as it could be conducted simply by connecting to the same un-secure network.

Spidering Attack

Spidering is used to monitor the websites that you visit in an attempt to find commonly used phrases.

This technique is commonly used to specifically target corporations and organizations, as employee’s passwords will oftentimes have something to do with the organization itself.

Once the hacker has a list of commonly used words and phrases, they will then use them to try to guess your passwords.

 

Spidering capitalizes on the fact that company-specific passwords for business-related accounts usually include words or phrases that have something to do with the company itself.

In some circumstances, a hacker using this type of password attack may visit company websites, social media pages, and other publicly-accessible company affiliated sites to create a word bank of potential words and phrases.

 

Spidering is a particularly dangerous type of password attack for accounts that have a company-issued username and password.

If you’ve ever been given an account by your place of employment and were then instructed to immediately change the password, the prevention against Spidering Attacks may be one of the reasons why.

Keylogger Attack

A Keylogger Attack is exactly what it sounds like; this type of software records what keys are being pressed on your device, including what you type when entering passwords.

While this can technically done via a hardware device that is manually inserted into your device, it is much easier to conduct undetected through downloaded malware.

 

This type of password attack is particularly dangerous because it can record exactly what your password is without requiring a number of repeated log-in attempts.

While keyloggers are oftentimes used completely legally by a corporation’s IT Department while attempting to identify and troubleshoot technical issues, this also means that keylogging software can be easily obtained by cyber-criminals.

Social Engineering Attacks

Social Engineering Attacks rely on human error instead of any weak spots in the database itself. By playing on emotions such as fear, empathy, curiosity, and urgency, Social Engineering Attacks will try to manipulate people into giving up sensitive information or download malicious malware.

 

Because this type of password attack is requires a much more one-on-one approach, it is usually used to target specific individuals.

Cyber-criminals using this method will try to get into your mind and manipulate you into acting on things that you are particularly vulnerable to, such as the promise of free money or a sick family member that needs money to help pay for hospital bills.

 

Social Engineering Attacks are often the first step in conducting the various other types of password attacks, as they are the ways in which hackers get you to download malware onto your device.

While some types of Social Engineering Attacks will outright ask you to send sensitive information or money, they can also be the initial sign of a far more sophisticated attack.

Phishing

Phishing is a type of Social Engineering Attack where hackers will send fake communications via email that appear to come from a legitimate source.

These emails will either attempt to prompt people into willingly giving up sensitive information, or will include attachments or links that contain malware. This technique usually targets a wide range of people without a specific target in mind.

 

Common phishing emails will usually look suspicious right off the bat.

If they aren’t immediately removed from your inbox by your email service’s spam filter, they will will usually have a number of characteristics that make them seem odd.

These characteristics can include:

 

  1. Time-sensitive information or a situation that requires your immediate attention
  2. Poor usage of the English language, usually bad grammar and incorrect spelling of words
  3. Inconsistent email addresses that supposedly come from the same source, if they have contacted you multiple times
  4. Strange attachments or links. Watch out for attachments that include .zip, .exe, and .scr, as they are often associated with malware
  5. Emails that request login information or other sensitive information
  6. Emails that promise things that just seem too good to be true, such as random free money or gifts

Spear Phishing

Spear Phishing is a more refined type of Phishing that targets specific individuals, organizations, and businesses. This approach is far more individually designed, and oftentimes accompanies a more sophisticated type of attack.

 

While regular Phishing can be easily avoided, Spear Phishing can be particularly threatening due to the fact that hackers will try to manipulate you using information that they were able to find about you online.

Hackers using this type of password attack may impersonate someone that you know, impersonate a legitimate organization, or may vaguely threaten you with negative consequences that can be particularly frightening for your particular situation.

For example, if you work for an IT Department, a Spear Phishing email may “alert” you to the fact that your network is unsecure, and may prompt you to click on a link in order to protect your network from potential attacks.

 

Spear Phishing accounts for 91% of all cyber-attacks, and are no laughing matter.

While they may initially appear to be something that can be easily avoided by anyone who knows not to be easily manipulated by strange emails, those of us who don’t know any better may be particularly vulnerable.

While cyber-criminals using Phishing and Spear Phishing tend to target companies and organizations, the elderly have found to also be a population that is particularly vulnerable to this type of online fraud.

Baiting Attacks

Baiting exploits people’s curiosity and greed. By promising people free gifts, items, rewards, or downloads, hackers attempt to bait people into trading sensitive information or downloading malware.

 

Baiting oftentimes appears as a pop-up on an unsecure website that claims that you’ve won something. Oftentimes, people will click on these pop-ups falsely believing that they will be rewarded with money, gifts, or downloads.

Usually, this types of password attack will promise new tech, gift cards, and free trials for paid services.

 

Baiting Attacks can also be conducted through physical hardware that you insert into your devices, such as games, movies, and flash drives.

You may be offered a free copy for exchange for some menial service, and the copy that you are given contains malware that will then be downloaded onto the device that you access it with.

Denial of Service Attacks

A Denial of Service Attack attempts to make a database or website completely unavailable to everyone, including authenticated individuals.

By flooding the website with data, hackers will attempt to “take the website down”, leaving it completely useless.

 

Account Lockouts are very similar to Denial of Service Attacks, although they target individuals instead of entire databases. A hacker will flood

your accounts with log-in attempts to purposely disable your account. Then, they will attempt to ransom off access for the exchange of sensitive information, money, or another form of monetary exchange.

 

Because this type of password attack has to target an entire database, it is usually employed against entire companies.

Most of the time, a cyber-criminal attempting to conduct a large-scale account lockout is looking to get a very high pay-out, making it one of the highest risk types of password attacks that can occur on the internet today.

What can happen if my password gets attacked?

There are a number of things that a hacker can do if they get a hold of your password.

Even if something as seemingly inconsequential as your social media accounts get hacked, it can have devastating consequences.

By hacking into your accounts, a cyber-criminal could potentially:

 

  1. Steal money from your bank account
  2. Deny you access to photos and videos
  3. Create fake social media posts in your name
  4. Delete entire accounts
  5. Impersonate you in order to attack other people
  6. Expose your personal information
  7. Gain access to your other accounts
  8. Make fraudulent purchases in your name

No hacks should be taken lightly. If for any reason you believe that your accounts have been hacked, you should immediately take measures to keep your sensitive information safe from cyber criminals.

Password Attack Prevention

Just like with anything else, password attack prevention is better than damage control.

By creating a strong password right from the very beginning, you can greatly reduce the chance of falling victim to a password attacks.

Some helpful tips to create a strong password include:

 

  1. Use a mixture of capital and lowercase letters, numbers, and special characters
  2. Purposely misspell words
  3. Use acronyms from a sentence or phrase
  4. Avoid using common slang or words from the dictionary
  5. Avoid replacing letters with commonly used characters, such as 3 for E
  6. Set your password as something uncommon that has no correlation to the database that it is linked to
  7. Never use generic passwords, such as “123456” or “password”
  8. Use different passwords for all of your accounts, and never use the same password for multiple accounts

Just because you have a strong password, however, doesn’t mean that your accounts are completely invulnerable to attack. In order to keep your passwords safe once they are set:

 

  1. Never share your passwords with anybody for any reason
  2. Never leave your passwords written down somewhere that someone could easily find them
  3. Enable two-factor authentication whenever possible
  4. Never save passwords for a website when prompted
  5. Only log on to websites from your private network, never from a public network
  6. Change your passwords regularly
  7. Know what a phishing email looks like
  8. Never open or interact with a phishing email
  9. Never plug unfamiliar devices into your computer
  10. Never download software unless you know exactly where it is coming from
  11. Install a trustworthy anti-virus and malware-removal program onto your computer
  12. Regularly scan your devices for viruses and malware
  13. If you have some extra money to spend, consider using an online password manager. Not only do these services generate and store very strong passwords, but they will also alert you if your accounts are exhibiting any suspicious activity.

What should I do if I think my password has been attacked?

It may not always be immediately obvious if your password has been stolen.

However, most of the time, you will receive direct communication from databases or services(E.g. XposedOrNot, HIBP etc) alerting you of a data breach.

If you receive such a notification, or have any other suspicion that your passwords have been compromised:

 

  1. Immediately change your password for that account
  2. If you use the same password for any other account, change that password right away as well
  3. If a hacker contacts you directly to try and blackmail you out of your information or money, don’t panic! Don’t respond, and definitely don’t give them anything. Keep screenshots of the messages and report the scam to organizations, such as the FBI Internet Crime Complaint website, that are specifically designed to identify and eliminate internet scams
  4. If the hack includes extremely sensitive information, such as your banking details, contact the the company immediately. Check your accounts for suspicious activity, check your credit report, and consider requesting a security freeze if you think that your financial assets are in immediate danger

The biggest rule is to stay calm and work quickly. The faster you can re-secure your accounts against unauthorized access, the less information that a hacker will be able to gain access to.

 

Unfortunately, the threat of password attacks comes hand-in-hand with life on the internet. However, with proper preventative measures and knowledge of current internet scams, you will be better equipped to protect your sensitive information from criminals that may want to use you for their own gain.

 
 
No Comments