What is a Password Attack?
In the beginning, you probably already understood from the name what these attacks are and what they are aimed at. It is resistance against someone or something. Password attacks that are aimed at damaging accounts. They are programmed to cheat the authentication process to get into the account. After that, the attackers who control these attacks spread their malicious software or steal confidential data from victims’ accounts.
Types of Password Attacks
In this article, we will look at several types of password attacks, their working principle, and their main purpose. Also, consider methods of warning against them.
- Dictionary Password Attacks
- Brute-Force Password Attacks
- Phishing Attacks
- Password Spraying Attack
- Traffic Interception
Dictionary Password Attacks
This is a crude kind of attack through which an attacker works. Because he’s here to pick the most common passwords and try them out for multiple accounts. Also, take into account the dictionaries of the most common passwords and use them. This list of passwords can include the names of your relatives, the names of the dogs, the number, and the year of your birth. What can I do to warn myself against this?
- Never write your passwords from the dictionary. This increases the level of a claim for you and gives more opportunities to the attacker.
- Lock your account after some number of attempts, it can be two or five attempts but no more.
- Use the password manager. With it, you can prevent dictionary attacks because it generates complex passwords.
Brute-Force Password Attacks
Attackers use many combinations of passwords and try to use them when entering victims’ accounts. This method is slightly outdated because it is time-consuming and long, but it is standard and one of the most common. There are several types of this attack. Consider the below:
- Simple brute force attacks. In this case, the attacker controls logic. To guess the user’s password, he calculates possible variants and combinations based on knowledge and user. It could be the names of the family, the names of the dogs, and the children’s birthdays.
- Credential stuffing. In this case, the attacker receives open passwords from vulnerable sites, through which the user has previously logged on to the system.
- Hybrid brute force attacks. This method involves simply selecting a weak password with automated software that uses account substitution to reveal complex passwords. Organizations use a small number of variants in most derivative systems. Attackers also use user data templates to populate credential tools more accurately.
- Reverse brute force attacks. This method involves searching for shared passwords in the system. The attacker tries to find a common group where shared passwords are written and tries to log into accounts through these passwords.
Phishing1 is aimed at stealing sensitive data through fraud. Through emails, the attacker attempts to compromise the user’s ability to give his data to him. Intruders often use manipulation, extortion, deception, pressure on the user, and other insidious ways to get the user to hand over his bank accounts, account passwords, credit cards, and other confidential data. Examples of phishing attacks you can see below:
- Regular phishing. In this case, the hacker masquerades as someone else’s company and fakes the sender’s address bar under it. And then you see the line with a glimpse, and you think it’s a legitimate company – you send them what they want you to. So the conclusion- read the sender’s address bar carefully, because under the wrong address can be a fraudster.
- Spear phishing. Here, the hacker pretends to be your friend or colleague and asks you to send him something in the mail. If you think this is strange, you didn’t expect such a request from this person, then you better call him back and ask him if he sent it to you directly. Do you know the difference between phishing and spear phishing?
- Smishing and vishing. The attacker works via phone call or text message at this stage. In such texts or calls, intruders warn you about possible hacking or fraud and ask you to switch to an account to eliminate it. You go and lose your data because hackers steal it. Infer-look at the numbers from which you get something.
- Whaling. Here, the attacker works as if from a high-ranking person. He is writing on this behalf some message asking you to send you confidential data – you send and lose all your privacy.
In this type, the attacker is a third party. It decrypts passwords and messages that are transmitted between users. The attacker intercepts these messages. In this case, he can be called an intermediary. To do this, a hacker uses unprotected communication channels. How to avoid man-in-the-middle attack? How not to give all your information to the attacker?
- Enable encryption on your router. If your computer can be accessed so easily, then it doesn’t have the proper encryption. And most likely, the person who can do that is using the technology “sniffer”.
- Use strong credentials and two-factor authentication. To prevent an attacker from redirecting all your traffic to his or her hacked servers, you should change your router credentials from time to time.
- Use a VPN. A VPN can protect your data from man-in-the-middle attacks. It can also provide you with all the guarantees that all the data sent to the servers are in a secure location.
Password Spraying Attack
This attack focuses on password theft. The process is this: the attacker selects several passwords and sprays on many user accounts. These passwords are taken with password dictionaries. Also, they can be the most common combinations such as password1, qwerty, 1111, and other standard passwords. The attackers think of every move and try to bypass the blocking system so that after some attempts, the account will not be blocked. Password spraying – quite careless, a rough form of attack. After several attempts to log in, the site begins to block the entrance.
The Attacker tries to install monitoring tools on the user’s computer and makes a secret key recording. The information is recorded via a keylogger and then passed to the attacker. Generally, the keylogger is used with good intentions to monitor employees and improve UX, but even here the attackers have learned to turn it for their evil intentions.
This type of attack involves intercepting network traffic for data collection and monitoring. The most common way to do this is with connections that do not use encryption. Most often, these can be Wi-Fi connections. Therefore, learn how to use public Wi-Fi safely: risks to watch out for. This attack comes under SSL – traffic that the attacker intercepts through an attempt to connect to a secure website.
How to Prevent Password Attacks
Our data is a part of our life, everyone, and we would not like any hackers to use it against us for their own good and desire for financial gain. Below we will give some tips on how to avoid or prevent an attack by an intruder:
- Enforce strong password policies. To begin with, your passwords must be created correctly and securely. The number of characters should be at least 8, and the password itself should use not only letters or numbers but also capital letters and the inclusion of special characters. Your password must not contain any confidential information about you.
- Organization-wide password security training. A crowded organization must notify its employees of suspected attacks and precautions. Therefore, employees should be aware of the creation of strong passwords and social engineering, through which disguised intruders can attack.
- Enable Multi-Factor Authentication. Multi-factor authentication provides a more reliable security system. It provides additional security measures for the use of passwords.
- Use a password manager. Password Manager is designed to help web administrators store and manage user credentials. This method will also help you generate a complex and strong password according to your security policy. Data is more protected from data leakage, as user credentials are stored in encrypted databases.
- Phishing attack is a kind of attack tricking you into sharing login/password, credit card, and other.