People generally try to keep everything protected, be it their homes, their children, or their online accounts. Yet online accounts hang by a thread. No matter how strong you make your password, attackers are always ready to try breaking in, whether to practise their skills or simply for fun.
Studies have been carried out on how careless people are when setting up passwords. Some people still choose nothing better than 12345 or 0000, despite being aware of the online password attacks that exist.
This makes password cracking one of the most common attacks carried out today. People know of a few common password attacks, such as dictionary and brute force attacks, yet there are many more that everyone should be mindful of.
Let’s dive into the list of some of the most common password attacks.
1. Dictionary attack:
A dictionary attack relies on luck and guesswork. Attackers try the most likely passwords first: the company's or website's name, the owner's name, or popular numerical sequences such as 123456789, 1234 or 00000.
Attackers start by drawing up a list of highly likely passwords (the "dictionary") and trying each one in turn.
Dictionary attacks are highly unsuccessful because they depend purely on luck; furthermore, growing awareness and well-publicised breaches have led people to stop using the most common passwords.
Even if you insist on using a common word or phrase as your password, mix in numerals and uppercase letters and use combinations that are as random as possible; this makes the attacker's job harder and may lead them to give up on your account.
2. Man in the middle:
A man-in-the-middle attack, or MITM, is one you never see coming: you hand your passwords and other details to the attacker yourself!
Let’s understand this with the help of an example:
You are casually checking your mailbox and see an email, apparently from your bank, with a link asking you to confirm your account details. You open the link and are directed to a website that looks like your bank's official website. You fill in the details: email address, phone number and password.
The website might look legitimate, but it is a man in the middle in action: your bank never asks you to confirm your password in response to such unsolicited notices. The attacker who created the clone of your bank's website will have no second thoughts about what to do with your confidential details.
To avoid such an attack, make sure the website's URL begins with "HTTPS" (note the S), avoid connecting to public Wi-Fi hotspots, and secure your own Wi-Fi network. Also, instead of clicking directly on a link sent by email, as in the example above, type the bank's address into the browser yourself.
3. Brute Force Attacks:
A brute force attack is generally referred to as an "Upgraded Trial of Dictionary Attack."
Attackers attempting brute force may have several motives: selling the credentials to a third party, redirecting domains to websites hosting malicious content, damaging the reputation of a company, website or individual, and so on.
Attackers carrying out a brute force attack use programs or dedicated software to guess passwords until the correct one is found. They work through an enormous number of combinations, far more than a human could try alone.
Hence the name "Upgraded Trial of Dictionary Attack." Tools used include John the Ripper, RainbowCrack and Aircrack-ng.
There are several types of brute force attack:
- Reverse Brute Force Attack: Instead of targeting a single username, attackers take a small set of likely passwords and try them against many usernames.
- Credential Stuffing: When attackers obtain one set of usernames and passwords, they try the same credentials on other websites and network resources, because people tend to reuse the same password across multiple sites.
- Hybrid Brute Force Attacks: The bot starts from the most common passwords and tirelessly works through variations of them; if your password is "password," it will be cracked almost immediately.
Luckily, it is quite straightforward to protect your websites from brute force attacks.
Ensure you are using strong, random passwords, limit the number of login attempts, have responsible and capable network administration, and educate your administrators about the need for strong passwords and basic security habits.
4. Keylogger Attacks:
Keylogger attacks are among the oldest online threats. A keylogger is a monitoring program or device that records every keystroke the user makes.
The recorded keystrokes, which may include personal details, bank account details and the like, are then sold to third parties for profit.
Keyloggers can be either hardware- or software-based. A hardware keylogger simply sits between the keyboard connector and the computer's port, whereas a software keylogger is an application run unknowingly by the user, or malware that has infected the device.
People often wonder how attackers use keyloggers. If a keylogger records the keystrokes of someone working with a large organisation's database, the attacker can gain access to servers and laptops, exposing large amounts of data that can be sold for considerable profit.
"Corporate keylogging," along with apps that monitor friends, family or partners, is a sizeable market. It is a legal practice if the monitored user is aware of it or has installed the keylogging app themselves.
In workplaces, IT staff can use keystroke records to troubleshoot user problems, investigate security incidents, and so on. Windows 10 ships with its own form of keystroke collection for telemetry purposes.
In any case, employees and individuals must be informed of such keystroke monitoring; failing to do so can amount to the offence of invading a person's privacy.
To avoid falling victim to keyloggers, follow the points below:
- Prefer virtual (on-screen) keyboards.
- Set up a firm password policy.
- Install anti-keylogger software.
- Keep tabs on resource allocation, running processes, and data flows.
5. Password Spraying:
Password spraying is a variant of the brute force attack. A traditional brute force attack tries to break into a single account in a short time by guessing its password repeatedly.
This is the main reason why most organisations and websites have a policy of locking an account after three or five wrong password attempts.
So instead, attackers try a single password across many accounts and websites before moving on to the next password; this is "Password Spraying." Once in, the attacker can move laterally and quickly gain access to sensitive data and critical applications.
Attackers have several techniques to support this attack: easily guessed passwords such as "password" give the spray a good chance of success; compromised accounts are mined for lists of email addresses so that further accounts can be attacked; and extensive online research and other social engineering tactics help identify target organisations and accounts.
To protect yourself from password spraying, regularly review your password management program, enable and properly configure MFA (multi-factor authentication), use strong and random passwords, and make sure your organisation's help desk has documented procedures for password resets when users find themselves locked out.
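To make the difference between the two sections above concrete, here is a small detection routine, added as an illustration rather than taken from the article, that reads constructed auth log lines and separates single-account brute force (which the lockout rule stops) from password spraying (which deliberately stays under the lockout threshold on each account). The log format, thresholds and addresses are all assumed.

```python
# Added example (not from the original article): tell the two failed-login
# patterns apart in an auth log. A burst of failures against ONE account
# from one source is classic brute force, which lockout stops; one failure
# each against MANY accounts from one source, all below the lockout
# threshold, is the password-spraying signature. Thresholds are assumed.
from collections import defaultdict
import re

LOCKOUT_THRESHOLD = 5    # failures on one account before it locks (assumed)
SPRAY_MIN_ACCOUNTS = 4   # distinct accounts failing from one source (assumed)

# Constructed sample log lines, not real data. Format: time user source result
SAMPLE_LOG = """\
08:00:01 alice 203.0.113.5 FAIL
08:00:02 alice 203.0.113.5 FAIL
08:00:03 alice 203.0.113.5 FAIL
08:00:04 alice 203.0.113.5 FAIL
08:00:05 alice 203.0.113.5 FAIL
08:10:00 bob 198.51.100.7 FAIL
08:10:01 carol 198.51.100.7 FAIL
08:10:02 dave 198.51.100.7 FAIL
08:10:03 erin 198.51.100.7 FAIL
08:10:04 frank 198.51.100.7 OK
08:15:00 grace 192.0.2.9 FAIL
08:15:30 grace 192.0.2.9 OK
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (FAIL|OK)$")


def classify(log_text):
    """Return {source: verdict} for every source that produced a failure."""
    fails = defaultdict(lambda: defaultdict(int))   # source -> user -> count
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m and m.group(4) == "FAIL":
            _, user, source, _ = m.groups()
            fails[source][user] += 1
    verdicts = {}
    for source, per_user in fails.items():
        if max(per_user.values()) >= LOCKOUT_THRESHOLD:
            verdicts[source] = "brute-force"      # lockout policy fires
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS:
            verdicts[source] = "password-spray"   # low and slow across users
        else:
            verdicts[source] = "benign"
    return verdicts
```

Calling classify(SAMPLE_LOG) flags 203.0.113.5 as brute force and 198.51.100.7 as a spray, while grace's single typo from 192.0.2.9 is left alone.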
6. Social Engineering Attacks:
Social engineering attacks may sound like the easy ones to spot; in fact, they are known to cause some of the worst damage. They work on the victim psychologically, manipulating them into handing over confidential details.
Social engineering attackers send emails, or use other communication channels, designed to instil fear or urgency in the victim and provoke them into opening a malicious link. Acting in haste, the victim hands over their personal details.
There are multiple techniques of Social Engineering Attacks:
- Baiting: A lure that tricks the user into handing over personal credentials, for example malicious links offering movie and song downloads. Baiting is not restricted to online attacks; attackers can use physical media too, dropping USB sticks or other infected devices in public places or near the target in the hope that someone picks one up.
- Phishing: One of the most common social engineering attacks. The attackers fool users into handing over personal information such as SSNs, names and passwords. They use misleading URLs that look too real to ignore, and the users land on phishing pages. Fear and a sense of urgency lead users to respond quickly. No two phishing emails are exactly alike, but all of them aim to extract data from the user themselves.
- Tailgating: Also referred to as "piggybacking," tailgating is an act of impersonation: the attacker tries to enter a restricted area under the identity of an authorised person. It is not very successful against large corporations, but attackers have used it successfully against medium and small companies. Attackers get familiar with employees and use this knowledge to enter the target areas.
Other social engineering attacks include pretexting, quid pro quo, and so on.
7. Traffic Interception Attack:
A traffic interception attack is similar to tapping a phone line or eavesdropping.
For example, two people are standing in a garden, discussing a confidential matter and its details under their breath. A stranger standing nearby strains to overhear the details in order to build a case against them. This is eavesdropping.
A traffic interception attack works the same way. Attackers use software such as packet sniffers to record network traffic and try to pick out passwords and other critical information as they travel to and from websites.
To protect yourself from traffic interception, make sure you are using robust encryption. Weak encryption makes it easier for an attacker to decrypt the information they have captured.
Password attacks are all but inevitable, and they cause severe damage around the globe. Attackers sell the information they capture for large sums or use it to destroy their targets' reputations. It is a large and growing illegal market, but a user can protect themselves by keeping in mind the points mentioned throughout this article.
Strong passwords are the essential first line of defence, making it hard for attackers to even get started. Mix all four character types, uppercase, lowercase, numerals and special characters; use random combinations; and choose a different password for each website.
Studies show that the average person keeps track of thirty to forty passwords, so make sure to store all of them on a secure device. Be thorough with your corporation's cybersecurity policy and raise concerns if you are not comfortable with any point.
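As an added illustration (not code from the article), here is a password check that enforces the advice above: all four character classes, rejection of anything on a common-password list such as 123456789 or "password," and rejection of the trivial variations of those words that hybrid brute force attacks try automatically. The minimum length and the word list are assumed values.

```python
# Added example (not the article's code): a password-policy check that
# enforces the article's advice: all four character classes, nothing from
# a common-password list, and no trivial variation of a common password.
# MIN_LENGTH and COMMON_WORDS are assumed values for illustration.
import string

MIN_LENGTH = 12  # assumed policy value

# Constructed mini "dictionary" standing in for an attacker's wordlist.
COMMON_WORDS = {"password", "letmein", "welcome", "qwerty", "admin",
                "12345", "123456789", "1234", "00000", "0000"}

# Common leet substitutions that hybrid attacks try automatically.
LEET = str.maketrans("@$!013457", "asioleast")


def normalize(pw):
    """Undo the tweaks a hybrid attack would try: lowercase, drop the
    digits/symbols tacked on at either end, then undo leet-speak."""
    stripped = pw.lower().strip(string.digits + string.punctuation)
    return stripped.translate(LEET)


def check_password(pw):
    """Return a list of policy violations; an empty list means accepted."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = [any(c.islower() for c in pw),
               any(c.isupper() for c in pw),
               any(c.isdigit() for c in pw),
               any(c in string.punctuation for c in pw)]
    if not all(classes):
        problems.append("needs uppercase, lowercase, digits and symbols")
    if pw.lower() in COMMON_WORDS:
        problems.append("appears in the common-password list")
    elif normalize(pw) in COMMON_WORDS:
        problems.append("is a trivial variation of a common password")
    return problems


if __name__ == "__main__":
    for candidate in ("123456789", "P@ssw0rd123", "Gr8!Shoe-Lace#42ab"):
        print(candidate, "->", check_password(candidate) or "accepted")
```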