On the internet, millions of user accounts are created every day, and with them millions of passwords, which remain the most common way of proving who you are to a service. A strong password is the first line of defense against password attacks.
According to Verizon's 2019 Data Breach Investigations Report, 29% of all breaches involved the use of stolen credentials, which is why many technology companies are pushing toward password-less logins built on other factors such as biometrics. Removing the password not only removes the risk that comes with it but also reduces the payoff of phishing, since there is no reusable secret for a fake login page to collect.
Types of Password Attacks
Password attacks come in several forms, affect billions of users, and every internet user should be able to recognize them before an attacker walks off with their data. Most attacks today are about obtaining or cracking passwords, and the one most people have heard of is brute forcing. There are, however, several other kinds of attack around passwords that users should know about, described below.
Brute force attack: In a brute force attack, an attacker uses a program that tries to log in to a user's account with every possible password combination. Brute force attempts do not start at random; they start with the easiest-to-guess passwords and work outward. Against an online login form this is slow and noisy, which is why rate limiting and account lockouts help; against a stolen hash file it is limited only by the attacker's hardware.
Dictionary attack: Where a brute force attack goes character by character, a dictionary attack tries only the candidates most likely to succeed. As the name suggests, it draws on lists of common words and phrases, usually combined with predictable additions such as a year or a symbol, so that passwords like January 2020 or April@2020 fall quickly.
Phishing: In a phishing attack, attackers disguise their lure as an innocuous email that appears to come from a legitimate, familiar service. The email leads the user to a fake login page imitating that service. Often the attackers add a subtle, threatening angle, such as the prospect of the service being cancelled, which pressures users into handing over their credentials before they have thought carefully about the request.
Rainbow table attack: Rainbow tables sit at one point on the space-time trade-off spectrum of exhaustive attacks. A plain brute force attack stores no precomputed data and computes every hash at run time: minimal space, maximal time. A rainbow table instead precomputes hash chains of length k, alternating a hash step with a reduction step that maps a hash back to a candidate password, and stores only the start and end of each chain. For n passwords covered, this cuts storage from the n entries a full precomputed lookup table would need to 2n ÷ k, at the cost of recomputing parts of a chain during each lookup. A rainbow table is only useful against unsalted hashes: a per-user salt changes the function being inverted for every user, so a table built for one salt value is worthless against any other.
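The following is an added example, not code from the original page, showing the dictionary mangling described above and a miniature rainbow table for the attack just described: a toy space of three lowercase letters, unsalted SHA-1 as the hash, a position-dependent reduction function, and only chain endpoints kept in memory. The alphabet, chain length and number of chains are arbitrary choices for illustration. The last function shows the practical caveat: once a salt is mixed into the hash, the same table finds nothing.

```python
import hashlib
import string

# Toy parameters (chosen for illustration): 26^3 = 17,576 candidate passwords.
ALPHABET = string.ascii_lowercase
PW_LEN = 3
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 40      # k: hashes computed per chain
NUM_CHAINS = 600    # rows stored; each row is just (endpoint, start)


def h(password: str) -> str:
    """Unsalted SHA-1, the kind of hash a rainbow table can attack."""
    return hashlib.sha1(password.encode()).hexdigest()


def index_to_pw(i: int) -> str:
    """Map an integer in [0, SPACE) to a candidate password."""
    out = []
    for _ in range(PW_LEN):
        out.append(ALPHABET[i % len(ALPHABET)])
        i //= len(ALPHABET)
    return "".join(out)


def reduce_(digest: str, step: int) -> str:
    """Reduction function: hash -> some password in the space.
    Mixing in the chain position is what makes this a *rainbow* table and
    keeps two chains that collide from merging for the rest of their length."""
    return index_to_pw((int(digest[:12], 16) + step) % SPACE)


def dictionary_attack(target: str, words, years=("2020",)):
    """Dictionary attack with simple mangling rules (case, year, symbol)."""
    for word in words:
        for base in (word, word.capitalize(), word.upper()):
            for year in years:
                for cand in (base, base + year, base + "@" + year, base + " " + year):
                    if h(cand) == target:
                        return cand
    return None


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """Precompute chains; store only endpoint -> [start, ...]."""
    table = {}
    for c in range(num_chains):
        start = index_to_pw((c * SPACE) // num_chains)   # spread starts evenly
        pw = start
        for step in range(chain_len):
            pw = reduce_(h(pw), step)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: str, chain_len: int = CHAIN_LEN):
    """Find a preimage of `target` using only the stored endpoints."""
    for pos in range(chain_len - 1, -1, -1):
        # Assume the target sits at chain position `pos`; walk to the endpoint.
        pw = reduce_(target, pos)
        for step in range(pos + 1, chain_len):
            pw = reduce_(h(pw), step)
        for start in table.get(pw, []):
            # Rebuild that chain from its start and look for the target.
            cand = start
            for step in range(chain_len):
                if h(cand) == target:
                    return cand
                cand = reduce_(h(cand), step)
            # Falling through is a false alarm: same endpoint, different chain.
    return None


def salted_hash(salt: str, password: str) -> str:
    """Per-user salt: the table above was built for h(pw), not h(salt + pw)."""
    return h(salt + password)


if __name__ == "__main__":
    table = build_table()
    victim = reduce_(h("aaa"), 0)        # a password known to lie on chain 0
    print("cracked:", lookup(table, h(victim)), "expected:", victim)
    print("salted :", lookup(table, salted_hash("x9", victim)))
    print("dict   :", dictionary_attack(h("April@2020"), ["january", "april"]))
```

The table holds 600 rows yet can answer for up to 24,000 hashes (minus collisions), which is the 2n ÷ k saving in miniature; each lookup pays for that with up to k chain walks. A modern password hash (bcrypt, scrypt, Argon2) adds a salt and a deliberately slow function, defeating both the precomputation and the brute force loop.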
Credential stuffing: In a credential stuffing attack, attackers take lists of stolen username and password pairs and try them against many other services, automatically and repeatedly, until a pair matches. Credential stuffing relies on users' habit of reusing the same password across accounts, and it often succeeds. Stolen credential lists are also shared or sold on the dark web, so the same data circulates among many threat actors.
Password spraying: In a password spraying attack, the attacker takes a short list of the most commonly used passwords, or of passwords gathered from past intelligence on the target, and tries each one against many accounts. Spreading a few guesses across many users keeps every individual account below its lockout threshold, which is what distinguishes spraying from a brute force attack on a single account.
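As an added example, not from the original page, here is the detection side of the brute force and password spraying attacks described above, run over a small constructed authentication log: a brute force attack shows up as many failures against one account from one source, while a password spray shows up as one or two failures each against many different accounts from one source, a pattern a per-account lockout alone never notices. The log format, thresholds and addresses are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed log format (an assumption for this example):
#   <timestamp> auth: <OK|FAIL> user=<name> src=<ip>
LOG_RE = re.compile(
    r"^(?P<ts>\S+) auth: (?P<result>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

SPRAYED_USERS = ["alice", "bob", "carol", "dave", "erin",
                 "frank", "grace", "heidi", "ivan", "judy"]

# Constructed sample log, three situations mixed together.
SAMPLE_LOG = (
    # brute force: one source hammers a single account
    [f"2024-03-01T10:00:{i:02d}Z auth: FAIL user=alice src=198.51.100.7"
     for i in range(12)]
    # password spray: one source, one guess per account, many accounts
    + [f"2024-03-01T10:01:{i:02d}Z auth: FAIL user={u} src=203.0.113.9"
       for i, u in enumerate(SPRAYED_USERS)]
    # ordinary traffic: a login and a single mistyped password
    + ["2024-03-01T10:02:00Z auth: OK user=bob src=192.0.2.44",
       "2024-03-01T10:02:05Z auth: FAIL user=carol src=192.0.2.45",
       "2024-03-01T10:02:09Z auth: OK user=carol src=192.0.2.45",
       "garbage line that does not match the format"]
)


def parse(lines):
    """Yield parsed events; lines that do not match the format are skipped."""
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            yield m.groupdict()


def detect(lines, brute_threshold=10, spray_min_users=8, spray_max_per_user=2):
    """Aggregate failures per source address and flag both patterns.

    brute_force    : >= brute_threshold failures against one account
    password_spray : >= spray_min_users distinct accounts, each with at most
                     spray_max_per_user failures (stays under lockout limits)
    """
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> count
    for ev in parse(lines):
        if ev["result"] == "FAIL":
            failures[ev["src"]][ev["user"]] += 1

    alerts = []
    for src, per_user in failures.items():
        top_user, top_count = max(per_user.items(), key=lambda kv: kv[1])
        if top_count >= brute_threshold:
            alerts.append(("brute_force", src, top_user, top_count))
        if (len(per_user) >= spray_min_users
                and max(per_user.values()) <= spray_max_per_user):
            alerts.append(("password_spray", src, len(per_user),
                           sum(per_user.values())))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The single mistyped password from 192.0.2.45 produces no alert, which is the point of aggregating by source rather than alerting on every failure. Real spraying campaigns often rotate source addresses, so the same counting is usually also done per time window and across the whole user population; the example keeps one key to show the shape of the signal.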
Keylogger attack: One of the most insidious techniques, and one attackers increasingly use, is the keylogger. A keylogger records every keystroke a user types on a mobile device, laptop, or desktop and forwards it to a server the attacker controls, which collects user IDs, passwords, account details, and SMS messages. The attacker can then monitor the victim's communications and even withdraw money from the victim's bank accounts.
Traffic interception: In this attack, the attacker uses software such as a packet sniffer to monitor network traffic and capture passwords as they pass. Much like tapping a phone line, the software records whatever crosses the wire, and the attack is trivial when credentials are sent without encryption. Encrypted traffic may still be decrypted later, depending on the strength of the encryption used.
Man-in-the-middle: Here the attacker's program does not merely observe the traffic but actively inserts itself into the interaction, usually by impersonating a website or app. This lets it capture the user's credentials and other sensitive information, such as account numbers and social security numbers. Man-in-the-middle (MITM) attacks are often set up through social engineering that lures the user to a fake site.
Prevention Methodologies against Password Attacks
The latest NIST guidelines (SP 800-63B) favor passwords that are easy to remember and hard to guess, which in practice means length over forced complexity: NIST advises against composition rules that demand a mix of upper and lowercase letters, numbers, and special characters, because they produce predictable substitutions rather than real strength, and instead requires a minimum of eight characters while allowing long passphrases. Users should still avoid common words and phrases and anything site-specific (the name of the app they are logging into, or their own username). NIST also requires that each new password be checked against a blocklist of known poor choices: passwords from previous breaches, dictionary words, repetitive or sequential strings such as aaaaaa or 1234abcd, and those context-specific terms.
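The check described above, as an added example that is not code from the original page: a password acceptance function in the style of NIST SP 800-63B, with a length floor and ceiling, a blocklist lookup, context-specific terms, and a test for repetitive or sequential runs, and deliberately no composition rules. The blocklist, the minimum run length and the service name are constructed assumptions for the example; a real deployment would use a large breached-password corpus.

```python
import unicodedata

# Constructed stand-in for a breached/common password blocklist. In practice
# this would be a large corpus of passwords seen in previous breaches.
BLOCKLIST = {"password", "123456", "qwerty", "letmein", "welcome1",
             "password1!", "p@ssw0rd", "spring2020"}

MIN_LEN = 8     # SP 800-63B: at least 8 characters must be required
MAX_LEN = 64    # and at least 64 characters must be accepted


def has_run(pw: str, run_len: int = 4) -> bool:
    """True if `pw` contains a repetitive or sequential run like aaaa or 1234.

    A run is `run_len` consecutive characters whose code points all step by
    the same amount, where that amount is -1, 0 or +1 (zyxw, aaaa, 1234).
    """
    for i in range(len(pw) - run_len + 1):
        chunk = pw[i:i + run_len]
        diffs = {ord(b) - ord(a) for a, b in zip(chunk, chunk[1:])}
        if len(diffs) == 1 and diffs.pop() in (-1, 0, 1):
            return True
    return False


def check_password(candidate: str, username: str, service_name: str,
                   blocklist=BLOCKLIST):
    """Return (accepted, reasons). No composition rules are enforced."""
    pw = unicodedata.normalize("NFKC", candidate)   # normalize before comparing
    lowered = pw.lower()
    reasons = []
    if len(pw) < MIN_LEN:
        reasons.append("shorter than %d characters" % MIN_LEN)
    if len(pw) > MAX_LEN:
        reasons.append("longer than %d characters" % MAX_LEN)
    if lowered in blocklist:
        reasons.append("appears in breached/common password list")
    for term in (username, service_name):
        if term and term.lower() in lowered:
            reasons.append("contains context-specific word %r" % term)
    if has_run(pw):
        reasons.append("contains a repetitive or sequential run")
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("correct horse battery", "Password1!", "alice-rules-2024",
               "MyExampleApp#99", "xq1234zzp", "short1"):
        print(repr(pw), check_password(pw, "alice", "ExampleApp"))
```

Note that Password1! satisfies every classic composition rule and is still rejected, because it is in the blocklist, while the all-lowercase passphrase passes; that is exactly the shift the NIST guidance makes.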
Employee education also plays an important role in safeguarding accounts. One of the best defenses against social engineering is teaching users the techniques attackers use and how to recognize them. Strong passwords and education alone are not enough these days, though: cheap computing power lets criminals run tools that obtain or try massive numbers of credentials, which is why NIST also recommends not relying on passwords alone.
Specifically, companies should adopt single sign-on (SSO) and multi-factor authentication (MFA), of which two-factor authentication is the most common form. SSO reduces the number of passwords in play by letting employees log in to all their apps and sites with one set of credentials, so users only need to remember one strong password, which also makes protecting that one account with MFA all the more important. MFA requires an additional piece of evidence at login, such as a one-time code generated by an app like OneLogin Protect or a fingerprint. That extra factor makes it far harder for an attacker who has obtained only the password to impersonate the user.
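As an added example, not code from the page or from OneLogin, the following implements the time-based one-time password (TOTP, RFC 6238) that authenticator apps generate from a shared secret, together with the server-side check: a small clock-skew window plus rejection of any counter already used, so that a code captured by a keylogger or a phishing page cannot be replayed once the real user has consumed it. The secret is the RFC 4226/6238 test vector; the window size is an assumed policy choice.

```python
import base64
import hashlib
import hmac
import struct
import time

STEP = 30       # seconds per time step (RFC 6238 default)
DIGITS = 6      # code length shown by most authenticator apps


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the counter, dynamically truncated."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp(secret: bytes, at_time: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the clock."""
    return hotp(secret, at_time // step)


def verify_totp(secret: bytes, code: str, at_time: int, window: int = 1,
                last_counter: int = -1, step: int = STEP):
    """Server-side check.

    Accept the code for the current step or up to `window` steps either side
    (clock skew between phone and server), but never for a counter at or
    before `last_counter`, which the server stores after each success so a
    used code cannot be replayed. Returns the accepted counter, or None.
    """
    now = at_time // step
    for counter in range(now - window, now + window + 1):
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter), code):
            return counter
    return None


def secret_from_base32(encoded: str) -> bytes:
    """Shared secrets are usually handed to the app base32-encoded."""
    padded = encoded.strip().upper() + "=" * (-len(encoded) % 8)
    return base64.b32decode(padded)


if __name__ == "__main__":
    secret = b"12345678901234567890"          # RFC 4226 / 6238 test secret
    now = int(time.time())
    code = totp(secret, now)
    print("code:", code, "accepted counter:", verify_totp(secret, code, now))
    print("replay:", verify_totp(secret, code, now, last_counter=now // STEP))
```

The replay check is what turns a code into a true second factor against the interception attacks earlier on the page: a phishing page that relays the code in real time still gets one login, but it cannot reuse that code, and a keylogger's capture is useless thirty seconds later.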