In the 1960s, MIT's Compatible Time-Sharing System (CTSS) pioneered the use of passwords to grant individual users access to a computer system. And what could be considered the first-ever computer password theft was as simple as printing out the list of passwords stored on the system. No, really—this was done in 1962 by PhD researcher Allen Scherr so that he could access CTSS outside of his weekly allocated time.
Take a look at how far password theft and attacks have progressed in recent years. Every second of every day, organisations are fighting against cutting-edge hacking technology, and identity access has grown massively more sophisticated than merely remembering one unique word.
Because password theft is a constant problem, we've compiled a list of the eight most prevalent types of password-related attacks so you can keep your staff safe online and protect your company's data. Knowing what you're up against would be half the problem, and besides.
1. Phishing Attacks
Phishing is the type of password-related attempt that is now attracting the most social media attention, and it's easy to see why. Being targeted can't be avoided in 2020, with 75% of firms having endured a phishing attack—but falling for phishing attempts can.
The dilemma with phishing is that it relies on human error to work. Users willingly hand away from their private information on a plate instead of having to crack a password. And why do they do it in the first place? Because they aren't aware that they are handing aside their individual information to hackers.
Phishing functions in this manner. A hacker will send their target an email that appears to be from a legitimate source as a bank, network provider, or delivery service—and ask them to conduct a specific activity. As an example, consider PayPal. A hacker may send an email that looks like it came from PayPal, advising their target that their account has been frozen until they verify their identity online. When a person clicks on the link to the phoney PayPal site and inputs their credentials on this page, the hacker gets their information and may log in to their target's legitimate PayPal account.
But it doesn't halt there: if the user reused the password across countless stories, the hacker now has access to all of those accounts! This effectively takes us to our next topic.
2. Credential Stuffing Attacks
Humans, on the other hand, have famously awful recollections. That's why the possibility of memorising a variety of thousands of passwords for various accounts and changing them every three months is daunting.
According to a Google report, six out of ten consumers use the same password for several accounts as a result of this. This exposes upwards of half of the population to credential stuffing attacks, especially if one or more of their accounts has already been compromised.
Credential stuffing takes advantage of people's natural desire to overuse passwords. A hacker will utilise a variety of stolen usernames and passwords in this form of attack in the hopes of gaining access to an account where the victim has reused a hacked password. Hackers can get stolen passwords from the Dark Web or simply reuse ones they've already stolen through other means. This programme, https://haveibeenpwned.com/, can tell you if your passwords have been hacked on the dark web.
3. Brute Force Attacks
Brute force tactics are one of the most common and simple ways for hackers to obtain access to accounts, which explain why they're so common. In fact, it's believed that these types of attacks are responsible for 80% of all hacker breaches.
In order to get access to a user's account, a hacker will use a computer software to test various possible letter, number, and symbol sequences character by character until they find the appropriate combination.
This is done in a systematic manner, usually starting with the most common passwords—which is why "123456" and "password" (weak password) are cracked in less than a second. The programme is usually automated, and it can take into account password criteria such as a minimum character limit and the inclusion of a number or symbol, as well as bypass constraints on how many attempts can be made before the account is locked.
4. Dictionary Attacks
While dictionary exploits and brute force attacks are similar, there is a significant distinction. Rather than attempting to crack a password character by character, a dictionary attack begins to move through a list of commonly used words and phrases.
Dictionary attacks often use permutations of regularly used terms, but more advanced attacks employ details that are designed for specific users—and these details are readily available online. In fact, identifying an employee's pet's name from their Instagram account or their favourite band from their Spotify profile can take seconds.
5. Password Spraying Attacks
Password spraying, like that of the user’s password, is a sort of brute force violent attack that tries to enter accounts using regularly used passwords. A password spraying assault differs from other types of attacks in that it can target hundreds or even millions of people at once, rather than just one account, as the word "spraying" implies.
The chance of the hacker being caught by account lockout restrictions induced by numerous failed login attempts is also reduced by distributing login attempts across multiple users and organisations rather than one single user.
Password spraying attacks are frequent on single sign-on and cloud-based platforms, and they can be very harmful.
6. Keylogger Attacks
Keystroke loggers, often known as keyloggers, are particularly harmful since they may penetrate even the toughest passwords. Imagine someone looking over your shoulder while you punch in a password—no matter how strong the password is, they already know it since they saw you enter it in.
That's how keyloggers work: they eavesdrop on their target and record their passwords as they type them in, rather than deciphering them. Keyloggers record anything you type, not just passwords. This means that hackers don't have to guess usernames because they've already saved them.
Keyloggers are a sort of spyware that works by infecting a victim's device with malware. Software keyloggers are significantly more common than physical device keyloggers. This implies that in order to infect a victim's device, they must first gain access to it—usually through a phishing attack, a drive-by download, or a trojan. Keyloggers are nearly impossible to detect after they've infected a system, which is why, in this case, prevention is the best defence.
7. Man-In-The-Middle Attacks
MitM attacks are virtually self-explanatory—they entail data interception in transit. A hacker will sit in the middle of two separate locations, relaying data between them. Consider this scenario: three people are seated side by side, and the two on the outside must interact with each other through the person in the middle. Except during MitM assaults, the victims are completely unaware of the presence of the person in the centre.
A hacker will most likely use a proxy to obscure the fact that data is being intercepted in need to carry out an attack. To continue with our PayPal example, the hacker may create a bogus PayPal login page and tempt the victim to submit their credentials—but it doesn't stop there. The hacker will then grant the user access to their bogus site while leveraging the stolen credentials to access the victim's account on the legitimate PayPal site. The hacker then simulates the victim's actions on the real site and sends any responses back to the victim.
8. Rainbow Table Attacks
To understand how a rainbow table assault works, we must first grasp the concept of hashing. Hashing is the technique by which organisations transform and encrypt users' passwords so that they are stored as cryptographic sequences of characters within the system. When a user inputs their password after that, it is hashed automatically, and the hashed value is compared to the value stored in the system. If someone were to gain access to this password database, they would see the encrypted values rather than the actual passwords.
Rainbow table attacks are similar to dictionary attacks, that instead of a list of words, they utilise a rainbow table to crack passwords faster. Pre-computed hash functions are preserved alongside their hashed data in a rainbow table, which is fundamentally the key to decrypting encrypted passwords. A hacker can use it to compare values to this table and decrypt your database's hashed passwords. On the dark web, rainbow tables containing the answers to the following hashing algorithms can be discovered, as well as built using hacking tools like Rainbow Crack and 0phcrack.
Preventing Password-Related Attacks
When it comes to password security, the best defence is prevention. It's usually preferable to prevent attacks from occurring in the first place rather than having to defend your company afterwards.
The following are some of the most efficient strategies to protect your company from these disastrous password-related attacks:
- Implementing a password policy
- Enforcing a strong multi-factor authentication
- Investing in privileged access management
- Using a password manager
As a result, while hacking methodologies have expanded outside of just printing lists of users' passwords, our countermeasures have also had to change. And offering a reliable password solution in place for your company can mean the difference between a major data exposure and business as usual. Is the risk of not implementing one worth it?
YOU MAY ALSO LIKE
If you are a Microsoft Outlook user, it is very likely that at one time or another you have received the following error…
If you're the only one who knows your account's login information, getting the duplicate login detection error in Rocket…
The login page on a website is an important aspect of the user experience. It is the baseline for everything from logging…
Social login is a fantastic concept that arose from the massive amount of Social Media accounts that exist nowadays. We…
Google Meet is one of the popular video conferencing platforms. Like all Google apps, Google Meet comes with many features…