In a world where everything from socializing and shopping to banking and healthcare is online, the importance of securing accounts cannot be emphasized enough. In this regard, passwords play a major role in protecting these identities. But are your passwords really safe? What do attackers do to lay hands on them? And most importantly, how do you stop them?
In this guide, we discuss some popular password attacks, such as phishing, brute-forcing, and keylogging, along with some tips on how not to fall prey to them.
In a phishing attack, the attacker tries to trick users into providing their password by sending emails that look legitimate. These attacks are crafted with one goal: Steal credentials from users.
Regular phishing emails are mass-targeted emails in which the attacker targets accounts on a well-known service in order to obtain sensitive information. These emails are sent from an email address that’s similar to the actual service, making it difficult to distinguish between real and fake and email addresses.
The email content can be anything from a password reset link to a request for an information update. They usually urge the receiver to act quickly. Since they’re mass-targeted, these emails use generic terms such as “user,” “customer,” or “client” to address the receiver.
Spear phishing attacks are targeted specifically at a user or an organization and are perpetrated by hackers posing as a trusted service that could be used by the organization, such as payroll, suppliers, or other third-party subscriptions. Since it’s more personalized, the chances of targeted receivers becoming victims is high.
These emails come in many forms, including:
Attacks try their best to mimic the legitimate domain, but with a bit of scrutiny you can easily spot fake email addresses.
Hover your mouse over the link text and check if the link is the same as the link text. Attackers use shortened link texts to make it look legitimate.
Don’t hesitate to contact the person or the organization directly to confirm the email is really from them. If you aren’t able to identify the name in the email address, it’s most likely fake.
If you aren’t sure about the email, don’t hesitate to mark it as spam or contact your IT team.
In a man-in-the-middle (MITM) attack, attackers either try to intercept communications or impersonate a trusted authority in order to steal passwords and usernames. MITM attackers can also go one step further and manipulate communication at both ends.
One of the most common ways of carrying out a MITM attack is setting up free, passwordless Wi-Fi hotspots in public spaces. Using this technique, attackers take advantage of the fact that communication over an unprotected network is readable. When unsuspecting users connect to these hotspots, the attacker becomes privy to all their information, including their credentials.
If the communication is over SSL, the attacker deploys various decryption techniques such as HTTPS spoofing, SSL beast, SSL hijacking, or SSL stripping to decrypt user information.
Information sent over insecure public networks is easily visible to third parties. A good practice is to not connect to any public hotspots that are not password protected.
Encrypted information is harder for MITM attackers to crack. Enabling encryption on your router along with using strong credentials are good practices.
When accessing your office network or a critical business network from remote locations, VPNs add a layer of protection by encrypting your traffic.
Brute-force attacks are the most popular password attacks in which the attacker tries out different login passwords until they find the right one. There are two types of brute-force attacks: online and offline.
Online brute-force attacks are performed by bots that try different combinations of login information on the targeted service. It's easier to brute-force shorter passwords than longer ones. Some tools used for online brute-force attacks are Medusa, ncrack, and patator. However, online attacks can be thwarted if the account is locked out after a few logins.
To eliminate the problem of account lockouts, attackers perform offline brute-force attacks. In offline attacks, attackers use various tools and techniques to decrypt stolen password hashes. One such technique is the dictionary method, also known as the dictionary attack.
Originally, dictionary attacks were a type of brute-force attack where the attacker guessed passwords against a dictionary of words. This dictionary has expanded from lists of words to lists of the most common passwords, their variations when substituting similar-looking numbers or symbols, lists of previously breached passwords, and more.
For more efficiency, attackers sometimes use rainbow tables, which are pre-computed databases of hashed passwords. The stolen hash can be looked up on the rainbow table to find the corresponding plaintext password.
Some popular dictionary attack tools include Cain and Abel, Crack, Aircrack-ng, John the Ripper, L0phtCrack, Metasploit Project, Ophcrack, and Cryptool.
The more complex a password is, the more difficult it is to guess or brute-force. A strong password is 8-15 characters long with a mix of numbers, cased letters, and special characters. Use a password generator or manager to protect yourself from password attacks.
Multi-factor authentication (MFA) adds an extra layer of authentication to the login process. Even if they have access to your credentials, attackers will be locked out if they try to log in when MFA is enabled.
Changing passwords invalidates stolen credentials. It's a good practice to change your passwords every 45 or 90 days.
Credential stuffing is unlike brute-force attacks in the sense that the attacker obtains a list of passwords and tries it across different services as opposed to a single service. These attacks rely on the possibility of the same password being used across different services or the reuse of old passwords.
Credential stuffing works with already available plaintext password combinations. Attackers set up several bots that try out stolen credentials across multiple sites and accounts simultaneously. This way, attackers successfully avoid the issue of account lockouts. Credential stuffing attacks have a higher chance of succeeding where brute-force attacks fail, all while evading detection.
Email addresses have greater visibility. By using different usernames, you reduce the chances of being exploited.
A password manager can keep track of different usernames and passwords across websites.
When bots are used to perform credential stuffing, using MFA and CAPTCHAs can be effective to thwart them.
Headless browsers can bypass CAPTCHAs, so they're indicative of suspicious activity.
Check for IP addresses that try to log in to multiple accounts and block them.
Touted as one of the oldest form of cyberattacks, keylogging spyware, if installed on your system, can record every keyboard stroke and pass on the information to attackers through the web.
Keylogging hardware and software is highly useful in applications such as telemetry, development, and testing, where it helps in debugging, proving IT compliance in some corporate environments, and so on. It's sometimes built-in as a hardware or a software feature. However, attackers exploit this functionality in malicious ways.
One example is when they build malware with keystroke logging. These malicious keyloggers can be propagated through techniques such as phishing or vulnerability exploits, or built into malicious websites and apps. When these websites or apps access systems through the web or through direct installation, they quietly spy and collect passwords and other sensitive information. This information is sent over the web to their command and control (C&C) servers.
Antivirus solutions can scan your downloads for malware and quarantine suspicious applications.
Malware installations can happen via phishing. Check out the section on phishing for more information.
Keystroke logging spyware is usually programmed to contact malicious C&C servers from your network. Monitoring outbound traffic with threat intelligence software can help you detect and remediate spyware in your network.
When keystroke logging spyware is disguised as legitimate software, it can go undetected by antivirus solutions. It's recommended to monitor suspicious activity around a software installation such as multiple login attempts or installations in unusual drives.
Zoho Corporation Pvt. Ltd. Tous droits réservés.