Cyber Security: Password Attacks
Hi everyone, welcome back. Cyber security is an important area of focus. A whole lot of data is being stored and transmitted digitally, including sensitive data that could cause damage to a person or even a whole company if it were exposed. We will go over some common attacks used against passwords. With this introduction out of the way, let’s get into it.
Dictionary Attack
A dictionary attack is one of the most common types of password attacks. A dictionary attack tries every word in a dictionary, or every entry in a list of specific keywords such as a list of previously breached passwords, in an attempt to crack passwords. Special characters and numbers don’t appear in the words of a dictionary, so a dictionary attack won’t crack passwords that contain special characters or numbers. Oddly enough, misspelled words used as passwords also won’t be cracked, because they don’t appear in the dictionary.
Brute-Force Attack
A brute-force attack is another common type of password attack. A brute-force attack runs through every combination of characters in an attempt to crack a password. These characters include letters, numbers, and special characters. Having a password with random characters and a salt will slow down the attack, but given unlimited tries and enough time, a brute-force attack can eventually crack any password combination.
Hybrid Attack
A hybrid attack is a mix between a dictionary attack and a brute-force attack. It starts from a list of known words, such as a dictionary or specific keywords like a list of previously breached passwords, and then adds on character combinations from the brute-force method.
Password Spraying Attack
A password spraying attack is a method in which an attacker tries one common password against many accounts, rather than a traditional brute-force attack that tries a number of password combinations against a single account. Spraying may be used to avoid the account lockouts that a brute-force attack would trigger. Accounts vulnerable to password spraying are commonly found in applications or systems that set a default password on account creation.
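To make the contrast above concrete, here is an added example (not from the original post) of detection logic that separates the two patterns in failed-login records: many failures on one account from one source (brute-force, which a lockout policy catches) versus a few failures spread across many accounts from one source (spraying, which slips under a per-account lockout). The log format, the IP addresses and the thresholds are all constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Constructed sample of failed logins (not from any real system).
# Assumed format: "<time> FAIL user=<name> src=<ip>"
SAMPLE_LOG = """\
10:00:01 FAIL user=alice src=203.0.113.5
10:00:02 FAIL user=alice src=203.0.113.5
10:00:03 FAIL user=alice src=203.0.113.5
10:00:04 FAIL user=alice src=203.0.113.5
10:00:05 FAIL user=alice src=203.0.113.5
10:01:00 FAIL user=bob src=198.51.100.7
10:01:01 FAIL user=carol src=198.51.100.7
10:01:02 FAIL user=dave src=198.51.100.7
10:01:03 FAIL user=erin src=198.51.100.7
10:02:00 FAIL user=grace src=192.0.2.9
"""
LINE_RE = re.compile(r"FAIL user=(\S+) src=(\S+)")

# Thresholds are assumptions for this example; tune them per environment.
LOCKOUT_THRESHOLD = 5     # failures on one account from one source
SPRAY_MIN_ACCOUNTS = 4    # distinct accounts hit from one source...
SPRAY_MAX_PER_ACCOUNT = 2 # ...with at most this many tries each

def parse_failures(log_text):
    """Return {src_ip: {user: failure_count}} built from FAIL lines."""
    failures = defaultdict(lambda: defaultdict(int))
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            user, src = m.groups()
            failures[src][user] += 1
    return failures

def classify_sources(failures):
    """Label each source IP as 'brute-force', 'spraying' or 'normal'."""
    verdicts = {}
    for src, per_user in failures.items():
        peak = max(per_user.values())
        if peak >= LOCKOUT_THRESHOLD:
            verdicts[src] = "brute-force"  # one account hammered: lockout fires
        elif len(per_user) >= SPRAY_MIN_ACCOUNTS and peak <= SPRAY_MAX_PER_ACCOUNT:
            verdicts[src] = "spraying"     # many accounts, few tries each
        else:
            verdicts[src] = "normal"
    return verdicts

if __name__ == "__main__":
    for src, verdict in classify_sources(parse_failures(SAMPLE_LOG)).items():
        print(src, verdict)
```

Running it flags 203.0.113.5 as brute-force and 198.51.100.7 as spraying, while the single failure from 192.0.2.9 stays normal.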
Mitigations
There are a few different methods that can be used to mitigate these types of password attacks. You have likely seen most or all of them already. Let’s start with the first mitigation:
- CAPTCHA: With a CAPTCHA in place, a login submission is not accepted unless the CAPTCHA is successfully completed, which blocks automated guessing.
- Account Lockout: Setting a maximum number of failed login attempts before an account is locked can stop a password attack against that account.
- Salting: Salting adds random characters to a password before it is hashed, so that the stored value cannot be matched against a precomputed list. Salting can prevent a dictionary attack and slow down a brute-force attack.
- Password Requirements: Requiring numbers, special characters, and a minimum length results in stronger passwords. Having these requirements in place can prevent a dictionary attack and slow down a brute-force attack.
Things NOT TO DO: when creating a password, avoid using common words, keeping a default password, or choosing a simple password.
These are some of the common attacks used against passwords. Hopefully this raises some awareness of what can happen during these types of attacks. We went over password attacks and also some common mitigations that can be used to prevent them. Keep up the good security practices. I hope this helps. Thanks for reading.