Passwords are used to protect sensitive areas in the digital world, but there are several ways to crack a password and gain access to the protected area. Many security breaches involve an unauthorized user taking over an authorized account. There are seven common kinds of password attack:
- Brute Force
- Dictionary Attack
- Phishing
- Rainbow Table
- Credential Stuffing
- Password Spraying
- Keylogger
1. Brute Force:
This is the most common attack. The attacker tries to guess the correct password by working through all possible password combinations. Brute forcing usually starts with the simplest combinations and works its way up to more complex ones until it eventually finds the correct password.
2. Dictionary Attack:
This is similar to brute forcing, but instead of trying combinations blindly, the attacker uses dictionaries to try whole words or combinations of words.
3. Phishing:
Instead of guessing the password, the attacker may simply ask the user for it. To increase the chance of success, the attacker pretends to be a known, legitimate service. Often an email is sent to the target that leads them to a website with input fields for their credentials. The attacker may also pretend to be the company's IT department and ask for the data. This is called social engineering.
4. Rainbow Table:
Normal internet services use hash algorithms to turn users' plain text passwords into unreadable strings of letters, numbers and symbols. The password hash can then be stored in a database without the fear that a database breach directly exposes the users' plain text passwords. However, if an attacker obtains the users' hashes and already has a full list of pre-computed hashes, he can look up the plain text password that corresponds to each hash. A list like this is called a Rainbow Table.
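The lookup described above only works when every service hashes the same password to the same value. The following added example (not part of the original article) shows a tiny precomputed table matching an unsalted SHA-256 digest, and then failing against the same password once a per-user random salt is mixed in; it goes one step beyond the text by also showing a slow, salted hash (PBKDF2) as the recommended storage form. The word list and the demo password are constructed for illustration.

```python
import hashlib
import os
from typing import Dict, Iterable, Optional

# Constructed word list standing in for the dictionary a precomputed table is
# built from; a real table would hold millions of entries.
COMMON_WORDS = ["password", "letmein", "qwerty", "sunshine", "dragon"]


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password: the scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words: Iterable[str]) -> Dict[str, str]:
    """Precompute digest -> plaintext for every word (the table of the text)."""
    return {unsalted_hash(w): w for w in words}


def salted_hash(password: str, salt: bytes) -> str:
    """Same fast hash, but with a per-user random salt prepended. The same
    password now yields a different digest for every user, so a table that
    was computed without the salt never matches."""
    return hashlib.sha256(salt + password.encode()).hexdigest()


def slow_salted_hash(password: str, salt: bytes, rounds: int = 200_000) -> str:
    """Recommended storage form: salted AND deliberately slow (PBKDF2-HMAC),
    so that guessing is expensive even for one targeted user."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds).hex()


def reverse_with_table(digest: str, table: Dict[str, str]) -> Optional[str]:
    """Return the plaintext if the stored digest appears in the table."""
    return table.get(digest)


def demo(password: str = "sunshine"):
    """Returns (hit on unsalted store, hit on salted store, hit on slow store)."""
    table = build_lookup_table(COMMON_WORDS)
    salt = os.urandom(16)  # stored next to the hash, unique per user
    return (
        reverse_with_table(unsalted_hash(password), table),
        reverse_with_table(salted_hash(password, salt), table),
        reverse_with_table(slow_salted_hash(password, salt), table),
    )


if __name__ == "__main__":
    print(demo())  # ('sunshine', None, None)
```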
5. Credential Stuffing:
Attackers try usernames and passwords acquired from one service at other services as well. This often works because users re-use passwords and usernames across multiple services. It is similar to a brute force attack, but far more effective because the attacker already knows valid passwords.
6. Password Spraying:
This is part of the brute force family. The attacker tries a few commonly used passwords against many accounts of the same service. The attack succeeds if any of the users has one of these usually weak passwords. Instead of trying a near-endless number of passwords against one user's account, the attacker tries one or a few passwords against many users.
7. Keylogger:
A keylogger is installed on the victim's system and logs all of the user's keyboard input. Even strong passwords are easily captured with this method.
Prevention:
- Only allow long passwords that would take a long time to guess by brute force
- Don’t use common words, so a dictionary attack will not work
- Do unusual things, such as putting a symbol inside a word, like “pa:ssword”
- Do not re-use passwords
- Do not rely only on passwords for authentication; use multi-factor authentication instead