8 Password Attacks and Simple Things You Can Do to Protect Yourself

Alex Ortiz
10 min read · Sep 17, 2020


Photo by Markus Spiske on Unsplash

Password Attacks

Passwords are the gateway to a digital frontier. Almost everything we do online requires some sort of password. Whether that password is alphanumeric or just numeric, a strong password is critical to keeping you and your personal data private on the internet. There are many tips for creating a strong password, but this white paper is not going to cover that. Its purpose is to help you understand the different types of attacks that can be performed to obtain or bypass your password. If you use the internet to access personal or private information that you do not want others to see, then this article is for you. We'll discuss the different strategies hackers use to gain access to your sensitive data. If you don't want to be caught off guard, or if you just want to make sure you are following best practices, keep reading... you'll thank us later.

This article is an in-depth review of eight different strategies that exist to circumvent the security of a password. Some of these strategies are simple and others require special tools. You'll be amazed at how easy it is to get around a password and the security it provides. Not all hope is lost: there are many different strategies that developers and individuals can use to help mitigate the risks of relying on a password. Let's explore each strategy and discuss what can be done to protect yourself against an attack. Keep in mind that there is no one-size-fits-all solution. In the world of cyber security, you need to think about security in layers. There is no silver bullet that will protect you from all of these attacks. The purpose of this article is to bring awareness, so that you as an individual know what to protect yourself against.

Passwords, in theory, are great because they help identify the person trying to gain access to a system. Whether that is a bank account, a healthcare record, or a Netflix account, you typically do not want unwanted people accessing your private and personal data. Most people follow the typical eight-character password with some sort of special character, an upper-case letter, and a number. People who really want a secure password use passphrases that are over ten characters long. Depending on the type of password you have, the following attacks will vary. Some take advantage of the language in your password. Others take advantage of weaknesses in the websites or services where you use your password. By the end of the article, you'll be aware that no matter what kind of password you have, it's not enough on its own. You have to be vigilant and use passwords along with other forms of protection if you want to be as safe as possible. Again, no matter what you do, you'll never be 100% secure. It's a game of cat and mouse in the cyber world, and as an individual you need to do what you can to keep up.

1) Don’t Write it Down

Number one: no matter how secure your password is, if you write it down you have already lost the battle. It doesn't matter if you have every special character, or if it's 100 characters long. If you write down your password, you just became extremely vulnerable to an attack. Having a password written down means that anyone with the intention of finding that password can now potentially get to it. You may be saying, well, how are they going to know where my password is "hidden"? That's a topic for a different article, but we'll just mention that social engineering is a real thing and a serious threat. Where there's a will, there's a way. This is especially true if you keep your password on a sticky note in plain sight (don't laugh, many people do this), in a notebook that can be misplaced, or even hidden in a drawer. Attackers know where to look, and if you make it easy for them, there's not much a super-secure password can do at that point. Finding your password in written form is a gold mine for an attacker. Do not write your password down. Memorize it and keep it locked in your brain. If you follow safe and secure password strategies, you should know that the most secure passwords are also the easiest to remember. There is no reason why you should be writing down passwords. Even if your password is safe at home, you never know who might gain access to it. Maybe it's the parental-control password you wrote down; if your children find it, there go the parental controls. Almost as important: don't share your password. Your password is intended to identify you as an individual. Sharing your password means that other people can pose as you and potentially do bad things on your behalf. Sharing your password also adds another vulnerability, because you now depend on that other person not to write down the password or reuse it for their own accounts.

2) Change Password from Hacked Websites

The next method is a little more technical, but super easy to fall victim to. You can have the most secure password in the world, following all the best practices, but if you use that password on a website that is hacked, change it immediately. Many companies will say that they encrypt their passwords so that even if they get hacked, access is not granted. But do you really want to trust a company's statements? It's always best to change your password immediately, because if someone gains access to a password list, your password is now compromised. Most people use the same password for multiple websites, so hackers are counting on the fact that your Facebook password will be the same password you use for your online banking. Routinely change your passwords even if websites don't get hacked. You never know when a website might fall victim to an attack.

3) Don’t use HTTP Websites for Password Submission

Another super easy way to get your password stolen is to use a website that isn't encrypted. When you visit a website, you'll see http:// at the start of the URL. This means that the website and its associated traffic are transmitted in plain text. What does that mean to the average user? It means that all the requests going between your computer and the computer where the website lives can be read by anyone in between. For most websites that's fine, because the majority of these sites are static or don't require input from the user. When a site does need user input, most websites will encrypt the connection using an SSL/TLS certificate. You see this in two forms in your browser. First, the URL changes to https://, which signifies that the traffic is secure and encrypted. Most browsers will also show a tiny lock next to the URL showing that things are secure. Whenever a website asks you for passwords or credit card information, make sure that the URL is HTTPS and that there's a little lock. If there isn't one, the website is not encrypted, and your passwords and credit card information are sent in plain text. This normally doesn't mean much, but if someone were listening to your traffic, for example on coffee-shop Wi-Fi, they could very easily capture your password and then use it. Again, it doesn't matter how complicated and secure your password is: if you transmit it in plain text, an attacker can very easily see it.

4) Dictionary Attack

The next methods are a little more technical, but it is still good to know that they exist and how you can protect yourself against them. The first type of attack is a dictionary attack. This is where special password-cracking software tries to crack your password by running it against a dictionary. What does this mean to you? If your password is a word that can be found in the dictionary, your password can be compromised in minutes. Even if your password contains special characters replacing specific letters, it is still extremely vulnerable. For example, cupc@ke is still just cupcake. The best course of action here is to make your password something that isn't found in the dictionary. This adds complexity to your password because it isn't a word anymore, but it can also mean that your password is now super hard to remember. A different way to combat dictionary attacks and still keep the password easy to remember is to use a very long passphrase, for example cupc@kesaremyfavoritesdesert. Every additional character of length adds several layers of complexity. Sure, special software may still be able to crack it, but with today's computing power it would still take about a century for that passphrase to be cracked. Check your password and make sure you don't have any words in there that may be found in the dictionary. If you absolutely must use a dictionary word, make sure the password is very long but easy to remember.
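The "cupc@ke is still just cupcake" point can be turned into a check you run on a candidate password before accepting it. The example below is added here and is not from the article; the small word list and the substitution table are constructed for the demo, and a real check would load a full dictionary or breached-password list.

```python
# Added example (not from the article): flag passwords that are really just a
# dictionary word, including ones using "leet" substitutions such as cupc@ke.
import re

# Constructed mini-dictionary standing in for a real word list.
DICTIONARY = {"cupcake", "password", "favorites", "desert", "sunshine", "welcome"}

# Common character substitutions undone before lookup (assumed, not exhaustive).
LEET = {"@": "a", "4": "a", "3": "e", "1": "l", "!": "i",
        "0": "o", "$": "s", "5": "s", "7": "t"}


def normalize(pw: str) -> str:
    """Lower-case the password and undo leet substitutions: cupc@ke -> cupcake."""
    return "".join(LEET.get(ch, ch) for ch in pw.lower())


def dictionary_words_in(pw: str, min_len: int = 4) -> list:
    """Return the dictionary words (length >= min_len) hidden inside the password.

    A long passphrase will contain words; that is fine as long as the whole
    password is not just one word, which is what is_weak() checks.
    """
    norm = normalize(pw)
    return sorted(w for w in DICTIONARY if len(w) >= min_len and w in norm)


def is_weak(pw: str) -> bool:
    """True if the password is a single dictionary word, possibly with leet
    substitutions and/or trailing digits or symbols (cupc@ke, P@ssw0rd123!)."""
    # Strip trailing digits/symbols either before or after undoing leet, so
    # both "cupc@ke1" and "password!" are caught.
    candidates = {
        normalize(pw),
        normalize(re.sub(r"[^A-Za-z]+$", "", pw)),
        re.sub(r"[^a-z]+$", "", normalize(pw)),
    }
    return any(c in DICTIONARY for c in candidates)


if __name__ == "__main__":
    for pw in ("cupc@ke", "P@ssw0rd123!", "cupc@kesaremyfavoritesdesert"):
        print(pw, "weak" if is_weak(pw) else "ok", dictionary_words_in(pw))
```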

5) Brute Force

You may be surprised by this next attack, but it still works. Similar to the dictionary attack, a brute-force attack tries every combination of characters until it gets the password just right. This would take forever if you did it manually, but just like with dictionary attacks, there is specialized software that can brute-force a short password in minutes. Brute-force attacks are effective because most people still use eight-character passwords with special characters. It doesn't matter how complex your password is or how many special characters you used, because eventually the brute-force software will arrive at it. This goes well beyond dictionary attacks, because the password can be just a collection of special characters with no meaning whatsoever and still be vulnerable to this attack. Fortunately, there are two ways to protect yourself. The first way, you as an individual have control over: just like with the dictionary attack, make your password long. Make it well over eight characters. For each character over eight, brute forcing gets harder and harder to do. Software and current computing power are optimized for eight characters. Get up to the 15-character range and brute forcing a password can take years, if not centuries. The second method is a little more out of your control, but engineers can use it to reduce the likelihood of a brute-force attack succeeding. The simple solution is to implement a limit on password attempts on any form where a password is required. If too many attempts are made, the account gets locked until some time has passed or until you reset your password. This is a simple but super effective way to fight off brute-force attacks. Brute-force attacks rely on being able to try every combination of characters to guess your password. This gets exponentially harder to do when you only have 5 attempts at guessing a password before the account gets locked out.

Now, this isn't a one-size-fits-all solution. Where there's a will there's a way, and a determined hacker will just keep trying until they are able to brute-force that password.
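The attempt limit the article recommends, written out as a small login gate (added example, not code from the article). The password check is injected as a callable, and the clock is injectable so the lockout window can be tested without waiting; `MAX_ATTEMPTS` and `LOCKOUT_SECONDS` are assumed values.

```python
# Added example (not from the article): lock an account after MAX_ATTEMPTS
# failed logins, and refuse all attempts until LOCKOUT_SECONDS have passed.
import time
from dataclasses import dataclass

MAX_ATTEMPTS = 5            # failed tries allowed before the account locks (assumed)
LOCKOUT_SECONDS = 15 * 60   # how long the lock lasts (assumed)


@dataclass
class AccountState:
    failures: int = 0          # consecutive failures since last success/lock
    locked_until: float = 0.0  # epoch seconds; 0 means not locked


class LoginGate:
    def __init__(self, check_password, now=time.time):
        self._check = check_password  # callable(username, password) -> bool
        self._now = now               # clock, injectable for tests
        self._state = {}              # username -> AccountState

    def attempt(self, username: str, password: str) -> str:
        """Return 'ok', 'bad_password' or 'locked'."""
        st = self._state.setdefault(username, AccountState())
        now = self._now()
        if now < st.locked_until:
            # While locked, do not even evaluate the password: a guesser gets
            # no signal, and the correct password is rejected too.
            return "locked"
        if self._check(username, password):
            st.failures = 0
            return "ok"
        st.failures += 1
        if st.failures >= MAX_ATTEMPTS:
            st.locked_until = now + LOCKOUT_SECONDS
            st.failures = 0
        return "bad_password"

    def is_locked(self, username: str) -> bool:
        st = self._state.get(username)
        return bool(st) and self._now() < st.locked_until
```

A fixed lockout also lets someone lock a victim out on purpose by guessing wrong five times, so production systems usually combine it with per-source rate limiting and a notification to the account owner.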

6) Spraying

Spraying is similar to a brute-force attack, but instead of trying every possible password against one account, an attacker tries a few common passwords against many accounts. This type of attack requires the attacker to have a list of usernames; they then attempt to break into accounts using commonly used passwords such as password123 or qwertyqwerty. There are two things to discuss when it comes to spraying attacks: first, how does an attacker get your username, and second, how can you protect yourself against it. The first question is really about the attacker obtaining a long list of usernames. Usually, when a company is hacked, the usernames it stores are unencrypted. If you remember from earlier, we discussed passwords being in plain text or encrypted. Well, if a company encrypts its stored passwords but not its usernames, then there is a chance you can fall victim to a spraying attack. There are a couple of ways to protect yourself against this. First, don't use the same username for every site you sign up for. For your more sensitive accounts, use a different and unique username. Second, do not use a common password. Lists of common passwords are easy to look up, so Google it. If you see your password on that list, change it immediately! Don't fall victim to this type of attack when there are two very easy things you can do to protect yourself.
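From the defender's side, spraying looks different from brute force in the login logs: one source failing against many usernames, rather than many failures against one username. The detector below is an added example, not from the article; the log format and the sample lines are constructed, and the thresholds are assumed.

```python
# Added example (not from the article): tell password spraying apart from
# brute force in a constructed authentication log.
from collections import defaultdict

# Constructed sample log: "timestamp src=IP user=NAME result=OK|FAIL".
# 203.0.113.5 fails once against six different users (spraying pattern);
# 198.51.100.9 fails twice against alice and then succeeds (brute-force pattern).
SAMPLE_LOG = """\
2020-09-17T10:00:01 src=203.0.113.5 user=alice result=FAIL
2020-09-17T10:00:02 src=203.0.113.5 user=bob result=FAIL
2020-09-17T10:00:03 src=203.0.113.5 user=carol result=FAIL
2020-09-17T10:00:04 src=203.0.113.5 user=dave result=FAIL
2020-09-17T10:00:05 src=203.0.113.5 user=erin result=FAIL
2020-09-17T10:00:06 src=203.0.113.5 user=frank result=FAIL
2020-09-17T10:00:07 src=198.51.100.9 user=alice result=FAIL
2020-09-17T10:00:08 src=198.51.100.9 user=alice result=FAIL
2020-09-17T10:00:09 src=198.51.100.9 user=alice result=OK
"""


def parse(line: str):
    """Split one log line into (src, user, result)."""
    fields = dict(kv.split("=", 1) for kv in line.split()[1:])
    return fields["src"], fields["user"], fields["result"]


def failures(log_text: str):
    """Yield (src, user) for every FAIL line, skipping blank lines."""
    for line in log_text.splitlines():
        if line.strip():
            src, user, result = parse(line)
            if result == "FAIL":
                yield src, user


def spray_sources(log_text: str, min_users: int = 5) -> dict:
    """Sources that failed against at least min_users distinct usernames."""
    users_by_src = defaultdict(set)
    for src, user in failures(log_text):
        users_by_src[src].add(user)
    return {s: sorted(u) for s, u in users_by_src.items() if len(u) >= min_users}


def brute_force_targets(log_text: str, min_fails: int = 3) -> dict:
    """(src, user) pairs with at least min_fails failed attempts."""
    counts = defaultdict(int)
    for key in failures(log_text):
        counts[key] += 1
    return {k: n for k, n in counts.items() if n >= min_fails}
```

In a real deployment both counts would be kept per time window, since a slow spray spread over days is designed to stay under exactly this kind of threshold.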

7) Rainbow Tables

And finally, perhaps the most sophisticated attack of them all: rainbow tables. Rainbow tables are valuable to an attacker because they essentially allow the attacker to reverse a hashed password. Companies that protect stored passwords run them through a hashing algorithm that produces a hash. Using a rainbow table, an attacker can look up that hash, reverse it, and recover the plain-text password. As an end user, there isn't much you can do to protect yourself against this attack. The only recommendation is to make sure you change your passwords often. If a website gets hacked, change your passwords even if the company says its passwords were encrypted, because, as you can see, an attacker might be able to use a rainbow table on them.

8) Keylogger

As an added bonus, I'd like to quickly mention keyloggers. While not specifically an attack on passwords, keyloggers pose a real threat. A keylogger is a piece of software installed on a victim's computer that records all keystrokes entered by the user. It records every keystroke regardless of what the user is typing. Keyloggers get onto a computer in one of two common ways. One, an attacker emails a suspicious file that looks harmless but is really a keylogger. The second method is to physically install the keylogger by inserting a USB thumb drive with the software preinstalled. In either case, as a computer user you should always be wary and take precautions: don't open unknown files from the internet, and don't let someone else use your computer unattended. Keylogger software also usually establishes an internet connection to a remote server where all the captured data is sent, so you can also monitor your network traffic for connections to addresses you know you aren't actually visiting.

There’s a lot that goes into protecting your passwords. As you can see, it’s not enough to have a good, strong password. There is so much more that goes into password safety and good practices. Change your password often and make sure you use long passphrases whenever possible.
