Password Attacks: How Much do you Know?

There are a variety of ways hackers can get hold of your passwords to compromise the confidentiality, integrity, and availability of your systems and accounts. The type and severity of the attacks will depend on how determined the attacker is to get hold of your accounts and whether you present anything of value to the attacker's cause. Nonetheless, everyone needs to know the methods hackers can use to breach the integrity of their passwords. Whether you are a clueless toddler with a tablet or a tech-savvy CEO, understanding password attacks will help you know how to protect yourself.

Non-Electronic Password Attacks

Non-electronic password attacks are a common tool for attackers without any deep technical knowledge. Such malicious actors will use subtle ways to get wind of your passwords, often without your knowledge. One such way is social engineering, where the individual manipulates and tricks you into revealing your password. The attacker might, for example, ask about your date of birth, your high school admission number (Mpesa users, wink), or your ID number. Because asking these questions directly may raise suspicion, attackers will weave their ambitions into stories and casual talk about, for example, past memories. Beware of people who subtly ask for private information.

Attackers may also make an attempt on your password by shoulder surfing, i.e., lingering around your workstation to observe you keying in your password. This technique may be difficult to notice, especially in an open plan office. You can avoid this by making sure no one is observing as you input your password. While at the ATM, ensure that you cover the number pad and block the entire area while transacting to prevent those behind you from observing your actions. 

Malicious individuals may also attempt to gain your password by dumpster diving, i.e., looking for clues to discarded passwords in places such as dustbins, shredders, or recycling areas. Protect yourself by not writing down your passwords or leaving sensitive pieces of information on your desk. Otherwise, completely destroy such information by fire. Just don't light up the whole office. You may end up having no computer to log into with your much cherished password.

Active Online Attacks

These kinds of attacks require increased technical knowledge. They involve direct communication with the victim's machine since they require active interaction. 

Dictionary attacks. This is where attackers make use of sets of common words and characters, such as those in the dictionary or lists of commonly used words (such as password or 123456789) to determine potential passwords. Often, your password will be matched against dictionary entries. When they do match, the attacker effectively gains access to your machine. This is why it is recommended that you use non-common and non-dictionary passwords, and further improve them by adding special symbols, numbers, and having longer password lengths. 

Brute force attacks. With brute force attacks, attackers will try every possible combination of guessed passwords to determine your real password. This is a largely non-technical method to gain passwords, and will typically take a longer time to crack especially if the attacker has no prior clues. Attackers may use this method in conjunction with, or where other password attacks have failed. Call it desperation. 

Rule-based attack. An attacker may attempt to gain your password by following the predefined rules of the system. For example, where a machine requires passwords to be at least 8 characters long, an attacker may, in conjunction with other attacks, try only passwords of 8 characters or more. As a simpler example, since a PIN typically requires 4 digits, an attacker will only try different combinations of 4 digits and not other types of characters.
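The dictionary, brute force and rule-based attacks above all succeed against the same class of password: a common word, possibly dressed up with capitals, leet substitutions or a trailing year. The defender's answer is to reject such passwords at the moment they are chosen. The following checker is an added example written for this article, not code from the original page; it assumes constructed sample wordlists (a real deployment would load full common-password and dictionary lists) and a hypothetical 12-character minimum, and it generalises the text's advice by undoing the same cheap substitutions a rule-based attack applies.

```python
import re

# Constructed sample lists (assumption: a real deployment loads the full common-password
# and dictionary lists; these few entries only illustrate the checks)
COMMON_PASSWORDS = {"password", "123456789", "qwerty", "letmein", "welcome", "iloveyou"}
DICTIONARY_WORDS = {"summer", "winter", "dragon", "monkey", "football", "sunshine", "password", "secret"}

# The substitutions a rule-based attack tries, applied in reverse: P@ssw0rd -> password
LEET_MAP = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                          "7": "t", "@": "a", "$": "s", "!": "i"})


def candidate_bases(password: str) -> set:
    """Reduce a password to the plain words it may have been built from."""
    lowered = password.lower()
    # drop leading/trailing digits and symbols, e.g. 'Summer2023!' -> 'summer'
    stripped = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    return {lowered, stripped, lowered.translate(LEET_MAP), stripped.translate(LEET_MAP)}


def check_password(password: str, min_length: int = 12) -> list:
    """Return the reasons a password is weak; an empty list means it passed every check."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears verbatim in the common-password list")
    weak_bases = candidate_bases(password) & (DICTIONARY_WORDS | COMMON_PASSWORDS)
    if weak_bases:
        problems.append(f"built from a dictionary or common word: {sorted(weak_bases)}")
    if password.isdigit():
        problems.append("digits only: a tiny keyspace for brute force")
    classes = sum(bool(re.search(p, password))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if classes < 3:
        problems.append("uses fewer than three character classes")
    return problems


def is_acceptable(password: str) -> bool:
    return not check_password(password)


if __name__ == "__main__":
    for pw in ("password", "P@ssw0rd1!", "Summer2023", "correct horse battery staple 42!"):
        print(f"{pw!r}: {check_password(pw) or 'OK'}")
```

Note that the leet-reversal catches "P@ssw0rd1!" even though it contains all four character classes: character-class rules alone are exactly what a rule-based attacker plans around, so the word-based check is the one that matters.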

Spyware and Keyloggers. Many modern password attacks depend on malicious code silently running among other processes to gather password information. Spyware actively monitors the sites you visit to harvest data such as what you enter into online forms. Keyloggers record your keystrokes, which are then sent back to the attackers. It is recommended that you run an antivirus solution that continually scans and monitors your system for spyware, trojans, and keyloggers.

To protect against these and other online attacks, also adhere to recommended password hygiene. In the figure below, notice how simple it is to conduct active online attacks on weak passwords.  

Passive Online Attacks

These are types of attacks that involve indirect communication with the target machine. Such an example is wire-sniffing where network traffic is intercepted with tools such as packet sniffers. The captured traffic can reveal passwords if the data travels unencrypted. This calls for strong encryption standards for data in transit.

Man-in-The-Middle attacks are also common in gathering passwords. Here, an attacker will strategically eavesdrop on communication between parties, and sometimes hijack the process to impersonate either of the parties to gain passwords. This type of attack can also be curbed by implementing strong encryption mechanisms between devices.

Closely related to the man-in-the-middle attack is the replay attack. Here, an attacker intercepts network traffic (such as a login exchange) and delays or resends it to the receiver to cause erratic actions leading to false identification or authentication. A replay attack can give access to a system even when the attacker does not know the real password. This can be prevented by using digital signatures with timestamps and additional information unique to a session or transaction.
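The receiver-side checks that defeat a replay are easier to see in code than in prose. Below is an added example, written for this article and not part of the original page, of the three checks the text names: an authenticator over the message (here an HMAC with a shared key standing in for a digital signature), a timestamp freshness window, and a per-message nonce that is remembered so a resent copy is refused. The key, the 30-second window and the message format are constructed assumptions.

```python
import hashlib
import hmac
import os
import time
from typing import Optional

WINDOW_SECONDS = 30  # assumption: how far a timestamp may drift before the message is stale


def _mac(key: bytes, msg: dict) -> str:
    """Authenticate body, timestamp and nonce together so none can be swapped in isolation."""
    data = f"{msg['ts']:.3f}|{msg['nonce']}|{msg['body']}".encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def sign_message(key: bytes, body: str, ts: Optional[float] = None,
                 nonce: Optional[str] = None) -> dict:
    """Sender side: bind the body to the current time and a fresh random nonce, then MAC it."""
    ts = time.time() if ts is None else ts
    nonce = os.urandom(16).hex() if nonce is None else nonce
    msg = {"body": body, "ts": ts, "nonce": nonce}
    msg["mac"] = _mac(key, msg)
    return msg


class ReplayProtectedReceiver:
    def __init__(self, key: bytes, clock=time.time):
        self.key = key
        self.clock = clock          # injectable so the checks can be tested deterministically
        self._seen = {}             # nonce -> time after which it may be forgotten

    def verify(self, msg: dict) -> tuple:
        now = self.clock()
        # 1. Authenticity first: an unauthenticated message must not touch any state.
        if not hmac.compare_digest(_mac(self.key, msg), msg.get("mac", "")):
            return (False, "bad signature")
        # 2. Freshness: a captured message cannot be held and resent much later.
        if abs(now - msg["ts"]) > WINDOW_SECONDS:
            return (False, "stale timestamp")
        # 3. Uniqueness: a copy resent inside the window is caught by its nonce.
        self._seen = {n: exp for n, exp in self._seen.items() if exp > now}
        if msg["nonce"] in self._seen:
            return (False, "replayed nonce")
        self._seen[msg["nonce"]] = now + 2 * WINDOW_SECONDS
        return (True, "accepted")


if __name__ == "__main__":
    key = b"constructed-shared-secret"      # assumption: provisioned out of band
    rx = ReplayProtectedReceiver(key)
    original = sign_message(key, "transfer 100 to account 42")
    print(rx.verify(original))              # accepted
    print(rx.verify(original))              # replayed nonce
```

The nonce set only needs to cover the freshness window, which is why entries are purged after twice the window: anything older is already rejected by the timestamp check, so the memory the receiver keeps stays bounded no matter how long it runs.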

Offline Attacks

When attackers harvest password files for cracking at a later time, on different infrastructure and in a different location, they are performing offline attacks. Later, they may use the results to gain entry to your system. The most common example of an offline attack is the rainbow table attack. Here, a database of password hashes (such as a stolen password file) is obtained, along with a rainbow table, which is a precomputed mapping of probable passwords to their hashes. Through this table, an attacker can crack passwords by converting probable passwords into hashes that are then matched against those in the stolen database. If the hashes match, the password is effectively discovered. Rainbow table attacks are less common these days because of salting, where a random string of characters is added to each password before it is hashed, making it difficult to recover the plaintext password from the hash.
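Why salting defeats a precomputed table is clearer with both schemes side by side. The example below is added for this article and is not code from the original page: the weak side is a plain unsalted SHA-256 lookup table built from a constructed five-word list (a real rainbow table is a space-optimised version of the same idea); the hardened side stores each password under its own random salt with an iterated hash (PBKDF2-HMAC-SHA256, an assumed choice) and verifies with a constant-time comparison. The storage format and iteration count are assumptions.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed wordlist (assumption: a real table is built from millions of words; this is a toy)
WORDLIST = ["password", "123456789", "qwerty", "letmein", "sunshine"]


def unsalted_hash(password: str) -> str:
    """The weak scheme: the same password gives the same hash for every user and every site."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words) -> dict:
    """Precompute hash -> password once; every later crack is then a lookup, not computation."""
    return {unsalted_hash(w): w for w in words}


def crack_with_table(table: dict, leaked_hash: str) -> Optional[str]:
    """Against unsalted hashes the stolen file is cracked with no work per target."""
    return table.get(leaked_hash)


def hash_password(password: str, salt: Optional[bytes] = None, iterations: int = 200_000) -> str:
    """The safe scheme: per-user random salt plus a slow, iterated hash."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    # assumed storage format: algorithm $ iterations $ salt $ derived key, all needed to verify
    return f"pbkdf2_sha256${iterations}${salt.hex()}${dk.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in constant time."""
    _algo, iters, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt_hex), int(iters))
    return hmac.compare_digest(dk.hex(), dk_hex)


def table_cracks_salted(table: dict, stored: str) -> bool:
    """A table of unsalted SHA-256 values cannot index a salted, iterated hash."""
    return stored.split("$")[-1] in table


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted leak cracked to:", crack_with_table(table, unsalted_hash("sunshine")))
    stored = hash_password("sunshine")
    print("salted record:", stored)
    print("table finds salted record:", table_cracks_salted(table, stored))
    print("login with right password:", verify_password("sunshine", stored))
```

Two users who both choose "sunshine" end up with different stored records because their salts differ, so an attacker who cracks one learns nothing about the other, and the iteration count means each guess against a stolen record costs real CPU time rather than a table lookup.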

Otherwise, you may use biometric authentication for your devices to eliminate rainbow table attacks as well as the other password attacks discussed above. Be wary, be smart. Do not be overconfident about your password. This is where it all starts to go wrong!

