What is a password attack?
Password attacks are just that: an effort by a third party to gain access to your systems by guessing a user’s password. These kinds of password assaults usually don’t require any malicious malware or apps to be installed on the device. Attackers may try to crack your password with software, although this software is often installed on their own computer.
Programs utilize a lot of tactics to obtain access to accounts, such as brute force assaults, to guess passwords and matching different word combinations against a dictionary list.
Types of Password Attacks
Phishing is when a hacker impersonates a trustworthy entity and sends you a bogus email in the hopes that you will freely provide your personal information. They may redirect you to a bogus “Reset your password” page or install dangerous software on your machine.
To avoid phishing attempts, take the following precautions:
Take a look at the email’s sender: Examine From the subject line of each email, double-check that the person they claim to be corresponds to the email address you expect.
Check the source again: If in doubt, contact the person who sent the email to confirm that it was sent by them.
Consult your company’s IT department: Your company’s IT department will generally tell you whether an email you receive is legitimate.
Attack by a man-in-the-middle
Man-in-the-middle (MitM) attacks occur when a hacker or compromised device stands in the middle of two uncorrupted entities or systems and decodes the data they’re transferring, including passwords. If Alice and Bob are exchanging notes in class and Jeremy is in charge of transmitting those notes, Jeremy can play the part of the guy in the middle. In 2017, Equifax removed its applications from the App Store and Google Play store because they were transferring sensitive data across unstable networks, allowing hackers to steal personal information.
Implement the following procedures to avoid man-in-the-middle attacks:
If someone on the street has access to your modem and router, they can use “sniffer” equipment to view the data that flows over it. Encryption should be activated on your router.
Use strong credentials and two-factor authentication: Several routers’ default login and password are never changed. If a hacker obtains access to the admin panel of your router, they can divert all of your traffic to their hacked servers.
Using a virtual private network (VPN) to protect your privacy: A secured virtual private network (VPN) can assist prevent man-in-the-middle attacks by guaranteeing that all of the servers to which you transfer data are trusted.
Brute force attack
If a password is the equivalent of using a key to enter a lock, a brute force assault is a battering ram. A hacker will attempt 2.18 trillion password/username combinations in 22 seconds, and if your password is simple, your account may be targeted.
Implement the following procedures to assist against brute force attacks:
Use a password that is tough to guess: A mixed case, mixed-character, ten-digit password is considerably different from an all-lowercase, all-alphabetic six-digit password. As the strength of your password grows, the likelihood of a successful brute force assault diminishes.
Modify and enable remote access: Consult your IT staff if your company utilizes remote access control. Using an access control tool helps lessen the risk of a brute-force assault.
Multi-factor authentication (MFA) should be required: A potential hacker can only obtain access to your account by making a request to your second factor if your account has MFA. Hackers would be unable to access your account since they would not have access to your mobile device or thumbprint.
Dictionary hacks, a type of brute force attack, rely on the human propensity for using “simple” keywords as passwords, with the most common of these being collated into “cracking dictionaries” by hackers. More complex dictionary assaults contain terms that are specific to you, such as your hometown, child’s name, or pet’s name.
Do the following to assist prevent a dictionary attack:
Never use a dictionary term as a password: If you’ve read it in a book, it shouldn’t be part of your password. If you must use a password instead of an access management solution, consider employing a password management system.
Accounts are locked after a specified number of password errors: It might be inconvenient to be locked out of your account when you forget your password. but the alternative is always account vulnerability. Give yourself five or fewer trials before your application advises you to relax.
If you don’t already have one, consider getting one: Password managers assist you prevent dictionary attacks by creating complex passwords for you.
If you’ve ever been hacked, you know that your previous passwords were almost certainly released onto a dodgy website. Accounts that have never had their passwords reset after a break-in are vulnerable to credential stuffing. In the hopes that the target hasn’t changed their passwords or usernames, hackers will attempt a variety of past usernames and passwords.
Follow these methods to avoid credential stuffing:
Keep a watch on your accounts: You can pay for services that track your online identities. but you can also check to see whether your email address has been related to any recent data breaches using free services.
Keep track of your passwords with a password manager: By employing a strong and consistent password, you may resist several credential stuffing password assaults, including dictionary attacks. You may use a password manager to keep track of them.
Defending Against Password Breach
The simplest method to avoid password assaults is to stop using them in the first place. Inquire with your IT specialist about building a unified security policy that incorporates the following elements:
Multi-Factor Authentication: Using a physical token or a personal computer (such as a smartphone) to authenticate users ensures that passwords aren’t the only way in.
When adopting a smart remote access platform, individual websites are no longer a source of user confidence.
Biometrics: A malevolent actor would have a hard time imitating your fingerprint or face shape.
PtH (Pass-the-Hash) attacks
An attacker doesn’t have to decrypt the hash to get a plain text password in a PtH assault; once obtained, the hash may be passed across for access to lateral systems. By obtaining RDP credentials from a privileged user during an RDP session, a hacker might increase privileges.
Attacks such as Pass-the-Ticket (PtT) and Golden Ticket
These include replicating Kerberos tickets and passing them on for lateral access between systems, similar to PtH. Theft of the krbtgt account on a domain controller, which encrypts ticket-granting tickets, is used in a Golden Ticket attack, which is a version of Pass-the-Ticket (TGT).
UK Cyber Security Ltd is here to help
If you would like to know more, do get in touch as we are happy to answer any questions.
Looking to improve your cybersecurity but not sure where to start? Begin by getting certified in Cyber Essentials, the UK government’s scheme that covers all the technical controls that will provide the protection that you need to help guard against criminal attacks. Or just get in touch by clicking contact us.