A Guide To Common Password Attacks And How To Protect Yourself

Tuesday, September 26, 2017

A Guide To Common Password Attacks And How To Protect Yourself


 
Passwords may not be the most foolproof security measure in the world but we are reliant on them for protecting our data, unfortunately. Knowing common password cracking techniques is an important step in the right direction to ensure your accounts remain secure. There are many forms of attacks that may lead to your password being stolen but knowing what they are is the first step to safety.  



Automated Software Attack

Password cracking software is easily available on the dark web, allowing even the most amateur hacker to try their luck. This automated software uses computing to systematically check password combinations until the correct password is identified. 

The most basic attack is known as a dictionary attackThis is where a computer program runs a file with every dictionary word against the password until it finds a match. This would typically be the first strategy used by a hacker as it requires the least computational power. 

A step up from the dictionary is the hybrid attack. These attacks target users who try to trick dictionary attack by replacing letters in their passwords with numbers and characters, such as “p@$$w0rd123”. 

A hybrid attack uses a combination of dictionary words with numbers preceding and following them, as well as replacing individual letters. 

So simply upgrading your dictionary password with digits won’t do much good against a hybrid attack. 

Finally, the brute force attack is the most effective but also a resource-consuming one. Brute force works through every possible alpha-numeric combination so no password can escape it, not even one from a password generator. However, it is true that the more characters there are in your password, the longer it will take to crack. 

Phishing

Very different from automated software attacks, phishing is all about manipulation. A portmanteau of phone and fishing (as in password fishing), this attack is older than the Internet itself and was originally conducted via a phone call. 

Phishing is all about getting the victim to reveal their password voluntarily. To achieve that, attackers typically send emails impersonating a legitimate institution, such as your bank or the government. Using a sense of urgency, hackers try to lure you into inserting your sensitive information (passwords or credit card information) into a fake website they set up for this purpose. Always check your emails for signs of whether they’re legitimate. Spelling errors and different email addresses are usually a giveaway but phishing can be quite sophisticated nowadays. Usually, a legitimate company won’t ask for your details straight away, and if it feels dodgy, it usually is, so always proceed with caution and be aware when clicking links in emails.  


Man-In-The-Middle Attack

Did you know that public Wi-Fi networks are a popular avenue of password theft? Hotspots in cafes, airports, and hotels are often unencrypted, allowing anyone to spy on your browsing information through an easy-to-access packet sniffing program. 

The hacker intercepts the traffic between your device and the server, hence the telling name “man-in-the-middle”. This attack reveals to them everything you do online, including messages you send, the pages you visit, and passwords you input. A general word of advice is that if it contains sensitive information such as bank details, don’t use a public Wi-Fi network to browse it.  


Counterfeit Apps

There are a plethora of fake apps on the market that are spiked with malicious software. The malware you might find in these apps includes key loggers, which take a record of everything you type, or screen scrapers which take screenshots of the login process. 

Fake apps tend to work just like legitimate apps and can even get a pretty good review score. What unsuspecting customers don’t know is that there is a spying program running in the background and collecting their login credentials. Always read reviews and be aware of counterfeit apps. Use ones you know and trust and if you’re suspicious, do your research first.  

So, these are some of the main ways that you can fall victim to data and password theft, but there are measures that you can take to make it less likely to happen.  


Use a Password Generator

The first step to securing your accounts is always to pick a strong password. A random string of letters and digits will withstand dictionary and hybrid attacks — the most common automated software attacks there are. And if it’s long enough, it will even defend you from a brute force attack. 

Coming with those long, complicated passwords can be a pain. Luckily, there are free password generators online that can come up with strong passwords for you. 


Never use the same password twice

There’s no point setting a strong password if you’re using the same one for all your data. You might as well hand your login credentials directly to the hackers. 

Data breaches are incredibly common. Big sites suffer from frequent hacker attacks, including Adobe, Tumblr, LinkedIn, and Facebook. Once login credentials leak, they are often sold on the black market to the highest bidder. Criminals then try the email and password combination on as many sites as they can think of. 

Curious if your accounts had been affected in a data breach before? Have I Been Pwned? is a handy website that lets you check if your email was involved in a data leak (spoiler alert: it almost certainly has). 


Download a Password Manager

There’s no need to remember dozens and dozens of unique passwords. A password manager is a program that will store passwords for you securely and all in one place. 

LastPass, KeePass, and 1password are some of the most popular tools on the market. LastPass and KeePass have free plans so you can test out this solution for yourself. 


Use a VPN when connected to public Wi-Fi

Man-in-the-middle attacks make public Wi-Fi incredibly dangerous for your personal data. But sometimes making use of open hotspots is a necessity. You can protect yourself with a VPN downloaded onto your device. VPN, or virtual private network, changes your real IP address and encrypts your Internet traffic. Unauthorized parties can still tune into your browsing session but all they will see is unintelligible code. 


Turn on Two-Factor Authentication

No matter how much effort you put into setting strong passwords and storing them properly, they’re never fully safe. That’s why it’s a good idea to add an extra layer of security to your most important accounts. Two-factor authentication is a combination of something you know (your password) and something you have (your phone or security key), so it makes account hacking extra hard. 

The most secure options for two-factor authentication are using an authentication app on your phone or a physical security key. Text messages are generally considered less secure as they can be intercepted by hackers. 

 To summarise, the vast number of different password stealing techniques might be daunting. Fortunately, there are many steps you can take to protect yourself. Hackers tend to target the easiest victims so even simple cyber security protections go a long way in keeping you safe. Be vigilant, be aware and use strong passwords.