A Guide To Common Password Attacks And How To Protect Yourself

Tuesday, September 26, 2017

A Guide To Common Password Attacks And How To Protect Yourself

Passwords might not be the most foolproof security measure under the sun, but for now we are reliant on them for protecting our data. Knowing common password cracking techniques is an important step towards securing your accounts more effectively. Read this guide to learn what threats are out there and how to prevent getting your accounts hacked.

Automated Software Attack

Password cracking software is easily available on the dark web, allowing even an amateur hacker to try their luck. This automated software uses computing to systematically check password combinations until the correct password is identified.

The most basic attack is known as a dictionary attack. A computer program runs a file with every dictionary word against the password until it finds a match. This would typically be the first strategy used by a hacker as it requires the least computational power.

A step up from the dictionary is the hybrid attack. This attack targets users who try to trick dictionary attack by replacing letters in their passwords with numbers and characters, such as “p@$$w0rd123”.

A hybrid attack uses a combination of dictionary words with numbers preceding and following them, as well as replacing individual letters.

So simply upgrading your dictionary password with digits won’t do much good against a hybrid attack.

Finally the brute force attack is the most effective but also resource-consuming one. Brute force works through every possible alpha-numeric combination so no password can escape it, not even one from a password generator. However, it is true that the more characters there are in your password, the longer it will take to crack.


Very different from automated software attacks, phishing is all about manipulation. A portmanteau of phone and fishing (as in password fishing), this attack is older than the Internet itself and was originally conducted via a phone call.

Phishing is all about getting the victim to reveal their password voluntarily. To achieve that, attackers typically send emails impersonating a legitimate institution, such as your bank or the government. Using a sense of urgency, hackers try to lure you into inserting your sensitive information (passwords or credit card information) into a fake website they set up for this purpose.

Man-In-The-Middle Attack

Did you know that public Wi-Fi networks are a popular avenue of password theft? Hotspots in cafes, airports, and hotels are often unencrypted, allowing anyone to spy on your browsing information through an easy-to-access packet sniffing program.

The hacker intercepts the traffic between your device and the server, hence the telling name “man-in-the-middle”. This attack reveals to them everything you do online, including messages you send, the pages you visit, and passwords you input.

Counterfeit Apps

There are plenty of fake apps on the market that are spiked with malicious software. The malware you might find in your apps includes keyloggers that take a record of everything you type or screen scrapers which take screenshots of the login process.

Fake apps tend to work just fine and can even get a pretty good review score. But what unsuspecting customers don’t know is that there is a spying program running in the background and collecting their login credentials.

Use a Password Generator

The first step to securing your accounts is always to pick a strong password. A random string of letters and digits will withstand dictionary and hybrid attacks — the most common automated software attacks there are. And if it’s long enough, it will even defend you from a brute force attack.

Coming with those long complicated passwords can be a pain. Luckily, there are free password generators online that can come up with strong passwords for you!

Never use the same password twice

There’s no point setting a strong password if you’re using the same one for all your data. You might as well hand your login credentials directly to the hackers. Why?

Data breaches are incredibly common. Big sites suffer from frequent hacker attacks, including Adobe, Tumblr, LinkedIn, and Facebook. Once login credentials leak, they are often sold on the black market to the highest bidder. Criminals then try the email and password combination on as many sites as they can think of.

Curious if your accounts had been affected in a data breach before? Have I Been Pwned? is a handy website that lets you check if your email was involved in a data leak (spoiler alert: it almost certainly has).

Download a Password Manager

There’s no need to remember dozens and dozens of unique passwords. A password manager is a program that will store passwords for you securely and all in one place.

LastPass, KeePass, and 1password are some of the most popular tools on the market. LastPass and KeePass have free plans so you can test out this solution for yourself.

Use a VPN when connected to public Wi-Fi

Man-in-the-middle attacks make public Wi-Fi incredibly dangerous for your personal data. But sometimes making use of open hotspots is a necessity. You can protect yourself with a VPN downloaded onto your device. VPN, or virtual private network, changes your real IP address and encrypts your Internet traffic. Unauthorized parties can still tune into your browsing session but all they will see is unintelligible code.

Turn on Two-Factor Authentication

No matter how much effort you put into setting strong passwords and storing them properly, they’re never fully safe. That’s why it’s a good idea to add an extra layer of security to your most important accounts. Two-factor authentication is a combination of something you know (your password) and something you have (your phone or security key), so it makes account hacking extra hard.

The most secure options for two-factor authentication are using an authentication app on your phone or a physical security key. Text messages are generally considered less secure as they can be intercepted by hackers.


The number of different password stealing techniques might be daunting. Fortunately, there are many steps you can take to protect yourself. Hackers tend to target the easiest victims so even simple cyber security protections go a long way.