What is a Password Attack?
A password attack is an attack in which an unauthorized third party tries to gain access to your accounts or systems by cracking a user's password. This kind of attack does not require any malicious code or software to run on the target system, although the attacker can use software that automates the attack, and in some cases malicious code does run in the background to capture passwords. Popular tools used in both online and offline password attacks include Hashcat, John the Ripper and crunch.
Different types of password attacks
Dictionary attack
In this attack, the attacker uses a list of common words, called a dictionary. It takes advantage of the fact that people usually keep their passwords short and common so that they are easy to remember. Usernames are generally easy to determine as well, since they are based on people's actual names, and the attacker takes advantage of this too. Many dictionaries are available on the internet, such as "rockyou.txt". rockyou.txt contains 14,341,564 unique passwords, used in 32,603,388 accounts as of 2019.
Brute-force attack
In this attack, the attacker tries every combination of characters that could be the password. The attacker does not scan for or exploit any vulnerability in the system or application; he simply tries all the permutations and combinations of a victim's password in the hope that one of them is correct. It is basically a trial-and-error method. In some cases, the attacker already knows the username and works through a large list of candidate passwords.
Traffic Sniffing attack
This attack usually occurs on a LAN (Local Area Network). The attacker can perform an ARP poisoning attack to become the man in the middle between your device and the internet, and can then monitor your network traffic. In most cases the traffic is encrypted, but if it is not, the attacker can view sensitive information passing between your device and the internet, such as credit card information, banking details, usernames and passwords. In this way the attacker can sniff your password.
Keylogger attack
In this attack, the attacker runs malicious code that captures the keystrokes on the victim's computer. This allows the attacker to capture not only usernames and passwords but also details of the application they are used in. Some of this malicious software is automated so that it reports the captured usernames and passwords back to the attacker through an SMTP (mail) server. The attacker designs the malware to recognize HTML forms, so both GET and POST requests carrying credentials can be recognized.
Social Engineering attack
Various social engineering attacks, such as phishing and spear-phishing, fall into this category. The attacker sends fake login pages that imitate web applications we trust; as soon as the victim enters credentials, the attacker is notified. This kind of attack is the most dangerous one: no matter how strong a password the victim sets, it can be captured easily by this attack. Links are sent via mail and messaging that direct us to the fake websites.
Another form of this attack is vishing. Here the attacker impersonates the help desk of a specific application and fools the victim into giving up sensitive information such as usernames and passwords over the phone.
How to defend against password attacks?
The best way to protect against password cracking is to keep the password as strong and complex as possible. Your password should contain capital letters, numbers, symbols, etc. Refrain from using common phrases as passwords, and do not include any personal phrases in your password: if you do, brute-force and dictionary attacks can crack it.
Secondly, you can enable the two-factor authentication provided by the application. Most applications these days offer this facility. It prevents the attacker from logging into your device or account even if he has cracked its password.
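As an added example (not from the original article), the following Python check shows why the advice above matters: it undoes the simple substitutions that cracking rule sets routinely reverse before comparing against a wordlist, flags personal terms, and estimates the brute-force keyspace from the character classes used. The wordlist is a constructed stand-in for a real dictionary such as rockyou.txt, and the 12-character and 60-bit thresholds are assumptions, not figures from the article.

```python
import math
import string

# Constructed mini wordlist standing in for a real dictionary (e.g. rockyou.txt).
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome"}

# Common leetspeak substitutions that dictionary rule sets undo as a matter of course.
LEET = str.maketrans("@4301$5!7", "aaeoissit")


def normalize(pw):
    """Lower-case, strip trailing digits/symbols, undo leet substitutions.
    'P@ssw0rd123!' collapses to 'password', which is what a rule-based
    dictionary attack effectively tests."""
    core = pw.lower().rstrip(string.digits + string.punctuation)
    return core.translate(LEET)


def in_dictionary(pw, wordlist=COMMON_PASSWORDS):
    return pw.lower() in wordlist or normalize(pw) in wordlist


def keyspace_bits(pw):
    """Rough brute-force keyspace, assuming the attacker knows which
    character classes are present (an optimistic estimate for the defender)."""
    alphabet = 0
    if any(c.islower() for c in pw):
        alphabet += 26
    if any(c.isupper() for c in pw):
        alphabet += 26
    if any(c.isdigit() for c in pw):
        alphabet += 10
    if any(c in string.punctuation for c in pw):
        alphabet += len(string.punctuation)  # 32 printable ASCII symbols
    return len(pw) * math.log2(alphabet) if alphabet else 0.0


def assess(pw, personal_terms=(), min_len=12, min_bits=60):
    """Return (ok, reasons): ok is True only when no weakness was found."""
    reasons = []
    if len(pw) < min_len:
        reasons.append(f"shorter than {min_len} characters")
    if in_dictionary(pw):
        reasons.append("matches a dictionary entry after undoing common substitutions")
    core = normalize(pw)
    for term in personal_terms:
        if term.lower() in core:
            reasons.append(f"contains personal term {term!r}")
    bits = keyspace_bits(pw)
    if bits < min_bits:
        reasons.append(f"brute-force keyspace only {bits:.1f} bits (< {min_bits})")
    return (not reasons, reasons)
```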