Most Common Password Attacks and How to Prevent Them
Do you think it takes an expert to crack your passwords? Well, here’s some bad news. The most common password cracking tools are easily accessible on the dark web. Pretty much anyone with average computer skills and the determination to do harm can launch an attack.
If you don’t want to become an easy target, let’s learn about the dangers and prepare your accounts for better protection. Developing a solid cybersecurity strategy that relies on healthy password practices should be your top priority.
To help you prevent potential security incidents, we prepared an overview of the most common password cracking strategies you should keep in mind.
Common password cracking attacks
1. Dictionary attack
This is the easiest password cracking technique and it tends to bring good results so hackers would typically attempt this attack first.
A dictionary attack is as straightforward as it sounds. Hackers usually use a file with countless words and phrases found in the dictionary. A computer program then runs through all the words until it finds a match. Millions of words can be processed in a matter of hours this way.
Creating a string of random words is a common password creation strategy. Unfortunately, it won’t protect you from the dictionary attack. All it can do is merely increase the time it takes to crack your password.
2. Hybrid attack
Some Internet users think they’re being smart by replacing letters in their passwords with numbers and characters, such as “p@$$w0rd123”. Sadly, a hybrid attack looks right through this sneaky idea.
A hybrid attack uses a combination of dictionary words with numbers preceding and following them, as well as replacing individual letters. Passwords that tricked the dictionary attack by adding a few digits are likely to be exposed in this attack.
3. Rainbow table attack
Most modern systems store passwords in a hash, which is a computer-generated numerical representation of letters, digits, and special characters. In theory, if a hacker gains access to a file with hashed passwords, he or she won’t be able to read them.
Unfortunately, hashes can be cracked. Hackers use a table for reversing the hash functions, called a rainbow table, to decode users’ passwords.
4. Brute force attack
As the name suggests, the brute force attack is not about being clever or subtle. The effectiveness and speed of this attack depends largely on the computational horsepower of a hacker, which makes it less common among amateurs.
Brute force works through every possible alpha-numeric combination so no password is safe . It does, however, require a lot of time and resources. Therefore, the more characters you have in your password, the longer it will take to crack it through brute force.
5. Man-in-the-middle attack
Password cracking software isn’t the only way for hackers to get your passwords. A common and relatively easy way to obtain a large amount of sensitive data is by targeting users on public Wi-Fi networks. Hotspots in cafes or hotels are often unencrypted, letting anyone on the same network spy on your browsing information.
The name “man-in-the-middle” comes from the fact that a hacker is intercepting the traffic between your device and the server. Thanks to this sneaky move, the attacker can view every page you visit, message you send, and login credentials you input. If you online shop while connected to an unreliable Wi-Fi, your credit card details can be also stolen that way.
Phishing is an attack where the hacker sends you an email posing as a legitimate institution to lure you into providing your sensitive information. The email usually contains a link that directs you to a page identical to your online banking or another website you use. When unsuspecting victims type in their login credentials, the information goes straight to the hackers.
An example of a phishing attack would be a message containing a sense of urgency, such as “Your credit card has been blocked”, or offers that sound too good to be true, like winning a contest you never entered. This type of messaging can prompt the victim to act fast and ignore red flags.
7. Hidden malware
Planting a virus on your devices is another way to get your login information. Hackers spike fake software with keyloggers that take a record of everything you type or screen scrapers that take screenshots of the login process.
Malicious software is often smuggled onto your device in counterfeit apps. It could be anything from a mobile game to a fitness app. Those fake apps often work just fine and raise no suspicion, but they are packed with nasty surprises that can wreak havoc on your device.
How to protect yourself from password theft
If this is the first time you see all these techniques listed together, you might feel overwhelmed. How can you possibly protect yourself when attackers seem to be waiting for you at every corner?
While you can never be completely safe from cyberattacks, protecting your accounts is less not as difficult as you might imagine. The simple advice below goes a long way when it comes to digital security. Read them in detail and try implementing them into your cybersecureity framework.
1. Never recycle passwords
Using the same password for all your accounts is the number one mistake when it comes to password security. If hackers get hold of your password from cracking one account, they can end up with a universal key to your privacy.
Data breaches are extremely common and they specifically target user login credentials. Leaked email and password combinations are then sold on the dark web for as little as a few dollars. The entire password trading model is based on the assumption that they can be used for several accounts. All too often, that assumption is correct. Therefore, make sure to create a unique password for each of your accounts and change them every 60 to 90 days to prevent further risks.
2. Use a password generator
The strongest password is one that can only be cracked with brute force, the most advanced and time-consuming type of attack. That means you have to say goodbye to dictionary words and embrace completely random passwords. There is an obvious problem, though. People aren’t good at coming up with randomized strings of letters and characters.
Luckily, we can outsource this task to technology. You can easily find free password generators online and use them to better protect your accounts. Also, bear these suggestions in mind when creating a new password:
- Every password should be at least ten characters long,
- It should contain a combination of upper and lower case characters,
- It should never contain common, dictionary words,
- It should never contain any personal information like names, birth dates, addresses, etc.
3. Download a password manager
A password manager is a program that keeps all your passwords and other sensitive information stored safely. You only need to memorize one master key to unlock all your login credentials. Since forgetting the master key puts you in a lot of trouble with account recovery, it’s recommended to make this one memorable.
Higher-quality password managers have a generating option, meaning that they can help you with creating passwords as well. Also, check if the password manager you set your mind on has other security features like an alert system or recovery options.
4. Enable two-factor authentication
No matter how strong your password is, it can still be stolen in phishing or man-in-the-middle attacks. That’s why you need to add an extra layer of security in the form of two-factor authentication. Two-factor authentication is a combination of something you know (your password) and something you have (your phone, security key, etc).
However, not all two-factor authentication methods are equally safe. Choosing SMS as the second authentication step is considered to be the weakest strategy. Hackers have proved in the past that they can trick phone companies to redirect the victim’s texts to a different SIM card.
Using an authenticator app on your phone or a physical security key is a recommended option. Those methods can protect you against social engineering attacks, making two-factor authentication extra powerful.
5. Turn on a VPN when using public Wi-Fi
As mentioned above, public Wi-Fi is a treacherous place for your data. But we have all been in a situation when you simply have to use an open hotspot. Thus, whenever you have to use free WiFi, make sure to turn on a VPN during the entire browsing session.
A VPN encrypts your internet traffic. Even if you’re connected to an unreliable network, hackers won’t be able to see the stream of data from your device. Your passwords, credit card details, and other data will therefore stay protected.
No matter how flawed, passwords are still the most common security measure we have. Unless we find a more secure method to protect our privacy, we need to learn to maximize their effectiveness.
Hackers are constantly learning new tricks to bypass cybersecurity protections. That’s why it’s important to regularly educate yourself on the newest threats and always upgrade your cybersecurity to the highest level.