Password Cracking attacks, methods, prevention

In this article, we will talk about Password cracking attacks, their methods, and prevention. Password cracking attacks have become most common nowadays. These attacks are performed by cybercriminals or hackers to gain access to a user’s account. Once, the cybercriminal succeeds in signing in to a user’s account, the user’s account is compromised. Now, the attacker can get all the required information from the user’s account.

Such attacks are very dangerous because attackers can also perform these attacks to gain the usernames and passwords of the users’ banking accounts.

Password Cracking attacks and their methods

When an attacker attempts to guess or discover the password of a person, it is called a password cracking attack. Such types of attacks are very dangerous because they can result in a financial loss (if an attacker is successful in cracking the banking credentials). There are many different types of password-cracking attacks. Here, we will discuss the methods that hackers or cybercriminals use to crack users’ passwords.

1. Brute Force attack
2. Dictionary attack
3. Rainbow Table attack
4. Password Spraying
5. Phishing
6. Keylogger attack
7. Malware attack
8. Credential Stuffing
9. Shoulder Surfing

Let’s start.

1] Brute Force attack

A Brute Force attack is a guessing game in which an attacker tries to guess the users’ passwords by using the trial and error method. It is one of the oldest password cracking attacks but is still in use by cybercriminals. This attack is performed by using software that tries all possible combinations to find out the correct password of a computer, a network server, or a user’s account.

2] Dictionary attack

A Dictionary attack is a type of Brute Force attack in which an attacker tries to crack a user’s password by using all the words found in a dictionary. Some users use a single word to create their passwords. Dictionary attacks can crack the passwords of such users even if they use the most difficult word found in a dictionary.

3] Rainbow Table attack

Rainbow Table attack is one more method used by hackers to crack someone’s password. This method of password cracking works on hashes. Applications do not store passwords in the form of plain text. Instead, they store passwords in the form of hashes. In computing, a hash is a string having a fixed number of digits.

Applications store passwords in the form of hashes. When a user signs in by entering his password, it is converted into a hash value and compared to the stored hash value. The sign-in attempt succeeds if both hash values match.

A Rainbow Table is a precomputed table that contains a large number of hash values of passwords along with their corresponding plain text characters. Attackers use these hash values to crack the users’ passwords.

4] Password Spraying

Password Spraying is a type of Brute Force attack in which the attacker uses the same passwords on many different accounts. In other words, the password remains constant and the username varies in this attack. For example, a password, say admin@123 can be used on a large number of accounts with the Password Spraying method of password cracking. The accounts with the default password are usually compromised by this type of attack.

Read: How to find Breached Passwords with PowerShell

5] Phishing

Phishing is the most common method that malicious actors use to steal users’ passwords and other sensitive or confidential information. Hackers can also use Phishing to install malware on the users’ systems and then they control their system remotely.

Emails are most commonly used in Phishing attacks. However, there are also some other methods that hackers can use in a Phishing attack. In this attack, a user receives an email. This email looks like an authentic email, say an email message from Gmail. The email contains a message that forces a user to take immediate action, like:

Your account was logged in recently at ABC location. If this was not you, reset your password by clicking on this link.

When a user clicks on the link, he lands on the page that mimics Gmail, where he has to fill in both old and new passwords. When he enters his password, the malicious actor captures this information. Hackers also use this method to steal users’ banking passwords, credit card passwords, debit card passwords, etc.

6] Keylogger attack

Keylogger software that keeps a record of all keystrokes. Password cracking becomes easy after installing the Keylogger software on the host or targeted computer. A Keylogger can also send the information of keystrokes to the hacker via a server. Once the hacker gets the log containing all the keystrokes, he can easily crack the users’ passwords. Hackers usually install the Keylogger software on the targeted system via phishing attempts. Keylogger detectors offer some form of protection.

Keyloggers are also available as a piece of hardware. They look like a USB flash drive. A malicious actor can insert this USB flash drive into one of the USB ports of your PC to record all the keystrokes. If you notice it, you can remove it and prevent the attack. But if it is inserted at the back side of your CPU case, it usually remains unnoticed.

7] Malware attack

Hackers install malware on a computer system for different purposes, like harming it, taking control of it, stealing confidential information, etc. Therefore, malware attacks are also malicious attempts to crack users’ passwords. Above, we have discussed Keyloggers that are available as hardware and software. Apart from that, hackers can use several other types of malware to steal passwords.

Malicious screen capture software takes screenshots of the user’s computer screen and sends them to the hacker. Another example of malicious software is a Browser Hijacker.

8] Credential Stuffing

Credential Stuffing is a method of cracking users’ passwords by obtaining the credentials from a data breach. When a data breach occurs, passwords and usernames of millions of users are stolen. These passwords and usernames remain available on the Dark Web. Hackers purchase these credentials from the Dark Web and use them to perform a Credential Stuffing attack.

Some users use the same password on all websites. This attack is a type of Brute Force attack and can lead to hacking of all the accounts of such users. For example, if a user’s account on platform A is hacked and he has used the same password on platform B, a hacker can easily hack his account on platform B once his username is known to the hacker.

9] Shoulder Surfing

It is not always the hackers or cybercriminals who perform password-cracking attacks. A person who is known to you can also steal your password. A Shoulder Surfing attack is a simple password-cracking attack in which a person keeps an eye on your keyboard when you type your password without letting you know. Once you log in to your account on a particular website, that person remembers your credentials and then uses them later to log in to your account on his device.

These are some of the methods that attackers use to attempt password-cracking attacks. Now, let’s see how to prevent these attacks.

Prevention of Password cracking attacks

Here, we will talk about some preventive measures that you should take to avoid becoming a victim of a password-cracking attack.

Always form long and difficult-to-crack passwords. Long passwords are usually difficult to crack. Use all possible combinations to create a password, including upper case letters, lower case letters, special characters, numbers, etc. You can also use free Password Generator software to create a strong password.

Enable Two-factor authentication. It will be best if you enable Two-factor Authentication for all your supported accounts. You can use your mobile number, another email address, or a prompt on your smartphone to allow login to another device.

Never click on a link from an untrusted source. Above, we have seen that hackers target people via phishing attacks and steal their credentials. Therefore, if you avoid clicking links from untrusted sources, you can protect yourself from becoming a victim of a phishing attack.

Keep an eye on the URLs. Always look at the URLs of the websites before entering your credentials. Hackers create phishing websites to steal users’ usernames and passwords. These websites mimic original websites but their domain names differ from authentic ones. You can identify a phishing website and differentiate it from the original website by looking at its URL.

Never use the same passwords. Many users habitually keep the same password for all their accounts. If you also do this, it can put you in trouble because if any one of your accounts is compromised, the risk of being compromised of all your accounts will become high.

Install a good Antivirus. Antivirus protects our systems from viruses and malware. You should install a good antivirus on your system and keep it updated to protect you against the most recent attacks.

I hope this helps.

What is the defense of password cracking?

The defense of password cracking attacks is creating a long and strong password. Include all characters in your passwords, including alphabets (in both lower and upper cases), special characters, numbers, symbols, etc.

Why is it called password cracking?

It is called password cracking because the attacker uses all possible methods to know the correct password so he can sign in to the account of the victim.

Read next: DDoS (Distributed Denial of Service) Attacks and Threats.