The Types of Password Attacks and How to Prevent Them
Initially, going online, communicating with other users, and surfing the web was more of a pastime activity. Gradually, however, it became a crucial part of our everyday lives, and we now use the Internet to perform quite a few very important tasks. As time went by, people started thinking about security, and they were forced to use more and more passwords. The larger the number of passwords, the larger the number of people wanting to get their hands on them, and, we might also add, the larger the number of ways to compromise a password.
There are, indeed, a myriad of means of breaking or stealing a password, and chances are, cybercriminals will continue to try to perfect them. As unfortunate as it sounds, in some cases, there's nothing you can do to stop a hacker from compromising your account.
Password attacks targeting websites
When you create an account at, say, facebook.com, you send Mark Zuckerberg's people your password, and they must store it in some way so that the next time you visit the world's biggest social network, you can log in. There are quite a few dos and don'ts when it comes to storing passwords. Some websites tend to stick to the best practices while others don't. Consequently, sometimes, the bad guys go away empty-handed, and sometimes, they make off with quite a few passwords. Here's how they do it.
Theft of plaintext passwords
Some service providers just take your password and place it, along with your username, in a database. Then, they don't do much to ensure that the database is secured properly. All the hackers need to do is find it and download it. Thankfully, fewer and fewer websites store passwords in plain form nowadays, and while we still see it every now and again, this type of attack is not that common. The next one is, though.
Attacks on password hashes
Before putting a password in a database, the service provider must hash it. Hashing is a cryptographic function that turns a password into a long string of alphanumeric characters. In theory, it's a one-way process, meaning that once it's hashed, a password can't be turned back into its plain form. In reality, things are a bit different.
There are many different hashing algorithms. Some are trivial to crack, and others aren't. Older, weaker algorithms are vulnerable to so-called rainbow table attacks, which rely on a large table of precomputed hashes that the cybercrooks compare against the stolen ones until they get their hands on the password. Even if the hashing algorithm is strong in theory, its implementation matters if the data is to remain safe.
For website developers and system administrators, fighting attacks on stored passwords means hashing them with a strong algorithm and employing a unique cryptographic salt for every user. That way, even if two users use the same password, the hashes will be different, and the hackers will have no way of breaking into the accounts. Naturally, protecting the database containing the hashes is just as important.
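As an added illustration of the salted-hash advice above (example code written for this page, not from the article or any vendor it mentions): a per-user random salt with PBKDF2 from Python's standard library, placed beside the weak unsalted fast hash that precomputed tables defeat. The iteration count and the record format are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
from typing import Callable, Optional

# Assumed work factor for the example; pick it for your own hardware budget.
ITERATIONS = 200_000


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'iterations$salt_hex$hash_hex' with a fresh per-user salt."""
    if salt is None:
        salt = os.urandom(16)  # 128-bit random salt, different for every user
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    iterations, salt_hex, hash_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), bytes.fromhex(salt_hex), int(iterations)
    )
    return hmac.compare_digest(digest.hex(), hash_hex)


def unsalted_sha1(password: str) -> str:
    """The weak scheme: fast, unsalted, so one precomputed table fits every site."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def same_record_for_same_password(password: str, hasher: Callable[[str], str]) -> bool:
    """True when two users sharing a password end up with identical stored records."""
    return hasher(password) == hasher(password)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")  # constructed sample password
    print("stored record:", record)
    print("login with right password:", verify_password("correct horse battery staple", record))
    print("login with wrong password:", verify_password("Tr0ub4dor&3", record))
    print("unsalted SHA-1 repeats across users:", same_record_for_same_password("hunter2", unsalted_sha1))
    print("salted PBKDF2 repeats across users:", same_record_for_same_password("hunter2", hash_password))
```

Two users with the same password get two different records under the salted scheme, so a table built against one leaked hash tells the attacker nothing about the other.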
When hackers attack websites, the users are out of the equation. All you can do is keep your fingers crossed and hope that vendors have taken the necessary precautions to keep your password safe. When the attack is aimed at you, however, it will be your defenses that will be put to the test.
Password attacks targeting the user
There are many ways of stealing a password from a user. Here are just some of them.
Keyloggers are among the oldest types of malicious programs. Over the years they have evolved, and in addition to recording keystrokes, some of them can now also grab screenshots from the victim's computer and see which pages they visit. This makes harvesting the password and connecting it to the right account easier than ever.
Many people use their browsers for managing passwords because it's much easier than remembering and entering them every single time they want to log in to their accounts. The problem with this is that browsers aren't very good at securely storing login credentials, and there are now programs that can silently decrypt and steal passwords from some of the most popular browsers.
Phishing and social engineering
Phishing attacks tend to be rather effective because they exploit the weakest link – the user. Clever social engineering tactics create a sense of urgency which means that the victim is usually in too much of a hurry to realize that they're giving their login credentials to the wrong website.
At the same time, launching a phishing attack requires next to no investment of either money or time. The end result is that sometimes, criminals don't need to employ advanced hacking techniques to compromise your password. They just need to trick you into giving it away yourself.
Protecting your password against the cybercrooks
The precautions against password-harvesting attacks should be fairly obvious, but the colossal number of victims goes to show that plenty of users are either underestimating the problem or are unaware of it. Turning on the automatic updates of every single computer program you use is the simplest thing you can do to make sure that you have all the security patches and fixes. Running a reputable anti-malware program also minimizes the chances of getting hit by password-stealing trojans and keyloggers. Meanwhile, treating every email, link, and file with suspicion could fend off phishing attacks, and proper password management will ensure that in case one of your accounts gets compromised, the rest will remain safe.