Passwords are one of the most familiar building blocks of security. They are used not only for authentication but also in cryptography. The reasons are simple: password-based security systems are easy to use and cheaper to implement than the alternatives. One way or another, passwords are always in the news for one reason or another. Studies say that the ubiquity and simplicity of passwords make them the most attractive target for hackers. So, in this article, our main focus is to show how hackers can steal your passwords seemingly out of nowhere. We are also going to list some of the most common attacks hackers use to steal passwords, such as Credential Stuffing, Phishing, Password Spraying, Keylogging, and Packet Interception.
Password attacks are broadly classified into two major classes: (1) the targeted approach, where the attacker launches the attack against one specific target, and (2) the shotgun approach, where attacks are conducted indiscriminately against a wide range of random targets. Here, we are not just going to describe how hackers can steal your passwords, but also give effective countermeasures so you can protect your passwords from being compromised, or at least reduce the likelihood of a successful attack.
1. Credential Stuffing:
Before diving into the explanation of what this actually is, we would like to remind you of news items you have surely heard or read: “1 million Twitter user accounts compromised,” “plenty of LinkedIn accounts hacked,” “10 thousand credit card records made available on a public site or put on sale.”
What Is Credential Stuffing?
The name is made up of two words, ‘Credential’ and ‘Stuffing.’ Let’s look at each in turn. A ‘credential’ is nothing more than a claim and a proof: your username is the claim, and your password is the proof. Now, let’s look at the term ‘Stuffing.’ Stuffing implies testing stolen things in bulk. If we put it all together, it becomes ‘mass testing of stolen usernames and passwords.’ Where does all the data for testing come from? Mostly from the dark web and from websites that store large credential databases.
How Does Credential Stuffing Work?
In this type of attack, hackers exploit vulnerabilities found on websites to dump the database, steal the account information, and either use it themselves or sell it on the dark web. Millions of accounts are hacked every day by testing the usernames and passwords obtained from a stolen database against other sites, since there is a tendency among many users to reuse the same password across different sites. This attack’s severity is considered very high, as the attacker can compromise millions of accounts in one stroke.
Credential Stuffing Countermeasures:
Now, how can you protect yourself as an individual user from such attacks? Honestly, it is quite difficult for individual users to keep a breached account safe from this attack; the breach itself is out of their control. What users can do is keep their other accounts safe by setting a random, unique password on each of them, so that one leaked password does not open any other account.
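One way to act on this advice is to check whether a password already appears in a stolen credential database before you use it anywhere, without sending the password itself to anyone. The following Python example is added here and is not code from the original article. It simulates the k-anonymity style of lookup used by breach-checking services: the client sends only the first five hex characters of the password's SHA-1 hash and compares the returned suffixes locally. The five "breached" passwords, the range index and the generator alphabet are constructed for the example.

```python
import hashlib
import secrets
import string

# Constructed stand-in for a breached-credential corpus (five made-up entries,
# not real leaked data). A real check would query a breach-lookup service.
BREACHED_PASSWORDS = ["password", "123456", "qwerty", "letmein", "Summer2020!"]


def sha1_hex(password):
    """Upper-case hex SHA-1 of the password, the form breach corpora are usually keyed by."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_range_index(corpus):
    """Server side: bucket every breached hash by its first 5 hex characters.
    Returns {prefix: {suffix: occurrence_count}}."""
    index = {}
    for pw in corpus:
        digest = sha1_hex(pw)
        bucket = index.setdefault(digest[:5], {})
        bucket[digest[5:]] = bucket.get(digest[5:], 0) + 1
    return index


RANGE_INDEX = build_range_index(BREACHED_PASSWORDS)


def lookup_range(prefix):
    """Simulated range query. The client sends only a 5-character prefix and
    receives every stored suffix under it, so neither the password nor its full
    hash ever leaves the client (k-anonymity)."""
    return RANGE_INDEX.get(prefix, {})


def breach_count(password):
    """How many times this password appears in the corpus; 0 means not found."""
    digest = sha1_hex(password)
    prefix, suffix = digest[:5], digest[5:]
    return lookup_range(prefix).get(suffix, 0)


def is_breached(password):
    return breach_count(password) > 0


# Constructed alphabet for generated passwords.
ALPHABET = string.ascii_letters + string.digits + "!@#$%^&*-_=+"


def generate_unique_password(length=20):
    """Random per-site password from the OS CSPRNG, regenerated until it is not in the corpus."""
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if not is_breached(candidate):
            return candidate


if __name__ == "__main__":
    for pw in ["password", "Summer2020!", "correct horse battery staple"]:
        print(f"{pw!r}: seen {breach_count(pw)} time(s) in breach corpus")
    print("fresh password:", generate_unique_password())
```

The prefix/suffix split is the whole point: the lookup service learns only that some password hashing to one of roughly a million prefixes is being checked, while the client does the final comparison itself.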
2. Phishing:
Most of us receive a lot of spam emails every day. Sometimes it is even hard to tell genuine emails from spam. If you open your spam box, you may see emails saying you won a 1 billion dollar lottery, bought a car at an exciting price, and many property advertisements. To tell you the truth, not all spam emails are phishing emails. Confused? Let us tell you the main difference between spam and phishing emails. Both spam and phishing are related to social engineering. In general, advertisements and unwanted junk emails sent to many recipients to sell products or do marketing are considered spam. Phishing, on the other hand, is a form of cyber attack: cybercriminals craft phishing emails to deceive people into revealing confidential information like passwords, credit card information, and personal information. Let’s keep spam aside and continue our journey with phishing.
What Is Phishing, And How Does It Work?
This is hackers’ favorite attack type, because it doesn’t demand high technical knowledge: here the attacker obtains the password simply by tricking the user into revealing the credentials. Here is how it works. An attacker sends spoofed emails that look like they originated from a genuine source, containing a link to a malicious website or a malicious attachment, to a large number of random people. When the user sees an email with a fake web link telling them to reset their password, they visit the link and submit their username and password on the cloned website, believing the site is genuine. The cybercriminal then receives the submitted data. As the attack targets users in bulk, its severity is rated high.
There are many technological solutions on the market to prevent phishing attacks. However, as an individual user you also need to increase your awareness of cyber attacks and follow cybersecurity best practices. We will introduce you to some practices that will always give you an edge over phishing attacks.
- Keep backups up to date.
- Use MFA (Multi-Factor Authentication).
- Change credentials over time.
- Adhere to a password policy.
- Always update all your computers, tablets, and smartphones.
- Use antivirus and encryption.
- Follow all email security guidelines.
- Use a VPN whenever you need one.
3. Password Spraying:
What Is Password Spraying, And How Does It Work?
Password Spraying is a technique of attempting logins with commonly used passwords. You may wonder what makes it different from a Brute Force attack. This attack is similar to Brute Force in design, but it works the other way around.
In this attack, the attacker creates a wordlist made up of the most common passwords and sprays that wordlist across a bulk of accounts, trying one password against many usernames at a time, unlike a Brute Force attack, which tries many passwords against a single user. This attack has proved to be one of the most effective attacks against passwords, as many users still use simple and default passwords even today. This attack’s severity is considered very high, as the attacker can compromise millions of accounts in one stroke.
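On the defender's side, the difference described above is exactly what makes a spray detectable: one source failing against many different usernames a few times each, rather than one username many times. The Python example below is added here and is not from the original article; it runs that logic over a handful of constructed sshd-style log lines. The thresholds (5 failures, 5 distinct users, a 10-minute window) and the IP addresses are assumptions chosen for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of sshd-style authentication log lines (not from a real host).
# Source 198.51.100.7 tries one password against many different users (a spray)
# and finally gets in as "frank"; source 203.0.113.9 hammers a single account
# (brute force); 192.0.2.20 is a user who mistyped once and then logged in.
SAMPLE_LOG = """\
2024-03-01T10:00:01 sshd[101]: Failed password for alice from 198.51.100.7 port 40001
2024-03-01T10:00:03 sshd[101]: Failed password for bob from 198.51.100.7 port 40002
2024-03-01T10:00:05 sshd[101]: Failed password for carol from 198.51.100.7 port 40003
2024-03-01T10:00:07 sshd[101]: Failed password for dave from 198.51.100.7 port 40004
2024-03-01T10:00:09 sshd[101]: Failed password for erin from 198.51.100.7 port 40005
2024-03-01T10:00:11 sshd[101]: Accepted password for frank from 198.51.100.7 port 40006
2024-03-01T10:05:00 sshd[102]: Failed password for root from 203.0.113.9 port 50001
2024-03-01T10:05:01 sshd[102]: Failed password for root from 203.0.113.9 port 50002
2024-03-01T10:05:02 sshd[102]: Failed password for root from 203.0.113.9 port 50003
2024-03-01T10:05:03 sshd[102]: Failed password for root from 203.0.113.9 port 50004
2024-03-01T10:05:04 sshd[102]: Failed password for root from 203.0.113.9 port 50005
2024-03-01T11:00:00 sshd[103]: Failed password for alice from 192.0.2.20 port 60001
2024-03-01T11:00:30 sshd[103]: Accepted password for alice from 192.0.2.20 port 60002
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<ip>\S+)"
)


def parse_events(log_text):
    """Turn raw lines into (timestamp, result, user, ip) tuples; lines that don't match are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append((datetime.fromisoformat(m["ts"]), m["result"], m["user"], m["ip"]))
    return events


def classify_sources(events, window=timedelta(minutes=10), min_attempts=5, min_users=5):
    """Label each source IP by the shape of its failed logins inside a sliding window:
    - many distinct usernames, few failures each  -> "password_spray"
    - one username, many failures                 -> "brute_force"
    - otherwise                                   -> "benign"
    The thresholds are tunable assumptions, not values from the article."""
    by_ip = defaultdict(list)
    for ts, result, user, ip in events:
        if result == "Failed":
            by_ip[ip].append((ts, user))
    verdicts = {}
    for ip, fails in by_ip.items():
        fails.sort()
        verdict = "benign"
        start = 0
        for end in range(len(fails)):
            # Advance the window start until the burst fits inside `window`.
            while fails[end][0] - fails[start][0] > window:
                start += 1
            burst = fails[start:end + 1]
            if len(burst) < min_attempts:
                continue
            distinct_users = len({user for _, user in burst})
            if distinct_users >= min_users:
                verdict = "password_spray"
                break
            if distinct_users == 1:
                verdict = "brute_force"
        verdicts[ip] = verdict
    return verdicts


def accounts_to_review(events, verdicts):
    """Accounts that logged in successfully from a flagged source: a spray that
    ends in an 'Accepted' is the case most worth an analyst's attention."""
    return {user for _, result, user, ip in events
            if result == "Accepted" and verdicts.get(ip, "benign") != "benign"}


def analyze(log_text=SAMPLE_LOG):
    events = parse_events(log_text)
    verdicts = classify_sources(events)
    return verdicts, accounts_to_review(events, verdicts)


if __name__ == "__main__":
    verdicts, suspects = analyze()
    for ip, verdict in sorted(verdicts.items()):
        print(f"{ip:15} {verdict}")
    print("accounts to review:", sorted(suspects))
```

Note that a spray deliberately stays under any per-account lockout threshold, which is why the detection keys on the source and counts distinct usernames rather than failures per account.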
How To Prevent Password Spraying Attacks?
Prevention of this attack is quite simple. Make sure your password doesn’t appear anywhere in the 1000 most commonly used passwords on the internet, and create a unique password that would be very difficult to guess. We urge you to use a password generator to produce a password that complies with standard password practices.
- Use unique passwords.
- Use complex passwords with special characters and alphanumeric combinations.
- Password length should be more than ten characters.
- Change passwords periodically.
- Enable two-factor authentication.
- Use password generators.
4. Brute Force:
Let’s imagine you got into a position where all your guesses failed. You are only left with trying all possible combinations of characters. This is what we call a Brute Force attack.
What Is A Brute Force Attack And How Does It Work?
This is the most basic form of password guessing attack. The concept is to figure out the actual password by attempting every possible combination of characters; the goal is to find the correct password without infecting the target.
Theoretically, it sounds elementary, but who will try millions and millions of combinations by hand? It is not possible for a human to sit and try all possible combinations. But there are solutions: plenty of tools are available to automate the process. As we said earlier, in theory this attack may sound very simple, but in practice it is not. The significant challenges an attacker faces are the time and resources required to process the massive list of candidate passwords. The time and resources needed for a successful attack grow exponentially with the length of the password.
Dictionary attack: This is widely known as a subset of the Brute Force attack. A list of dictionary words is used as input, rather than all possible combinations, to carry out the attack.
Measures To Counter Brute Force Attack:
Countermeasures really depend on where the attack is applied. Hackers can use this attack to crack an account password or to recover the password protecting an encrypted document. The difficulty lies in where the attacker applies the technique.
This attack suits best an offline target such as an encrypted document or key, where automated tools can try candidates without restriction. However, it is tough to crack online account passwords, as administrators have many options to counter it, such as enforcing a time limit between two subsequent attempts. It is also possible to set the failed-attempt limit to a small number, say 5 or 10.
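Those two administrator options, a delay between attempts and a small failed-attempt limit, look like this when implemented server side. This Python example is added here and is not the article's code; the account names, the 5-failure limit, the doubling delay and the 15-minute lockout are assumptions chosen for illustration, and the fake clock exists only so the demonstration runs without sleeping.

```python
import time
from dataclasses import dataclass


@dataclass
class AccountState:
    failures: int = 0          # consecutive failed attempts
    locked_until: float = 0.0  # clock value before which logins are refused


class LoginThrottle:
    """Server-side throttle for an online login form (illustrative, not the
    article's code). Two controls from the text:
      - a growing delay between consecutive failed attempts (1s, 2s, 4s, ...)
      - a hard lockout once `max_failures` consecutive failures are reached."""

    def __init__(self, max_failures=5, base_delay=1.0, lockout_seconds=900.0,
                 clock=time.monotonic):
        self.max_failures = max_failures
        self.base_delay = base_delay
        self.lockout_seconds = lockout_seconds
        self.clock = clock  # injectable so tests and demos need not sleep
        self.accounts = {}

    def _state(self, user):
        return self.accounts.setdefault(user, AccountState())

    def allowed(self, user):
        """May this account attempt a login right now?"""
        return self.clock() >= self._state(user).locked_until

    def record_failure(self, user):
        """Register a wrong password; returns how long the account must now wait."""
        st = self._state(user)
        st.failures += 1
        if st.failures >= self.max_failures:
            delay = self.lockout_seconds            # hard lockout
        else:
            delay = self.base_delay * 2 ** (st.failures - 1)  # 1, 2, 4, 8 seconds
        st.locked_until = self.clock() + delay
        return delay

    def record_success(self, user):
        """A correct password clears the failure counter."""
        self._state(user).failures = 0


def attempt_login(throttle, user, password, verify):
    """Glue for a login handler: refuse while throttled, otherwise verify and record."""
    if not throttle.allowed(user):
        return "throttled"
    if verify(user, password):
        throttle.record_success(user)
        return "ok"
    throttle.record_failure(user)
    return "wrong_password"


class FakeClock:
    """Manual clock so the demo and tests do not actually wait."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def constructed_verify(user, password):
    # Stand-in for a real credential check against a password hash store.
    return password == "correct-password-placeholder"


def simulate_guessing(guesses, interval=0.5):
    """Feed a list of guesses for one account at a fixed interval; return each attempt's outcome."""
    clock = FakeClock()
    throttle = LoginThrottle(max_failures=5, clock=clock)
    outcomes = []
    for guess in guesses:
        outcomes.append(attempt_login(throttle, "alice", guess, constructed_verify))
        clock.advance(interval)
    return outcomes


if __name__ == "__main__":
    # Seven wrong guesses fired every half second: only three are even evaluated.
    print(simulate_guessing(["guess"] * 7))
```

The throttle is keyed by account, so it slows down brute force against one user; pair it with the per-source detection from the Password Spraying section, since a spray is designed to stay below this kind of per-account limit.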
5. Key Logging:
What Are Key Loggers?
Did you know you could be compromised through your keyboard, webcam, microphone, and almost anything you use to interact with your smart devices? All of this is possible by logging the victim’s data with the help of loggers. Loggers are too big a topic to describe in this small blog post, so let’s limit the focus to key loggers. Welcome to the world of key loggers, a subset of spyware designed to capture, store, and share the user’s keystrokes with others by any means.
How do Key Loggers Work?
Key loggers work like a surveillance camera. They capture each key you press, like a person sitting behind you and watching all your activities. Newer loggers also capture screenshots, webcam pictures, and audio from the microphone, and either send all the captured data to a remote operator or just store it locally.
How To Check For Key Loggers On Your Device?
Hardware modules are easy to spot, as they are visible to your eyes; you just need to recognize them. On the other hand, software key loggers are tricky to detect. The most common signs are:
- Your mouse and keyboard behave out of your control: for example, the mouse pointer disappears from one place and reappears at another without your action, or the keyboard cursor moves intermittently on its own.
- Your computer becomes less responsive or slow when running programs and loading websites. Some key loggers degrade system performance by eating up resources.
- Unexpected errors, program interruptions, and sometimes a system that reboots on its own.
- Your phone and tablet get hotter than normal, and the battery drains quicker than usual.
How Can You Protect Yourself From Key Loggers?
Here are the most common measures to counter the key loggers:
- Awareness is the key. You should gain some knowledge about key loggers: what they look like and what they are up to.
- Use a good antivirus program and run scans from time to time.
- Don’t download anything from untrusted websites; don’t open untrusted emails and attachments.
- Keep your system and applications up to date.
It’s always recommended to have a good antivirus application which
6. Traffic Interception:
Let’s imagine you have no password, or a weak one, set on your home WiFi router. An insecure network is a gift for hackers. They can connect to your router, and that’s how they enter your home network. It is as if they were inside your house: they can grab whatever they want. Now you get the point. If an attacker can steal your things while sitting remotely, what can they not do with direct access to your whole network? They can connect to your smartphones and TVs, your computers and file servers if you have them, and see and download any data you have.
How Do Attackers Steal Passwords Using Traffic Interception Techniques?
When an attacker has access to your network, he can sit between your computer and the WiFi router and watch all your network activity by intercepting the traffic with any basic packet sniffer program. This way, he can capture almost anything you enter on the web: usernames, passwords, card numbers, PINs, addresses, phone numbers, and everything else.
How Can You Protect Yourself From Getting Sniffed By Others?
Encryption and awareness are the best ways to counter interception attacks. Don’t leave your home network insecure. Encrypt all your smart devices with a strong key wherever you can. Stick with the standard password policy, and follow all best practices.
7. Local Discovery:
This is an old-school method of discovering a password. Let’s assume you have noted down all your passwords on a piece of paper or in a diary to avoid forgetting them. Imagine what would happen if someone got access to that diary with all your passwords in it. This attack can create a high impact, because once your diary has fallen into the wrong hands, you lose everything. The severity of this attack could be low, as it requires physical access to the victim or his belongings, but it can create a high impact in some cases.
How Do Attackers Apply The Local Discovery Method?
Here are some common local discovery methods:
- Stealing a document, a piece of paper, or a book that has a password written on it.
- Guessing the victim’s password based on personal details: favorite movie, actor, words, numbers, dates, phone number, car number, family members’ and pets’ names.
- Common social engineering techniques: verbally tricking the victim into revealing his password, impersonating one of his friends or a known person to get it, or searching for information in the dustbins.
How Can You Protect Yourself From Local Discovery Attacks?
Awareness is your best friend. Here are some of the things you should do to stop this type of attack, at least to a certain level.
- Avoid writing any confidential information on any type of paper resources.
- Follow standard password policies.
- Never use common dictionary words, pet names, or favorite names and numbers in your passwords, as they are easy to guess.
- Be wary of strangers when sharing any confidential information, and be aware of social engineering attacks.
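The password advice in this section and in the Password Spraying section above (more than ten characters, mixed character classes, not among the most common passwords, no dictionary words, pet names or personal numbers) can be enforced mechanically at the point where a password is chosen. The Python checker below is added here and is not code from the original article. Its common-password and dictionary lists are short constructed stand-ins for the full lists a real deployment would load, the leet-speak substitution table is an assumption, and the personal-information tokens are supplied by the caller.

```python
import re
import string

# Constructed stand-in for the "1000 most common passwords" list the article
# mentions; a real deployment loads the full list from a file.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "iloveyou", "welcome", "admin"}

# Constructed sample of dictionary words; a real check uses a full word list.
DICTIONARY_WORDS = {"summer", "winter", "football", "dragon", "monkey", "princess"}

# Character substitutions guessers already try: treating "P@ssw0rd" as
# "password" keeps the check honest.
LEET = str.maketrans("0134@$!", "oleaasi")


def normalize(password):
    """Drop trailing digits/punctuation, lower-case, undo leet-speak.
    'P@ssw0rd2024!' -> 'password'."""
    core = password.rstrip(string.digits + string.punctuation)
    return core.lower().translate(LEET)


def check_password(password, personal_info=()):
    """Return sorted policy-violation codes; an empty list means the password passes.
    `personal_info` holds strings that are easy to learn about the user (pet
    names, birth years, phone numbers) and must not appear in the password."""
    codes = set()
    if len(password) <= 10:
        codes.add("too_short")
    if not re.search(r"[a-z]", password):
        codes.add("no_lowercase")
    if not re.search(r"[A-Z]", password):
        codes.add("no_uppercase")
    if not re.search(r"\d", password):
        codes.add("no_digit")
    if not any(c in string.punctuation for c in password):
        codes.add("no_special")

    norm = normalize(password)
    lowered = password.lower()
    if norm in COMMON_PASSWORDS or lowered in COMMON_PASSWORDS:
        codes.add("common_password")
    if any(word in norm for word in DICTIONARY_WORDS):
        codes.add("dictionary_word")
    for token in personal_info:
        t = token.lower()
        # Tokens shorter than 3 characters would match almost anything.
        if len(t) >= 3 and (t in lowered or t in norm):
            codes.add("personal_info")
    return sorted(codes)


if __name__ == "__main__":
    # Constructed examples: a disguised common password, one built from a pet
    # name and a birth year, a plain dictionary word, and an acceptable one.
    samples = [
        ("P@ssw0rd2024!", []),
        ("Fluffy-1988-Rocks!", ["Fluffy", "1988"]),
        ("summer", []),
        ("Vivid#Lantern42Quiet", ["Fluffy"]),
    ]
    for pw, info in samples:
        print(f"{pw:22} -> {check_password(pw, info) or 'OK'}")
```

Normalizing before the common-password and dictionary checks is what catches the "Password123!" family that satisfies every complexity rule yet sits at the top of any spraying wordlist.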
We have covered some of the most common attacks hackers use to steal your password, such as Credential Stuffing, Phishing, Password Spraying, Keylogging, and Packet Interception. The list doesn’t end here. It is the prime task of cybercriminals to compromise you by any means, and as technology develops, criminals develop new attack techniques. To be secure from all such cyber attacks, you should know how hackers can steal your passwords and develop defensive techniques against them.