Password attacks are a prevalent type of cyber attack that can result in the compromise of personal and corporate data. A password attack is any attempt by an adversary to gain unauthorized access to an individual's or organization's account by obtaining, guessing or cracking the password that protects it. Stolen or weak credentials have been one of the leading causes of breaches for years: Verizon's 2017 Data Breach Investigations Report, for example, found that 81% of hacking-related breaches leveraged stolen or weak passwords.
Passwords are vulnerable for several reasons, and none of them is a shortage of available characters. Most passwords are chosen by people, so they cluster around predictable patterns (dictionary words, names, keyboard walks, a capitalized word followed by digits and a symbol), which lets an attacker test the likely candidates first instead of the whole character space. Many users reuse one password across sites, so a single leak unlocks other accounts. A password is also a static secret: anyone who can observe or capture it, by phishing, malware or a leaked database, can simply replay it. Offline cracking compounds all of this, since modern GPUs test billions of candidates per second against fast, unsalted hashes, and choices such as "123456" or "password" fall in the first fraction of a second.
This guide aims to provide a comprehensive understanding of the main types of password attacks, with a real-world example for each:
Brute Force Attacks
A brute force attack uses automated tooling to try candidate passwords, in the limit every possible combination of characters, until it finds the one that works. It is usually successful when the password is short, drawn from a small character set, or otherwise predictable, and when nothing slows the attacker down: an exposed login endpoint with no lockout or rate limit, or a leaked hash that can be attacked offline at millions or billions of guesses per second.
Here are some ways in which a brute force attack can be executed:
- Trying all possible combinations of characters: The attacker enumerates every string over a chosen character set and length. A four-character password made only of lowercase letters has 26^4 = 456,976 possibilities. Each additional character multiplies the count by the size of the character set, so the keyspace grows exponentially with length; eight mixed-case alphanumeric characters already give 62^8, about 2.2 × 10^14 candidates.
- Trying common password combinations: Many brute force runs start from a pre-defined list of common passwords or dictionary words rather than the raw character space. Trying the list as-is is a dictionary attack (covered below); appending years, digits and symbols or changing letter case to produce further candidates is usually called a hybrid attack, and tools such as hashcat and John the Ripper express these transformations as rules.
- Trying variations of personal information: The attacker builds candidates from the victim's name, birthdate, partner's or pet's name, employer and similar details gleaned from social media, then applies the same mangling. This is typical of targeted attacks, where the candidate list is small but well aimed.
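The arithmetic above is worth seeing run. The following is an added example, not code from the original article: it computes keyspace sizes and worst-case exhaustion times for a few character sets, then performs an actual exhaustive search against a constructed unsalted SHA-256 hash. The guess rate of 10^9 per second is a stated assumption standing in for a GPU attacking a fast hash, not a benchmark.

```python
import hashlib
import itertools
import string

LOWER = string.ascii_lowercase                               # 26 characters
ALNUM = string.ascii_letters + string.digits                 # 62 characters
FULL = ALNUM + string.punctuation                            # 94 characters

# Assumed attacker rate for a fast unsalted hash on one modern GPU; a deliberately
# round placeholder, not a measured figure.
GUESSES_PER_SECOND = 10**9


def sha256_hex(text):
    """Unsalted SHA-256 of a string, the kind of hash a careless app might leak."""
    return hashlib.sha256(text.encode()).hexdigest()


def keyspace_size(charset, length):
    """Number of distinct strings of exactly `length` characters drawn from `charset`."""
    return len(charset) ** length


def seconds_to_exhaust(charset, length, rate=GUESSES_PER_SECOND):
    """Worst-case time to try every string of exactly `length` chars at `rate` guesses/s."""
    return keyspace_size(charset, length) / rate


def brute_force_hash(target_hex, charset, max_len):
    """Exhaustively enumerate all strings over `charset` of length 1..max_len,
    hashing each with unsalted SHA-256 until one matches `target_hex`.
    Returns (password, candidates_tried) or (None, candidates_tried)."""
    tried = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(charset, repeat=length):
            tried += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hex:
                return candidate, tried
    return None, tried


if __name__ == "__main__":
    for cs, n in [(LOWER, 4), (LOWER, 8), (FULL, 8), (FULL, 12)]:
        print(f"{len(cs):3d}^{n:<2d} = {keyspace_size(cs, n):>25,d}  "
              f"~{seconds_to_exhaust(cs, n) / 86400:.3g} days at 1e9 guesses/s")
    # Constructed victim hash: the worst case for this search, the last 4-letter string.
    target = sha256_hex("zzzz")
    print(brute_force_hash(target, LOWER, 4))
```

Pure Python hashes a few hundred thousand candidates per second, which is already enough to exhaust every four-letter lowercase password in about a second; the same loop over the 94-character set at length 12 would run for longer than the age of the universe even at the assumed GPU rate, which is why attackers rarely brute force blindly and instead use the targeted lists described in the next two bullets.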
The 2016 breach of the Democratic National Committee is often cited as a brute force attack, but the public record (the 2018 US indictment of GRU officers) describes spearphishing emails that harvested staff credentials, followed by malware planted on the DNC and DCCC networks, not password guessing. A better-documented brute force example is GitHub's November 2013 incident: GitHub reported login attempts originating from nearly 40,000 unique IP addresses that slowly guessed weak passwords on user accounts, and it reset the passwords of every affected account.
Password Spraying Attacks
A password spraying attack is a form of brute force attack that tries a small number of commonly used passwords (for example "Password1", the current season followed by the year, or the company name followed by digits) across a large number of user accounts. Traditional brute force works vertically, throwing many guesses at one account, which quickly trips the per-account lockout that most identity systems enforce. Spraying works horizontally: one or two guesses per account per lockout window keeps every account below the threshold while the attacker still covers the whole user directory. It needs only a list of usernames, which is often easy to obtain or to derive from the organization's email naming convention.
Password spraying attacks can be executed in several ways, including:
- Targeting a specific organization: The attacker may target a specific organization and attempt to gain access to multiple accounts within that organization using the same set of passwords.
- Targeting multiple organizations: The attacker may also target multiple organizations, using the same set of passwords across all accounts, in the hope that some accounts will be compromised.
- Using a botnet: Attackers may use a botnet to distribute the attack across multiple devices, making it harder to detect and block.
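To make the lockout argument concrete, here is an added simulation (not code from the original article) with a constructed identity provider that locks an account after five failures, the kind of default many directories ship with. It runs a vertical brute force and a horizontal spray against the same directory, then applies the detection rule a SOC would write for spraying: one source touching many accounts while staying under the lockout threshold on each. All users, passwords and IP addresses are constructed sample data.

```python
from collections import Counter, defaultdict

# Assumption: the directory locks an account after 5 accumulated failures.
LOCKOUT_THRESHOLD = 5


class MockIdP:
    """Constructed stand-in for a login service: checks a credential store and
    locks an account once it has accumulated LOCKOUT_THRESHOLD failures."""

    def __init__(self, credentials):
        self.credentials = credentials
        self.failures = Counter()
        self.locked = set()
        self.log = []  # (source_ip, username, outcome)

    def login(self, username, password, source_ip):
        if username in self.locked:
            self.log.append((source_ip, username, "LOCKED"))
            return False
        if self.credentials.get(username) == password:
            self.log.append((source_ip, username, "SUCCESS"))
            return True
        self.failures[username] += 1
        if self.failures[username] >= LOCKOUT_THRESHOLD:
            self.locked.add(username)
        self.log.append((source_ip, username, "FAIL"))
        return False


def brute_force_account(idp, username, candidates, source_ip):
    """Vertical attack: many passwords against one account."""
    for pw in candidates:
        if idp.login(username, pw, source_ip):
            return pw
    return None


def password_spray(idp, usernames, passwords, source_ip):
    """Horizontal attack: the password list is the OUTER loop, so every account
    sees one attempt per round and the per-account failure count stays low."""
    hits = {}
    for pw in passwords:
        for user in usernames:
            if idp.login(user, pw, source_ip):
                hits[user] = pw
    return hits


def detect_spray(log, min_accounts=10):
    """Flag sources that failed against many distinct accounts while staying
    below the lockout threshold on each. Returns {source_ip: accounts_touched}."""
    per_source = defaultdict(Counter)
    for source_ip, username, outcome in log:
        if outcome != "SUCCESS":
            per_source[source_ip][username] += 1
    return {
        src: len(users)
        for src, users in per_source.items()
        if len(users) >= min_accounts and max(users.values()) < LOCKOUT_THRESHOLD
    }


def demo():
    # Constructed directory: 40 users with unique strong passwords, except two
    # who picked the seasonal/onboarding passwords sprayers try first.
    users = [f"user{i:02d}" for i in range(40)]
    creds = {u: f"Xk9-{u}-v2P7!" for u in users}
    creds["user07"] = "Summer2024!"
    creds["user23"] = "Welcome1"
    idp = MockIdP(creds)

    hits = password_spray(idp, users, ["Password1", "Summer2024!", "Welcome1"], "203.0.113.5")
    locked_after_spray = set(idp.locked)

    guessed = brute_force_account(idp, "user00", [f"guess{i}" for i in range(20)], "198.51.100.9")
    return {
        "spray_hits": hits,
        "locked_after_spray": locked_after_spray,
        "brute_force_result": guessed,
        "locked_after_brute_force": set(idp.locked),
        "alerts": detect_spray(idp.log),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The spray takes two accounts without locking a single one, because no account ever sees more than three failures; the brute force against user00 is locked out on its fifth guess and recovers nothing. Note that the per-account failure counter that stopped the brute force is blind to the spray, which is why the detection has to pivot on the source rather than the account: the spraying address fails against all 40 users and is flagged, while the brute-forcing address touches one account and is caught only by the lockout itself. Real sprays rotate through many source addresses (the botnet case above) precisely to evade this grouping, so production detections also key on user agent, tenant and timing.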
In January 2024 Microsoft disclosed that the Russian state-sponsored actor it tracks as Midnight Blizzard had used a password spray to compromise a legacy, non-production test tenant account that did not have multi-factor authentication enabled. The actor then used that account's permissions to access a small percentage of Microsoft corporate email accounts, including those of senior leadership and members of the cybersecurity and legal teams. The lesson is the one spraying teaches every time: a single forgotten account with a guessable password and no MFA is enough.
Phishing Attacks
A phishing attack is a social engineering attack in which the attacker tricks the victim into handing over login credentials or other sensitive information by posing as a trustworthy entity, such as a bank, an employer's IT department or a social media site. It differs from the attacks above in that the password is neither guessed nor cracked: the victim types it into a page the attacker controls, so password strength is no defense at all.
Here’s how a phishing attack can be carried out:
- The attacker sends an email, text message, or social media message that appears to be from a legitimate source, such as a bank or social media site.
- The message typically contains a link, often hidden behind legitimate-looking display text or pointing at a look-alike domain, to a fake website that imitates the real login page.
- When the victim enters their login credentials on the fake website, the attacker captures them and can use them to log in to the real account, often within minutes, before the victim notices anything wrong.
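The "link to a fake website" step leaves tells that can be checked mechanically. The following is an added example, not code from the original article: it parses an email body with the standard library and flags anchors whose display text names a different host than the href, anchors that bury a trusted brand inside an unrelated registrable domain, and punycode (xn--) hosts that can render as homoglyph look-alikes. The sample email and the brand examplebank.com are constructed; the "last two labels" domain heuristic is a stated simplification that a production filter would replace with the public suffix list.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(url):
    """Lower-cased hostname of a URL; tolerates bare 'www.example.com' display text."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable_domain(host):
    """Last two labels of a host. Assumption: no public-suffix list is consulted,
    so co.uk-style domains are approximated; adequate for this demonstration."""
    return ".".join(host.split(".")[-2:])


def suspicious_links(html, trusted_domains):
    """Return [(href, [reasons])] for anchors that show classic phishing tells."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.anchors:
        host = host_of(href)
        reasons = []
        looks_like_url = "://" in text or text.lower().startswith("www.")
        if looks_like_url and host_of(text) != host:
            reasons.append(f"display text says {host_of(text)} but link goes to {host}")
        for brand in trusted_domains:
            if brand in host and registrable_domain(host) != brand:
                reasons.append(f"'{brand}' appears inside unrelated domain {registrable_domain(host)}")
        if any(label.startswith("xn--") for label in host.split(".")) or not host.isascii():
            reasons.append("internationalised host name (possible homoglyph look-alike)")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample lure imitating a fictional bank: one honest link, two bad ones.
SAMPLE_EMAIL = """
<p>Your account has been locked. Verify now:</p>
<a href="https://login.examplebank.com/verify">https://login.examplebank.com/verify</a><br>
<a href="https://examplebank.com.secure-verify-now.net/login">https://login.examplebank.com</a><br>
<a href="https://xn--examplebnk-2kd.com/login">Secure portal</a>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_EMAIL, ["examplebank.com"]):
        print(href)
        for reason in reasons:
            print("   -", reason)
```

The first link is clean, the second trips both the text/href mismatch and the brand-as-subdomain checks, and the third is flagged only for its punycode host, which is the case a human reviewer misses most often because the mail client renders it as Unicode that looks like the brand. None of these checks inspect the destination page; a fake login page that is pixel-identical to the real one is exactly what the attacker is counting on, so the URL is where the evidence lives.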
During the COVID-19 pandemic the World Health Organization (WHO) reported a sharp rise in attacks against its staff. In March 2020 a spoofed copy of WHO's internal email login page was set up to harvest staff credentials; WHO said the attempt was unsuccessful. The following month roughly 450 active WHO email addresses and passwords were leaked online alongside thousands belonging to other organizations working on the pandemic response; WHO stated that the leaked credentials came from an older extranet system and did not put its current systems at risk, but the episode shows how phishing and credential leaks feed each other during a crisis when people expect urgent messages from authoritative senders.
Dictionary Attacks
A dictionary attack is a password attack that uses a pre-defined list of words, commonly used passwords or passwords leaked in earlier breaches to guess the password, rather than enumerating the whole character space. Automated software tries each entry (and, in hybrid mode, simple variations of it) until it finds the correct password. It works because people choose memorable, and therefore predictable, passwords.
Some ways an attacker can execute a dictionary attack are:
- Using common passwords: Attackers start from lists of the most common passwords, such as "123456" or "password", and from passwords exposed in previous breaches; compilations such as the RockYou list are widely available online, so an attacker never needs to guess what people typically choose.
- Using dictionary words: Attackers can also use a pre-defined list of dictionary words as a starting point for a dictionary attack. These lists may include common words, names, or phrases.
- Adding numbers and symbols: To improve their odds, attackers apply rules that combine dictionary words with years, digits, symbols, leetspeak substitutions and capitalization changes, generating candidates such as "Summer2024!" or "p4$$w0rd" from the plain words "summer" and "password".
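The rule-based mangling in the last bullet is the part that makes dictionary attacks effective against passwords that pass "complexity" checks. Here is an added example, not code from the original article, of a deliberately tiny rule engine in the spirit of hashcat or John the Ripper rules: case changes, leetspeak substitution, an appended year and a common suffix. It runs the mangled candidates against a constructed set of unsalted SHA-256 hashes and a five-word constructed wordlist; the year and suffix tables are assumptions about what attackers currently favour.

```python
import hashlib

LEET = str.maketrans({"a": "4", "e": "3", "i": "1", "o": "0", "s": "$"})
YEARS = ("", "2023", "2024")        # assumption: years attackers currently append
SUFFIXES = ("", "!", "1", "123")    # assumption: a few very common terminators


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def mangle(word):
    """Yield rule-based variants of one wordlist entry (case, leetspeak, year,
    suffix), duplicates removed. Real rule sets have thousands of such rules."""
    bases = [word, word.lower(), word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    seen = set()
    for base in bases:
        for year in YEARS:
            for suffix in SUFFIXES:
                candidate = base + year + suffix
                if candidate not in seen:
                    seen.add(candidate)
                    yield candidate


def dictionary_attack(target_hashes, wordlist):
    """Hash every mangled candidate (unsalted SHA-256) and collect matches.
    Returns (found {hash: password}, candidates_tried). Stops early once every
    target hash has been recovered."""
    remaining = set(target_hashes)
    found = {}
    tried = 0
    for word in wordlist:
        for candidate in mangle(word):
            tried += 1
            digest = sha256_hex(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
                if not remaining:
                    return found, tried
    return found, tried


# Constructed "leaked" hashes and a constructed wordlist. Three of the four
# passwords are rule-derived from common words; the passphrase is not.
LEAKED = [sha256_hex(p) for p in
          ("Summer2024!", "p4$$w0rd", "Dragon123", "correct-horse-battery-staple")]
WORDLIST = ["summer", "password", "dragon", "letmein", "qwerty"]

if __name__ == "__main__":
    found, tried = dictionary_attack(LEAKED, WORDLIST)
    print(f"{len(found)} of {len(LEAKED)} hashes recovered after {tried} candidates")
    for digest, pw in found.items():
        print(digest[:16], "->", pw)
```

Three of the four hashes fall after a few hundred candidates, which is the point of contrast with the exhaustive search shown earlier: "Summer2024!" is eleven characters with mixed case, digits and a symbol, so a blind brute force over the 94-character set would never reach it, yet it is the third candidate derived from "summer". The passphrase survives because no wordlist entry plus a handful of rules produces it, which is the argument for long random or multi-word passwords over "complex" single words.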
In June 2017 the email system of the UK Parliament was subjected to a sustained attack in which the attackers systematically tried common passwords against members' and staff accounts. Up to 90 accounts, fewer than 1% of the total, were compromised because their owners had chosen weak passwords that did not meet Parliament's password policy; remote access to email was disabled for several days while the incident was contained.
Keylogger Attacks
A keylogger attack is a password attack that uses software (or, less commonly, a hardware device placed between keyboard and computer) to record every keystroke a user makes on their computer or mobile device. Keyloggers can be installed on a victim's device in several ways, including through malicious email attachments, trojanized software downloads, or physical access to the device. Once installed, the keylogger records everything the victim types, including passwords, credit card numbers and other sensitive information, and ships it to the attacker. Like phishing, it captures the password itself, so its length and complexity are irrelevant.
Some ways in which keylogger attacks can be executed are:
- Malicious downloads: The attacker can trick the user into downloading a malicious software or application that contains a keylogger.
- Phishing attacks: The attacker can use phishing attacks to trick the user into clicking on a link that installs a keylogger on their device.
- Physical access: The attacker can physically access the victim’s device and install a keylogger without the victim’s knowledge.
Banking trojans have relied on keylogging for years. The Zeus family, active from around 2007, recorded keystrokes and grabbed web-form submissions to steal online banking credentials, which its operators then used to drain accounts through networks of money mules. In 2010 the FBI's Operation Trident Breach, coordinated with UK and Ukrainian authorities, led to charges against more than a hundred people over Zeus-enabled thefts estimated at about $70 million from US bank accounts.
Rainbow Table Attacks
A rainbow table attack uses precomputed tables to recover passwords from stolen hashes far faster than hashing candidates one at a time. A rainbow table is a time-memory trade-off, not a plain list of every password with its hash (that would be too large for any realistic keyspace). The attacker precomputes long chains of alternating hash and "reduction" operations, where the reduction function maps a hash back to some string in the password space, and stores only each chain's start and end point. To crack a stolen hash, the attacker reduces and re-hashes it until it lands on a stored endpoint, then regenerates that one chain from its start to find the password that produced the hash. Tables can be generated by the attacker or downloaded, and one table serves against every dump that uses the same hash algorithm. The decisive caveat is that rainbow tables only work against unsalted hashes: a per-password random salt puts every user's password in its own effective keyspace, so no table can be precomputed for it. Modern password hashing (bcrypt, scrypt, Argon2, PBKDF2) salts by design and is deliberately slow, which defeats the technique outright.
Rainbow table attacks can be carried out in a few ways, including:
- Generating rainbow tables: The attacker can generate tables with software built for the purpose (RainbowCrack is the classic example). Building a table that covers a large keyspace is time- and storage-intensive, but the cost is paid once and the table can then be reused against any dump that uses the same unsalted hash algorithm.
- Obtaining pre-generated rainbow tables: Tables for common algorithms (LM, NTLM, MD5, SHA-1) and character sets have long been distributed publicly, so an attacker need not build them at all.
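Because rainbow tables are so often described, wrongly, as a big lookup table, here is a working miniature. This is an added example, not code from the original article: it builds a real rainbow table (hash, reduce, store only chain endpoints) over a constructed toy keyspace of three lowercase letters and unsalted MD5, recovers a password from its hash, and then shows the same table failing against a salted hash of the same password. The chain length, keyspace and salt are constructed parameters chosen so the whole thing runs in well under a second.

```python
import hashlib

CHARSET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                       # toy password space: 26^3 = 17,576 passwords
KEYSPACE = len(CHARSET) ** PW_LEN
CHAIN_LEN = 50                   # hashes per chain; longer chains = smaller table, slower lookup


def h(password):
    """The unsalted hash the table is built for (MD5, as in the classic tables)."""
    return hashlib.md5(password.encode()).hexdigest()


def index_to_password(n):
    """Map an integer in [0, KEYSPACE) to a password string."""
    out = []
    for _ in range(PW_LEN):
        out.append(CHARSET[n % len(CHARSET)])
        n //= len(CHARSET)
    return "".join(out)


def reduce_hash(hex_digest, column):
    """Reduction function: map a hash back into the password space. Mixing in the
    column index gives each step its own function, which is what distinguishes a
    rainbow table from Hellman's original chains and limits chain merges."""
    return index_to_password((int(hex_digest, 16) + column) % KEYSPACE)


def walk(start, steps):
    """Follow a chain: pw_0 = start, pw_{i+1} = R_i(H(pw_i)); return pw_steps."""
    pw = start
    for column in range(steps):
        pw = reduce_hash(h(pw), column)
    return pw


def build_table(starts):
    """Store only endpoint -> start; the intermediate values are recomputed at lookup."""
    table = {}
    for start in starts:
        table.setdefault(walk(start, CHAIN_LEN), start)
    return table


def lookup(table, target_hash):
    """Try each column as the position of the target, finish the chain from there,
    and if the endpoint is stored, rebuild that chain from its start to find the preimage."""
    for column in range(CHAIN_LEN - 1, -1, -1):
        pw = reduce_hash(target_hash, column)
        for later in range(column + 1, CHAIN_LEN):
            pw = reduce_hash(h(pw), later)
        start = table.get(pw)
        if start is None:
            continue
        candidate = start
        for col in range(CHAIN_LEN):
            if h(candidate) == target_hash:
                return candidate
            candidate = reduce_hash(h(candidate), col)
        # endpoint reached via a merged or colliding chain: false alarm, keep going
    return None


def coverage(table):
    """How many distinct passwords the stored chains can actually recover."""
    seen = set()
    for start in table.values():
        pw = start
        for col in range(CHAIN_LEN):
            seen.add(pw)
            pw = reduce_hash(h(pw), col)
    return len(seen)


# Constructed table: one chain started from every 40th password in the space.
TABLE = build_table(index_to_password(i) for i in range(0, KEYSPACE, 40))

if __name__ == "__main__":
    victim = walk("aaa", 5)                  # a password known to sit in a stored chain
    print(f"table entries: {len(TABLE)}, passwords covered: {coverage(TABLE)} of {KEYSPACE}")
    print("unsalted MD5 recovered:", lookup(TABLE, h(victim)))
    print("salted MD5 recovered:  ", lookup(TABLE, h("9f3a" + victim)))   # None
```

The table stores a few hundred endpoint/start pairs yet recovers thousands of passwords, which is the memory saving; the price is the per-lookup work of finishing up to CHAIN_LEN partial chains and the false alarms that chain merges produce. Prepending even a short constant salt to the password before hashing moves its hash out of every chain the table knows about, and a per-user random salt means the attacker would need a separate table per user, at which point plain dictionary cracking is cheaper and the table buys nothing.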
In 2012 attackers stole about 6.5 million LinkedIn password hashes and posted them online (the full haul, which surfaced in 2016, covered well over 100 million accounts). The hashes were unsalted SHA-1, so precomputed tables and fast GPU cracking recovered the majority of the passwords within days. The breach became a standard case study not because users chose weak passwords, though many did, but because LinkedIn stored them with a fast, unsalted hash; the salting it adopted afterwards is exactly what makes rainbow tables useless.
Password attacks are a common method used by attackers to gain unauthorized access to accounts and sensitive information. The types covered here, brute force, password spraying, phishing, dictionary, keylogger and rainbow table attacks, differ in what they need (an online login endpoint, a leaked hash database, or the user's cooperation) and in what stops them. Long, unique passwords and salted, slow hashing defeat the guessing and cracking attacks; phishing and keyloggers capture the password itself, so against them only multi-factor authentication and endpoint hygiene help. Each can cause significant damage to individuals and organizations when those basics are missing.