3 Main Types of Attacks on Passwords
In previous posts we have gone through the six step method to create a secure password and five ways to keep your complex password safe, so now we want to explain the three main types of attacks on passwords.
As the name suggests these attacks use the dictionary to generate random passwords to try and gain access into an application or system. These attacks will also use lists of previously stolen passwords. As stated in another blog, powerful computers can generate and test billions of passwords very quickly. This is why it is extremely important not to use full words in your password or reuse a password that you know has been hacked before.
Brute Force Attack
These attacks are very similar to dictionary attacks with the key difference being that it does not use words from the dictionary or a list, in generating random passwords. Instead a brute force attack will generate passwords using random characters. With so many possible combinations of random characters and symbols it would take an huge amount of time for these sorts of attacks to crack a complex passphrase. For example a password like [email protected]!n7h3r3 would take a standard computer 400 years to crack while a password like [email protected] would take only 2 hours to crack.
Have you ever received an email from someone claiming to know you from a legitimate company but you weren’t quite sure why they were sending you an invoice for something you never bought? This is just one example of a phishing attack. These attacks attempt to obtain your sensitive information (username, passwords, credit card details) by disguising themselves as a trustworthy or legitimate entity. Often these emails will contain links to webpages or attachments that the sender wants you to access. Once you click that link or open the attachment one of two things could happen. Commonly it could execute some code on your computer that downloads malware in the background. Now the hacker could have backdoor access to your computer, all your sensitive information, and be logging your keystrokes to get your password. They also could lead you to a page with fields to enter in your login details for what appears to be a legitimate website. Once you enter your details the hacker can now use them to access your account.
It is important that you assess any emails with attachments or links before proceeding. Look for the following:
- Does the sender email address look legitimate? Are there weird characters being used to make it look like it is an official domain?
- Is the email body written with poor grammar and spelling? This can be an indication that it is not legitimate.
- Check any links the sender is directing you to access. In most email clients (especially Outlook) you can mouse over the link without clicking it. A popup should appear with the full link. Look at it carefully, often these links will lead to a weird domain if it is a phishing attack.
- No legitimate entity will ever ask for your password. So, any emails of the sort should be discarded or contact the entity using their publicly listed contact details to be sure. Never call any numbers on the email or respond to the email as you may just end up speaking to the person trying to gain access to your account.
Voice Phishing (Vishing)
Just about everyone has received a phone call from someone claiming to be from government or Microsoft or some other well-known entity asking for your personal details. This is very much the same as an email phishing attack but this time the person is trying to convince you over the phone to hand over your sensitive information. These sorts of attacks fall under what is known as “social engineering” which exploits human weakness rather than a form of security. Again, never hand your sensitive details to anyone who cold calls you.
Look out for the following:
- Long pauses or strange dial tones after answering the call and before the person speaks. This can often indicate the call has been redirected and the person has concealed their actual phone number.
- The person uses any sort of threats or manipulation to try to coerce you once you have stated you do not want to hand over that information. No legitimate caller will ever do this.
- Google the phone number, there are many scam watching websites out there that log these numbers.
- If the person requests remote access to your devices this is a strong indication that this may be a phishing attempt. Once the scammer has access, they can quickly take over your device and steal your information.