Password attacks and how to maintain healthy password hygiene
A password is a secret string of words, phrases, or characters that a user chooses to prove an established identity and obtain authorization to an account or system as the legitimate user. It is the first and most basic layer of account protection against unauthorized third parties.
A password can consist of letters only, or a mix of letters, numbers, and special characters. It is used to protect an account, computer, data, or user, to distinguish one user from another, and for communication and authentication purposes.
Default password
A default password is a preconfigured password that ships with a device so that the user can gain initial access to it. Default passwords are usually simple values such as 0000 or 1111, are the same on every unit of the same product, and are not tied to any particular user's identity. A default password is therefore a vulnerability that poses a serious security risk to users, because anyone who knows the product knows the password.
Password vulnerabilities
Password vulnerabilities are weaknesses that give threat actors an easy way into a user's account to gain information, steal data, and carry out other nefarious activities. They often arise from poor password awareness and guidance on the part of users. Weak passwords such as birthdays, dictionary words, and short passwords, reuse of the same password across several accounts, poor protection of password secrecy, and unchanged default passwords all lead to password exploitation.
Password Exploitation
Password exploitation is the use of tools and techniques that leverage known password vulnerabilities in order to launch an attack and gain access to a device or an account.
**Techniques used for password exploitation**
Social Engineering - social engineering is an attack that plays on users' emotions to manipulate them into giving up information about themselves or their password, or into carrying out an action such as clicking a link or opening an attachment that infects their system with malware, so that the attacker can capture the password directly. Users could receive a call, SMS, email, or update from a "supposedly" trusted source asking for their details, including passwords, which the attacker then uses to access the account.
Dictionary attack - this is a technique where an adversary tries regular words from a dictionary (or a wordlist of previously leaked passwords) as candidate passwords. It is trial and error: the attacker manually inputs or, far more often, uses a program to test thousands of wordlist entries, either against the login interface or offline against stolen password hashes, in order to gain unauthorized access to an account.
Password Spraying - using a password spraying technique, an attacker tries one commonly used password across many targeted accounts in an attempt to gain access to any account whose password happens to match the one being tried. Say an attacker targets 40 accounts: they could try a regular password like 123456 against every one of them, and if 123456 does not work anywhere, start a fresh round with abcdef. Because each account sees only one or two failed attempts per round, the per-account lockout threshold is never reached, so spraying evades the lockout policies that would stop repeated guessing against a single account and gives the attacker more time to keep trying. Spraying is normally automated with a tool and paced slowly enough to stay under those thresholds.
Bruteforcing - Bruteforcing, just like the dictionary technique, involves password guessing, trying a large number of character combinations to break into a user's account. Attackers today use tools and scripts to automate the attack. Bruteforcing can take a very long time, since the number of combinations grows exponentially with password length, but given enough time and computing power it eventually succeeds, which is why it remains the most prominent and reliable password cracking technique.
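The difference between spraying and brute forcing is visible in the authentication log: a spray spreads failures thinly across many accounts from one source, while a brute-force attack piles failures onto one account. The detection logic below, as an added example that is not part of the original article, runs over a constructed sample log (the log format, the IP addresses and the thresholds are assumptions made for the illustration) and labels each source accordingly.

```python
"""Telling password spraying apart from brute force in authentication logs.

Added example, not from the original article. The log format, the source
IPs and the thresholds are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (not real data): one login attempt per line.
# 203.0.113.5 tries one password against six different accounts (spray).
# 198.51.100.7 hammers a single account with many guesses (brute force).
# 192.0.2.9 is an ordinary user who mistyped once.
SAMPLE_LOG = """\
2024-03-01T09:00:01 FAIL user=alice src=203.0.113.5
2024-03-01T09:00:02 FAIL user=bob src=203.0.113.5
2024-03-01T09:00:03 FAIL user=carol src=203.0.113.5
2024-03-01T09:00:04 FAIL user=dave src=203.0.113.5
2024-03-01T09:00:05 FAIL user=erin src=203.0.113.5
2024-03-01T09:00:06 OK user=frank src=203.0.113.5
2024-03-01T09:10:00 FAIL user=alice src=198.51.100.7
2024-03-01T09:10:01 FAIL user=alice src=198.51.100.7
2024-03-01T09:10:02 FAIL user=alice src=198.51.100.7
2024-03-01T09:10:03 FAIL user=alice src=198.51.100.7
2024-03-01T09:10:04 FAIL user=alice src=198.51.100.7
2024-03-01T09:10:05 FAIL user=alice src=198.51.100.7
2024-03-01T10:30:00 FAIL user=gina src=192.0.2.9
2024-03-01T10:30:07 OK user=gina src=192.0.2.9
"""


def parse_line(line):
    """Split one log line into (timestamp, result, user, source)."""
    ts, result, user_kv, src_kv = line.split()
    return (datetime.fromisoformat(ts), result,
            user_kv.split("=", 1)[1], src_kv.split("=", 1)[1])


def detect(log_text, window=timedelta(minutes=5), spray_users=5, brute_fails=5):
    """Return {source: sorted labels} for every source that looks malicious.

    'spray'      : failures against >= spray_users distinct accounts inside one window
    'bruteforce' : >= brute_fails failures against a single account inside one window
    'hit'        : a successful login from that source shortly after its failures
    """
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, result, user, src = parse_line(line)
            by_src[src].append((ts, result, user))

    findings = {}
    for src, events in by_src.items():
        events.sort()
        fails = [(ts, user) for ts, result, user in events if result == "FAIL"]
        labels = set()
        # Slide a window over the failures from this source.
        for i, (t0, _) in enumerate(fails):
            in_window = [u for t, u in fails[i:] if t - t0 <= window]
            if len(set(in_window)) >= spray_users:
                labels.add("spray")
            per_user = defaultdict(int)
            for u in in_window:
                per_user[u] += 1
            if max(per_user.values()) >= brute_fails:
                labels.add("bruteforce")
        if not labels:
            continue  # a lone mistyped password is not an attack
        # A success following the failures means a guessed password worked.
        for ts, result, _ in events:
            if result == "OK" and any(timedelta(0) <= ts - ft <= window for ft, _ in fails):
                labels.add("hit")
        findings[src] = sorted(labels)
    return findings


if __name__ == "__main__":
    for src, labels in detect(SAMPLE_LOG).items():
        print(src, labels)
```

The point of the design is that per-account lockout counters never see more than one failure per account during a spray, so the detection has to pivot on the source and the time window rather than on the account. Real sprays rotate through proxy addresses to blunt even this, so production rules also correlate on fields such as user agent or client fingerprint.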
Rainbow table attack - this technique compares stolen password hashes against a rainbow table, a precomputed listing that maps hashed values back to plaintext passwords for a particular hashing algorithm. The threat actor looks up each stolen hash to recover the matching plaintext without hashing every candidate again. Storing each password hash with a unique per-user salt defeats this technique, because the precomputed table no longer matches the salted hashes.
Shoulder surfing - just as the name sounds, this is a technique where adversaries obtain your password by watching over your shoulder as you type it.
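The dictionary and rainbow table techniques above both amount to "recover the plaintext behind a stolen hash", and the defence against the precomputation shortcut is a salt. The script below is an added example, not code from the original article: it builds a hash-to-plaintext lookup from a constructed wordlist (the principle behind a rainbow table, which in reality stores compressed hash chains rather than every pair), cracks an unsalted hash with one lookup, and then shows that the same table is useless against a salted hash, so the attacker has to re-hash every candidate per user.

```python
"""Dictionary attack against stored password hashes, unsalted versus salted.

Added example, not from the original article. The wordlist and the
passwords are constructed; a real attacker would use a list of millions
of leaked passwords and a GPU cracker rather than a Python loop.
"""
import hashlib
import os

# Constructed wordlist standing in for a real dictionary / leaked-password list.
WORDLIST = ["password", "123456", "letmein", "welcome", "sunshine", "dragon"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup(words):
    """Precompute hash -> plaintext once, reusable against every unsalted hash.

    This is the principle behind a rainbow table. A real rainbow table stores
    compressed hash chains instead of every pair, but from the attacker's side
    it is still a lookup from hash to plaintext for one hash algorithm.
    """
    return {sha256_hex(w.encode()): w for w in words}


def crack_unsalted(stored_hash, lookup):
    """One dictionary lookup recovers the password, no hashing needed."""
    return lookup.get(stored_hash)


def store_salted(password, salt=None):
    """Hash with a random per-user salt; return (salt, hash) for storage."""
    if salt is None:
        salt = os.urandom(16)
    return salt, sha256_hex(salt + password.encode())


def crack_salted(stored_hash, salt, words):
    """With a salt the precomputed table is useless: every candidate must be
    re-hashed for this one user, so the attacker's work is paid per account."""
    for w in words:
        if sha256_hex(salt + w.encode()) == stored_hash:
            return w
    return None


if __name__ == "__main__":
    lookup = build_lookup(WORDLIST)
    victim = sha256_hex(b"sunshine")              # unsalted, as weak systems store it
    print("unsalted:", crack_unsalted(victim, lookup))              # sunshine, instantly
    salt, salted = store_salted("sunshine")
    print("table vs salted:", crack_unsalted(salted, lookup))       # None
    print("per-user guessing:", crack_salted(salted, salt, WORDLIST))  # sunshine
```

Two caveats a practitioner should keep in mind: a salt does not rescue a dictionary password (crack_salted still finds "sunshine"), it only removes the precomputation shortcut; and SHA-256 is used here only to keep the example short. Real password storage should use a deliberately slow, memory-hard function such as Argon2id, scrypt or bcrypt, so that each per-user guess costs the attacker far more than one fast hash.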
**How to build healthy password hygiene**
- Use a long password, with eight characters as the bare minimum, combining letters (capital and small), numbers, and special characters, e.g. !Ne1L03@g5. Length matters most: every extra character multiplies the number of combinations an attacker must try, so longer is always better than eight.
- Use a different password for every account. If one account is compromised, the others are unaffected because they do not share its password. Whenever an account has been compromised, every other account that shares the same password is at risk.
- Avoid using dictionary words, birthdays, pet names, personal names, or other common words as passwords. If you must use them, combine them with other characters and numbers, bearing in mind that cracking tools routinely try a word with a digit or symbol appended, so simple padding adds little.
- Change passwords when there is a reason to: whenever you have shared one with someone, logged into your account on someone else's device, or suspect it has appeared in a breach. Reviewing all account passwords every 4-6 months is a reasonable habit, although current NIST guidance (SP 800-63B) no longer requires routine periodic changes and instead favours changing a password on evidence of compromise.
- Avoid using default passwords on devices. Default passwords are the same across all units of a product and attackers know them, since they are published in manuals and online lists. Using a default password is as bad as using no password at all. When you buy a new device, configure it by replacing the default password with your own unique, strong password, and enable additional layers of security such as two-factor authentication.
- It can be overwhelming to remember so many random passwords spread across different accounts. A password manager such as Google Password Manager, LastPass, etc. stores and protects your passwords for you, so you only have to remember one: the master password for the password manager itself. Make that one long and protect it with two-factor authentication, since it unlocks everything else.
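The rules above can be turned into a check, and doing so makes the "length beats complexity" point concrete. The script below is an added example, not code from the original article: it scores a candidate password with the brute-force keyspace an attacker would face (an upper bound that assumes the attacker knows only the length and character classes) and lists the hygiene problems that make the real search far smaller. COMMON_DEFAULTS and DICTIONARY are tiny constructed stand-ins for the large lists a cracker would actually use.

```python
"""Checking a candidate password against the hygiene rules above.

Added example, not from the original article. COMMON_DEFAULTS and
DICTIONARY are tiny constructed stand-ins for the large lists a cracker
would use; the bit estimate is a brute-force upper bound, not a promise.
"""
import math
import string

COMMON_DEFAULTS = {"0000", "1111", "1234", "12345", "123456", "admin", "password", "qwerty"}
DICTIONARY = {"sunshine", "dragon", "welcome", "letmein", "monkey"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase, string.digits, string.punctuation)


def charset_size(pw):
    """Size of the alphabet a brute forcer must cover given the classes used."""
    return sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))


def brute_force_bits(pw):
    """log2 of the number of strings of this length over this alphabet.

    Every extra character multiplies the search space, which is why length
    beats extra symbol classes: 20 lowercase letters (~94 bits) outrank
    8 characters drawn from all four classes (~52 bits).
    """
    return len(pw) * math.log2(charset_size(pw)) if pw else 0.0


def check_password(pw):
    """Return the bit estimate and a list of hygiene problems (empty if none)."""
    problems = []
    if len(pw) < 8:
        problems.append("shorter than 8 characters")
    if pw in COMMON_DEFAULTS:
        problems.append("common default password")
    letters = "".join(c for c in pw if c.isalpha()).lower()
    if letters in DICTIONARY:
        if letters == pw.lower():
            problems.append("dictionary word")
        else:
            # Cracking tools try word+digits/symbols as a standard mangling rule,
            # so "Sunshine1!" is barely harder to crack than "sunshine".
            problems.append("dictionary word with simple padding")
    used = sum(1 for cls in CLASSES if any(c in cls for c in pw))
    if used < 3:
        problems.append("fewer than three character classes")
    return {"bits": round(brute_force_bits(pw), 1), "problems": problems}


if __name__ == "__main__":
    for candidate in ["1234", "Sunshine1!", "!Ne1L03@g5", "abcdefghijklmnopqrst"]:
        print(candidate, check_password(candidate))
```

Note that "Sunshine1!" scores the same 65.5 bits as "!Ne1L03@g5" on the keyspace estimate, yet is flagged as a padded dictionary word: the estimate only describes blind brute force, while the problems list describes the shortcuts a dictionary or rule-based attack actually takes. The 20-letter lowercase string outscores every 8-character password even though it uses a single character class, which is the case for long passphrases.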
**Guide towards creating a healthy and hard-to-crack password**
Combination of alpha+numeric+special character - eg: My1@lo7&8
Usage of long password with the combination above - eg: Chinecherem126@maiLove&life
Story telling - eg: MynameisChidiogo&Iam25yearsold
Word combination - eg: My name is Chidiogo Eloka, I am 25years old. I am a University student at X & I have 60% knowledge of Cybersecurity. password= MniCE,Ia25o.IaaUsaX&Ih60%koC