Information Assurance Assignment 01

 Password Attacks

 What is a Password Attack

        In a password attack, an adversary uses automated tooling to guess or crack passwords far faster than a human could, usually in combination with a weakness on the target side such as a missing lockout or rate limit on failed login attempts, weak password hashing, or a permission flaw that exposes stored credentials.

         Using a variety of strategies, the attacker obtains a valid user's credentials and then assumes that user's identity and privileges. Because the username-password pair is one of the oldest forms of account authentication still in use, adversaries have had decades to refine techniques for recovering weak or easily guessed passwords. Since these techniques are well known and well tooled, applications that rely solely on passwords for authentication are exposed.

           Password attacks have far-reaching consequences because an attacker needs to compromise only a single privileged account, or a handful of ordinary user accounts, to gain a foothold in the web application.




Types of Password Attacks

Phishing

        Phishing, by far the most prevalent type of password attack, uses social engineering to get the victim to follow a malicious link to a site that imitates a trusted one. Believing they are authenticating to the genuine server, the victim types their credentials into the attacker's page. Beyond enabling identity theft, phishing hands the threat actor internal user credentials that serve as the initial access for Advanced Persistent Threats, letting the attacker move deeper into the environment without being noticed.

                In phishing attacks, adversaries use a variety of techniques to get the victim onto the malicious page, including:

        1. Clone Phishing

                    The attacker sends a near-identical copy of a legitimate email the victim has already received, with the original links replaced by links to attacker-controlled sites.

        2. Tabnabbing

                    A page left open in an unattended browser tab rewrites itself into a look-alike of a legitimate login page, so the returning user re-enters their credentials into the attacker's form.

        3. DNS Cache Poisoning

                    The attacker injects forged records into a DNS resolver's cache so that lookups for the legitimate domain name resolve to an attacker-controlled host. The victim lands on the fake site even though the address bar shows the correct name, which is why this is harder to spot than a look-alike domain.







Brute-Force Password Attacks

    This kind of attack determines a user's credentials by trial and error: automated programs submit as many candidate passwords as possible until one is accepted. Although brute force is an old technique that can take a great deal of time and patience, it remains common in account-takeover attempts because it is fully automated and simple to run. It is only as slow as the target's defences (lockout, rate limiting, slow password hashing) make it.

        1. Simple Brute-Force Attack

                In its simplest form the attacker works through likely candidates, often starting from facts about the person (a pet's name combined with a birth date or year) and then falling back to exhaustive enumeration of every character combination up to a given length. The search space grows exponentially with length and alphabet size, so this works well against short passwords and poorly against long, random ones.

        2. Credential Stuffing

                This uses username-password pairs leaked from earlier breaches of other sites. Attackers exploit the fact that people frequently reuse the same combination across several services, so a credential that worked on one breached site is replayed against many others.

        3. Hybrid Brute-Force Attack

                The attacker combines a wordlist or leaked-credential list with automated mutation rules (appending digits or years, toggling case, substituting symbols for letters) to reach passwords that are close to, but not identical to, known ones. Most people who vary their passwords across sites do so with small predictable changes, and attackers exploit these patterns to improve the hit rate of credential-stuffing tools.

        4. Reverse Brute-Force Attack

                            Starting from a known or common password, the attacker searches for the usernames that use it. Because attackers typically hold many databases of compromised credentials, it is easy to identify the passwords most frequently used within a given user population.

 









Dictionary Password Attacks

        This technique uses a pre-compiled list of words and phrases that users of a particular target are likely to have chosen as passwords. The list is built from passwords recovered in prior breaches and from observed user behaviour: common words and phrases, numeric prefixes and suffixes, and case variations of common word combinations. An automated tool takes the list and tries each entry against a set of known usernames, or, in an offline attack, hashes each entry and compares it against stolen password hashes.
            
                    Dictionary attacks are effective because many users, and some organisations' password rules, produce passwords built from ordinary words. They usually fail against systems that require long multi-word passphrases, and against passwords made of arbitrary mixes of upper-case, lower-case, numeric and symbol characters.

                    Robust, randomly generated passwords are very unlikely to appear in any pre-built list and cannot be predicted. Because a dictionary attack's guesses are restricted to its pre-selected list, unpredictable passwords are practically impossible to crack with it.
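The brute-force variants described earlier and the dictionary and hybrid techniques in this section can be shown side by side in a small offline cracking script. The following Python is an added example written for this page, not tooling from the original assignment. The user names, passwords and five-word wordlist are constructed; the hashes are unsalted SHA-256, standing in for a badly designed password store; and the mangling rules are a small hand-picked subset of the kind of rules that real cracking tools apply.

```python
import hashlib
import itertools
import string


def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, standing in for a weak password store (constructed)."""
    return hashlib.sha256(password.encode()).hexdigest()


# Constructed "breached" credential store: user -> password hash.
TARGET_HASHES = {
    "alice": sha256_hex("summer2023"),   # dictionary word plus a year suffix
    "bob":   sha256_hex("Password1"),    # capitalised word plus a digit
    "carol": sha256_hex("qzwk"),         # short random string, lowercase only
    "dave":  sha256_hex("T9#kLm2$pQ"),   # long random string, expected to survive
}

# Constructed five-entry wordlist; real attacks use lists of millions of entries.
WORDLIST = ["password", "summer", "welcome", "letmein", "dragon"]


def keyspace(alphabet_size: int, length: int) -> int:
    """Number of candidates a simple brute force must cover up to `length`."""
    return sum(alphabet_size ** n for n in range(1, length + 1))


def brute_force(target_hash: str, alphabet: str, max_len: int):
    """Simple brute force: hash every string over `alphabet` up to max_len.
    Returns (password, attempts) on success or (None, attempts) if exhausted."""
    attempts = 0
    for length in range(1, max_len + 1):
        for combo in itertools.product(alphabet, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if sha256_hex(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def mangle(word: str) -> set:
    """Hybrid rules: case variants, common suffixes and simple leet substitution."""
    bases = {word, word.capitalize(), word.upper()}
    candidates = set(bases)
    for base in bases:
        for suffix in ("1", "123", "!", "2023", "2024"):
            candidates.add(base + suffix)
        candidates.add(base.replace("a", "@").replace("o", "0"))
    return candidates


def dictionary_attack(target_hashes: dict, wordlist: list, rules: bool = True) -> dict:
    """Offline dictionary attack. With rules=True every word is expanded with
    mangle(); without rules only the bare words are tried.
    Returns {user: recovered_password} for every hash found in the candidate set."""
    candidates = set()
    for word in wordlist:
        candidates.update(mangle(word) if rules else {word})
    # Hash each candidate once; because the store is unsalted, one table serves
    # every user, which is exactly why per-user salts matter.
    table = {sha256_hex(c): c for c in candidates}
    return {user: table[h] for user, h in target_hashes.items() if h in table}


if __name__ == "__main__":
    print("plain wordlist :", dictionary_attack(TARGET_HASHES, WORDLIST, rules=False))
    print("with rules     :", dictionary_attack(TARGET_HASHES, WORDLIST))
    pw, tries = brute_force(TARGET_HASHES["carol"], string.ascii_lowercase, 4)
    print(f"brute force    : {pw!r} after {tries} of {keyspace(26, 4)} candidates")
    print("6 lowercase    :", keyspace(26, 6), "candidates")
    print("10 mixed (94)  :", keyspace(94, 10), "candidates")
```

The bare wordlist recovers nothing, the same list with mangling rules recovers both "summer2023" and "Password1", and the four-letter random password falls to exhaustive search in well under half a million hashes. The long random password survives every strategy, which is the point made in the paragraph above.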


Examples of Dictionary Attacks

        1. A website fails to enforce adequate minimum length and complexity requirements. As a result, some users choose passwords that are trivially guessable, such as "abc123" or "987654", which are among the first entries tried in any dictionary attack. These accounts will be the first to fall.

        2. A website does not lock accounts or throttle requests after repeated failures, so an attacker can submit an unlimited number of username and password combinations. Once the first account falls, the attacker can take their time working through further combinations against the site with an automated guessing tool.


How to Protect Against Dictionary Attacks

        1. Eliminate passwords

                Replacing passwords with passwordless authentication (for example FIDO2 security keys or passkeys) is the only way to guarantee that password-based attacks cannot occur, because there is no password left to guess, spray or phish.

       2. Use a random password generator

                Browsers such as Chrome and Safari, and password managers, can generate passwords for you. They produce long random strings of letters, digits and special characters that no wordlist contains and that are impractical to brute-force.

       3. Use biometric identification where possible

                Biometric identification is a simple way to strengthen account security. Although still uncommon on websites, many mobile applications let you log in with a fingerprint or face using the phone's biometric hardware. Biometrics work best as an additional factor alongside a strong credential rather than as the only one.

       4. Change your passwords when there is reason to

                Older guidance recommended changing passwords every three to six months, and some sites and programs still force a change after a fixed period, typically once a year. Current guidance (NIST SP 800-63B) advises against forced periodic rotation, because it pushes users toward predictable variants of their old password. Instead, change a password promptly whenever there is evidence it has been compromised, for example when it turns up in a breach or a password manager's breach alert.
                


Password Spraying Attacks

    In this technique the attacker tries one password against many accounts before moving on to the next password. It exploits the fact that many users choose short, common passwords, and because each account sees only one or two failures per round, it stays below per-account lockout thresholds that would stop a classic brute-force attack. Spraying is especially effective against sites where the administrator assigns a known default password to newly created or not yet activated accounts.
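As an added example for this page (not part of the original assignment), the following Python distinguishes spraying from classic brute force in authentication logs by grouping failures per source address: many failures against one account is brute force, one or two failures against many accounts is spraying. The log format, the addresses (taken from the RFC 5737 documentation ranges), the user names and the thresholds are all constructed for the example; a real detection would read the equivalent fields from the system's actual login events.

```python
import re
from collections import defaultdict

# Constructed authentication log; addresses are RFC 5737 documentation ranges.
SAMPLE_LOG = """\
2024-03-01T10:00:01Z src=192.0.2.5 user=alice result=FAIL
2024-03-01T10:00:09Z src=192.0.2.5 user=alice result=FAIL
2024-03-01T10:00:15Z src=192.0.2.5 user=alice result=OK
2024-03-01T10:01:00Z src=198.51.100.9 user=dave result=FAIL
2024-03-01T10:01:01Z src=198.51.100.9 user=dave result=FAIL
2024-03-01T10:01:02Z src=198.51.100.9 user=dave result=FAIL
2024-03-01T10:01:03Z src=198.51.100.9 user=dave result=FAIL
2024-03-01T10:01:04Z src=198.51.100.9 user=dave result=FAIL
2024-03-01T10:01:05Z src=198.51.100.9 user=dave result=FAIL
2024-03-01T10:01:06Z src=198.51.100.9 user=dave result=OK
2024-03-01T10:02:00Z src=203.0.113.7 user=alice result=FAIL
2024-03-01T10:02:01Z src=203.0.113.7 user=bob result=FAIL
2024-03-01T10:02:02Z src=203.0.113.7 user=carol result=FAIL
2024-03-01T10:02:03Z src=203.0.113.7 user=dave result=FAIL
2024-03-01T10:02:04Z src=203.0.113.7 user=erin result=FAIL
2024-03-01T10:02:05Z src=203.0.113.7 user=frank result=OK
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse(log_text: str) -> list:
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events


def classify(events, brute_threshold=5, spray_min_users=5, spray_max_per_user=2):
    """Group failures by source address and label each source.

    brute_force    : >= brute_threshold failures against a single account
    password_spray : >= spray_min_users distinct accounts, each with at most
                     spray_max_per_user failures (stays under per-account lockout)
    A user who mistypes twice and then logs in matches neither rule.
    """
    fails = defaultdict(lambda: defaultdict(int))   # src -> user -> failure count
    successes = defaultdict(set)                     # src -> users who logged in OK
    for e in events:
        if e["result"] == "FAIL":
            fails[e["src"]][e["user"]] += 1
        else:
            successes[e["src"]].add(e["user"])

    findings = {}
    for src, per_user in fails.items():
        brute = sorted(u for u, n in per_user.items() if n >= brute_threshold)
        sprayed = sorted(u for u, n in per_user.items() if n <= spray_max_per_user)
        if brute:
            kind, users = "brute_force", brute
        elif len(sprayed) >= spray_min_users:
            kind, users = "password_spray", sprayed
        else:
            continue
        # Any success from a flagged source is a likely account compromise.
        findings[src] = {"type": kind, "users": users,
                         "compromised": sorted(successes[src])}
    return findings


if __name__ == "__main__":
    for src, finding in classify(parse(SAMPLE_LOG)).items():
        print(src, finding)
```

Note that the spraying source never trips a per-account threshold: each account sees exactly one failure, so only the cross-account view catches it, and the one success it achieved (frank) is the account to reset first.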


 
Keylogging

    In a keylogging attack the hacker installs monitoring software (a keylogger) on the victim's computer that secretly records every keystroke. Everything the user types into input forms is captured and forwarded to the attacker. Although keystroke logging has legitimate uses in business settings (employee monitoring, usability research), attackers use it to capture login credentials and other information for unauthorised access.

Examples of Keylogging

        1. An attacker uses a phishing email to trick employees into downloading a supposedly essential update required to keep using the company's online services. Several employees install the malware, which records their usernames and passwords and gives the attacker access to company data.

        2. In a criminal investigation, law enforcement obtains a court order to physically attach keystroke-logging hardware to a suspect's computer in order to capture incriminating information.


How to Prevent Password Attacks

  1. Make your password long and complex. A ten-character password mixing upper case, lower case, digits and symbols has a vastly larger search space than a six-character all-lowercase one, and a brute-force attack becomes less feasible as that search space grows.

  2. Use a different password for every account. Password reuse is widespread, and a single compromised password is enough to expose every account that shares it.

  3. Watch for credential stuffing. Hackers take credentials obtained from one website and replay them against other websites, so a breach elsewhere can expose your account here. Change any reused password as soon as a breach is reported.

  4. Turn on and set up multi-factor authentication (MFA). MFA asks you to present more than one piece of evidence of your identity when logging in: for instance a biometric factor such as your fingerprint or face, a one-time code from an authenticator app, or a code sent to your phone or email. A stolen or guessed password alone is then not enough to get in, which defeats most of the attacks described above.

  5. Steer clear of social engineering and phishing scams. Phishing is the practice of sending phony emails or messages that appear to come from a trusted source, such as your bank, your employer or a friend, to trick you into disclosing your password or opening malicious attachments or links that could infect your device with malware. Always check the sender's address, the message content and the URL of any link before replying or clicking. If you are unsure, contact your IT department or the supposed sender through a channel you already trust to confirm the message is legitimate.

  6. Use a password manager. A password manager is software that securely stores the passwords for your many services and accounts. It can generate strong unique passwords, sync them across your devices and fill them in automatically when you log in, and it can warn you when one of your passwords appears in a data breach. It makes password handling both safer and easier.
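Item 4 mentions the one-time codes an authenticator app produces. The following Python is an added example for this page, not code from the original assignment; it implements the HOTP/TOTP scheme of RFC 4226 and RFC 6238 that such apps use, with a verifier that tolerates one 30-second step of clock skew and compares codes in constant time. The 20-byte ASCII key "12345678901234567890" and the time values used below are the published test vectors from RFC 6238 Appendix B; the enrolment helper and everything else are assumptions made for the example.

```python
import base64
import hashlib
import hmac
import secrets
import struct
import time


def hotp(key: bytes, counter: int, digits: int = 6) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the 8-byte big-endian counter, then
    dynamic truncation to a 31-bit integer reduced modulo 10**digits."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    binary = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(key: bytes, at_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from Unix time."""
    return hotp(key, int(at_time) // step, digits)


def verify_totp(key: bytes, code: str, now: int, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the code for the current step or up to `window` steps either
    side, to absorb clock skew between phone and server. The format check
    rejects non-digit input before the constant-time comparison."""
    if not (code.isdigit() and len(code) == digits):
        return False
    counter = int(now) // step
    return any(
        hmac.compare_digest(hotp(key, c, digits), code)
        for c in range(counter - window, counter + window + 1)
    )


def new_shared_secret(nbytes: int = 20) -> str:
    """Enrolment (assumed helper): a fresh random key, base32-encoded in the
    form authenticator apps expect to receive."""
    return base64.b32encode(secrets.token_bytes(nbytes)).decode()


def key_from_base32(secret: str) -> bytes:
    return base64.b32decode(secret)


if __name__ == "__main__":
    rfc_key = b"12345678901234567890"
    print("RFC 6238 vector, t=59 :", totp(rfc_key, 59, digits=8))          # 94287082
    print("RFC 6238 vector, t=1234567890 :", totp(rfc_key, 1234567890, digits=8))  # 89005924
    secret = new_shared_secret()
    key = key_from_base32(secret)
    now = int(time.time())
    code = totp(key, now)
    print("enrolment secret      :", secret)
    print("current code          :", code)
    print("verifies now          :", verify_totp(key, code, now))
    print("verifies 2 min later  :", verify_totp(key, code, now + 120))
```

The server only needs the shared key and the clock: a password captured by phishing or a keylogger is useless without a code that changes every 30 seconds, and the code itself expires within the skew window, so replaying it later fails. Real deployments should additionally remember the last accepted counter per user so that a code cannot be reused within its own window.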

