Most common and popular types of Password Attack
Different types of Password Attack: Most of us have heard the warnings about password security and the various types of attacks in network security. Never disclose your password to anyone. Never ever share your password. Never use the vendor default password (like Admin@123). Never use an easily guessed password (like blacklisthackers or Aarav123). No matter what organisation you work in, chances are you are hearing more and more about these password "rules" at your workplace. Recent high-profile security breach scandals, like the Target breach in which users' credit card information was extracted, raise the question of whether the sensitive information stored on such systems is really safe and secure.
But while most people do their best to adhere to their employer's password security guidelines, many are still unsure of why these password protocols are even effective. I am working as CEO of my company and helping Blacklisthackers members get up to speed on security protocols. One of the questions asked in our initial meeting helped give me some perspective: which of the following is a common password attack vulnerability?
I dried a tear and explained that hackers are always trying to get their hands on sensitive financial information, i.e. your credit card information; it's what they always do. Understanding how they do it is key to understanding why complicated passwords and more advanced security techniques like two-factor authentication are so important in our daily lives.
So the main question arises: how do hackers go about stealing account passwords in order to infiltrate a network and gain access to sensitive information like a client database, account details, credit card information, and much more? Today I will be sharing the different types of password attacks used to break into a password-protected system.
The most common types of password attack can be classified as follows:
#1 Passive Online Attack
Passive online attacks are a common type of password attack in which the attacker does not contact the authorizing party to steal the password; in other words, he attempts to obtain the password without ever communicating with the victim's account. Passive online password attacks include replay attacks, wire sniffing and man-in-the-middle attacks. The three common types of passive online password attack are as follows:
-Man In The Middle Attack: In a man-in-the-middle attack, or MITM for short, an attacker intercepts the traffic between the client and the authentication server, captures it and forwards it on to the server. Man-in-the-middle attacks are sometimes known as fire brigade attacks. To perform an MITM attack a hacker inserts a sniffer between client and server; from this position he is able to sniff traffic from both sides and can also capture the password. In MITM the attacker sits between the victim and the server: whenever information is sent from the client it goes to the attacker first (the man in the middle) and only then on to the server.
-Replay Attack: A replay attack is another type of password attack, which occurs when the hacker intercepts the password en route to the authentication server, captures the authentication packets and resends them later. Here the hacker doesn't have to break the password or learn it through MITM; rather he captures the password-authentication packets and reuses them later to authenticate as the client.
-Wire Sniffing: Wire sniffing is considered one of the most common types of password attack on wired or wireless networks. The password is captured during the authentication phase and then compared against a dictionary file or a complete word list. Sniffer tools are ideally suited to sniffing data in a hub environment such as a LAN. These tools are passive sniffers: they passively wait for data to be sent before capturing the information.
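The defence against both the replay attack and the sniffing attack described above is to make sure the password itself never crosses the wire and that a captured authentication message cannot be reused. The following is an added example, not code from the original article: a hypothetical nonce-based challenge-response login in which the server issues a fresh random nonce, the client answers with an HMAC over it, and the nonce is consumed on first use. The user name, password and helper names (`AuthServer`, `client_response`, `run_exchange`) are all constructed for this illustration.

```python
import hashlib
import hmac
import secrets


def derive_key(password):
    # Constructed simplification: the server stores a key derived from the
    # password rather than the password itself.
    return hashlib.sha256(password.encode()).digest()


# Constructed credential store (example data, not from the article).
PASSWORD_DB = {"alice": derive_key("correct horse battery staple")}


class AuthServer:
    """Hypothetical server side of a nonce-based challenge-response login."""

    def __init__(self, password_db):
        self.password_db = password_db
        self.pending = {}  # username -> nonce issued but not yet answered

    def challenge(self, username):
        # A fresh random nonce per login attempt; an old one is never reissued.
        nonce = secrets.token_bytes(16)
        self.pending[username] = nonce
        return nonce

    def verify(self, username, nonce, response):
        # The nonce is consumed on first use, so a captured (nonce, response)
        # pair cannot be replayed: there is no pending nonce left to match.
        issued = self.pending.pop(username, None)
        if issued is None or not hmac.compare_digest(issued, nonce):
            return False
        key = self.password_db.get(username)
        if key is None:
            return False
        expected = hmac.new(key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, response)


def client_response(password, nonce):
    # Only this MAC crosses the wire; a sniffer sees the nonce and the MAC,
    # never the password.
    return hmac.new(derive_key(password), nonce, hashlib.sha256).digest()


def run_exchange():
    """Play out a genuine login, a replay of the captured packets, and a
    captured MAC presented against a new challenge."""
    server = AuthServer(PASSWORD_DB)
    nonce = server.challenge("alice")
    resp = client_response("correct horse battery staple", nonce)
    genuine = server.verify("alice", nonce, resp)   # legitimate login
    replayed = server.verify("alice", nonce, resp)  # same capture resent
    fresh = server.challenge("alice")
    stale = server.verify("alice", fresh, resp)     # old MAC, new nonce
    return genuine, replayed, stale


if __name__ == "__main__":
    print(run_exchange())  # (True, False, False)
```

Note that the stored key in this simplified scheme is password-equivalent, so a stolen credential store is still a full compromise; production protocols such as SCRAM add a salted, iterated verifier and are run inside TLS so that the exchange is protected against the man-in-the-middle case as well.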
#2 Active Online Attack
This is another type of password attack, in which the attack is directly termed password guessing. An attacker tries a number of passwords one by one against the victim's account to crack his/her password. This is the most popular password attack because it can be performed by beginners as well. The active password attack in network security is password guessing, as described below:
-Password Guessing: A password guessing attack is among the most common types of password attack. It relies on the human factor involved in creating passwords and only works on weak passwords, as discussed above. In a password guessing attack the attacker builds a dictionary of words and names and tries all the possible combinations that could be used as a password. The attacker performs this attack with the help of a program that generates hundreds or thousands of guesses per second. A good, strong password is hard to guess and easy to remember, so you must have a good password to protect yourself from this kind of attack. For generating a strong password you can refer to my last article.
#3 Offline Attack
Offline attacks are among the most common types of computer security attack. An offline password attack is performed from a location other than the computer where the password resides or was used. Offline attacks require physical access to the computer which stores the password file: the attacker copies the password file and then tries to break the passwords on his own system. Offline attacks include dictionary attacks, hybrid attacks, brute-force attacks, precomputed hash attacks, syllable attacks, rule-based attacks and rainbow attacks.
The most time-consuming type of offline password attack is a brute-force attack, which tries every possible combination of uppercase and lowercase letters, numbers, and symbols. A brute-force attack is the slowest of the three types of password attack because of the enormous number of possible character combinations in the password. However, brute force is effective given enough time and processing power: all passwords can eventually be identified. The limitation of a brute-force password attack is that it takes too much time to crack complex passwords.
A dictionary attack is the simplest, quickest and most common type of offline password attack. It is used to identify a password that is an actual word, one which can be found in a dictionary (an ordinary dictionary). This attack uses a dictionary file of a limited set of possible words, which is hashed using the same algorithm used by the authentication process. Then the hashed dictionary words are compared with the hashed password as the user logs on, or with the passwords stored in a file on the server. The dictionary attack works only if the password is an actual dictionary word, so this type of attack has some limitations: it can't be used against strong passwords which contain numbers or other symbols.
A syllable attack is a combination of the brute-force and dictionary attacks. This password cracking method is used when the password is not an existing word. Attackers use the dictionary and other methods to crack it; it also tries the possible combinations of every word present in the dictionary.
This brings us to the next level of password attack. The hybrid attack starts with a dictionary file and substitutes various numbers and symbols for characters in the password. For example, many users add the number 1 to the end of their password to meet strong password requirements. A hybrid attack is designed to find those types of "complex" passwords.
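The practical consequence of the dictionary and hybrid attacks is that a password policy which only counts characters and character classes will happily accept "Welcome1" or "P@ssw0rd!", both of which a hybrid run finds almost immediately. The following is an added example, not code from the original article: a password check that undoes the common hybrid substitutions (case, trailing digits and symbols, leet-speak swaps) before comparing the root against a word list, so such passwords are rejected at registration time. The five-word list and the helper names `candidate_roots` and `is_hybrid_weak` are constructed for this illustration; a real deployment would load a full dictionary or breach list.

```python
import re

# Constructed mini word list standing in for a real dictionary file.
DICTIONARY = {"password", "welcome", "summer", "dragon", "letmein"}

# Common single-character substitutions a hybrid attack applies; we apply
# them in reverse so "p@ssw0rd" collapses back to "password".
LEET_MAP = str.maketrans({
    "0": "o", "1": "l", "3": "e", "4": "a", "5": "s", "7": "t",
    "@": "a", "$": "s", "!": "i",
})


def candidate_roots(password):
    """Return the base words a hybrid attack would reach from this password:
    lower-cased, with leading/trailing digits and symbols stripped, and with
    leet substitutions reversed, in every combination."""
    p = password.lower()
    stripped = re.sub(r"[\W\d_]+$", "", p)      # 'welcome1' -> 'welcome'
    stripped = re.sub(r"^[\W\d_]+", "", stripped)  # '!!summer' -> 'summer'
    return {
        p,
        stripped,
        p.translate(LEET_MAP),
        stripped.translate(LEET_MAP),
    }


def is_hybrid_weak(password, dictionary=DICTIONARY):
    """True when any root of the password is a plain dictionary word, i.e. the
    password would fall to a dictionary or hybrid attack."""
    return any(root in dictionary for root in candidate_roots(password))


if __name__ == "__main__":
    for pw in ["Welcome1", "P@ssw0rd!", "Dr4g0n", "xq9!Tz#L2", "correcthorsebattery"]:
        print(f"{pw!r}: {'weak' if is_hybrid_weak(pw) else 'ok'}")
```

The check is deliberately one-sided: it can only reject what the word list covers, so it complements rather than replaces a length requirement and a slow password hash on the server side.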
Encrypted (hashed) passwords that are stored in a file can prove useless against dictionary attacks. If the file contains the encrypted passwords in a readable format, the attacker can easily identify the hash function. He/she can then hash each and every word in the dictionary with that function and compare the result with the stored encrypted passwords; this is the precomputed hash attack. Storing all those hashes requires a large amount of memory, hence a time-space trade-off is used to reduce the memory required to store them.
Rule Based Attack:
This type of attack is used when the attacker has obtained some information about the password. It is the most powerful attack because the cracker knows something about the form of the password. The technique combines the brute-force, dictionary and syllable attacks.
A rainbow attack is nothing but a small advancement on the precomputed hash attack. It uses already calculated information stored in memory to crack the hashes. In a rainbow attack the same technique is used: the table of password hashes is created in advance and stored in memory. Such a table is known as a rainbow table.
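The precomputed hash and rainbow attacks above both depend on one thing: that every system hashes the same password to the same value, so a table built once can be looked up against any stolen file. The following is an added example, not code from the original article, showing why a per-user random salt plus a deliberately slow hash (PBKDF2 here) defeats that reuse: the same word hashed for two users gives two different records, neither of which appears in a table built from the plain hash, and each guess against the salted record costs a full round of the slow function. The five-word list, the user data and the helper names (`precomputed_table`, `salted_hash`, `verify_salted`, `demo`) are constructed for this illustration.

```python
import hashlib
import hmac
import os

# Constructed mini word list (example data, not from the article).
WORDS = ["password", "welcome", "summer", "dragon", "letmein"]

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware gets faster


def unsalted_hash(password):
    # The weak setting: a fast, unsalted hash, identical on every system.
    return hashlib.sha256(password.encode()).hexdigest()


def precomputed_table(words):
    # A precomputed table maps hash -> plaintext. It only pays off because
    # the unsalted hash of "summer" is the same everywhere.
    return {unsalted_hash(w): w for w in words}


def lookup(table, stored_hash):
    return table.get(stored_hash)


def salted_hash(password, salt=None, iterations=ITERATIONS):
    # The corrected setting: a random 16-byte salt per user and an iterated
    # key derivation, so no table built in advance can match the record.
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, dk


def verify_salted(password, salt, stored_dk, iterations=ITERATIONS):
    _, dk = salted_hash(password, salt, iterations)
    return hmac.compare_digest(dk, stored_dk)


def demo():
    """Compare the two storage schemes against the same precomputed table."""
    table = precomputed_table(WORDS)
    # Unsalted: a stored hash of a dictionary word is an instant table hit.
    hit = lookup(table, unsalted_hash("summer"))
    # Salted: two users with the same password get different records, and
    # neither record can be found in the precomputed table.
    salt1, dk1 = salted_hash("summer")
    salt2, dk2 = salted_hash("summer")
    differs = dk1 != dk2
    miss = lookup(table, dk1.hex())
    # Verification still works for the right password and fails for a wrong one.
    ok = verify_salted("summer", salt1, dk1)
    bad = verify_salted("winter", salt1, dk1)
    return hit, differs, miss, ok, bad


if __name__ == "__main__":
    print(demo())  # ('summer', True, None, True, False)
```

The salt does not have to be secret; it is stored next to the hash. Its job is only to make every stored record unique, which turns one table lookup per stolen file into one full dictionary run per user, and the iteration count sets how expensive each of those guesses is.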
Non-technical attacks are the password cracking methods that do not require any technical knowledge, hence the name. Non-technical attacks include social engineering, shoulder surfing, keyboard sniffing and dumpster diving.
Social engineering is one of the most common types of password attack. It is the art of interacting with people, either face to face or over the telephone, and getting them to give out valuable information such as account passwords or credit card details. Social engineering relies on people's good nature and desire to help others. Many times a help desk is the target of a social-engineering attack because its job is to help people, and recovering or resetting passwords is a common help desk function. The best defense against social engineering attacks is security awareness training for all employees together with strict security procedures for resetting passwords. In my opinion social engineering is best suited to hacking WhatsApp and Facebook accounts easily.
Shoulder surfing is a password guessing attack which involves looking over someone's shoulder as they type a password. It can be effective when the hacker is in close proximity to the user and the system; they might also capture your password with the help of a camera. Special privacy screens that make it difficult to see the computer screen from an angle can cut down on shoulder surfing.
Dumpster diving: In this type of password attack a hacker looks through the trash for information such as passwords, which may have been written down on a piece of paper.