7 Types of Password Attacks and How to Prevent Them
Passwords are the first - and perhaps most important - layer of protection for online accounts. But what happens when a cyber attacker employs a password cracking attack? How can you defend your information? In this article, learn about seven of the most common types of password attacks - including brute force attacks, password spraying attacks, and both throttled and unthrottled online attacks - and how to prevent them from affecting your personal accounts.
Online password attacks
Online attacks are the most familiar type of password attack. They happen against a live login interface: the attacker points an automated tool at the site's login form or API and submits username and password guesses systematically, one request per guess.
These attacks are slow, since every guess has to travel through the front end of the site and wait for an answer. They are also limited by how many guesses the site will accept before it reacts, which divides online attacks into two groups: unthrottled attacks and throttled attacks.
Unthrottled online attack
In an unthrottled online attack, the login endpoint places no limit on failed attempts, so the attacker can keep submitting guesses as fast as the server answers until one succeeds. Whether such a limit exists is not something the user chooses.
It is decided in advance by the server or site that runs the login. Unthrottled login portals let password crackers work through a guess list far more quickly, because nothing stops them from trying again.
Throttled online attack
In a throttled online attack, the attacker runs into a limit that the server enforces: after a set number of failed attempts on an account (or from one source address) within a time window, further attempts are rejected, delayed, or challenged with a CAPTCHA. The attacker gets only a handful of guesses per window.
This means that, even with an excellent cracking tool, the attacker can't keep pushing passwords at the account until one works. Throttled online attacks therefore take far longer, and the lockouts and failed-login notices they trigger give the user a chance to change their password and security settings when they notice unusual activity on their account.
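To make the difference concrete, here is an added example (not code from the original article) that simulates an attacker walking a guess list against one account, first on an unthrottled login and then on one protected by a simple per-account lockout. The throttle class, the login store, the guess list, the 5-failures-per-5-minutes policy and the 10 ms request time are all constructed for the demonstration.

```python
import time
from collections import defaultdict


class LoginThrottle:
    """Per-account throttle: once an account has max_failures failed logins inside the
    last `window` seconds, further attempts are rejected until old failures age out.
    Hypothetical demonstration code, not any real site's implementation."""

    def __init__(self, max_failures=5, window=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window
        self.clock = clock                   # injectable so the simulation can fake time
        self.failures = defaultdict(list)    # username -> timestamps of recent failures

    def is_locked(self, username):
        cutoff = self.clock() - self.window
        self.failures[username] = [t for t in self.failures[username] if t > cutoff]
        return len(self.failures[username]) >= self.max_failures

    def record_failure(self, username):
        self.failures[username].append(self.clock())

    def record_success(self, username):
        self.failures.pop(username, None)


def attempt_login(store, username, password, throttle=None):
    """Returns 'locked', 'ok' or 'bad'. throttle=None models an unthrottled endpoint."""
    if throttle is not None and throttle.is_locked(username):
        return "locked"
    if store.get(username) == password:
        if throttle is not None:
            throttle.record_success(username)
        return "ok"
    if throttle is not None:
        throttle.record_failure(username)
    return "bad"


class FakeClock:
    """Deterministic stand-in for time.monotonic() so the simulation is repeatable."""
    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


def simulate_guessing(store, username, guesses, throttle, clock, request_time=0.01):
    """Attacker walks a guess list against one account; each request is assumed to take
    `request_time` seconds (constructed figure). When locked out, the attacker waits a
    full window and retries the same guess. Returns (seconds_elapsed, guesses_tested, found)."""
    tested = 0
    for guess in guesses:
        while True:
            result = attempt_login(store, username, guess, throttle)
            if result != "locked":
                break
            clock.advance(throttle.window)      # wait out the lockout
        tested += 1
        clock.advance(request_time)
        if result == "ok":
            return clock(), tested, True
    return clock(), tested, False


# Constructed scenario: the real password sits at position 400 of a 1,000-entry guess list.
STORE = {"alice": "sunshine2011"}
GUESSES = [f"guess{i}" for i in range(1000)]
GUESSES[399] = "sunshine2011"


def run_comparison():
    """Same attacker, same guess list: unthrottled endpoint vs 5 failures per 5 minutes."""
    unthrottled = simulate_guessing(STORE, "alice", GUESSES, None, FakeClock())
    clock = FakeClock()
    throttled = simulate_guessing(STORE, "alice", GUESSES, LoginThrottle(5, 300, clock), clock)
    return unthrottled, throttled


if __name__ == "__main__":
    for label, (secs, tested, found) in zip(("unthrottled", "throttled"), run_comparison()):
        print(f"{label:11s}: found={found} guesses={tested} elapsed={secs / 60:.1f} min")
```

The unthrottled run reaches the password in 400 requests and about four seconds; the throttled run needs the same 400 guesses but 79 lockout waits, roughly six and a half hours, and generates 79 lockout events a monitoring team can see. A hard per-account lockout also lets an attacker lock a legitimate user out on purpose, which is why production systems usually combine per-account and per-source limits with progressive delays and CAPTCHAs rather than a plain lockout, and why password spraying deliberately spreads guesses across many accounts to stay under this kind of threshold.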
Offline password attacks
Offline attacks are more damaging than online attacks, largely because they run much faster. In an offline attack, the attacker has already obtained a copy of the stored password data, usually hashed passwords taken in a breach, and guesses against it on their own hardware, with no login page, network round trip, or rate limit in the way. Because the entire database is attacked at once rather than one account at a time, the results are widespread: every account whose password falls to the guessing is exposed, not just one.
How hard that guessing is depends on how the site hashed its passwords, which divides offline attacks into two kinds: attacks on fast hashes and attacks on slow hashes. Hashing is the defense against offline attacks: it turns the stored plaintext passwords into cryptographic hashes, so a stolen database gives the attacker something to guess against rather than the passwords themselves.
Fast hashing offline attacks
A fast hash is a general-purpose hash function, such as MD5, SHA-1, or SHA-256, designed to turn data into a fixed-size digest as quickly as possible. That speed is a liability for password storage: the attacker does not decode the hash, but hashes candidate passwords and compares the results, and with a fast function a single GPU can test billions of candidates per second. If the site also skipped per-user salts, one guess cracks every account that shares that password.
Cracking a fast-hashed database still takes work, but far less than with a slow hash. These attacks therefore threaten anyone whose password sits in a web server's or organization's database that used a fast hash.
Slow hashing offline attacks
A slow hash is a function built specifically for passwords, such as bcrypt, scrypt, Argon2, or PBKDF2. It repeats its internal work thousands of times, and the newer designs also demand a large amount of memory, so each hash costs far more computing power to produce. This, by design, makes the hashing process slow.
The cost falls on the attacker too: every guess costs them what one login costs the server, so their guess rate drops from billions per second to thousands. Slow hashing offline attacks still pose a threat to users with guessable passwords, but they are far less of a threat than fast hashing offline attacks.
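The following added example (written for this article, not taken from it or from any password library) runs the same dictionary attack against a stolen database of unsalted SHA-256 hashes and against one of salted PBKDF2-HMAC-SHA256 hashes. The four accounts, the eight-word wordlist and the lowered iteration count are constructed for the demonstration. It counts hash evaluations rather than timing, so the gap it shows is the structural one (one hash per word for the whole database versus one full PBKDF2 run per user and word), independent of the machine it runs on.

```python
import hashlib
import hmac
import os

# Production PBKDF2-HMAC-SHA256 should use at least 600,000 iterations (OWASP guidance);
# lowered here only so the demonstration finishes in a second or two.
DEMO_ITERATIONS = 50_000

# Constructed data: four accounts and the tiny wordlist an attacker might try first.
USERS = {
    "alice": "sunshine",
    "bob": "sunshine",
    "carol": "Tr0ub4dor&3",
    "dave": "correct horse battery staple",
}
WORDLIST = ["123456", "password", "qwerty", "letmein",
            "sunshine", "dragon", "iloveyou", "Tr0ub4dor&3"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256, as found in many breached databases: one cheap call per guess."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: the cheap hash iterated `iterations` times over a per-user salt."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def build_databases(users, iterations=DEMO_ITERATIONS):
    """Store the same users both ways, as a site using each scheme would."""
    fast_db = {u: fast_hash(p) for u, p in users.items()}
    slow_db = {}
    for u, p in users.items():
        salt = os.urandom(16)                 # fresh random salt per user
        slow_db[u] = (salt, slow_hash(p, salt, iterations), iterations)
    return fast_db, slow_db


def crack_fast(fast_db, wordlist):
    """Dictionary attack on unsalted fast hashes: hash each word once, then match it
    against every stolen hash at the same time. Returns (cracked, hash_evaluations)."""
    lookup = {fast_hash(w): w for w in wordlist}
    cracked = {u: lookup[h] for u, h in fast_db.items() if h in lookup}
    return cracked, len(wordlist)


def crack_slow(slow_db, wordlist):
    """Same wordlist against salted PBKDF2: the salt forces one full PBKDF2 run per
    (user, word) pair, and each run costs `iterations` HMACs instead of one."""
    cracked, evaluations = {}, 0
    for u, (salt, stored, iterations) in slow_db.items():
        for w in wordlist:
            evaluations += 1
            if hmac.compare_digest(slow_hash(w, salt, iterations), stored):
                cracked[u] = w
                break
    return cracked, evaluations


if __name__ == "__main__":
    fast_db, slow_db = build_databases(USERS)
    print("alice/bob fast hashes identical:", fast_db["alice"] == fast_db["bob"])
    print("alice/bob slow hashes identical:", slow_db["alice"][1] == slow_db["bob"][1])
    for name, crack, db in (("fast", crack_fast, fast_db), ("slow", crack_slow, slow_db)):
        cracked, n = crack(db, WORDLIST)
        print(f"{name}: cracked {sorted(cracked)} with {n} hash evaluations")
```

Three of the four accounts fall either way, because their passwords are on the list; dave's passphrase survives both. The difference is the bill: the fast database costs the attacker eight SHA-256 calls in total, and alice and bob share a hash because there is no salt, whereas the salted PBKDF2 database costs 26 separate runs of 50,000 HMACs each, with nothing shared between users. At a production iteration count or with a memory-hard function such as Argon2id the per-guess cost is higher still, which is the whole point of a slow hash.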
Brute force attacks
Brute force attacks, as the name implies, are straightforward attempts to guess a user's password: a cracking tool tries combinations of letters, numbers, and symbols, in increasing length, until one matches. Because the number of combinations grows exponentially with length, practical attacks start with dictionary and rule-based variants that try common words, names, dates, and substitutions such as "@" for "a" first. These work best against familiar or simple passwords. If you include easily accessible information in your password, like the name of your pet or your hometown, it sits near the front of the attacker's list, which makes you more vulnerable to brute force password cracking attacks.
Credential stuffing password attacks
Credential stuffing attacks stem from an earlier security breach: the attacker takes the username and password pairs leaked from one site and replays them, with automated tools and at scale, against the login pages of other sites. This is sometimes confused with password spraying, which is a different attack: there, a few very common passwords are tried once each against a long list of accounts, slowly enough to stay under lockout thresholds. If, for example, a data breach reveals your login credentials for a social media account, attackers will try that same username and password on your other accounts and see what works. If you use the same password for multiple accounts, you are vulnerable to credential stuffing attacks.
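Brute force, credential stuffing and password spraying leave different fingerprints in a site's login log, which is how a site notices them. The added example below (not part of the original article) runs a simple classifier over a constructed log; the log format, the three source addresses, the account names and the thresholds are all invented for the demonstration.

```python
import re
from collections import defaultdict

# Constructed log format for this example: "<timestamp> OK|FAIL user=<name> src=<ip>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<outcome>OK|FAIL) user=(?P<user>\S+) src=(?P<src>\S+)$")


def constructed_log():
    """Constructed login log (no real system). Three sources behave differently:
    203.0.113.5  fails 12 times on one account, then succeeds  -> brute force, likely compromise
    198.51.100.7 fails once each against 12 different accounts -> spraying / stuffing pattern
    192.0.2.9    fails twice on one account, then succeeds     -> a user mistyping, not an attack"""
    lines, t = [], 0

    def stamp():
        nonlocal t
        t += 1
        return f"2024-03-05T10:{t // 60:02d}:{t % 60:02d}Z"

    lines += [f"{stamp()} FAIL user=alice src=203.0.113.5" for _ in range(12)]
    lines.append(f"{stamp()} OK user=alice src=203.0.113.5")
    lines += [f"{stamp()} FAIL user={name} src=198.51.100.7"
              for name in "bob carol dan erin frank gina hal ivy jon kim lee mia".split()]
    lines += [f"{stamp()} FAIL user=dave src=192.0.2.9",
              f"{stamp()} FAIL user=dave src=192.0.2.9",
              f"{stamp()} OK user=dave src=192.0.2.9"]
    return lines


def parse(lines):
    """Parse log lines into dicts, silently skipping lines that don't match the format."""
    events = []
    for line in lines:
        m = LOG_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def classify(events, brute_threshold=10, spread_threshold=10, compromise_min_failures=3):
    """Per source address (thresholds are illustrative choices):
    - many failures on one account            -> brute force
    - few failures each across many accounts  -> password spraying / credential stuffing
    - a success on an account the same source was just failing against -> likely compromise"""
    failures = defaultdict(lambda: defaultdict(int))   # src -> user -> failed-login count
    findings = defaultdict(list)
    for e in events:                                   # events are in time order
        src, user = e["src"], e["user"]
        if e["outcome"] == "FAIL":
            failures[src][user] += 1
        elif failures[src].get(user, 0) >= compromise_min_failures:
            findings[src].append(
                f"likely compromise: success on {user} after {failures[src][user]} failures")
    for src, per_user in failures.items():
        if not per_user:
            continue
        worst_user, worst = max(per_user.items(), key=lambda kv: kv[1])
        if worst >= brute_threshold:
            findings[src].append(f"brute force: {worst} failures against {worst_user}")
        if len(per_user) >= spread_threshold and worst <= 2:
            findings[src].append(
                f"spraying/stuffing: {len(per_user)} accounts, max {worst} failures per account")
    return dict(findings)


if __name__ == "__main__":
    for src, notes in classify(parse(constructed_log())).items():
        for note in notes:
            print(f"{src:14s} {note}")
```

From the log alone, spraying and stuffing look the same: one or two failures each across many accounts. Telling them apart needs the other half of the picture, such as whether the attempted usernames even exist on your site (stuffing lists come from other sites' breaches) or a check of the submitted credentials against a breached-password feed. Real attackers also spread attempts across many source addresses, so the same counting should be repeated per account across all sources, not only per source.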
Keystroke logging password attacks
This attack method uses a keylogger, which, once installed, monitors someone's individual keystrokes. If someone has installed this type of malware on your phone or computer, they can then log what you type and decipher your passwords - not just for a single account, but for every account you log into on the infected device.
How to prevent password attacks
When it comes to preventing password attacks, password security is crucial. The best way to protect against password attacks is to create strong, unique passwords for each of your accounts. Weak passwords, which often consist of basic words or simple phrases, stand little chance against the dictionary and breach lists that attackers try first.
Create strong passwords
Again, creating strong passwords is the most important part of password security. Length matters most against guessing, so prefer a long passphrase, and each password you use should also include the following:
- Uppercase letters
- Lowercase letters
- Numbers
- Special characters
Refrain from using personal information in your password, like your name or your pet's name. You don't want your passcodes to include any information that could be guessed or linked back to you.
Each account should also have a completely unique password. Don't reuse your passwords, even if you think the accounts are secure; if someone is able to crack one of your passcodes, they can then access the others as well.
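As an added illustration of the brute force section above and of these password rules (example code written for this rewrite, not from the article or the WhatIsMyIP tool), the following estimates the search space a brute-force attack must cover and the worst-case time to exhaust it at two assumed guess rates, one for a stolen fast-hash database and one for a slow-hash database. The rates and the small common-password list are assumptions; the point it makes is that a short password satisfying every composition rule can still be weak, and a known password is weak regardless of length, while a long passphrase is strong even without symbols.

```python
import math
import string

# Constructed stand-in for a breached-password list (an assumption for this example);
# real checks query a feed of hundreds of millions of leaked passwords.
COMMON_PASSWORDS = {"123456", "password", "qwerty", "P@ssw0rd",
                    "Password1!", "letmein", "Summer2023!"}

# Assumed order-of-magnitude guess rates against a stolen database: billions per second
# for an unsalted fast hash on one GPU, tens of thousands for a properly tuned slow hash.
# Illustrative figures, not benchmarks.
GUESS_RATES = {"fast hash (unsalted SHA-256)": 1e10,
               "slow hash (bcrypt / Argon2)": 1e4}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def uses_class(password: str, cls: str) -> bool:
    return any(ch in cls for ch in password)


def charset_size(password: str) -> int:
    """Alphabet a brute-forcer has to cover, inferred from the character classes present;
    characters outside the four classes (spaces, non-ASCII) each widen it by one."""
    size = sum(len(cls) for cls in CLASSES if uses_class(password, cls))
    extra = {ch for ch in password if not any(ch in cls for cls in CLASSES)}
    return size + len(extra)


def search_space(password: str) -> int:
    """Number of strings of this length over this alphabet: the brute-force upper bound."""
    return charset_size(password) ** len(password)


def worst_case_days(password: str, guesses_per_second: float) -> float:
    return search_space(password) / guesses_per_second / 86400


def assess(password: str) -> dict:
    """Composition-rule check (all four classes), brute-force search space in bits,
    worst-case crack time per assumed rate, and a common-list check that overrides the rest."""
    meets_rules = all(uses_class(password, cls) for cls in CLASSES)
    bits = math.log2(search_space(password))
    return {
        "length": len(password),
        "meets_composition_rules": meets_rules,
        "on_common_list": password in COMMON_PASSWORDS,
        "search_space_bits": bits,
        "worst_case_days": {name: worst_case_days(password, rate)
                            for name, rate in GUESS_RATES.items()},
        # acceptable: not a known password, and too large a space to exhaust (64 bits chosen here)
        "acceptable": password not in COMMON_PASSWORDS and bits >= 64,
    }


if __name__ == "__main__":
    for pw in ("P@ssw0rd", "Tr0ub4dor&3", "correct horse battery staple"):
        r = assess(pw)
        print(f"{pw!r}: rules={r['meets_composition_rules']} common={r['on_common_list']} "
              f"bits={r['search_space_bits']:.0f} acceptable={r['acceptable']}")
        for name, days in r["worst_case_days"].items():
            print(f"   {name}: {days:.3g} days")
```

"P@ssw0rd" ticks all four boxes yet has a search space of only about 52 bits, a week of work against a fast hash, and it is on the common list anyway, so an attacker never brute-forces it at all. The 28-character passphrase uses only lowercase letters and spaces but sits at roughly 133 bits. The search space is an upper bound: a passphrase built from dictionary words has less real unpredictability than its letter count suggests, which is why the common-list check sits in front of the arithmetic.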
Use a password manager
If you struggle to create and remember different passwords, then consider using a password manager.
A password manager stores all of your passwords in a vault, leaving you with only a master password to remember and keep track of. Most password managers auto-fill your information on websites you visit, and they often have password generator features as well.
If you need a password generator, use the WhatIsMyIP password generator tool to create strong, secure passwords for all of your accounts.
Use two-factor authentication
Two-factor authentication is another good way to protect your accounts. 2FA requires a second proof of identity along with your password each time you log in: a one-time code from an authenticator app, a code sent to your phone or email, or a tap on a hardware security key. This helps limit unauthorized access, because a password that has been guessed, cracked, or leaked is no longer enough on its own. Codes delivered by SMS or email are the weakest option, since they can be intercepted or redirected; an authenticator app is better, and a hardware key that verifies the site's identity is the strongest, because it can't be phished. Multi-factor authentication (MFA) is the general term for requiring two or more independent factors; 2FA is MFA with exactly two.
Additionally, use one-time passwords or single sign-on (SSO) on accounts that allow them. A one-time password is valid for a single login, so a code an attacker captures can't be replayed later; SSO lets you sign in to many services through one well-protected identity provider, so there are fewer passwords to steal and reuse.
Install antivirus software
Additionally, to defend against cyberattacks that depend on malware, installing a strong antivirus program is crucial. Choose a program that detects all types of malware - from spyware to ransomware to keyloggers - to ensure that you aren't blindsided by a malware-based attack down the line.