Password Attacks

Password entry on a tablet and one-time code generation on a mobile phone.

Introduction

Passwords are essential for keeping your website secure from attacks. Attacks by malicious people are ever-present and evolving, so it’s best to update your website defences continually to repel the latest attacks. This article provides information about the types of password attacks, who does them, and why.

What are password attacks, who does them, and why?

Password attacks, also known as password cracking, are attempts to discover the password associated with an online account. The attacker’s goal is to gain unauthorized access to a system. Once inside, an attacker can act maliciously and mischievously. Targeted systems can include an email account, a login account, or a website admin account.

Attackers can be password recovery companies, bored individuals, criminal gangs, or governments.

The aim of an attacker might be:

  1. Intelligence gathering, such as collecting critical or sensitive information.
  2. Hurting the reputation of a person or a business by acting as them publicly.
  3. Financial gain or extortion.
  4. Compromising an adversary or gaining a competitive advantage.

What types of password attacks are there?

Attackers can gain value from access to systems, so they apply significant creativity, resources, and sophistication to password cracking.

Types of password attacks are:

  1. Phishing: A hacker creates an email or website posing as a trustworthy party, hoping you will provide personal information.
  2. Man-in-the-Middle: A hacker uses various techniques to intercept communication between you and a legitimate provider, e.g. spoofing, hijacking or eavesdropping.
  3. Dictionary Attacks: Priming a password-guessing tool with dictionary words or commonly used passwords.
  4. Credential Stuffing: Using login and password details disclosed during a previous data breach to attempt to log in to other places.
  5. Rainbow Table Attack: Passwords are typically stored as hash values (one-way digests, not encryption) rather than plain text. If a database of hashed passwords is made public, an attacker can use a precomputed rainbow table to recover the plain text passwords. Hashing each password with its own random salt defeats precomputed tables, because a table would have to be built per salt.
  6. Password Spraying: Attempting to log in to many accounts with a known, commonly chosen password, e.g. 12345678 or a default password.
  7. Password Sniffing: An attacker searches network traffic for data packets containing usernames and passwords.
  8. Keylogging: Malicious software called a keylogger records each keystroke and sends the information to an attacker. It is often bundled with other software downloaded and installed on your computer. A virus check should find the most common malware keyloggers.
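
The rainbow table item above turns on one detail: whether the stored hash is unsalted and fast, or salted and slow. The following Python example, added here and not part of the original article, shows a leaked unsalted SHA-256 hash falling to a small precomputed lookup table (the idea a rainbow table compresses), while the same password stored with a per-password salt and PBKDF2 does not; the password list is constructed for illustration, and the `salt$iterations$digest` record layout is this example’s own choice.

```python
import hashlib
import hmac
import os

# Constructed sample of commonly chosen passwords (illustrative, not from any real breach).
COMMON_PASSWORDS = ["12345678", "password", "qwerty", "letmein", "welcome1"]


def weak_hash(password):
    """Unsalted, fast hash: the storage scheme a precomputed table defeats."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> plaintext once. A rainbow table is a space-saving
    variant of this idea, so what holds here holds for rainbow tables too."""
    return {weak_hash(w): w for w in words}


def recover_from_leak(leaked_hashes, table):
    """Every leaked unsalted hash present in the table is recovered instantly."""
    return {h: table[h] for h in leaked_hashes if h in table}


def strong_hash(password, salt=None, iterations=200_000):
    """Salted, deliberately slow hash (PBKDF2-HMAC-SHA256), stored as
    salt$iterations$digest. A fresh random salt per password means a table
    would have to be precomputed per salt, which removes its advantage."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return f"{salt.hex()}${iterations}${digest.hex()}"


def verify_strong(password, stored):
    """Recompute with the stored salt and compare in constant time."""
    salt_hex, iterations, digest_hex = stored.split("$")
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                 bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(digest.hex(), digest_hex)


if __name__ == "__main__":
    table = build_lookup_table(COMMON_PASSWORDS)
    leaked = [weak_hash("password"), weak_hash("Tr0ub4dor&3")]
    print("recovered from unsalted leak:", recover_from_leak(leaked, table))
    stored = strong_hash("password")
    print("salted record:", stored)
    print("same password, new salt, different record:", strong_hash("password") != stored)
    print("login still verifies:", verify_strong("password", stored))
```

Only the common password in the leak is recovered; the salted record for the very same password cannot be matched against any table built in advance, yet a legitimate login still verifies.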

What can I do to defend my website?

A few good practices can make your website more difficult to attack:

  1. Check your website uses HTTPS and not HTTP, so that connections to your website are encrypted.
  2. Use a strong password for your website login credentials, and don’t reuse it anywhere else.
  3. Enable multi-factor authentication for your login.
  4. Use a VPN when connected to public networks like the Wi-Fi in a café or airport.

See our article “Passwords – Good Practices for WordPress Site Owners” for more details on securing your website.

See our article “Malware – Good Practices for WordPress Site Owners” for more details on reducing the risk of attacks on your website.

Conclusion

This article explained password attacks, who does them, and why. By following the guidance on defending your website from password attacks, we can work towards a more secure internet.
