How Cyber Attackers Steal Passwords – Learn To Avoid Attacks

When it comes to protecting the organization’s information and help you in this task by teaching you to identify the primary attacks that exist to steal passwords and how you can avoid them.

Brute Force Attack

A password brute force attack is a method in which the cybercriminal tries to break into a system many times with different combinations of characters (alphabetic, numeric and special) using specific software, hoping that some match will occur with our password. Password.

Cybercriminals use the common lousy practice of using the same password across different services. In addition, sometimes these “reused” passwords may already be compromised, be very common or come by default in systems or applications, for example, those of the “12345” or “admin” type.

Within brute force attacks, we can distinguish the following variants:

Dictionary Attack

These cyber-attacks take advantage of the harmful practice of using a single word as a password. Typically, cybercriminals use software that allows them to enter passwords automatically, so they can try all the words in a dictionary as possible passwords. If there was a match, you would already have access to the account.

In a more advanced variant, the cyber attacker collects information about the user, such as dates of birth, names of family members, pets or places they have lived and tries these words as passwords, as this is also a widespread lousy practice, the use of this type of keys that are easy for us to remember.

Avoid the dictionary attack by creating strong passwords that meet the following guidelines:

They must contain at least eight characters and mix them of different types (uppercase, lowercase, numbers and symbols):

Must not include the following types of words:

Simple words in any language (dictionary words);
Proper names, dates, places or personal data;
Comments that are made up of characters next to each other on The keyboard;
Concise words

Nor will we use keys made up solely of elements or phrases that can be public or easily guessed (e.g. name + date of birth);

stronger passwords will be established to access the most critical services or applications.

What is stated in the previous points will also be taken into account when using passwords of the passphrase type (long passwords formed by a sequence of words).
Credential stuffing ( credential stuffing/credential reuse ):
Credential stuffing is a brute-force attack that uses stolen credentials in security breaches. Username and password pairs are automatically tested to log into online accounts and profiles. They also use personal application credentials (for example, social networks and online services) in corporate environment applications such as email.

Avoid Credential Stuffing Attacks:

Enabling two-factor authentication on your online accounts where possible. In addition to the use of the password, consider other factors such as:
fingerprint ;
hardware cryptographic tokens ;
OTP (One Time Password) systems ;
Coordinate cards.
Using unique passwords, that is, that you only use in that specific service.
Using the company account only to sign up for corporate services.

Password spraying attack

It occurs when a cybercriminal uses many stolen passwords (from some security breach) in a group of accounts (for example, the webmail of company employees) to see if they can gain access. In addition, it uses programs that can limit the number of attempts to access an account so as not to trigger alerts and thus not be detected.

Avoid password spray attacks:

Use tools that guarantee the security of your passwords, such as those of the LDAP protocols, Active Directory or external services that require compliance with specific requirements:

Validity periods for passwords;
Possibility of reusing already used passwords;
Password format:
Minimum length;
Character types to include;
Compliance with semantic rules.
Option of choosing and modifying the password by the user;
Key Storage:
Size of the critical history to store for each user;
Key encryption method.
Several authentication attempts are allowed.

Social engineering

Social engineering is a manipulation to obtain confidential information that is complementary to the use of technology to obtain access credentials. There are several techniques.

Phishing, smishing, vishing and worshipping

These cyber-attacks take advantage of the lack of information and human ingenuity to get us to hand over our credentials. They are initiated by an email or SMS, a call or through devices.

An email that draws your attention to some urgent matter from an entity you trust, such as a bank, a ministry or an ICT service provider. These messages usually contain a link to a website designed to impersonate, sometimes with a remarkable resemblance, the legitimate website of that entity and in which they will ask you for login credentials ( phishing ). These fake websites will record the credentials entered, thus passing them into the hands of the attackers.

An SMS ( smishing ) is a technique of sending an SMS by a cybercriminal to a user pretending to be a legitimate entity -social network, bank, public institution, etc. with the same purpose as above.
A call (fishing), using similar techniques to the previous ones.
An infected technological gift (worshipping) that will connect to our network and steal our credentials and other data.
Look over the shoulder ( shoulder surfing )
Being aware of the environment around you is just as important as being aware of any suspicious activity online. Shoulder surfing is a social engineering technique in which cybercriminals get passwords by spying on people using their devices in public while typing. These take advantage of the fact that, as a general rule, we are not suspicious and do not worry if someone may be watching while we enter passwords on our devices.

Avoid social engineering attacks:

With training and awareness. The first line of defence is with the end user. Therefore, they are the best weapons to combat this technique.
Checking if the web is legitimate before entering your data.
Enabling biometric features like facial recognition to log into accounts on mobile devices.
keylogger attack
A keylogger is a spyware that tracks and records what is typed on the keyboard. Cybercriminals take advantage of this software by intentionally infecting vulnerable devices and recording private information without the user’s knowledge, thus stealing passwords and other information. It can also come on removable devices, such as flash drives.

Avoid keylogger attacks:

Checking the legitimacy of attachments and downloadable files before opening or executing them.

Installing anti-malware software on your devices.

Checking that you have not connected any foreign device to your computer.

Man-in-the-middle attack

In the Man in the middle attack, the cybercriminal intercepts the communication between 2 or more interlocutors, being able to impersonate the identity of one or the other as he wishes, to see the information and modify it at will. Once the communications are intercepted, the responses received at one end or the other may have been manipulated by the cybercriminal or may not have come from the legitimate interlocutor.

Therefore, it could use various social engineering techniques in these messages, send malicious attachments to install software or use impersonation of the sender with spoofing techniques to get hold of the victim’s passwords.

Traffic interception

Traffic interception is a type of Man-in-the-middle attack. In this case, the cybercriminal spies on network activity to capture passwords and other sensitive information. They have various ways of carrying out this attack, for example, intercepting unsecured Wi-Fi connections or using a tactic called session hijacking, which consists of blocking a relationship between a target (an employee, for example), the site to which they connect (a cloud service or an intranet application) and record any information shared between the two.