Learn How to Avoid Attacks and Make Passwords Safe
Every year, the first Thursday of May is World Password Day. This year, we again want to remind you of the importance of protecting your organization's information. We will help with this task by teaching you to recognize the main attacks used to steal passwords and how to avoid them.
Brute Force Attack
A brute force password attack is a method in which the cybercriminal tries to break into a system by automatically submitting many combinations of characters (letters, digits, and symbols) with specialized software, hoping that one of them matches our password. Cybercriminals also exploit the common bad practice of using the same password for different services. In addition, these reused passwords may already be compromised, may be very common, or may be the defaults shipped with systems or applications, for example "12345" or "admin."
Within brute force attacks, we can distinguish the following variants:
Dictionary attack
These cyberattacks take advantage of the bad practice of using a single word as a password. The cybercriminal uses software that submits passwords automatically and can therefore try every word in a dictionary as a candidate password. If any of them matches, the attacker gains access to the account in question.
In a more advanced variant, the attacker first collects information about the user, such as dates of birth, names of family members or pets, or places where they have lived, and tries these words as passwords. This works because building keys out of personal data so that they are easy to remember is another widespread bad practice.
Avoid the dictionary attack by creating strong passwords that adhere to the following guidelines:
- They must contain at least eight characters and combine several character types (uppercase, lowercase, numbers, and symbols);
- They must not include the following types of words:
- Simple words in any language (words found in dictionaries);
- Proper names, dates, places, or other personal data;
- Combinations of keys that sit next to each other on the keyboard (for example, "qwerty");
- Short words, or keys formed solely of elements or terms that are public or easily guessable (e.g., name + date of birth);
- Stronger passwords must be set for access to the most critical services or applications;
- The previous points also apply when using passphrase-type passwords (long passwords formed by a sequence of words).
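As an added example (not part of the original article), the following Python script applies the guidelines above to a candidate password: it checks the length and the mix of character types, looks for dictionary words even when the usual substitutions are used ("P@ssw0rd"), rejects personal data supplied for the user, and catches runs of adjacent keyboard keys. The word list, the user profile, and the rule that at least three of the four character types must appear are assumptions made for the demonstration; a real deployment would load a full dictionary and a leaked-password list.

```python
import string
from datetime import date
from typing import Optional

# Constructed stand-in for a real wordlist (assumption for this example);
# production code would load a full multi-language dictionary plus leaked-password lists.
COMMON_WORDS = {"password", "welcome", "admin", "summer", "dragon", "12345", "123456"}
KEYBOARD_ROWS = ("1234567890", "qwertyuiop", "asdfghjkl", "zxcvbnm")
# Undo the usual substitutions (P@ssw0rd -> password) before the dictionary check.
LEET = str.maketrans("@01345$", "aoieass")


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if pw contains `run` or more keys that sit next to each other on one keyboard row."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            seq = row[i:i + run]
            if seq in low or seq[::-1] in low:
                return True
    return False


def has_dictionary_word(pw: str) -> bool:
    """True if a known word appears in pw, either as typed or with leet substitutions undone."""
    low = pw.lower()
    norm = low.translate(LEET)
    return any(w in low or w in norm for w in COMMON_WORDS)


def has_personal_data(pw: str, personal: dict) -> bool:
    """True if pw embeds one of the user's names/places/pets or their birth date."""
    low = pw.lower()
    if any(len(w) >= 3 and w.lower() in low for w in personal.get("words", ())):
        return True
    dob = personal.get("dob")
    if isinstance(dob, date):
        return any(dob.strftime(f) in pw for f in ("%Y", "%d%m%Y", "%d%m%y", "%Y%m%d", "%d%m"))
    return False


def check_password(pw: str, personal: Optional[dict] = None,
                   min_length: int = 8, min_classes: int = 3) -> list:
    """Return every guideline the password violates; an empty list means it passes.

    min_classes = 3 (of uppercase, lowercase, digits, symbols) is this example's
    reading of "combine several character types"; adjust it to your own policy.
    """
    personal = personal or {}
    problems = []
    if len(pw) < min_length:
        problems.append(f"shorter than {min_length} characters")
    classes = (any(c.isupper() for c in pw), any(c.islower() for c in pw),
               any(c.isdigit() for c in pw), any(c in string.punctuation for c in pw))
    if sum(classes) < min_classes:
        problems.append(f"uses fewer than {min_classes} character types")
    if has_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_personal_data(pw, personal):
        problems.append("contains personal data")
    if has_keyboard_walk(pw):
        problems.append("contains adjacent keyboard keys")
    return problems


if __name__ == "__main__":
    # Constructed user profile and candidate passwords for the demonstration.
    user = {"words": ["Laura", "Rex", "Madrid"], "dob": date(1990, 7, 14)}
    for candidate in ("Laura1990!", "P@ssw0rd", "Qwerty!234", "tZ7#kq!Lm2vR"):
        print(f"{candidate!r}: {check_password(candidate, user) or 'OK'}")
```

The check returns every violated rule rather than stopping at the first one, so the user can be told exactly why a password was refused; the dictionary test runs on both the raw and the de-substituted string, because "P@ssw0rd" satisfies the character-type rule while still being a dictionary word.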
Credential stuffing (credential reuse)
Credential stuffing is a brute-force variant that uses credentials stolen in earlier security breaches. Username and password pairs are tested automatically against online accounts and profiles. Attackers also take advantage of the reuse of credentials from personal applications (for example, social networks and online services) in corporate applications such as email.
Prevent credential stuffing attacks:
- Enabling two-factor authentication on your online accounts whenever possible. In addition to the password, consider factors such as:
- fingerprint;
- hardware cryptographic tokens;
- OTP (One Time Password) systems;
- coordinate cards.
- Using unique passwords, that is, passwords used only in that specific service.
- Using the company account only to sign up for corporate services.
Password spraying attack
It occurs when a cybercriminal tries a small set of common or leaked passwords (from some security breach) against a large group of accounts (for example, the webmail accounts of a company's employees) to see whether any of them grants access. The attack is run with tools that limit the number of attempts per account so that lockout alerts are not triggered and the activity goes undetected.
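As an added example that is not part of the original article, the Python code below shows how the spraying pattern just described appears in authentication logs and how to detect it: one source address fails against many different accounts while keeping every account below the lockout threshold, so the usual per-account alert never fires. The log format, field names, thresholds, and the sample events are all constructed for the demonstration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

# Constructed failed-logon events (not real logs). 203.0.113.7 sprays one password
# across many accounts; 198.51.100.9 hammers a single account; 192.0.2.5 is a user typo.
SAMPLE_LOG = """\
2024-05-02T09:00:01Z auth FAIL user=alice src=203.0.113.7
2024-05-02T09:00:03Z auth OK user=carol src=192.0.2.5
2024-05-02T09:00:04Z auth FAIL user=bob src=203.0.113.7
2024-05-02T09:00:06Z auth FAIL user=carol src=203.0.113.7
2024-05-02T09:00:08Z auth FAIL user=dave src=203.0.113.7
2024-05-02T09:00:10Z auth FAIL user=erin src=203.0.113.7
2024-05-02T09:00:12Z auth FAIL user=frank src=203.0.113.7
2024-05-02T09:00:14Z auth FAIL user=bob src=203.0.113.7
2024-05-02T09:05:00Z auth FAIL user=alice src=198.51.100.9
2024-05-02T09:05:01Z auth FAIL user=alice src=198.51.100.9
2024-05-02T09:05:02Z auth FAIL user=alice src=198.51.100.9
2024-05-02T09:05:03Z auth FAIL user=alice src=198.51.100.9
2024-05-02T09:05:04Z auth FAIL user=alice src=198.51.100.9
2024-05-02T09:05:05Z auth FAIL user=alice src=198.51.100.9
2024-05-02T09:07:30Z auth FAIL user=carol src=192.0.2.5
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) auth FAIL user=(?P<user>\S+) src=(?P<src>\S+)")


def parse_failures(text: str) -> list:
    """Extract (timestamp, user, source) tuples from FAIL lines, oldest first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m["user"], m["src"]))
    events.sort()
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_accounts=5, lockout=5) -> dict:
    """Map each suspicious source to (distinct accounts, max failures per account).

    Spraying signature: within `window`, one source fails against at least
    `min_accounts` different accounts while no single account reaches `lockout`
    failures, so the per-account lockout alert never fires.
    """
    by_src = defaultdict(list)
    for ts, user, src in events:
        by_src[src].append((ts, user))
    flagged = {}
    for src, evs in by_src.items():
        in_window = Counter()
        left = 0
        for ts, user in evs:
            in_window[user] += 1
            # Slide the window's left edge forward until it spans at most `window`.
            while ts - evs[left][0] > window:
                old_user = evs[left][1]
                in_window[old_user] -= 1
                if in_window[old_user] == 0:
                    del in_window[old_user]
                left += 1
            distinct, peak = len(in_window), max(in_window.values())
            if distinct >= min_accounts and peak < lockout:
                # Keep the window in which this source touched the most accounts.
                if src not in flagged or distinct > flagged[src][0]:
                    flagged[src] = (distinct, peak)
    return flagged


if __name__ == "__main__":
    for src, (accounts, peak) in detect_spraying(parse_failures(SAMPLE_LOG)).items():
        print(f"possible password spraying from {src}: "
              f"{accounts} accounts, at most {peak} failure(s) each")
```

Note what the lockout alone misses: the single-account source (198.51.100.9) trips the lockout threshold and is caught by the existing control, while the spraying source never exceeds one or two failures per account and is only visible when failures are correlated by source across accounts.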
Prevent Password Spray Attack:
Use tools that enforce password security, such as the password policy features of LDAP directories or Active Directory, or external services that require compliance with specific requirements:
- Validity periods for passwords;
- Whether previously used passwords may be reused;
- Password format:
- Minimum length;
- Types of characters to include;
- Compliance with semantic rules.
- Option for the user to choose and modify the password;
- Key storage:
- Size of the password history kept for each user;
- Method used to protect stored passwords (they should be salted and hashed, never stored in the clear).
- Number of authentication attempts allowed before the account is locked.
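The storage and lockout settings in the list above are enforced on the server side. As an added example (not code from the original article), the following Python module keeps a salted PBKDF2 hash of each of a user's last N passwords, refuses reuse of any of them, locks the account after the configured number of failed attempts, and spends the same hashing work on unknown usernames so that response time does not reveal which accounts exist. The class names, the history and attempt limits, and the iteration count are assumptions made for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field

SALT_LEN = 16
# Work factor for PBKDF2-HMAC-SHA256 (assumption for this example): raise it until a
# single verification costs roughly 100 ms on the authentication servers.
PBKDF2_ROUNDS = 200_000


def hash_password(password: str) -> bytes:
    """Return salt || PBKDF2 digest; only this record is stored, never the plaintext."""
    salt = os.urandom(SALT_LEN)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, record: bytes) -> bool:
    """Recompute the digest with the stored salt and compare in constant time."""
    salt, digest = record[:SALT_LEN], record[SALT_LEN:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


# Verified for unknown usernames so a missing account costs the same time as a real one.
DUMMY_RECORD = hash_password(os.urandom(8).hex())


@dataclass
class Account:
    history: list = field(default_factory=list)  # hashed passwords, newest last
    failures: int = 0
    locked: bool = False


class PasswordStore:
    """In-memory account store (hypothetical) enforcing password history and attempt lockout."""

    def __init__(self, history_size: int = 5, max_attempts: int = 5):
        self.history_size = history_size
        self.max_attempts = max_attempts
        self.accounts = {}

    def set_password(self, username: str, new_password: str) -> bool:
        """Store a new password; refuse one that matches any of the last history_size."""
        acct = self.accounts.setdefault(username, Account())
        if any(verify_password(new_password, rec) for rec in acct.history):
            return False
        acct.history.append(hash_password(new_password))
        del acct.history[:-self.history_size]  # keep only the most recent entries
        return True

    def authenticate(self, username: str, password: str) -> bool:
        """Check the current password, counting failures and locking at the limit."""
        acct = self.accounts.get(username)
        if acct is None or not acct.history:
            verify_password(password, DUMMY_RECORD)  # equalise timing, then fail
            return False
        if acct.locked:
            return False
        if verify_password(password, acct.history[-1]):
            acct.failures = 0
            return True
        acct.failures += 1
        if acct.failures >= self.max_attempts:
            acct.locked = True  # needs an administrator or a time-based unlock
        return False


if __name__ == "__main__":
    store = PasswordStore(history_size=3, max_attempts=3)
    store.set_password("alice", "Initial#Pw1")
    print("reuse accepted:", store.set_password("alice", "Initial#Pw1"))  # False
    store.set_password("alice", "Second#Pw2")
    for guess in ("guess1", "guess2", "guess3", "Second#Pw2"):
        print(guess, "->", store.authenticate("alice", guess))
    print("locked:", store.accounts["alice"].locked)
```

Because each history entry carries its own random salt, checking a proposed password against the history costs one PBKDF2 computation per stored entry; that is the price of being able to refuse reuse without ever keeping the old passwords themselves.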
Social engineering
Social engineering is the manipulation of people to obtain confidential information; it complements the technical means of obtaining access credentials. There are several techniques.
Phishing, smishing, vishing, and warshipping
These cyber-attacks exploit people's lack of awareness and trust to get us to hand over our credentials. They arrive by email, SMS, phone call, or physical device.
- An email draws your attention to an urgent matter, purportedly from an entity you trust, such as a bank, a ministry, or an ICT service provider. These messages usually contain a link to a website designed to impersonate, sometimes with remarkable resemblance, the legitimate website of that entity, where you are asked for your login credentials (phishing). These fake websites record the entered credentials and pass them to the attackers.
- An SMS (smishing) sent by a cybercriminal pretending to be a legitimate entity (a social network, bank, public institution, etc.) with the same purpose as above.
- A call (vishing), using techniques similar to the previous ones.
- An infected technological gift (warshipping) that, once connected to our network, steals our credentials and other data.
Looking over the shoulder (shoulder surfing)
Awareness of your surroundings is just as important as watching for suspicious activity online. Shoulder surfing is a social engineering technique in which cybercriminals obtain passwords by watching people type them on their devices in public. It exploits the fact that, as a rule, we are not suspicious and do not worry about whether someone may be watching while we enter passwords on our devices.
Avoid social engineering attacks:
- With training and awareness. The end user is the first line of defense and therefore the best weapon against these techniques.
- Checking that a website is legitimate before entering your data.
- Enabling biometric features such as facial recognition to log in to accounts on mobile devices.
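Checking that a website is legitimate, as the list above advises, is harder than looking for the bank's name in the address bar, because phishing hosts deliberately contain it. As an added example that is not part of the original article, the following Python helper classifies a URL against a constructed allow-list of trusted domains and flags the common lookalike tricks: the trusted name used as a subdomain of another domain, digit-for-letter substitutions, small typos, and a trusted name placed before an @ in the URL. The allow-list, the function names, and the two-label registrable-domain simplification are assumptions.

```python
from urllib.parse import urlsplit

# Constructed allow-list standing in for the organisation's real domains (assumption).
TRUSTED_DOMAINS = ("examplebank.com", "intranet.example.org")

# Characters commonly swapped for lookalikes in typosquatted hosts.
HOMOGLYPHS = str.maketrans("01345", "oleas")


def registrable(host: str) -> str:
    """Last two labels of a host ('login.examplebank.com' -> 'examplebank.com').

    Simplification for the example: ignores multi-label public suffixes such as co.uk.
    """
    return ".".join(host.split(".")[-2:])


def normalize(domain: str) -> str:
    """Fold the usual visual substitutions so 'examp1ebank' compares equal to 'examplebank'."""
    return domain.lower().translate(HOMOGLYPHS).replace("rn", "m").replace("vv", "w")


def levenshtein(a: str, b: str) -> int:
    """Edit distance; small distances between a host and a trusted domain suggest typosquatting."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify_url(url: str) -> str:
    """Return 'trusted', 'lookalike' or 'unknown' for the host in url."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower().rstrip(".")
    if not host:
        return "unknown"
    if "@" in parts.netloc:
        # 'https://examplebank.com@evil.net/' -- the real host is what follows the '@'.
        return "lookalike"
    for trusted in TRUSTED_DOMAINS:
        if host == trusted or host.endswith("." + trusted):
            return "trusted"
    reg = registrable(host)
    for trusted in TRUSTED_DOMAINS:
        if trusted in host:  # trusted name buried inside a longer, untrusted host
            return "lookalike"
        t_reg = registrable(trusted)
        if normalize(reg) == normalize(t_reg) or levenshtein(reg, t_reg) <= 2:
            return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed URLs for the demonstration.
    for u in ("https://online.examplebank.com/",
              "https://examplebank.com.secure-verify.net/login",
              "https://examp1ebank.com/",
              "https://examplebank.com@evil.net/",
              "https://news.example.net/"):
        print(f"{u} -> {classify_url(u)}")
```

The order of the checks matters: the allow-list match runs first, so a genuine subdomain of a trusted domain is never reported as a lookalike, and the "@" test runs before any string comparison because the user-visible part of such a URL is exactly what the attacker wants you to read.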
Keylogger
A keylogger is spyware that records what is typed on the keyboard. Cybercriminals infect vulnerable devices with it and record private information without the user's knowledge, stealing passwords among other details. It can also arrive on removable devices such as pen drives.
Avoid keylogger attacks:
- Checking the legitimacy of attachments and downloadable files before opening or executing them.
- Installing antimalware software on your devices.
- Checking that no unknown device has been connected to your computer.
Man-in-the-middle attack
In a man-in-the-middle attack, the cybercriminal intercepts the communication between two or more parties, impersonating one or the other as it suits them, in order to read the information and modify it at will.
Once communications are intercepted, the responses received at either end may have been manipulated by the cybercriminal or may not have come from the legitimate party at all.
The attacker can therefore use various social engineering techniques in these messages, send malicious attachments that install software, or spoof the sender's identity to get hold of the victim's passwords.
Traffic interception is a type of man-in-the-middle attack in which the cybercriminal eavesdrops on network activity to capture passwords and other sensitive information.
There are various ways of carrying it out, for example by intercepting unsecured Wi-Fi connections, or by session hijacking, in which the attacker inserts themselves between a target (an employee, for example) and the site they are connecting to (a cloud service or an intranet application) and records any information exchanged between the two.
Avoid man-in-the-middle attacks:
- Learning to identify whether emails are legitimate.
- Avoiding risky connections such as public Wi-Fi.
- Applying the safe browsing tips I and II.
Now that you know more about how cybercriminals can steal your credentials, review your password policy and protect your business.