With the increase in Internet users all around the world, the number of cybercrimes is also increasing at a very rapid rate. The first thing that comes to mind when we hear the word security is “password”. Nowadays almost everything available on the Internet requires you to create an account protected by a password. Most people don’t pay much attention to their security and passwords, which results in a large number of cybercrimes and the rise of password cracking techniques such as the dictionary attack, brute-force attack, mask attack, password guessing attack and more.
Knowledge of the various password cracking techniques is essential not only for an ethical hacker but also for an ordinary user, because it can help you prevent such an attack. Given below are some of the password cracking attacks most commonly performed by hackers:
Dictionary attack:
A dictionary attack is slightly more sophisticated than a brute-force attack. In this type of attack, the attacker runs a dictionary file against the user accounts on the target system. The attack gets its name from the fact that the attacker methodically tries every word in the dictionary in order to crack the password. This removes some of the randomness of a brute-force attack and reduces the time needed to find the password, provided that the password is present in the dictionary. The attack succeeds because users neglect to create strong passwords, which lets the hacker crack the password with fewer combinations. To protect ourselves from a dictionary attack, all we can do is make our passwords complex by combining different, random dictionary words with numbers and special characters for higher complexity and better security.
Rainbow Table attack:
A rainbow table attack is a special type of dictionary attack: it uses specially optimized dictionaries that contain common passwords together with their hash values.
Passwords are stored on the server as hash strings in order to prevent misuse. Hackers try to reverse these hashes using a rainbow table, which is nothing but a list of precomputed hashes of all the possible password combinations; once a stored hash is matched in the table, the password can easily be retrieved. To prevent this attack, a technique called salting is used, which adds some random data to the password before hashing it.
Brute-force attack:
A brute-force attack is an attack based on password combinations. The attacker tries to crack the password by submitting different combinations until the correct one is found. Most attackers automate the process with software that runs through exhaustive password combinations in a significantly shorter time. It is a really powerful attack against short passwords, but against longer passwords it is less efficient than other attacks, since a lot of time is wasted on unlikely guesses. This is why most password protection schemes can effectively prevent a brute-force attack by using hashing algorithms that slow down each password attempt.
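The two defences described above, salting against precomputed tables and deliberately slow hashing against brute force, can be seen side by side in the following added example (not part of the original article). The word list, function names and iteration count are constructed for illustration; PBKDF2 is used here as one standard slow hashing function.

```python
import hashlib
import hmac
import os

# Constructed sample data: a tiny precomputed table standing in for a rainbow table.
COMMON = ["password", "123456", "qwerty", "letmein"]
PRECOMPUTED = {hashlib.sha256(p.encode()).hexdigest(): p for p in COMMON}


def store_unsalted(password):
    """Weak storage: fast, unsalted hash. Equal passwords give equal records."""
    return hashlib.sha256(password.encode()).hexdigest()


def store_salted(password, iterations=200_000):
    """Hardened storage: random per-user salt plus a slow hash (PBKDF2).

    The iteration count is an assumed value; tune it to your hardware.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_salted(password, record):
    """Recompute the hash with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode(),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(digest.hex(), record["hash"])


def table_lookup(stored_hash):
    """What a precomputed table offers: a direct hash -> password lookup."""
    return PRECOMPUTED.get(stored_hash)


if __name__ == "__main__":
    weak = store_unsalted("letmein")
    strong = store_salted("letmein")
    print("unsalted record found in table:", table_lookup(weak))
    print("salted record found in table:  ", table_lookup(strong["hash"]))
    print("legitimate login still works:  ", verify_salted("letmein", strong))
```

Because every record carries its own random salt, a table computed in advance matches none of them, and the iteration count makes each individual guess expensive.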
Hybrid attack:
A hybrid attack is used when the attackers have an idea of the password format, i.e. the password follows a sequence that can be easily recognized; for example, a software password might consist of the word “software” with a number of other characters appended. This type of attack is considered very dangerous and effective because it combines a dictionary attack with a brute-force attack and so has the abilities of both. In a hybrid attack, the dictionary part is made stronger by placing a string of brute-force characters at the beginning or end of each dictionary entry.
Mask attack:
A mask attack is used when the attacker has already gained some information about the password: that it begins with a number, that it contains a certain special character or letter, its length, how many times a certain letter is used, or any other detail that narrows down the permutations and can serve as a criterion when configuring a mask. Unlike dictionary attacks, where the attacker uses lists of all the possible password combinations, a mask attack is far more specific in nature. The main aim of the hacker in these attacks is to reduce the time taken to crack a password and to eliminate any unnecessary processing during the cracking procedure. The mask attack is one of the most used attacks of all time.
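To see how much a known structure narrows the search, the following added example (not from the original article) compares the number of candidates for a full brute force with the number left once the character class of every position is known. The class letters U, L, D and S, the function names and the guess rate used in the demo are assumptions made for illustration.

```python
import string

# Character classes over printable ASCII (95 symbols in total).
CLASSES = {
    "U": set(string.ascii_uppercase),         # 26
    "L": set(string.ascii_lowercase),         # 26
    "D": set(string.digits),                  # 10
    "S": set(string.punctuation + " "),       # 33
}
FULL_CHARSET = sum(len(members) for members in CLASSES.values())


def structure(password):
    """Map each character to its class, e.g. 'Summer2024' -> 'ULLLLLDDDD'."""
    out = []
    for ch in password:
        for name, members in CLASSES.items():
            if ch in members:
                out.append(name)
                break
        else:
            raise ValueError(f"character outside printable ASCII: {ch!r}")
    return "".join(out)


def mask_keyspace(password):
    """Candidates left when the class of every position is already known."""
    total = 1
    for name in structure(password):
        total *= len(CLASSES[name])
    return total


def full_keyspace(length):
    """Candidates for an uninformed brute force over all printable ASCII."""
    return FULL_CHARSET ** length


def hours_to_exhaust(keyspace, guesses_per_second):
    """Worst-case time to try every candidate at an assumed guess rate."""
    return keyspace / guesses_per_second / 3600


if __name__ == "__main__":
    pw = "Summer2024"   # constructed sample password
    rate = 1e9          # assumed guesses per second, for illustration only
    print(structure(pw))
    print("full brute force:", f"{hours_to_exhaust(full_keyspace(len(pw)), rate):,.0f} h")
    print("known structure: ", f"{hours_to_exhaust(mask_keyspace(pw), rate):,.2f} h")
```

A password that follows a predictable layout, such as a capitalised word followed by a year, gives up most of the protection its length would otherwise provide.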
Malware attack:
Malware attacks use malicious software and tools such as keyloggers, screen scrapers, spyware, etc., that are designed to steal personal data. Such tools are installed on the target device and run in the background, collecting the victim’s activity through keystrokes, screenshots or other methods and sharing it with the attacker. Some advanced malware even searches the target’s system for password dictionaries or data associated with web browsers. After collecting the data from the target device, a hacker can easily analyze it to retrieve the desired system password.
Password Guessing attack:
If all other attacks somehow fail, a hacker can always try to guess your password, an approach that relies on the predictability of the user. There are tools that generate unbreakable combinations of strings, but most users find them time-consuming and instead choose a password that can be easily remembered. These passwords are often based on things of emotional attachment such as pets or family, and an experienced hacker can easily guess this type of password by doing a little research about the target. A password guessing attack is the most dangerous kind of attack because the attacker can crack a password without resorting to a dictionary or brute-force attack and thus exploit the user’s data without even being noticed.
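On the defensive side, a service can screen new passwords for exactly the weaknesses that the dictionary, hybrid and guessing attacks rely on. The check below is an added example, not part of the original article; the word list, the personal terms and the function name are constructed for illustration, and a real deployment would use a much larger list of common passwords.

```python
import re

# Constructed sample word list standing in for a real common-password list.
WORDLIST = {"password", "software", "dragon", "summer", "welcome"}


def screen_password(candidate, personal_terms=()):
    """Return the reasons to reject a new password; an empty list means it passed.

    personal_terms holds details tied to the user (pet names, family names,
    birth year) that someone could find with a little research.
    """
    reasons = []
    lowered = candidate.lower()

    # Dictionary attack: the password is itself a listed word.
    if lowered in WORDLIST:
        reasons.append("dictionary word")

    # Hybrid attack: a listed word with extra characters at the start or end.
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered)
    if core != lowered and core in WORDLIST:
        reasons.append("dictionary word with added prefix/suffix")

    # Guessing attack: the password contains something personal to the user.
    for term in personal_terms:
        if term and term.lower() in lowered:
            reasons.append("contains personal detail")
            break

    return reasons


if __name__ == "__main__":
    samples = [
        ("software", ()),
        ("software2024!", ()),
        ("Bruno1987", ("Bruno", "1987")),
        ("plinth-Gazebo7-orbit", ("Bruno", "1987")),
    ]
    for pw, terms in samples:
        print(f"{pw!r}: {screen_password(pw, terms) or 'accepted'}")
```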
In conclusion, it is clear that hackers and criminals are always looking for new opportunities to crack your passwords and break in, which makes it crucial to protect each and every account with a unique and strong password. At the same time, it is also important to be well educated about the various types of attacks that you could be prone to.