Before proceeding to password breaking, you should know about the three types of authentication factors:
Something I have, like username and password.
Something I am, like biometrics
Something I possess, like registered / allowed devices
Password breaking is the method of extracting the password to gain authorized access to the target system in the guise of a legitimate user. Usually, only username and password authentication is configured, but password authentication is now moving toward two-factor or multi-factor authentication, which includes something you have, such as a username and password, together with biometrics.
Password cracking can also be performed through a social engineering attack, or by tampering with the communication and stealing the stored information. A guessable password, a short password, a password with weak encryption, or a password containing only numbers or letters can be broken with ease. Having a robust, lengthy and difficult password is usually an offensive line of defense against these breaking attacks.
Typically, a good password contains:
Case Sensitive letters
Lengthy password (typically more than 8 letters)
Types of Password Attacks
Password attacks are classified into the following types:
Active Online Attacks
Passive Online Attacks
- Non-Electronic Attacks
Non-electronic attacks, or non-technical attacks, are attacks that do not require any technical understanding or knowledge. This type of attack can be carried out through shoulder surfing, social engineering, and dumpster diving. For example, username and password information can be gathered by standing behind a target while he is logging in or otherwise interacting with sensitive information. Through shoulder surfing, passwords, account numbers, or other secret information are often gathered, depending upon the carelessness of the target.
- Active Online Attacks
An active online attack includes different techniques that directly interact with the target to crack the password. Active online attacks include:
- Dictionary Attack
In a dictionary attack, a password cracking application is used alongside a dictionary file. This dictionary file contains an entire dictionary or a list of known and common words to attempt password recovery. This is the only sort of password cracking, and typically, systems aren't susceptible to dictionary attacks if they use strong, unique and alphanumeric passwords.
- Brute Force Attack
A brute force attack attempts to recover the password by trying every possible combination of characters. Each combination is attempted until the password is accepted. Brute forcing is the common and basic technique for uncovering a password.
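Both dictionary and brute force attacks against a live login show up as a burst of failed attempts for one account from one source. The following added example (not part of the original page) flags such bursts with a sliding time window; the log lines are constructed, use a simplified timestamp prefix, and the threshold and window values are assumptions to tune per environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: sshd-style messages with a simplified ISO timestamp prefix.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[811]: Failed password for alice from 192.0.2.10 port 40001 ssh2
2024-05-01T10:00:03 sshd[811]: Failed password for alice from 192.0.2.10 port 40002 ssh2
2024-05-01T10:00:05 sshd[811]: Failed password for alice from 192.0.2.10 port 40003 ssh2
2024-05-01T10:00:07 sshd[811]: Failed password for alice from 192.0.2.10 port 40004 ssh2
2024-05-01T10:00:09 sshd[811]: Failed password for alice from 192.0.2.10 port 40005 ssh2
2024-05-01T10:01:00 sshd[812]: Failed password for bob from 198.51.100.7 port 50001 ssh2
2024-05-01T10:01:20 sshd[812]: Failed password for bob from 198.51.100.7 port 50002 ssh2
2024-05-01T10:01:40 sshd[812]: Accepted password for bob from 198.51.100.7 port 50003 ssh2
2024-05-01T10:00:00 sshd[813]: Failed password for invalid user carol from 203.0.113.9 port 60001 ssh2
2024-05-01T10:03:00 sshd[813]: Failed password for invalid user carol from 203.0.113.9 port 60002 ssh2
2024-05-01T10:06:00 sshd[813]: Failed password for invalid user carol from 203.0.113.9 port 60003 ssh2
2024-05-01T10:09:00 sshd[813]: Failed password for invalid user carol from 203.0.113.9 port 60004 ssh2
2024-05-01T10:12:00 sshd[813]: Failed password for invalid user carol from 203.0.113.9 port 60005 ssh2
"""

# Matches failed logins only; "Accepted password" lines are ignored.
FAILED = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+")

def detect_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return sorted (source, user) pairs with >= threshold failures inside one window."""
    recent = defaultdict(deque)   # (src, user) -> timestamps of failures still in window
    flagged = set()
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        q = recent[(m["src"], m["user"])]
        q.append(ts)
        while ts - q[0] > window:   # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add((m["src"], m["user"]))
    return sorted(flagged)
```

Five slow failures spread over twelve minutes (carol) stay below the threshold, which is why rate-based detection is normally paired with account lockout or longer-window counters.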
- Hash Injection
In the hash injection attack, knowledge of hashing and other cryptography techniques is required. In this type of attack,
The attacker needs to extract users' log-on hashes, stored in the Security Account Manager (SAM)
By compromising a workstation or a server by exploiting vulnerabilities, the attacker gains access to the
Once the attacker compromises the machine, they extract the log-on hashes of valuable users and
With the help of these extracted hashes, the attacker logs on to a server such as a domain controller to exploit more
- Passive Online Attacks
Passive online attacks are performed without interfering with the target. The importance of these attacks is that they extract the password without revealing the information, because the password is obtained without directly probing the target.
- The most common types of Passive Online Attacks are
Wire sniffing, or packet sniffing, is the process of sniffing packets using packet sniffing tools within a Local Area Network (LAN). By inspecting the captured packets, sensitive information and passwords such as Telnet, FTP, SMTP and rlogin credentials can be extracted. There are different sniffing tools available which can collect the packets flowing across the LAN, regardless of the sort of data they carry. Some sniffers offer filters to catch only certain sorts of packets.
- Man-in-the-Middle Attack
A man-in-the-middle attack is the sort of attack in which the attacker inserts himself into the communication between other nodes. A MITM attack can be explained as a user communicating with another user or a server, with the attacker inserting himself into the conversation by sniffing the packets and generating MITM or replay traffic.
- The following are some utilities available for attempting Man-in-the-middle (MITM) attacks:
Browser Exploitation Framework (BeEF)
In a replay attack, the attacker captures packets using a packet sniffer tool. Once packets are captured, relevant information such as passwords is extracted. By generating replay traffic with the extracted information injected, the attacker gains access to the system.
- Default Password
Every new piece of equipment is configured with a default password by the manufacturer. It is recommended to change the default password to a unique, secret set of characters. An attacker can attempt this sort of attack using default passwords found by rummaging through the official website of the device manufacturer or through online tools for searching default passwords. The following is the list of online tools available for searching default passwords.
Tip: Change your password just like a toothbrush.