Introduction
Passwords have long been the standard for authenticating users to online services. Their use poses significant security risks as passwords can often be easily guessed, cracked via brute force attacks, or stolen in data breaches. Attackers have employed various techniques over the years to undermine password security, from dictionary attacks to malware-based password stealing. This paper aims to provide an overview of common password attacks, the strategies used in each, and defenses that services can employ to better protect users.

Brute Force Attacks
One of the most basic yet effective password cracking methods is the brute force attack. It systematically checks all possible combinations of letters, numbers, and symbols up to a certain length. To execute a brute force attack, attackers first acquire a database of password hashes, usually from a data breach. They then use password cracking software to iteratively generate and hash candidate passwords, comparing the results to the target hashes. Once a match is found, the plaintext password is revealed.

Brute force attacks have grown steadily more effective as computing power has advanced. Modern GPU-accelerated password crackers can test billions of combinations per second. Services can still thwart brute forcing through hashing algorithms like bcrypt and argon2 that intentionally make password verification slower. Implementing account lockouts after a small number of failed logins also forces attackers to move on to easier targets. Rate limiting login attempts per IP is another vital defense.
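The lockout and rate-limiting defenses described above, as an added example that is not part of the essay. The thresholds, the status strings and the in-memory stores are assumptions chosen for illustration; a real service would persist this state and tune the numbers to its own risk tolerance.

```python
import time
from collections import defaultdict, deque

# Added example (not from the essay): account lockout after a few failed logins
# plus a per-IP sliding-window rate limit. The thresholds and the in-memory
# stores are illustrative assumptions, not a recommended production policy.
MAX_FAILURES_PER_ACCOUNT = 5   # consecutive failures before the account locks
LOCKOUT_SECONDS = 15 * 60      # how long the account stays locked
MAX_ATTEMPTS_PER_IP = 20       # login attempts allowed per IP in the window
IP_WINDOW_SECONDS = 60


class LoginThrottle:
    def __init__(self, now=time.time):
        self._now = now                         # injectable clock (for tests)
        self._failures = defaultdict(int)       # account -> consecutive failures
        self._locked_until = {}                 # account -> unlock timestamp
        self._ip_attempts = defaultdict(deque)  # ip -> timestamps of recent attempts

    def _ip_allowed(self, ip):
        window = self._ip_attempts[ip]
        cutoff = self._now() - IP_WINDOW_SECONDS
        while window and window[0] < cutoff:    # forget attempts outside the window
            window.popleft()
        if len(window) >= MAX_ATTEMPTS_PER_IP:
            return False
        window.append(self._now())
        return True

    def precheck(self, account, ip):
        """Call before verifying the password. Returns None if the attempt may
        proceed, otherwise "rate_limited" or "locked" (skip the hash check)."""
        if not self._ip_allowed(ip):
            return "rate_limited"
        if self._locked_until.get(account, 0) > self._now():
            return "locked"
        return None

    def record(self, account, password_ok):
        """Call after verifying the password; returns "ok", "failed" or "locked"."""
        if password_ok:
            self._failures[account] = 0         # a success resets the counter
            return "ok"
        self._failures[account] += 1
        if self._failures[account] >= MAX_FAILURES_PER_ACCOUNT:
            self._locked_until[account] = self._now() + LOCKOUT_SECONDS
            self._failures[account] = 0
            return "locked"
        return "failed"
```

Refusing in `precheck` before the password is hashed also means a locked or rate-limited request costs the server almost nothing, which matters when the slow hashes recommended above are in use.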


Dictionary Attacks

Rather than testing every possible combination, dictionary attacks attempt passwords derived from words found in standard word lists or dictionaries. Variations are made through appending numbers, special characters, and capitalization. Common passwords, names and personal details are also tried. Dictionary attacks work because many users still select simple passwords which are present in wordlists.

To counter dictionary attacks, services should enforce stronger password policies mandating length and complexity and prohibiting common or predictable values. Multi-factor authentication adds an extra layer of security by requiring a second factor, such as a one-time code, in addition to the password. Blacklisting commonly cracked passwords obtained from previous breaches can close off many routes to compromise.
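A breached-password blacklist check, as an added example that is not part of the essay. It undoes the same cheap variations a dictionary attack enumerates (capitalization, appended digits and symbols, leet substitutions) before consulting the list; the blacklist entries, the minimum length and the substitution table are constructed assumptions.

```python
import re
import unicodedata

# Added example (not from the essay). The blacklist is a constructed handful of
# entries standing in for a real breached-password list, which would hold millions.
BREACHED_PASSWORDS = {"password", "123456", "qwerty", "letmein", "welcome", "iloveyou"}
MIN_LENGTH = 12

# Cheap substitutions users make to dress up a dictionary word; reversing them lets
# the check catch the same variations a dictionary attack would enumerate.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t",
                          "@": "a", "$": "s"})


def candidate_forms(password: str) -> set[str]:
    """Forms of the password to test against the blacklist: lowercased, with
    leading/trailing digits and symbols stripped, and with leet undone."""
    lowered = unicodedata.normalize("NFKC", password).lower()
    # "p@ssw0rd2024!" -> "p@ssw0rd"; keep the original if nothing alphabetic remains
    core = re.sub(r"^[^a-z]+|[^a-z]+$", "", lowered) or lowered
    return {lowered, core, core.translate(LEET_MAP)}


def breached_base(password: str, blacklist=BREACHED_PASSWORDS):
    """Return the blacklist entry the password is a variation of, or None."""
    for form in candidate_forms(password):
        if form in blacklist:
            return form
    return None


def check_password(password: str, blacklist=BREACHED_PASSWORDS) -> list[str]:
    """Return the policy violations for a proposed password; [] means accepted."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    base = breached_base(password, blacklist)
    if base is not None:
        problems.append(f"variation of the breached password '{base}'")
    return problems
```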

Rainbow Table Attacks

Rainbow tables utilize precomputed hashed values stored in easily searchable formats to quickly recover plaintext passwords. Attackers first generate all possible passwords up to a certain length and hash them using the same algorithm as the target system. These hashes along with the original passwords are then ordered and formatted for rapid lookups. When a password hash is obtained, typically from a breach, the attacker simply searches their rainbow table for the corresponding plaintext.

The defense against rainbow tables is choosing hashing algorithms that are unsuitable for precomputation, such as bcrypt or argon2. Salting passwords with random strings before hashing also defeats rainbow tables, since a table would have to be precomputed for every possible salt value as well as every possible password. Enforcing regular password changes renders precomputed hashes obsolete more quickly.


Keylogging and Screen Scraping

Malware-based keylogging records every keystroke in the hope of capturing login credentials. Screen scraping software takes periodic screenshots to locate any visible passwords on webpages. Both are installed covertly on victim machines through social engineering tricks, drive-by downloads or other infection vectors. Captured passwords can then be exfiltrated to the attackers.

Organizations can harden workstations and educate users on secure browsing habits, minimizing the risk from keyloggers and scrapers. Multi-factor authentication raises the bar significantly, since capturing the one-time code requires deeper system access. Periodic password changes, as well as unique, long, complex passwords for each account, minimize the damage from such malware. General cyber hygiene like patching, antivirus and firewalls also plays a role in reducing infection risk.

Shoulder Surfing

Shoulder surfing involves visually observing users enter login credentials, typically in public places like cafes. Attackers may even use high-powered cameras and zoom lenses from a distance. Defending against shoulder surfing demands user awareness of surroundings along with privacy screens and physical barriers when authentication is required in open areas. Reducing sensitive online tasks done outside secure locations can help avoid many shoulder surfing attempts.

Phishing

Phishing scams impersonating reputable brands and services trick victims into divulging passwords and other private details on fake login pages. Well-crafted phishing emails manage to bypass spam filters while exploiting the human tendency to be helpful. Over 80% of data breaches originate from phishing according to security firm Cofense. Education to identify phishing attempts remains important, alongside multi-factor authentication, which makes a stolen single credential less potent. Security awareness training diminishes the effectiveness of increasingly sophisticated phishing lures.


Pretexting

Pretexting involves deceiving customer support into disclosing sensitive login data under the guise of authenticating stolen credentials. With enough personal details of the target gathered through social engineering or public records, phone agents may be convinced to reset passwords or validate one-time codes allowing account takeover. Services must implement stricter identity verification for support requests and warn agents against disclosing credentials over unsolicited calls. Enabling multi-factor sign-in renders pretexting less dangerous even if partially successful.

Conclusion
Passwords remain the weakest link and the primary route of many attacks for now. While perfect security may not be realistically achievable, the risks of common password cracking methods can clearly be reduced through prudent technical and policy efforts on the part of online service owners. Enforcing strong unique passwords, multi-factor authentication, account lockouts, rate limiting, password managers and security awareness together form solid lines of defense that strengthen the overall security posture. As biometric and behavioral authentication gain ground, a future without conventional text passwords, and so without their inherent vulnerabilities, seems foreseeable. Until then, continued improvements are needed to curb the ongoing damage from password leaks, thefts and cracking.
