Author Eric Tsang
After analyzing password attacks using my honeypot, one easy thing you can do to protect yourself is to have strong passwords. Anything that you need to sign in to can be a vulnerability. Hackers execute password attacks against authentication systems. Thousands of usernames and passwords were used in attempt to log into the SSH service on my honeypot within minutes of me starting up the service.
There are a few different types of password attacks. The first would be a simple brute force attack. This would be like having a bike lock and manually going through every single possible combination to try to get it open — 0000, 0001, 0002, 0003, etc. The downside of doing a plain brute force attack is that it will take a really long time.
Other types of brute force attacks use automation to speed up the password cracking process.
In a dictionary attack, as its name implies, an attacker tries to guess a password by trying thousands or millions of possibilities — such as words from a dictionary or lists obtained from past security breaches. This type of attack only tries those possibilities which are deemed most likely to succeed. The success of a dictionary attack stems from people having a tendency to choose short passwords that are ordinary words or common words with slight variants — like substituting the letter a with @. One drawback of dictionary attacks is the computational power available because of the large number of attempts.
Another type of brute force password attack uses rainbow tables. The above image shows one type of hash function converting plain text into a MD5 hash. There is a time-space tradeoff using rainbow tables because it is a pre-computed list of hashes for dictionary words or previously breached passwords and stores them in a database using the hash as the key.
The process of composing a rainbow table may take a considerable amount of time, but it only needs to be done once. When it is completed, password hashes can be looked up almost instantly to find the corresponding password. To put things into perspective of the sizes of these databases, some rainbow tables can be 7–9TB in size.
One other type of brute force password attack is password spraying. In the previous type of brute force password attacks there are multiple attempts to gain access to one user’s account using multiple passwords. Contrarily, a spraying password attack uses one password against many different accounts on the applications to circumvent lockout policies from too many failed attempts. This attack is commonly found where the application or admin sets the default password for new users.
Password Attack Tools
Many tools exist for the sole purpose of cracking passwords, both online and offline. Online attacks target remote logon interfaces, like SSH and RDP services. On the other hand, offline attacks occur after files are exfiltrated. Then, the passwords are attacked directly. There are many tools available including John the Ripper, hydra, PACK (Password Analysis and Cracking Kit), CeWL, statsprocessor/hashcat, and Burpsuite.
Hydra is an online password cracking tool that comes native to Kali Linux. It is very fast and flexible network logon cracker, and it is easily customizable with new modules. The good thing for you is that most services should have a lockout threshold giving attackers limited attempts. Since hydra is used as a brute force attack there is a chance it may slow down the service because of the number of requests, and it is definitely detectable.
John the Ripper is a tool used to attack passwords directly, offline. This usually occurs post exploitation after files with passwords have been exfiltrated. It autodetects password hash types and can be run against various encrypted password formats.
Tools like PACK, CeWL, and statsprocessor don’t crack passwords directly, but assist in password cracking by compiling wordlists. These wordlists can then be used by programs such as hydra or John the Ripper to crack passwords.
Defend Yourself with Strong Passwords!
As you can see, there are many means of attacks an attacker can use to obtain your passwords. Attackers can gain access to valuable information you wouldn’t want other people to have.
Since most password attacks require brute force, the easiest thing you can do is to have a lockout threshold after a certain amount of failed attempts. This will essentially negate the large number of attempts to log into the account.
Use different passwords for EVERYTHING. This may seem like a pain, but think about it this way — if an attacker gains access to one of your accounts they will most likely try that same password for other accounts you may own. I was guilty of using repeat passwords for multiple sites until I started using a password manager. Password managers will randomly generate strong passwords and store them securely. As a result, you only have to remember one strong password to get access to all of your other passwords.
Keeper is the password manager that I use. A good practice for good passwords is to have long passwords, 15–20 characters long, and include at least one upper case letter, one lower case letter, one special character, and one number. With Keeper I can randomly generate a password to the length of my choosing, 8–100 characters, and provides an option if you want letters, symbols, and numbers. Having a password manager makes securing your passwords easy. Circling back to lockout attempts, I have a setting on Keeper that will self destruct and destroy all my stored passwords if I fail logging in more than 5 times.
I’m going to wrap things up by briefly discussing multi-factor authentication. As the name suggests, it requires more than one method of authentication to log on. The three factors include something you are, something you know, and something you own. Set up MFA when possible to add an extra layer of security to your digital assets.
Something you know: your password, pin number, mother’s maiden name
Something you own: badge, token, key fob, sim card, mobile authentication with single sign on code or authenticator code
Something you are: fingerprint scan, voice authentication, retina scan, facial recognition
Having MFA adds security because even if the password is compromised, the attacker will likely not have the other means of authenticating access.
In summary, the threat of having your passwords stolen and accessed is very real. For many attackers, gaining privileged information of others is their main job so if they want it bad enough, they’ll probably get it. Follow the simple tips provided to ensure that you make it as difficult as possible for attackers to gain access into your accounts. It’s the little things you do for security that add up to having good security posture.
About the Author: Eric Tsang is a transitioning professional who is passionate about cyber security. He is constantly looking to learn and spur conversations around cybersecurity He writes blogs to document his process and try to help educate others.