There are literally hundreds of security focused books on the art of cracking passwords and securing your systems. This article will just cover the basics of how your passwords can be exposed to password cracking programs and other methods of gaining access to your accounts.
Since there are numerous topics related to security and passwords in general, I’m going to cover just the basics – how can passwords be cracked or otherwise compromised – without focusing on a specific crack or type of system.
The aim of the article is to better arm you with knowledge about protecting yourself and your computer against these types of threats.
Brute Force Attack
Brute force attacks are one of the simplest ways of attempting to crack a password. In a brute force attack, the attacker simply attempts to “guess" your password. If the first guess fails, it tries a second guess and so on until either they succeed or give up. There are numerous brute force tools out there to crack anything from Office documents to Zip files to Windows Account passwords.
In order to safeguard yourself against brute force attacks use a password longer than 7 characters with a mix of uppercase, lowercase and numbers. The difference between a brute force attack using a decent “consumer" PC is about 4 days for a 7 character password or 253 days for a 8 character password. If you go out to 9 characters it is extremely unpractical for anyone to attempt to brute force crack your password. More info can be found on brute force crack times here: Lockdown.co.uk.
You should also consider using a lockout policy that will lock your user account for a length of time if too many incorrect guesses were made.
A dictionary attack is a form of a brute force attack. The attacker doesn’t know what any parts of your password is, but they make the assumption that all or part of your password is a word. The attacker uses a program to cycle through a large dictionary of words and appends random characters to the dictionary words to attempt to guess your password.
It’s pretty simple to combat dictionary attacks – don’t use names or words in your passwords. One tip I recommend is to come up with a basic phrase and perform letter substitution. For example, if I wanted my password to be “I hate computers", I could substitute the letter “a" with “@", “e" with “3", “o" with “0" and “I" with “1". The new password may be “1 h@t3 c0mput3rs". This makes it relatively easy for you to remember, but makes dictionary attacks impossible.
This article focuses on the different types of methods attackers user to gain access to your password. This page describes security exploits and social engineering and what you can do to protect yourself.
Exploits are programmatic vulnerabilities in a software application. The company that wrote the program wrote it with a security related flaw. Exploits are very real threats. Brute force and dictionary attacks are easily mitigated by using common sense passwords. Exploits on the other hand can only be fixed by patching the vulnerability. For example, Microsoft releases monthly security bulletins and patches to fix and vulnerabilities found in Windows.
The best way to defend against exploits is to ensure you have a firewall installed – this makes it harder for attackers to specifically target your machine via remote attack. The other line of defense is to make sure your system is always patched. If you close the “hole" in your system, even if your firewall fails, you will be protected.
As human beings, our inherent nature is to trust other humans. Social Engineering takes advantage of this trait by doing what you wouldn’t expect – asking for your password or otherwise “tricking" you into giving it out. For example, you may receive an email from your bank stating that there was a recent fraudulent charge. In order to clear it up, you need to go to their website and enter in personal information. The trick here being that the email you received really isn’t your bank and the website they’re asking you to go to isn’t owned by your bank. You’re basically handing over your personal information to the attacker….
Protecting yourself against social engineering is pretty easy – never give out a password via email or phone. Your service providers (banks, ISP, Hotmail, etc.) will never ask you for your password. They have the ability to reset your password – why would they need to ask for it?
Another thing to NOT do is click on any service related emails you receive. If I get a bank statement from my bank via email and I want to check it out further, instead of clicking on the link in the email, I will open a new browser window and will manually browse to the bank’s site. This way I know that I went to the right site….