Password Attacks 101

One of the most common attacks carried out nowadays is related to cracking passwords, but most people probably just know about brute-forcing. There are, in fact, other kinds of attacks around passwords.

Let’s take a look at three kinds of password attacks.

Brute Force Attacks

Brute forcing in its essence is trying many passwords to gain access to an account.

Brute Force Real-life Comparison:

Let’s say that a burglar wants to get the door to your house open, but he can’t find an entry point or another place to break in anywhere. So he goes to the alarm keypad and starts tapping in random codes, hoping one will work eventually.

On a website, attackers can usually try some of the default usernames like admin, administrator, webmaster, etc., and on those usernames they can try a huge number of passwords.

How do attackers get password combinations to use for the attack?

To this end, there are several ways to go. Attackers can use a dictionary of commonly used passwords, get a pre-made dictionary that contains both commonly used passwords and some generated strings, or go straight to generating their own dictionary.

How do attackers generate a brute force password list?

Attackers have several ways to achieve this, but a very commonly used tool is called Crunch. This allows them to select the minimum and maximum number of characters they want the words to have. They can even select which characters they want to limit the words to.

Now, let’s say that a website uses simple passwords with a limit of five characters. Using Crunch, we can generate a list from one character to five characters (this is just for letters):

So, this is a list with just 12,356,630 lines (one word per line), and it will only take 70 MB of space to store. That’s quite small.

What if we add special characters and digits into the mix?

Adding those characters to the set bumped the size of the list from 70 MB to 62 GB. Makes sense?

Now, what if there are stronger password restrictions for a website and it requires a password longer than eight characters?

Now that we want passwords from eight to 12 characters, this list has 99,246,106,575,066,880 lines (that’s about 8 billion times the number of lines from the previous list). In terms of space required to save this list, it would take 1,169,818 TB. That’s 1,142 PB (petabytes).

Let’s once again throw digits and special characters into the mix but still make it eight to 12 characters long:

The list size went up by about 10 times. This goes to show that mixing in complex characters simply makes passwords better.

You may now be thinking, “Wow, how do they have so much space to store all that?” Well, instead why don’t you think, “If my password is just slightly bigger and has special characters and numbers, it takes the attackers a lot more effort.”

Let’s go back to storing said lists. Well, attackers don’t really need to store them. The same tool allows them to pass the words it generates directly to another piece of software or script, avoiding the need to save the lists at all.

Brute Force Key Takeaways

Even though the attack is pretty simple to get underway, it’s also easily defeated. Strong password enforcement rules, CAPTCHAs, flood limits and fail2ban are pretty effective at stopping a brute-force attack, especially when used together.

Brute Force Curiosity

A computer takes about one second to read through a list of passwords with eight characters.

What if a password is 16 characters long? Well, this is how much it can take to brute force that password:

And now with special characters and numbers:
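The Crunch list sizes and the time-to-crack figures above follow from simple keyspace arithmetic. The script below is an added example, not part of the original post and not Crunch itself: it counts the candidates and the bytes a one-word-per-line list would occupy without generating anything. The 94-character "MIXED" set and the guess rate used for the 16-character estimate are assumptions; the post does not state which character set or rate produced its 62 GB and one-second figures.

```python
# Added example (not from the original post): the keyspace and storage arithmetic
# behind the Crunch figures quoted above. Crunch enumerates the strings; these
# functions only count them.
import string

# Character sets. The post's lowercase-only figures correspond to LOWER.
# MIXED is an assumed 94-character printable set (letters, digits, punctuation).
LOWER = string.ascii_lowercase                                     # 26
LOWER_UPPER = string.ascii_letters                                 # 52
MIXED = string.ascii_letters + string.digits + string.punctuation  # 94

_UNIT_EXP = {"B": 0, "KiB": 1, "MiB": 2, "GiB": 3, "TiB": 4, "PiB": 5}


def keyspace(charset_size: int, min_len: int, max_len: int) -> int:
    """Number of candidate strings with length min_len..max_len inclusive."""
    return sum(charset_size ** n for n in range(min_len, max_len + 1))


def wordlist_bytes(charset_size: int, min_len: int, max_len: int) -> int:
    """Bytes needed to store every candidate as one line (word plus newline)."""
    return sum(charset_size ** n * (n + 1) for n in range(min_len, max_len + 1))


def in_unit(nbytes: int, unit: str) -> float:
    """Express a byte count in a binary unit; the post's MB/TB/PB are these."""
    return nbytes / 1024 ** _UNIT_EXP[unit]


def crack_seconds(charset_size: int, length: int, guesses_per_second: int) -> int:
    """Worst-case seconds to exhaust every string of exactly `length` characters
    at a fixed guess rate (integer division keeps the huge values exact)."""
    return charset_size ** length // guesses_per_second


if __name__ == "__main__":
    # Figures from the post: lowercase letters, 1 to 5 characters
    print(keyspace(26, 1, 5), "lines,", round(in_unit(wordlist_bytes(26, 1, 5), "MiB"), 1), "MiB")
    # Lowercase letters, 8 to 12 characters
    print(keyspace(26, 8, 12), "lines,", round(in_unit(wordlist_bytes(26, 8, 12), "TiB")), "TiB")
    # Same 8 to 12 range with the assumed 94-character set
    print(keyspace(94, 8, 12), "lines,", round(in_unit(wordlist_bytes(94, 8, 12), "PiB")), "PiB")
    # "Curiosity" section: assume a rate that exhausts 8 lowercase characters in 1 s
    rate = 26 ** 8
    for charset, length in ((26, 16), (94, 16)):
        print(f"{charset} chars, {length} long: {crack_seconds(charset, length, rate):,} s")
```

Running it reproduces the post's 12,356,630 lines / 70 MB and 99,246,106,575,066,880 lines / 1,169,818 TB for the lowercase ranges (the post's units are binary MiB/TiB). The last loop shows the point of the "Curiosity" section: at a rate that finishes eight lowercase characters in one second, a 16-character password takes 26^8 seconds, and widening the character set multiplies that again.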

Password Spraying

Now let’s take a look at password spraying. This term is not as known as brute-forcing, but it’s actually quite similar.

Brute-forcing can take many forms, but the essence of it is attempting the largest number of passwords on the smallest number of accounts, or even on a single account.

Password spraying is almost the opposite. It is trying the smallest number of passwords on the biggest number of accounts possible.

Attackers get a list of the most commonly used passwords across the web or even from past intelligence gathered on the target. They then attempt either usernames at random, or they can buy a list of usernames from the dark web or from leak lists.

An important part of password spraying is staying under the radar. This usually implies that previous reconnaissance was done on the target. For example, if an account gets locked after five wrong password entries, the attempts get limited to four tries.

So, four passwords are attempted on an account before moving to the next one. It would raise suspicion if all of a sudden all accounts started to be disabled and would hinder the attack’s effectiveness.

Attackers can employ methods that make detection harder, like having access to several VPNs or using different compromised machines to carry out the attack. They could even simply wait some time before attempting another password. Although these methods increase the total duration of the attack, they make it harder to spot.
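The distinction drawn above (many passwords against one account versus a few passwords against many accounts, possibly spread over several source addresses) is exactly what a defender's log review should key on. The following is an added example, not code from the original post: it parses constructed sshd-style failure lines, classifies each source IP as brute force or spray, and adds a source-agnostic check for sprays distributed across VPNs or compromised hosts. The thresholds are assumptions to be tuned against a site's normal failure volume.

```python
# Added example (not from the original post): telling password spraying apart
# from single-account brute force in authentication failures. The log lines are
# constructed, sshd-style samples; the thresholds are assumptions to tune locally.
import re
from collections import defaultdict
from typing import Dict, Iterable, List, Tuple

# Constructed sample: 198.51.100.7 hammers one account (brute force),
# 203.0.113.9 tries two passwords on each of five accounts (spray, staying
# under a five-failure lockout), and 192.0.2.5 is a user who mistyped once.
SAMPLE_LOG = """\
Jan 10 10:00:01 web sshd[101]: Failed password for admin from 198.51.100.7 port 4001 ssh2
Jan 10 10:00:02 web sshd[102]: Failed password for admin from 198.51.100.7 port 4002 ssh2
Jan 10 10:00:03 web sshd[103]: Failed password for admin from 198.51.100.7 port 4003 ssh2
Jan 10 10:00:04 web sshd[104]: Failed password for admin from 198.51.100.7 port 4004 ssh2
Jan 10 10:00:05 web sshd[105]: Failed password for admin from 198.51.100.7 port 4005 ssh2
Jan 10 10:00:06 web sshd[106]: Failed password for admin from 198.51.100.7 port 4006 ssh2
Jan 10 10:01:01 web sshd[201]: Failed password for alice from 203.0.113.9 port 5001 ssh2
Jan 10 10:01:02 web sshd[202]: Failed password for bob from 203.0.113.9 port 5002 ssh2
Jan 10 10:01:03 web sshd[203]: Failed password for carol from 203.0.113.9 port 5003 ssh2
Jan 10 10:01:04 web sshd[204]: Failed password for invalid user dave from 203.0.113.9 port 5004 ssh2
Jan 10 10:01:05 web sshd[205]: Failed password for erin from 203.0.113.9 port 5005 ssh2
Jan 10 10:05:01 web sshd[206]: Failed password for alice from 203.0.113.9 port 5006 ssh2
Jan 10 10:05:02 web sshd[207]: Failed password for bob from 203.0.113.9 port 5007 ssh2
Jan 10 10:05:03 web sshd[208]: Failed password for carol from 203.0.113.9 port 5008 ssh2
Jan 10 10:05:04 web sshd[209]: Failed password for invalid user dave from 203.0.113.9 port 5009 ssh2
Jan 10 10:05:05 web sshd[210]: Failed password for erin from 203.0.113.9 port 5010 ssh2
Jan 10 10:07:00 web sshd[301]: Failed password for frank from 192.0.2.5 port 6001 ssh2
Jan 10 10:07:05 web sshd[302]: Accepted password for frank from 192.0.2.5 port 6001 ssh2
"""

FAILED_RE = re.compile(
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[0-9a-fA-F.:]+)"
)


def parse_failures(log_text: str) -> List[Tuple[str, str]]:
    """Extract (user, source_ip) from every failed-password line."""
    out = []
    for line in log_text.splitlines():
        m = FAILED_RE.search(line)
        if m:
            out.append((m.group("user"), m.group("ip")))
    return out


def classify_sources(failures: Iterable[Tuple[str, str]], brute_threshold: int = 5,
                     spray_min_accounts: int = 5, spray_max_per_account: int = 4) -> Dict[str, str]:
    """Per source IP: 'brute-force' when one account takes >= brute_threshold
    failures; 'password-spray' when many accounts each take only a few."""
    per_ip: Dict[str, Dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for user, ip in failures:
        per_ip[ip][user] += 1
    verdicts: Dict[str, str] = {}
    for ip, users in per_ip.items():
        busiest = max(users.values())
        if busiest >= brute_threshold:
            verdicts[ip] = "brute-force"
        elif len(users) >= spray_min_accounts and busiest <= spray_max_per_account:
            verdicts[ip] = "password-spray"
    return verdicts


def distributed_spray(failures: Iterable[Tuple[str, str]], min_accounts: int = 5,
                      max_per_account: int = 4) -> bool:
    """Source-agnostic check for a spray spread over many IPs: many distinct
    accounts failing, none of them more than max_per_account times."""
    per_user: Dict[str, int] = defaultdict(int)
    for user, _ip in failures:
        per_user[user] += 1
    low_and_wide = [u for u, n in per_user.items() if n <= max_per_account]
    return len(low_and_wide) >= min_accounts


if __name__ == "__main__":
    found = parse_failures(SAMPLE_LOG)
    for ip, verdict in classify_sources(found).items():
        print(f"{ip}: {verdict}")
    print("distributed spray pattern:", distributed_spray(found))
```

The per-IP view catches the simple cases; `distributed_spray` is the one that matters against the VPN and botnet variants the paragraph describes, and it only works once you know how many distinct accounts normally fail in a window, so baseline it before alerting on it.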

Password Spraying Example

Let’s look at this with an example. Suppose an attacker is planning to carry this out:

First they need to obtain the list of usernames to compromise on the target. They can investigate the target by looking for leaks or checking the dark web for anything related to it. If nothing is found through these means, attackers can then run a more active search on the target. One way to achieve this is to use a tool called Maltego. It aggregates data found across the web, with a basic focus on analyzing real-world relationships. Here’s an example of how it looks:

(Image from Maltego’s casefile page)

An attacker can just tell it what the target is, and Maltego will try to find information about anything related to the target. This includes employees, related servers or services, and anything from social media, etc.

But for this objective the attacker just wants people, more specifically employees. Attackers may be able to find their email addresses and, if not, try to extrapolate them from known ones, or even their actual usernames on the target. Everything else the attackers can remove from their scope, at least for now.

Say they just look for email addresses of the target’s personnel.

(On top of this, attackers could get Twitter accounts, Facebook profiles, tweets sent out, etc. All of this is valuable information, either for the current attack or for other types of attacks.)

In the previous image, we can see that the CEO is named Marcus Conrad. If an attacker finds an email from a Marcus, it’s possible that his identity has been discovered. This is valuable target information if someone wanted to attempt to compromise his email.

Now there are a few email addresses attackers could use to try passwords against in order to gain access.

Credential Stuffing

To explain credential stuffing as quickly as possible: it’s using stolen or leaked credentials to gain access to other services.

Credential Stuffing Example

Say you had an email address and password leaked on the web. Attackers try that email and password on several services like Amazon, eBay, etc., then take the first part of the email and try it on other email providers like Yahoo, Gmail, etc.

So if the account you had leaked was fakeaccount@live.com, the attackers would also try the same password at fakeaccount@gmail.com, fakeaccount@yahoo.com, and so on.

This attack is all based on the principle that a normal user will most likely reuse the same password across different accounts and services. This is why it’s very important to use different passwords for every account and service. In case one of them gets compromised and leaked, the risk to any other account is minimized.

Credential stuffing can also be referred to as a credential reuse attack; both terms describe this type of attack.

Protecting yourself from password attacks, in short, means keeping your passwords as complex and as long as you can (a password manager helps a lot with this), keeping them unique for each account and service that you use, and keeping an eye on public leak monitoring lists like https://haveibeenpwned.com/.
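Credential stuffing only works when a password that already appeared in a leak is still in use, so the practical counterpart to the advice above is checking passwords against a leak corpus at signup or login. The script below is an added example, not from the original post: it performs the check the way the Pwned Passwords range API on haveibeenpwned.com does it, sending only the first five hex characters of the password's SHA-1 and matching the remaining 35 locally, so the password itself never leaves the machine. The range responses embedded here are constructed stand-ins (the counts and the extra suffixes are made up; only the suffix of SHA-1("password") is real), and `fetch_range_http` is included to show the live call but is not exercised offline.

```python
# Added example (not from the original post): checking a password against a
# leak corpus with k-anonymity, as Pwned Passwords does. Only a 5-character
# hash prefix is sent; the service returns every suffix in that range and the
# comparison happens locally. The offline range data below is constructed.
import hashlib
import urllib.request
from typing import Callable, Dict, Tuple

RANGE_URL = "https://api.pwnedpasswords.com/range/"  # Pwned Passwords range endpoint


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1, the form the range API uses."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def split_hash(sha1_hex: str) -> Tuple[str, str]:
    """k-anonymity split: 5-char prefix goes on the wire, 35-char suffix stays local."""
    return sha1_hex[:5], sha1_hex[5:]


def count_in_range(suffix: str, response_text: str) -> int:
    """Parse 'SUFFIX:COUNT' lines and return the count for our suffix (0 if absent)."""
    for line in response_text.splitlines():
        found, _, count = line.strip().partition(":")
        if found.upper() == suffix:
            return int(count or 0)
    return 0


def fetch_range_http(prefix: str, timeout: float = 5.0) -> str:
    """Live lookup against the real service (not used by the offline demo)."""
    req = urllib.request.Request(RANGE_URL + prefix,
                                 headers={"User-Agent": "pw-check-example"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8")


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    """How many times the password appeared in the corpus behind fetch_range."""
    prefix, suffix = split_hash(sha1_upper(password))
    return count_in_range(suffix, fetch_range(prefix))


# Constructed offline stand-in for the service. The 5BAA6 range holds the real
# suffix of SHA-1("password"); the neighbouring entries and all counts are made up.
CONSTRUCTED_RANGES: Dict[str, str] = {
    "5BAA6": "\n".join([
        "0123456789ABCDEF0123456789ABCDEF012:2",
        "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3730471",
        "FEDCBA9876543210FEDCBA9876543210FED:1",
    ]),
}


def fetch_range_offline(prefix: str) -> str:
    """Offline fetcher returning the constructed ranges (empty for unknown prefixes)."""
    return CONSTRUCTED_RANGES.get(prefix, "")


if __name__ == "__main__":
    for pw in ("password", "correct horse battery staple"):
        n = breach_count(pw, fetch_range_offline)
        print(f"{pw!r}: {'seen ' + format(n, ',') + ' times' if n else 'not in sample corpus'}")
```

To run it against the real service, pass `fetch_range_http` instead of `fetch_range_offline`; a non-zero count is a reason to reject the password at signup or prompt a change at login, because that is exactly the password a stuffing list will contain.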

Conclusion

In this post, we tackled the different types of password attacks. Now that you are more familiar with the many threats in the wild, make sure to protect your website and/or server, and to follow password security best practices.

An average user has to keep track of around 20 to 40 passwords, so it becomes very tempting to start writing them down somewhere.

According to the 2019 Data Breaches report by Verizon, 29% of all breaches involved the use of stolen credentials. Because of this, many tech companies are pushing towards passwordless logins by making use of, for example, biometrics or something the user has, like a U2F key. This not only reduces the risk from passwords but also reduces the prevalence of phishing attacks.

Moving from something that the user knows to something that the user has presents the potential to mitigate most of the risks associated with passwords.

*** This is a Security Bloggers Network syndicated blog from Sucuri Blog authored by Cesar Anjos. Read the original post at: https://blog.sucuri.net/2020/01/password-attacks-101.html