Password Attack

The seminar report discusses the history and evolution of password attacks, detailing various methods used by cybercriminals to exploit vulnerabilities in user authentication. It categorizes password attacks into non-electronic, online, and offline types, explaining techniques such as brute force, dictionary attacks, and phishing. The report emphasizes the importance of implementing strong password policies and multi-factor authentication to protect against these attacks.

Uploaded by

ganganikrinal

Seminar Report

On
Password Attack
In partial fulfillment for the award of the degree
Of
BACHELOR OF COMPUTER APPLICATION
[B.C.A]
Year 2023-2024

SUBMITTED BY: Meet Bhatiya, BCA-6th SEMESTER
GUIDED BY: Asst. Prof. Anahita Pithawala

Submitted to:
SHRI SHAMBHUBHAI V. PATEL COLLEGE OF COMPUTER SCIENCE & BUSINESS MANAGEMENT
Affiliated to
Veer Narmad South Gujarat University


History of Password attack
 In the 1920s, speakeasies, also known as “blind pigs” and “gin joints”, ranged from fancy clubs to dirty backrooms and basements. During Prohibition, they were all the rage. The passwords used are lost to time, but access to a speakeasy could be gained by speaking the password softly (speak it easy, thus speakeasy), a secret handshake or knock, or a membership card.
 In 1944, following D-Day, English-speaking Allied personnel in Europe used a challenge-response process, which acted as both a password system and a vetting system. The first person would call out FLASH and wait for the response THUNDER from the second person. This was followed by WELCOME, stated by the first person after receiving the response. The words were chosen because Germans speaking English had trouble with words using w-sounds.
 In 1960, the first computer password was used at the Massachusetts Institute of Technology for the Compatible Time-Sharing System (CTSS). This enabled users to have their own set of files on a single console, which was connected to a shared mainframe. Corbató told the Wall Street Journal in an interview that passwords became sort of a nightmare with the World Wide Web.
 In 1962, the first password-based data breach happened when CTSS passwords were printed out and shared. Ph.D. candidate Alan Scheer printed out the passwords to get more time on the CTSS to run research simulations.
 In 1974, Robert Morris developed one-way encryption translating passwords into numbers, a process known as hashing. This process is still used today.
 In 1979, Robert Morris and Ken Thompson coined the term “salt”. Salting a password means adding random characters to a password before it is stored, making the stored value harder to crack. This is also still used today.
 In 1990, nearly 50% of all data breaches involved stolen credentials (Verizon DBIR, 2022), but common passwords are a problem too. Passwords of five (5) and six (6) characters were common. Among the 10,000 most common passwords, you’ll find such gems as 123456, password, qwerty, letmein, shadow, baseball, football, dragon, 123321, and abc123.
 AT&T invented and patented two-factor authentication in 1995, and the patent was granted in 1998.
 In 2000, as technology advanced and criminals took to cracking passwords compromised during data breaches, the trend to lengthen passwords started to take off.
 In 2010, two-factor authentication (2FA) was followed by multi-factor authentication (MFA). MFA is broken down into three core elements: something you know (a password), something you have (your phone, an MFA token, a smart card, etc.), and something you are (biometrics). There is a fourth option, based on location, which is sometimes used by vendors, including Duo.
 2FA and MFA became increasingly adopted, mostly due to the explosion of data breaches that exposed passwords. These breaches are particularly harmful because passwords were often recycled and reused across multiple websites and services (this still happens today!).
 In 2020, you need a password length of about 12 to 18 characters or longer to stay ahead of the curve. Password managers are becoming increasingly handy tools to help humans manage complexity.
 In 2022, an eight (8) character password comprised of upper- and lowercase letters, numbers, and symbols can be cracked and fully exposed in about 39 minutes. Passwords of the same complexity but shorter than 8 characters can be cracked in seconds, or instantly.
 In the future: the future is a passwordless one. Authentication in the future will focus on what you know, what you have, what you are, where you are (contextual), and how you act (behavioral), also known as Risk-Based Authentication and Continuous Trusted Access.
Introduction

 A password attack is any attempt to exploit a vulnerability in user authorization within a digital system. Just as there is a near-infinite number of possible passwords, there are many different methods a cybercriminal may employ to maliciously authenticate into a secure account. But in every case the cybercriminal’s goal is the same: taking advantage of vulnerable passwords to get into a system where they can then compromise sensitive data.
 Password cracking is one of the essential phases of the hacking process. It is a way to recover passwords from data stored on, or transmitted by, a computer or mainframe. The motivation behind password cracking may be to help a user recover a forgotten password after a failed authentication, a preventive measure by system administrators to check for easily guessed weak passwords, or an attacker using the process to gain unauthorized system access.

 Types of Password Attacks :

 Password cracking is carried out regardless of the legal aspects, either to defend against unauthorized system access (for instance, recovering a password the customer has forgotten) or to gain such access. The classification depends on the attacker’s activities, which are ordinarily one of four types:
1. Non-Electronic Attacks –
This is most likely the hacker’s first go-to for acquiring the target system’s password. These sorts of password cracking attacks don’t need any specialized skill or knowledge about hacking or the misuse of systems, which is why they are called non-electronic. A few strategies used to carry out these attacks are social engineering, dumpster diving, shoulder surfing, and so forth.
2. Active Online Attacks –
This is perhaps the most straightforward approach to acquiring unauthorized administrator-level access to a mainframe. To crack the passwords, a hacker needs to communicate with the target machines, because that is obligatory for password access. A few techniques used to carry out these attacks are dictionary attacks, brute-forcing, password guessing, hash injection, phishing, LLMNR/NBT-NS poisoning, the use of Trojans/spyware/keyloggers, and so forth.
3. Passive Online Attacks –
A passive attack is a deliberate attack that doesn’t bring about any change to the system. In these attacks, the hacker doesn’t have to interact with the system. Instead, he/she passively monitors or records the data passing over the communication channel to and from the mainframe. The attacker then uses the captured data to break into the system. Techniques used to perform passive online attacks include replay attacks, wire-sniffing, man-in-the-middle attacks, and so on.
4. Offline Attacks –
Offline attacks refer to password attacks where an attacker attempts to recover clear-text passwords from a password hash dump. These attacks are frequently tedious yet can be effective, as password hashes can be cracked due to their smaller keyspace and shorter length. Attackers use precomputed hashes from rainbow tables to perform offline and distributed network attacks.

 A password attack refers to any of the various methods used to maliciously authenticate into password-protected accounts. These attacks are typically facilitated through the use of software that expedites cracking or guessing passwords. The most common attack methods include brute forcing, dictionary attacks, password spraying, and credential stuffing.
 Brute forcing is the attempt to guess a password by iterating through all
possible combinations of the set of allowable characters.
 Dictionary attacks try to guess passwords by iterating through commonly
used passwords, such as words found in the dictionary and simple
variations on them.
 Rather than trying multiple passwords against one account, password
spraying tries a small number of common passwords against many
accounts in hopes of accessing at least one of them. This method helps
avoid account lockout rules and is more difficult to detect.
 Cyber threat actors exploit end users’ tendency to reuse passwords
through credential stuffing. This involves utilizing breached usernames
and passwords to attempt (or “stuff”) a large number of login requests
into a different website in hopes that some users have reused the
breached usernames and passwords.
 These are the most common “front end” attacks, in which malicious
actors try to compromise accounts through login portals. There is
another set of attacks that go after the password storage. As attackers
often choose the path of least resistance, it’s critical to protect against
both types.
 Password attacks perennially top the list of data breach attack vectors. While they are relatively easy and low cost to mitigate, many organizations do not have properly implemented safeguards. Even when organizations implement multi-factor authentication (MFA), passwords typically serve as one of the factors. Furthermore, malicious actors typically compromise accounts in order to facilitate other consequences, such as data exfiltration, facilitated phishing, or the introduction of malware onto networks.
 In order to protect your organization from password attacks, election
officials should work with their security staff to implement the password
guidance in the National Institute of Standards and Technology’s Special
Publication 800-63B Digital Identity Guidelines, Authentication and
Lifecycle Management. This guidance details requirements for passwords
that can render the attacks above inefficient or ineffective, methods for
the proper storage of passwords, and strategies aimed at defending
against password attacks. Well-created and well-protected passwords
afford a limited amount of protection. Use MFA to protect all sensitive
accounts and information.
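The spraying and credential-stuffing paragraphs above note that spreading a few guesses over many accounts evades lockout rules and is harder to detect. This added example (not from the report) runs a per-account lockout rule and a per-source spraying rule over a constructed sample of login events to show what each one catches; the log format, thresholds and IP addresses are assumptions.

```python
"""Added example, not from the report: telling brute force from password
spraying in authentication logs, and showing why per-account lockout alone
does not stop spraying. Every log line below is constructed sample data."""
from collections import defaultdict

# Constructed sample log: (timestamp in seconds, source IP, username, result)
SAMPLE_LOG = [
    (0, "10.0.0.5", "alice", "FAIL"), (1, "10.0.0.5", "alice", "FAIL"),
    (2, "10.0.0.5", "alice", "FAIL"), (3, "10.0.0.5", "alice", "FAIL"),
    (4, "10.0.0.5", "alice", "FAIL"), (5, "10.0.0.5", "alice", "FAIL"),
    (10, "10.0.0.9", "bob", "FAIL"), (11, "10.0.0.9", "carol", "FAIL"),
    (12, "10.0.0.9", "dave", "FAIL"), (13, "10.0.0.9", "erin", "FAIL"),
    (14, "10.0.0.9", "frank", "FAIL"), (15, "10.0.0.9", "grace", "FAIL"),
    (16, "10.0.0.9", "heidi", "OK"),   # the spray found a weak password
    (40, "10.0.0.7", "ivan", "FAIL"), (41, "10.0.0.7", "ivan", "OK"),  # typo
]


def simulate_lockout(log, max_failures=5, window=60):
    """Classic per-account lockout: lock an account once it has
    `max_failures` failed logins inside `window` seconds.
    Returns the set of accounts that would be locked."""
    failures = defaultdict(list)
    locked = set()
    for ts, _src, user, result in log:
        if result != "FAIL":
            continue
        recent = [t for t in failures[user] if ts - t <= window] + [ts]
        failures[user] = recent
        if len(recent) >= max_failures:
            locked.add(user)
    return locked


def detect_bruteforce(log, min_failures=5, window=60):
    """Many failures against ONE account from one source: the pattern
    lockout is designed for. Returns sorted (source, account) pairs."""
    per_pair = defaultdict(list)
    for ts, src, user, result in log:
        if result == "FAIL":
            per_pair[(src, user)].append(ts)
    hits = []
    for pair, stamps in per_pair.items():
        if len(stamps) >= min_failures and stamps[-1] - stamps[0] <= window:
            hits.append(pair)
    return sorted(hits)


def detect_spraying(log, min_accounts=5, max_per_account=2, window=300):
    """One source failing against MANY accounts with only a few tries each
    inside `window` seconds. Each account stays under the lockout threshold,
    so only a per-source view catches it. Returns sorted source IPs."""
    per_source = defaultdict(lambda: defaultdict(int))
    first_seen = {}
    for ts, src, user, result in log:
        if result != "FAIL":
            continue
        first_seen.setdefault(src, ts)
        if ts - first_seen[src] <= window:
            per_source[src][user] += 1
    flagged = [src for src, users in per_source.items()
               if len(users) >= min_accounts
               and max(users.values()) <= max_per_account]
    return sorted(flagged)


def compromised_after_spray(log):
    """Accounts that logged in successfully from a source flagged as
    spraying: the first thing an incident responder wants to know."""
    sprayers = set(detect_spraying(log))
    return sorted({user for _ts, src, user, result in log
                   if src in sprayers and result == "OK"})


if __name__ == "__main__":
    print("locked by per-account rule:", simulate_lockout(SAMPLE_LOG))
    print("brute force pairs:", detect_bruteforce(SAMPLE_LOG))
    print("spraying sources:", detect_spraying(SAMPLE_LOG))
    print("accounts to reset:", compromised_after_spray(SAMPLE_LOG))
```

The lockout rule only ever locks `alice`; the six one-try failures from `10.0.0.9` stay invisible to it, while the per-source rule flags that address and points straight at `heidi` as the account that needs a reset.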
There are three types of password attacks:

o Non-electronic attacks
o Online attacks
o Offline attacks

1) Non-electronic attacks
A non-electronic attack is a type of attack that uses chicanery to get sensitive information from users or to perform actions through which the security of a network will be compromised. Non-electronic attacks are as follows:

Social Engineering
Social engineering is the process in which a user is tricked into believing that the hacker is a legitimate agent. A common tactic: the hacker poses as technical support, calls a victim, and asks for a network access password so that he can “provide assistance”. The technique becomes even more effective when the attacker shows up in person with fake credentials and a fake uniform. These days, however, this technique is less common.

Social engineering attacks can be highly lucrative and highly convincing when they succeed. For example, a hacker stole $201,000 from a UK-based energy company by tricking the CEO of the company with an AI tool that mimicked his assistant’s voice.

Shoulder Surfing
Shoulder surfing attacks are performed by the most confident hackers. The hacker can take on the appearance of an air-conditioning service technician, parcel courier or anything else so that they can easily access an office building. Once they have entered the office, they get a kind of free pass, and they can note the passwords entered by the staff members of the company.

A brazen example involves hackers who disguise themselves so that they can gain access to company sites. To grab sensitive information, documents and passwords, they look over employees’ shoulders. This attack mostly affects smaller businesses.

Recently, security experts found a vulnerability in the authentication process used by WhatsApp. If a user takes a new device and wants to use WhatsApp, he has to enter a unique code that is sent to his number via text message. Using that code, the user’s account can be restored, and the chat history can also be retrieved in the background. It was found that if an attacker knows a user’s phone number, they can install WhatsApp on a new device and then request a new code. If the hacker uses a spying device, they can copy the code as it arrives on the user’s own device.

Spidering
The techniques used in phishing attacks and social engineering attacks are also used in spidering. Savvy hackers have understood that the passwords used in corporate offices are often made of business-related words. For the brute force attack, a custom word list is built from website sales material, customers listed on websites, corporate literature, and competitors’ websites. Really savvy hackers automate the process.

Using spidering, a hacker studies their target and, based on the target’s activity, can derive the credentials. For example, many companies set their internal service passwords to words related to their business so that employees can easily remember them. If a hacker targets a company and knows its line of work, they may try to access its networks or employee handbooks to further their understanding. Hackers can also create a list of all possible combinations of words by studying the products that the company makes. That list can then be used in brute force attacks.

2) Online attacks
Active online attacks can be categorized as follows:

Guess
Guessing is the password cracker’s best friend. If all other attacks fail, the hacker can try to guess your password. These days there are various password managers that create random password strings which are impossible for a hacker to guess. But many users set a password based on memorable parts of their life like family, interests, pets, date of birth, hobbies, and so on. The password can also be based on things you like to chat about on social networks, which may also be included in your profile. When password crackers attempt to get a customer-level password, they look at this information and make a guess based on what is available on social networks. If you want to protect yourself from guessing, use a password manager and maintain password hygiene. Many password managers are free, so you can use them.

Brute Force attack
In a brute force attack, an attacker gains access to a system by trying many passwords, that is, by systematic password guessing. For example, a hacker can use relevant clues to guess a person’s password. Many people use the same password on many sites, so a password can be exposed using data from previous breaches. Using some of the most commonly used passwords, a hacker attempts to guess the associated username, which is the reverse brute force attack.

Dictionary attack
This attack is a more sophisticated form of brute force attack. In a dictionary attack, the attacker uses a dictionary that contains words; the words are often nothing more than simple names. In other words, the attacker tries the words that most users use as their passwords. In a dictionary attack, every word in the dictionary is tested in seconds. Most dictionaries contain credentials gained from previously hacked passwords, along with word combinations and the most commonly used passwords.

A hacker knows all the clever tricks. So if a user joins words together like “superadministratorguy” or “bestmommy”, it will not keep the password from a hacker; it only adds a few extra seconds before the password is cracked. Many people use memorable items like a girlfriend’s name, date of birth, boyfriend’s name and so on as their password, and a dictionary attack takes advantage of this fact. That’s why, when a password is created, the system urges the user to enter multiple character types.

Phishing
Phishing is a very easy way to obtain any user’s password. In this attack, the hacker simply asks the user to enter his password. In a phishing email, the hacker sends the unsuspecting user a fake login page for whatever service the hacker wants to access. The page claims there is some terrible problem with the user’s security and asks them to log in; it then skims their password. Now the hacker can use that password to get the user’s sensitive information. When users give you a password happily, why bother cracking it?

Malware
The umbrella of malware covers a host of malicious tools, screen scrapers, and keyloggers. This malicious software is used to steal a person’s information. Ransomware, which is highly disruptive malicious software, attempts to block access to the entire system. Malware families include some highly specialized malware that specifically targets passwords.

Keyloggers and their ilk record the activity of a user. They can record it through screenshots or keystrokes and then share it with the attacker. Some malware attacks target the web browser’s stored password file. If the file is not properly encrypted, the hacker can easily access the passwords the user saved in the browser.

3) Offline attacks
Offline attacks are as follows:

Offline Cracking
We should remember that not all attackers work over the internet connection; much of the work is done offline. You might imagine that by blocking automated guessing applications your password is safe: if a user enters the wrong password three or four times, the system locks the user out. This would be true if all password hacking took place online, but it doesn’t. Offline hacking uses the hashes in a password file obtained from a compromised system.

The target is compromised through a hack on a third party that provides access to the hash file of the users’ passwords on the system server. Now the hacker can take their time trying to crack the hashes without alerting the individual users or the target system. This attack becomes possible once an initial attack succeeds, whether the hackers stumble on a database, obtain it through an SQL injection attack, or gain elevated privileges on an unprotected server.

Rainbow table attack
Despite the name, a rainbow table is not colorful. Whenever a password is stored on a system, it is encrypted using a cryptographic alias, or hash. This makes it impossible for a hacker to read the original password directly. To bypass this, hackers maintain and share directories built from previous hacks containing passwords and their corresponding hashes. This reduces the time it takes hackers to break into the system.

The rainbow table goes one step further. A simple list provides password and hash pairs, but a rainbow table uses the hash algorithm itself and provides the plain text versions of all possible hashed passwords within its scope. If the hacker discovers any hashed password in a company system, they can compare it with the list provided by the rainbow table. Since most of the computation is done before the attack takes place, launching the attack is quicker and easier compared to other methods.

Network Analyzers
Network analyzers are tools that allow an attacker to monitor and intercept packets sent over the network. If a packet contains a plain text password, the tool lifts that password.

Without malware, an attacker cannot access the physical network. Network analysis does not rely on exploiting network bugs or system vulnerabilities. In many attacks, the first phase is the use of network analyzers, followed up with brute force attacks.

We can also use the same tools in our business to scan our network, which is useful for troubleshooting and running diagnostics. Using these tools, the admin can find out which information is transmitted as plain text and put policies in place to prevent this from happening. If you route your traffic through a VPN (Virtual Private Network), you can protect yourself from this attack.

Mask attack
This attack is specific in its scope. In a mask attack, guesses are restricted to a pattern of numbers or characters. For example, if a password starts with a number and the hacker knows this, they can tailor the mask to try only passwords that start with a number. Criteria used to configure a mask include special characters, the arrangement of characters, the number of times a single character is repeated, password length, etc. The goal of a mask attack is to rule out unnecessary candidates and reduce the time needed to crack a password.

 Below are some of the highlights of the NIST password guidance. The guidance explains implementation in much greater detail for your technical staff:

 Encourage the use of passphrases rather than passwords by allowing whitespace and long (at least 64 characters) passphrases. Passphrases should be a minimum length of 15 characters.
 If you require a passphrase of 15 or more characters, there is no need to require composition rules, such as upper- and lower-case letters, numbers, or special characters. This blog post explains why passphrases are better for both usability and security.
 Neither passwords nor passphrases alone should ever be used to protect sensitive information. For anything sensitive or of substantial value to your organization, protect user accounts with MFA.
 Rather than having a set expiration on passwords, force changes only when there is a reason to believe there was a compromise. To avoid issues of password reuse, check against previous breach data when users create their passphrases.
 Do not allow password “hints.”
 Allow paste functionality in password fields so users can use password managers. Consider issuing password managers to your users.
 Properly salt and hash stored passwords.
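The rainbow table section earlier and the “properly salt and hash” guideline above are two sides of the same point. This added example (not from the report) builds a small precomputed hash lookup over a constructed common-password list, shows that it reverses an unsalted SHA-256 hash instantly but finds nothing once a random per-user salt and a slow KDF (PBKDF2-HMAC-SHA256 from the Python standard library, used here as one reasonable choice) are in place, and verifies passwords in constant time.

```python
"""Added example, not from the report: why an unsalted fast hash can be
reversed with a precomputed lookup table (the rainbow-table idea), and how
a random salt plus a slow KDF, as the NIST guidance requires, defeats it.
The common-password list is a constructed sample."""
import hashlib
import hmac
import os

# Constructed stand-in for a leaked/common-password list (the report cites
# 123456, password, qwerty, letmein and dragon among the most common).
COMMON_PASSWORDS = ["123456", "password", "qwerty", "letmein", "dragon"]


def fast_hash(password: str) -> str:
    """Unsalted SHA-256: fast and deterministic, so it can be precomputed."""
    return hashlib.sha256(password.encode()).hexdigest()


def build_lookup_table(candidates):
    """Precompute hash -> password for every candidate. A real rainbow table
    compresses this with hash/reduce chains, but the idea is the same."""
    return {fast_hash(p): p for p in candidates}


def lookup(table, stored_hash):
    """Instant reversal if the stored hash was produced without a salt."""
    return table.get(stored_hash)


def store_password(password: str, iterations: int = 100_000) -> dict:
    """Salted, slow hashing with PBKDF2-HMAC-SHA256. The random per-user salt
    makes every stored value unique even when two users pick the same
    password, so one precomputed table cannot serve both."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "hash": digest.hex()}


def verify_password(record: dict, attempt: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(),
                                 bytes.fromhex(record["salt"]),
                                 record["iterations"])
    return hmac.compare_digest(digest.hex(), record["hash"])


def demo() -> dict:
    """Two users who both chose "123456", stored both ways."""
    table = build_lookup_table(COMMON_PASSWORDS)
    unsalted_a, unsalted_b = fast_hash("123456"), fast_hash("123456")
    salted_a, salted_b = store_password("123456"), store_password("123456")
    return {
        "unsalted_identical": unsalted_a == unsalted_b,   # same hash leaks reuse
        "unsalted_reversed": lookup(table, unsalted_a),   # table hit
        "salted_identical": salted_a["hash"] == salted_b["hash"],
        "salted_reversed": lookup(table, salted_a["hash"]),  # no table hit
        "verify_ok": verify_password(salted_a, "123456"),
        "verify_wrong": verify_password(salted_a, "password"),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```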

 Some of the best practices for protecting against password cracking include:

1. Perform information security audits to monitor and track password attacks.
2. Do not reuse the same password when changing passwords.
3. Do not share passwords.
4. Do not use passwords that can be found in a dictionary.
5. Do not use clear-text protocols or protocols with weak encryption.
6. Set the password change policy to 30 days.
7. Do not store passwords in an insecure location.
8. Do not use any mainframe’s or PC’s default passwords.
9. Unpatched computers can have passwords reset during buffer overflow or Denial of Service attacks. Keep the system updated.
10. Enable account lockout with a specific number of attempts, counter time, and lockout duration. One of the best approaches to managing passwords in organizations is to set up automated password reset.
11. Ensure that the computer or server’s BIOS is protected with a password, particularly on devices that are exposed to physical threats, for instance servers and PCs.

 Here’s a breakdown of password attacks:

 The Why: Why do attackers target passwords? Because passwords are often the first line of defense for protecting sensitive information. Once a password is compromised, a hacker can access emails, bank accounts, social media profiles, and more.
 The Methods: Hackers have a toolbox of techniques for password attacks. Here are some common ones:
o Brute-Force Attack: This method systematically tries every
possible combination of characters until the password is guessed.
It's slow for complex passwords but can be effective for weak
ones.
o Dictionary Attack: This approach tries common words, phrases,
and variations found in dictionaries or leaked password lists.
o Password Spraying: Hackers attempt a small set of common
passwords against a large number of usernames, hoping to gain
access to some accounts.
o Credential Stuffing: Attackers use usernames and passwords
stolen from previous data breaches to try logging into other
accounts.
o Phishing: This social engineering trick deceives users into
revealing their passwords on fake login pages.
 The Impact: Successful password attacks can have serious
consequences. They can lead to:
o Identity Theft: Attackers can steal personal information and use it
for fraudulent purposes.
o Data Breaches: Compromised passwords can expose sensitive
data belonging to individuals or organizations.
o Financial Loss: Hackers can steal money from bank accounts or
use stolen credit cards to make unauthorized purchases.

Understanding password attacks is crucial for protecting yourself online. In the next step, we can discuss how to create strong passwords and defend against these attacks.

Secure Your Business against the Most Insidious Password Attacks being Used Today
Since the earliest days of computing, passwords have been the go-to method
for securing sensitive data and restricting system access. Now, nearly every
digital account, tool, system, and even many websites require that users log in
with unique profiles and passwords before they’re allowed to proceed. It’s the
world we live in, it’s nothing new, and most of us have come to accept it.

But even if our reliance on passwords has remained consistent, the threats to
password security have not. Today, passwords are more vulnerable than
ever; passwords and credentials were exploited in 81% of company data
breaches in 2020, making password attacks the most-commonly-used threat
vector for cyber criminals to gain access to otherwise-secure systems. To
combat these mounting threats, system administrators around the world have
enacted stricter and stricter password requirements. But while longer
password lengths and the inclusion of special characters may make a password
more difficult to crack, it also makes it more difficult to use.

The end result? Frustrated employees who take their own steps to make
password management more manageable. Unfortunately, by reusing
passwords, creating easy-to-remember (and easy-to-guess) passwords, and
saving password information in insecure areas, these users are putting
themselves, their companies, and others at risk.

Here, we take a look at password attacks, what common types and categories
you need to be aware of, and how you can protect your vital data in an era
where traditional approaches to passwords may no longer be effective.
 Example :-
 One of the most prevalent password attacks involves attackers
convincing the victim that their account will be deactivated if their login
credentials aren't verified.
 The attacker sends phishing emails to users, alerting them that their
account has been compromised and that their credit card and login
information are required to keep the account open. The email contains a
link that looks identical to the legitimate website, but leads to the
hacker's malicious website. When the victim clicks on this link, they are
routed to a fake confirmation screen where they enter their valid login
credentials. The hacker then steals the victim's credentials and uses
them to access their legitimate account.

Types Of Password Attack
1. Phishing
Phishing is when a hacker posing as a trustworthy party sends you a fraudulent
email, hoping you will reveal your personal information voluntarily. Sometimes
they lead you to fake "reset your password" screens; other times, the links
install malicious code on your device. We highlight several examples on the
OneLogin blog.

Here are a few examples of phishing:

 Regular phishing. You get an email from what looks like goodwebsite.com asking you to reset your password, but you didn't read closely and it's actually goodwobsite.com. You "reset your password" and the hacker steals your credentials.
 Spear phishing. A hacker targets you specifically with an email that
appears to be from a friend, colleague, or associate. It has a brief,
generic blurb ("Check out the invoice I attached and let me know if it
makes sense.") and hopes you click on the malicious attachment.
 Smishing and vishing. You receive a text message (SMS phishing, or
smishing) or phone call (voice phishing, or vishing) from a hacker who
informs you that your account has been frozen or that fraud has been
detected. You enter your account information and the hacker steals it.
 Whaling. You or your organization receive an email purportedly from a
senior figure in your company. You don't do your homework on the
email's veracity and send sensitive information to a hacker.

To avoid phishing attacks, follow these steps:

 Check who sent the email: look at the From: line in every email to
ensure that the person they claim to be matches the email address
you're expecting.
 Double check with the source: when in doubt, contact the person who
the email is from and ensure that they were the sender.
 Check in with your IT team: your organization's IT department can often
tell you if the email you received is legitimate.
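The first avoidance step above, checking the From: line, is exactly what the goodwebsite.com / goodwobsite.com trick defeats by eye. This added example (not from the report) automates the check: it pulls the real address out of a From: header, flags domains within one or two edits of a trusted domain, and flags display names that claim a trusted domain while the address lives elsewhere. The trusted domains and sample headers are constructed.

```python
"""Added example, not from the report: a defender-side check for lookalike
sender domains such as goodwobsite.com standing in for goodwebsite.com.
Trusted domains and sample headers are constructed."""
from email.utils import parseaddr

TRUSTED_DOMAINS = {"goodwebsite.com", "example-bank.com"}  # constructed list


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; one substituted letter gives a distance of 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,            # deletion
                           cur[j - 1] + 1,         # insertion
                           prev[j - 1] + (ca != cb)))  # substitution
        prev = cur
    return prev[-1]


def sender_domain(from_header: str) -> str:
    """Domain of the actual address in a From: header; the display name is
    ignored because it is free text the sender fully controls."""
    _name, addr = parseaddr(from_header)
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def classify_sender(from_header: str, trusted=TRUSTED_DOMAINS) -> str:
    """Return one of: trusted, lookalike, display-name-spoof, unknown."""
    name, _addr = parseaddr(from_header)
    domain = sender_domain(from_header)
    if domain in trusted:
        return "trusted"
    for t in trusted:
        # goodwobsite.com vs goodwebsite.com: one edit apart.
        if 0 < edit_distance(domain, t) <= 2:
            return "lookalike"
        # trusted.com.evil.example: trusted name used as a leading label.
        if domain.startswith(t + "."):
            return "lookalike"
    for t in trusted:
        # "goodwebsite.com Support <help@mail-host.net>": the name lies.
        if t in name.lower():
            return "display-name-spoof"
    return "unknown"


if __name__ == "__main__":
    for header in ["Support <support@goodwebsite.com>",
                   "Support <support@goodwobsite.com>",
                   "goodwebsite.com Support <help@mail-host.net>",
                   "Bob <bob@unrelated.org>"]:
        print(f"{classify_sender(header):18} {header}")
```

A hit on `lookalike` or `display-name-spoof` is a reason to follow the second step above (confirm with the sender out of band), not a verdict on its own.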

2. Man-in-the-Middle Attack
Man-in-the middle (MitM) attacks are when a hacker or compromised system
sits in between two uncompromised people or systems and deciphers the
information they're passing to each other, including passwords. If Alice and
Bob are passing notes in class, but Jeremy has to relay those notes, Jeremy has
the opportunity to be the man in the middle. Similarly, in 2017, Equifax
removed its apps from the App Store and Google Play store because they were
passing sensitive data over insecure channels where hackers could have stolen
customer information.

To help prevent man-in-the-middle attacks:

 Enable encryption on your router. If your modem and router can be accessed by anyone off the street, they can use "sniffer" technology to see the information that is passed through it.
 Use strong credentials and two-factor authentication. Many router
credentials are never changed from the default username and password.
If a hacker gets access to your router administration, they can redirect all
your traffic to their hacked servers.
 Use a VPN. A secure virtual private network (VPN) will help prevent man-
in-the-middle attacks by ensuring that all the servers you send data to
are trusted.

3. Brute Force Attack
If a password is equivalent to using a key to open a door, a brute force attack is using a battering ram. A hacker can try 2.18 trillion password/username combinations in 22 seconds, and if your password is simple, your account could be in the crosshairs.

To help prevent brute force attacks:

 Use a complex password. The difference between an all-lowercase, all-alphabetic, six-digit password and a mixed case, mixed-character, ten-digit password is enormous. As your password's complexity increases, the chance of a successful brute force attack decreases.
 Enable and configure remote access. Ask your IT department if your
company uses remote access management. An access management tool
like OneLogin will mitigate the risk of a brute-force attack.
 Require multi-factor authentication. If multi-factor authentication (MFA)
is enabled on your account, a potential hacker can only send a request to
your second factor for access to your account. Hackers likely won't have
access to your mobile device or thumbprint, which means they'll be
locked out of your account.
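
The following is an added example (not part of the report) that puts numbers on the complexity claim above. It takes the guess rate the report quotes (2.18 trillion combinations in 22 seconds) and computes the keyspace, entropy and worst-case exhaustion time for the two password shapes the report contrasts plus a longer one. The character-class sizes are an assumption (printable ASCII); everything else follows from the report's figure.

```python
import math

# Guess rate quoted in the report: 2.18 trillion username/password
# combinations in 22 seconds.
GUESSES_PER_SECOND = 2.18e12 / 22

# Character-class sizes (assumed: printable ASCII, 32 punctuation symbols).
LOWER, UPPER, DIGITS, SYMBOLS = 26, 26, 10, 32


def keyspace(length: int, alphabet: int) -> int:
    """Number of distinct passwords of exactly `length` characters
    drawn from an alphabet of `alphabet` symbols."""
    return alphabet ** length


def entropy_bits(length: int, alphabet: int) -> float:
    """Bits of entropy of a uniformly random password of this shape."""
    return length * math.log2(alphabet)


def seconds_to_exhaust(length: int, alphabet: int,
                       rate: float = GUESSES_PER_SECOND) -> float:
    """Worst-case time to try every candidate at `rate` guesses per second.
    On average the attacker succeeds after about half this time."""
    return keyspace(length, alphabet) / rate


def humanize(seconds: float) -> str:
    """Render a duration in the largest convenient unit."""
    for unit, size in (("years", 365 * 86400), ("days", 86400),
                       ("hours", 3600), ("minutes", 60)):
        if seconds >= size:
            return f"{seconds / size:,.1f} {unit}"
    return f"{seconds:.3f} seconds"


# The two shapes the report contrasts, plus a longer policy for comparison.
POLICIES = {
    "6 chars, lowercase only": (6, LOWER),
    "10 chars, mixed case + digits + symbols": (10, LOWER + UPPER + DIGITS + SYMBOLS),
    "16 chars, mixed case + digits + symbols": (16, LOWER + UPPER + DIGITS + SYMBOLS),
}


def compare_policies(policies=POLICIES, rate=GUESSES_PER_SECOND):
    """Return {policy name: (keyspace, entropy bits, worst-case seconds)}."""
    return {name: (keyspace(n, a), entropy_bits(n, a), seconds_to_exhaust(n, a, rate))
            for name, (n, a) in policies.items()}


if __name__ == "__main__":
    for name, (space, bits, secs) in compare_policies().items():
        print(f"{name:42s} {space:>28,d}  {bits:5.1f} bits  {humanize(secs)}")
```

At the report's rate the six-character lowercase space is exhausted in a fraction of a second, while the ten-character mixed space takes years; the point for a defender is that length and alphabet size multiply, so the policy knob with the most leverage is minimum length.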

4. Dictionary Attack
A type of brute force attack, dictionary attacks rely on our habit of picking
"basic" words as our password, the most common of which hackers have
collated into "cracking dictionaries." More sophisticated dictionary attacks
incorporate words that are personally important to you, like a birthplace,
child's name, or pet's name.

To help prevent a dictionary attack:

 Never use a dictionary word as a password. If you've read it in a book, it
should never be part of your password. If you must use a password
instead of an access management tool, consider using a password
management system.
 Lock accounts after too many password failures. It can be frustrating to
be locked out of your account when you briefly forget a password, but
the alternative is often account insecurity. Give yourself five or fewer
tries before your application tells you to cool down.
 Consider investing in a password manager. Password managers
automatically generate complex passwords that help prevent dictionary
attacks.

5. Credential Stuffing
If you've suffered a hack in the past, you know that your old passwords were
likely leaked onto a disreputable website. Credential stuffing takes advantage
of accounts that never had their passwords changed after an account break-in.
Hackers will try various combinations of former usernames and passwords,
hoping the victim never changed them.

To help prevent credential stuffing:

 Monitor your accounts. There are paid services that will monitor your
online identities, but you can also use free services like
haveibeenpwned.com to check whether your email address is connected
to any recent leaks.
 Regularly change your passwords. The longer one password goes
unchanged, the more likely it is that a hacker will find a way to crack it.
 Use a password manager. Like a dictionary attack, many credential
stuffing attacks can be avoided by having a strong and secure password.
A password manager helps maintain those.
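
The following is an added example (not part of the report) showing, on the server side, the two controls the dictionary-attack and credential-stuffing sections call for: locking an account after the report's "five or fewer" failed tries, and noticing when one source address fails against many different accounts, which is the signature of stuffing leaked username/password pairs. The log format, the sample lines and the stuffing thresholds (10 distinct accounts within 5 minutes) are constructed assumptions for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Policy from the report: five or fewer tries before the account cools down.
MAX_FAILURES = 5
LOCKOUT = timedelta(minutes=15)

# Credential-stuffing heuristic (assumed thresholds, not from the report):
# one source IP failing against many different accounts in a short window.
STUFFING_USERS = 10
STUFFING_WINDOW = timedelta(minutes=5)


def parse_line(line: str):
    """Parse a constructed log line: '<ISO timestamp> <ip> <user> <OK|FAIL>'."""
    ts, ip, user, result = line.split()
    return datetime.fromisoformat(ts), ip, user, result


class LoginMonitor:
    def __init__(self):
        self.user_failures = defaultdict(list)   # user -> recent failure times
        self.locked_until = {}                   # user -> lockout expiry
        self.ip_failures = defaultdict(list)     # ip -> [(time, user)]
        self.alerts = []                         # (time, ip, distinct users)
        self.alerted_ips = set()

    def handle(self, ts, ip, user, result) -> str:
        """Decide one attempt: ALLOW, FAIL, LOCKOUT or LOCKED."""
        until = self.locked_until.get(user)
        if until is not None and ts < until:
            return "LOCKED"          # refused regardless of the password
        if result == "OK":
            self.user_failures[user].clear()
            return "ALLOW"

        # Per-account counter: only failures inside the window count.
        recent = [t for t in self.user_failures[user] if ts - t <= LOCKOUT]
        recent.append(ts)
        self.user_failures[user] = recent

        # Per-source counter across accounts: the stuffing/spraying pattern.
        self.ip_failures[ip] = [(t, u) for t, u in self.ip_failures[ip]
                                if ts - t <= STUFFING_WINDOW] + [(ts, user)]
        distinct = {u for _, u in self.ip_failures[ip]}
        if len(distinct) >= STUFFING_USERS and ip not in self.alerted_ips:
            self.alerted_ips.add(ip)
            self.alerts.append((ts, ip, len(distinct)))

        if len(recent) >= MAX_FAILURES:
            self.locked_until[user] = ts + LOCKOUT
            self.user_failures[user] = []
            return "LOCKOUT"
        return "FAIL"


def run(log_text: str):
    """Replay a log; return the per-attempt decisions and any stuffing alerts."""
    monitor = LoginMonitor()
    decisions = [monitor.handle(*parse_line(l))
                 for l in log_text.splitlines() if l.strip()]
    return decisions, monitor.alerts


def build_sample_log() -> str:
    """Constructed sample: one account guessed repeatedly, then one IP trying
    leaked pairs against twelve different accounts, then a normal login."""
    base = datetime(2024, 3, 1, 10, 0, 0)
    lines = [f"{(base + timedelta(seconds=i)).isoformat()} 198.51.100.7 alice FAIL"
             for i in range(5)]
    # Correct password on the sixth try, but the account is already locked.
    lines.append(f"{(base + timedelta(seconds=5)).isoformat()} 198.51.100.7 alice OK")
    lines += [f"{(base + timedelta(minutes=1, seconds=i)).isoformat()} 203.0.113.9 user{i:02d} FAIL"
              for i in range(12)]
    lines.append(f"{(base + timedelta(minutes=2)).isoformat()} 192.0.2.5 bob OK")
    return "\n".join(lines)


if __name__ == "__main__":
    decisions, alerts = run(build_sample_log())
    print(decisions)
    print(alerts)
```

Note that the per-account lockout alone never fires against the stuffing source, because each account sees only one failure; that is why the per-source view across accounts is needed as a second signal.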

6. Keyloggers
Keyloggers are a type of malicious software designed to track every keystroke
and report it back to a hacker. Typically, a user will download the software
believing it to be legitimate, only for it to install a keylogger without notice.

To protect yourself from keyloggers:

 Check your physical hardware. If someone has access to your
workstation, they can install a hardware keylogger to collect information
about your keystrokes. Regularly inspect your computer and the
surrounding area to make sure you know each piece of hardware.
 Run a virus scan. Use a reputable antivirus software to scan your
computer on a regular basis. Antivirus companies keep their records of
the most common malware keyloggers and will flag them as dangerous.

Preventing Password Attacks

Whether casting a large net or directly targeting a single user, attackers have
many tried-and-true options for stealing passwords. The good news is that
there are actions your organization can take to defend your vital user
credentials and login information from malicious threats.

In essentially every case, preventing a breach is easier and more effective than
attempting to deal with one after the fact. Training employees in security best
practices, particularly where passwords are concerned, is perhaps the most
vital, most powerful step you can take towards securing your systems. When
authorized users are aware of the threats and committed to doing their part to
counter them, the risk of password theft decreases significantly.

The best way to fix a password attack is to avoid one in the first place. Ask
your IT professional about proactively investing in a common security
policy that includes:
 Create complex passwords

This may seem obvious, but creating strong, reliable passwords is essential
to protect your data. Reusing passwords or creating basic phrases could
make you susceptible to cyberattacks, such as password spraying,
credential stuffing, and more.

 Change passwords routinely

Making a routine of changing your passwords can help keep password
crackers guessing. For accounts holding medical and/or financial details, try
switching things up every two or three months. Other than that, six months
to a year is a good timetable. Even if a cybercriminal is able to get close to
cracking your password, they'll have to start over once you change it.

 Multi-factor authentication :- Using a physical token (like a YubiKey) or a
personal device (like a mobile phone) to authenticate users ensures that
passwords are not the sole gate to access.

 Remote access :- Using a smart remote access platform like OneLogin
means that individual websites are no longer the source of user trust.
Instead, OneLogin ensures that the user's identity is confirmed, then logs
them in.

 Biometrics:- A malicious actor will find it very difficult to replicate your
fingerprint or facial shape. Enabling biometric authentication turns your
password into only one of several points of trust that a hacker needs to
overcome.

 Consider a password manager

Password managers are great for people looking to add a little
organization to their cyber safety. Aside from saving all the
passwords you create, they can also recommend a password when you
are creating a new account.

 Download antivirus software

Antivirus software can help if a password hacker ever tries to install
malicious spyware or keyloggers onto your device. If the security software
detects a threat, it can diagnose and attempt to remove the virus.

Now that you know the types of password attacks and how to avoid them,
the next step in your cybersecurity journey may be learning how to create
a hack-proof password on your own. Regardless, with these skills at your
disposal, your passwords could potentially help protect against any
password attack that comes your way.

Advantages of password attack

There are actually no real advantages to a password attack, as they are
inherently malicious activities. However, we can discuss why attackers use
them and the potential benefits they hope to achieve:

 Gaining Unauthorized Access: This is the primary goal of a password
attack. Once a password is cracked, attackers can access systems, steal
data, or impersonate legitimate users.
 Financial Gain: Attackers often target financial accounts such as bank
accounts or credit cards. Stolen passwords can be used to steal money
directly or used for fraudulent purchases.
 Disruption and Destruction: Some attackers aim to disrupt operations or
cause damage. By compromising accounts, they can delete data, spread
misinformation, or launch denial-of-service attacks.
 Espionage: In some cases, attackers target passwords to steal sensitive
information for espionage purposes. This could be corporate secrets,
government data, or personal information used for blackmail.
 Identity Theft: Stolen passwords can be used to steal someone's
identity. This can allow attackers to open new accounts, take out loans,
or damage someone's credit score.

It's important to remember that password attacks are illegal and unethical.
The legitimate counterpart is ethical hacking, where the same techniques are
applied in authorized penetration testing to improve system security.

Disadvantages of password attack :-

For the Attacker:

 Low Success Rates: Cracking complex passwords can be very time-
consuming and require significant computing power. Brute-force attacks
might not succeed at all, and social engineering attempts can be
thwarted by users practicing good cyber hygiene.
 Detection and Prevention: Many systems have security measures in
place to detect and stop password attacks. This includes limits on login
attempts, requiring multi-factor authentication (MFA), and having
intrusion detection systems. A failed attack can alert security and lead to
the attacker's IP address being blocked.
 Legal Repercussions: Password attacks are illegal activities. If caught,
attackers face serious legal consequences, including fines and even jail
time.

For the Victim:

 Loss of Data and Privacy: A successful attack can expose sensitive data
like financial information, personal details, or confidential documents.
 Financial Loss: Attackers can steal money directly from bank accounts or
use stolen credit cards for unauthorized purchases.
 Identity Theft: Stolen passwords can be used for identity theft, allowing
attackers to impersonate the victim and cause significant financial and
personal damage.
 Disruption and Downtime: Password attacks can disrupt operations and
cause system downtime. This can be particularly damaging for
businesses that rely on online systems.
 Reputation Damage: Data breaches caused by password attacks can
damage an organization's reputation and erode customer trust.

Additional Disadvantages:

 Widespread Damage: Credential stuffing attacks, which exploit leaked
passwords from previous breaches, can impact a large number of victims
at once.
 Escalation of Attacks: A successful password attack can be a stepping
stone to more serious attacks on systems or networks.
 Psychological Impact: Victims of password attacks can experience
feelings of stress, anxiety, and even fear.

By understanding these disadvantages, we can emphasize the importance of
strong password security practices and stay vigilant against these malicious
attempts.

For creating a strong password: What to avoid?

 Do not use common passwords: Avoid using passwords like
"password," "asdfgh," "123456", "qwerty," "admin," or anything that
is too obvious or commonly used.
 Do not use personal information: Avoid using personal information
like your name, birthdate, address, or any other identifiable
information that can be easily obtained or guessed.
 Do not use dictionary words: Avoid using words that can be found in
a dictionary, as automated password-cracking tools can easily guess
these.
 Do not use common character substitutions: Avoid using common
substitutions like replacing “o” with “0”, “a” with “@", or “s”
with “$”, as these are predictable and can also be easily guessed by
automated password cracking tools.
 Do not use the same passwords: Avoid using the same password
across multiple accounts, as this makes it easier for an attacker to
access all your accounts if they manage to crack one password.
 Do not use short passwords: Avoid using passwords that are
extremely short, as they can be easily brute-forced by automated
tools. It is generally recommended to use passwords of at least 12
characters long.
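
The following is an added example (not part of the report) that turns the six "what to avoid" rules above into a checker a registration form or password-change handler could run. The common-password and dictionary lists are constructed stubs for the example (a real deployment would load a breached-password corpus and a full word list), and the leet-style substitution table is an assumption; the 12-character minimum is the report's own figure.

```python
MIN_LENGTH = 12   # the report recommends at least 12 characters

# Constructed short lists for the example only.
COMMON_PASSWORDS = {"password", "asdfgh", "123456", "qwerty", "admin",
                    "letmein", "welcome"}
DICTIONARY_WORDS = {"password", "dragon", "monkey", "welcome", "sunshine",
                    "football"}

# Predictable substitutions the report warns about (assumed table). They are
# undone before matching so that "P@$$w0rd" is judged as "password".
LEET_MAP = str.maketrans({"0": "o", "@": "a", "$": "s", "1": "l",
                          "3": "e", "!": "i", "4": "a"})


def normalize(text: str) -> str:
    """Lower-case and undo common character substitutions."""
    return text.lower().translate(LEET_MAP)


def check_password(password: str, personal_info=(), previous_passwords=()):
    """Return the list of rules the password breaks (empty means it passed).

    personal_info: strings such as a name or birth year that must not appear.
    previous_passwords: passwords already used on other accounts (reuse rule).
    """
    problems = []

    # Rule: no short passwords.
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Check both the raw lower-cased form and the de-substituted form, so
    # "123456" (raw) and "P@$$w0rd" (normalized) are both caught.
    forms = {password.lower(), normalize(password)}

    # Rule: no common passwords (covers substitutions via the normalized form).
    if forms & COMMON_PASSWORDS:
        problems.append("common password (after undoing substitutions)")

    # Rule: no dictionary words, even embedded in a longer string.
    for word in sorted(DICTIONARY_WORDS):
        if len(word) >= 4 and any(word in f for f in forms):
            problems.append(f"contains dictionary word '{word}'")

    # Rule: no personal information; normalized on both sides.
    for item in personal_info:
        if len(item) >= 4 and any(normalize(item) in f for f in forms):
            problems.append(f"contains personal information '{item}'")

    # Rule: never reuse a password across accounts.
    if password in previous_passwords:
        problems.append("reused from another account")

    return problems


if __name__ == "__main__":
    for pw in ("P@$$w0rd", "Dr4g0n!2024Rocks", "correct-horse-battery-staple-42"):
        print(pw, "->", check_password(pw, personal_info=("Alice", "1990")))
```

The de-substitution step is the part most checkers miss: a rule that only blocks literal dictionary words still accepts "P@$$w0rd", which is exactly the variant the report says cracking tools try first.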