This note is an introduction to the types and techniques used in password attacks. We will discuss the ways to get and generate custom password lists. The following are some of the topics we will discuss:
- Password profiling
- Password attacks techniques
- Online password attacks
What is a password?
Passwords are used as an authentication method for individuals to access computer systems or applications.ย Using passwords ensures the owner of the account is the only one who has access. However, if the password is shared or falls into the wrong hands, unauthorized changes to a given system could occur. Unauthorized access could potentially lead to changes in the systemโs overall status and health or damage the file system.ย Passwords are typically comprised of a combination of characters such as letters, numbers, and symbols.ย Thus, it is up to the user how they generate passwords!
A collection of passwords is often referred to as a dictionary or wordlist. Passwords with low complexity that are easy to guess are commonly found in various publicly disclosed password data breaches. For example, an easy-to-guess password could beย password,ย 123456,ย 111111,ย and much more. Here are theย top 100 and most common and seen passwordsย for your reference. Thus, it wonโt take long and be too difficult for the attacker to run password attacks against the target or service to guess the password. Choosing a strong password is a good practice, making it hard to guess or crack. Strong passwords should not be common words or found in dictionaries as well as the password should be an eight characters length at least. It also should contain uppercase and lower case letters, numbers, and symbol stringsย (ex:ย *&^%$#@).
Sometimes, companies have their own password policies and enforce users to follow guidelines when creating passwords. This helps ensure users arenโt using common or weak passwords within their organization and could limit attack vectors such as brute-forcing.ย For example, a password length has to be eight characters and more, including characters, a couple of numbers, and at least one symbol. However, if the attacker figures out the password policy, he could generate a password list that satisfies the account password policy.
How secure are passwords?
Passwords are a protection method for accessing online accounts or computer systems. Passwords authentication methods are used to access personal and private systems, and its main goal of using the password is to keep it safe and not share it with others.
To answer the question:ย How secure are passwords?ย depends on various factors.ย Passwords are usually stored within the file system or database, and keeping them safe is essential. Weโve seen cases where companies store passwords into plaintext documents, such as theย Sony breachย in 2014. Therefore, once an attacker accesses the file system, he can easily obtain and reuse these passwords. On the other hand, others store passwords within the system using various techniques such as hashing functions or encryption algorithms to make them more secure. Even if the attacker has to access the system, it will be harder to crack. We will cover cracking hashes in the upcoming tasks.