How malicious hackers use brute force/dictionary attacks
How malicious hackers use brute force/dictionary attacks
Brute force and dictionary attacks cannot be directly used to hack to your Facebook or Snapchat password since these are highly secure websites that use extensive security measures to prevent this type of attacks.
Instead, malicious hackers exploit another common Internet user mistake: reusing the same password.
A smart cybercriminal will simply target other sites and services the victim uses. Some of these will surely have weak security measures that allow the hacker to launch a brute force attack on the login page.
If the attack is successful, then it’s safe to assume the cybercriminal can hack into the victim’s other accounts, including the ones made at banks or shopping sites.
All because he used the same password over and over again.
How to prevent a dictionary/brute force hacking attack
Thankfully, it’s easy to protect yourself against a password guessing attack. Here are some basic tips you should when it comes to managing your password:
- Make sure you have a strong password. This means you should include a capital letter, a number and a special character. Make sure it’s at least 10 characters long.
- Don’t reuse the same password for all of your accounts. To cut down on the amount of effort involved in remembering and creating such passwords, we strongly recommend you use a password manager such as Dashlane and LastPass.
- Make sure your passwords are as unpredictable as possible. Don’t let the attacker guess the “theme” of your password, like in our “Londoner-*” example. In fact, make sure your password is as random as possible such as “27fj30dr8&)*LL”.
- Activate two factor authentication to prevent an attacker from logging into your account, even if he guesses your passwords.
Social engineering attempts that request your log in information (and password)
Like phishing emails, social engineering scams tries to trick you into willingly revealing your data. What’s more, these types of attacks are becoming more and more frequent.
For instance, the cybercriminal might pretend to be an employee for the main bank you use. He then calls you in order to “clarify some minor account issues”. During the phone call, he asks that you provide him the username and password for your bank account.
You’d be surprised how often people get hacked with this type of trick. It doesn’t even have to be a bank employee. They might pretend to be a utility company, asking you to give them username and password so they can recover your “lost account”.
Since most victims reuse the same password, the bad guys now have access to all their other accounts as well, even the more important ones, on sites such as eBay or Amazon.
Shoulder surfing, the low tech method to hack someone’s Facebook or Instagram password
Sometimes, the best way to hack someone’s password is to physically see him type it. There’s even a word for it: shoulder surfing.
Thanks to the smartphone era, this practice has become more widespread, with people looking over your shoulder to find out not just your Facebook or Instagram password, but other types of personal information, such as browsing sessions or messenger conversations.
The last thing you need is for a thief to see you talking about your next vacation. If he’s a good one, he can track down your home address and burglarize you.
To prevent shoulder surfing, Android users should keep the “Make Password Visible” field turned off (you can find this in Settings -> Security). iOS users don’t have to worry about this since it’s a default setting and you can’t change it.
However, some apps will briefly flash the last character you typed. So you will see something like this if you want to write in Londoner-*: “****o”.
A keen eyed observer can remember those taps, and reconstruct your password.
Another possible fix for this, is to use a privacy screen protector that makes the screen harder to see for others.
Technical attacks that have nothing to do with the user.
Some passwords are hacked due to technical issues related to the website or service, and without any fault on the user’s part. In such situations, the security minded user can only the website is properly secured.
Hash attacks
Computers don’t store your password in plaintext, meaning you will never find a file on a PC with a password written down letter by letter. Instead, the password will be hashed.
So instead of “Londoner-*” the password will look something like this: 5206b8b8a996cf5320cb12ca91c7b790fba9f030408efe83ebb83548dc3007bd.
That long string of random gibberish is called a hash. A malicious hacker can obtain the hash file through a malware attack on the device that stores the hash, such as a server or your PC.
To decrypt the hash, the cybercriminal will use several methods such as: lookup tables, rainbow tables and reverse lookup tables.
OAuth attacks
Most online login and authentication methods rely on a technology framework called OAuth 2.
What this technology does is to bypass the need to create a new user account and password for a website, and just login with a predetermined account.
You’re probably familiar with this technology if you’ve used the “Login with Facebook” or “Login with Google” buttons.
Basically, Facebook or Google will send an identification token to the website you want to log in, confirming your identity.
However, many websites and apps poorly implement OAuth, so instead of actually receiving the token from Google or Facebook, they just check if the provider of the information is Google or Facebook. In other words, they log you in the account without a confirmation that it’s actually you.
A malicious hacker with good technical knowledge can disguise the token provider, so he fools the login page into believing the user is genuine, and then gives him access.
Unfortunately, a huge amount of apps and websites don’t implement OAuth properly. By some estimates, such poorly secured apps account for nearly 2.4 billion downloads all over the world, putting a huge amount of users at risk.
To avoid any potential problems, we recommend you create separate usernames and password and even avoid using the “Login with Facebook/Google” button altogether.
Post a Comment
Post a Comment