Passwords are predictable
Surprisingly many people choose something meaningful to them as their password, such as the names of their children or pets, birthdays, anniversaries, or favorite ice hockey teams, etc. For an attacker who can guess passwords a surprisingly large number of times per second and who sees a lot of information about the target on social media that might have been used in the password, guessing is often not very difficult.
Password policies are ineffective
One way to fight predictability is through password policies. "Your password must contain one uppercase letter, one lowercase letter, one number, and one special character". Policies are ineffective because people usually act in a highly predictable manner in such situations. Uppercase letter. Then lowercase letters. Then a number or numbers. Then that special character.
This is how the password "kissa" becomes "Kissa123!". Or "Kissa1985?". And the attackers know it.
Captchas are ineffective
One way to slow down guessing is captchas. The user is asked to click on all the images that show a bus or to decipher unclear letters. This approach is ineffective too. First of all, from China, you can order a surprisingly cheap service where you input the task via an API and someone solves it for you. Secondly, artificial intelligence is nowadays so advanced that it is difficult to create tasks that humans can solve but computers cannot.
IP banning is ineffective
What if, after too many wrong guesses, the attacker's IP address is blocked? It doesn't help. Changing an IP address is too easy: the Internet is full of free and cheap proxy servers and tools like the Tor network, where you can get a new IP address in an instant. Attackers usually have botnets at their disposal, which provide multiple good IP addresses to use immediately. Besides, by blocking IP addresses, you may accidentally block legitimate users who happen to use the same VPN as the attacker.
An attacker can guess one password at a time
...and try it with a million different usernames. This so-called "password spraying" attack cannot really be prevented by locking accounts, because each individual account receives only a single guess every now and then.
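The detection side of the spraying problem, as an added example that is not part of the original article: a per-account failure counter never fires during a spray, because every account sees one failure, so the detection has to key on the source and count distinct accounts instead. The log format and the addresses are constructed for illustration.

```python
"""Detect password spraying in authentication logs.

Added example, not part of the original article. The log lines are
constructed; a real system will have its own log format and fields.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO timestamp> <source_ip> <username> <result>"
# 198.51.100.7 sprays one guess across many accounts; 203.0.113.5 is a
# single user mistyping their own password twice.
SAMPLE_LOG = """\
2024-05-01T10:00:01 198.51.100.7 alice FAIL
2024-05-01T10:00:02 198.51.100.7 bob FAIL
2024-05-01T10:00:03 198.51.100.7 carol FAIL
2024-05-01T10:00:04 198.51.100.7 dave FAIL
2024-05-01T10:00:05 198.51.100.7 erin FAIL
2024-05-01T10:00:06 198.51.100.7 frank FAIL
2024-05-01T10:00:07 198.51.100.7 grace SUCCESS
2024-05-01T10:00:08 203.0.113.5 alice FAIL
2024-05-01T10:00:09 203.0.113.5 alice FAIL
2024-05-01T10:00:10 203.0.113.5 alice SUCCESS
"""


def parse(log_text):
    """Turn the constructed log into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_spraying(events, window=timedelta(minutes=10), min_users=5):
    """Return {source_ip: sorted usernames} for every source whose failed
    logins touch at least `min_users` distinct accounts within `window`.

    Note what a per-account lockout counter would see here: one failure
    per account, never enough to trigger. Keying by source and counting
    distinct accounts is what exposes the spray.
    """
    failures = defaultdict(list)  # ip -> [(timestamp, username)]
    for ts, ip, user, result in events:
        if result == "FAIL":
            failures[ip].append((ts, user))

    alerts = {}
    for ip, attempts in failures.items():
        attempts.sort()
        # Slide the window start over each failure from this source.
        for i, (start, _) in enumerate(attempts):
            users = {u for t, u in attempts[i:] if t - start <= window}
            if len(users) >= min_users:
                alerts[ip] = sorted(users)
                break
    return alerts


if __name__ == "__main__":
    for ip, users in detect_spraying(parse(SAMPLE_LOG)).items():
        print(f"possible spray from {ip}: {len(users)} accounts {users}")
```

The same idea generalises to a spray spread across a botnet, where no single source exceeds the threshold: there the signal is the number of distinct accounts failing per window across all sources compared with the normal baseline, and the per-source count alone will not catch it.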
Account lockout is a service vulnerability to denial-of-service attacks
If an account is locked after five failed login attempts, what prevents an attacker from conducting a denial-of-service attack that attempts to lock as many accounts as possible or from harassing a single account?
If not locked, nothing prevents an attacker from guessing the user's password indefinitely, which creates another vulnerability.
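The middle ground between the two failure modes above, as an added example rather than anything from the original article: a progressive per-account delay bounds how fast anyone can guess against one account without ever locking it, so an attacker cannot deny a user their own account for longer than the cap. The user store, the salt and the clock are constructed stand-ins.

```python
"""Per-account throttling instead of a hard lockout.

Added example, not part of the original article. A hard lockout hands an
attacker a denial-of-service lever; no limit leaves guessing unbounded. A
progressive delay, capped and reset on success, bounds the guess rate per
account while the legitimate user is held off for at most MAX_DELAY.
"""
import hashlib
import hmac
import time

MAX_DELAY = 300.0            # seconds; caps how long a real user can be held off
SALT = b"constructed-salt"   # constructed; real systems use a random salt per user


def hash_password(password, salt=SALT):
    # PBKDF2 as a stand-in for a slow password hash (argon2/scrypt in production)
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


# Constructed user store: username -> password hash
USERS = {"alice": hash_password("correct horse battery staple")}


class Throttle:
    """Progressive per-account delay: 2, 4, 8 ... up to MAX_DELAY seconds after
    each failure, cleared on success, never a permanent lock."""

    def __init__(self, now=time.monotonic):
        self.now = now          # injectable clock so the behaviour can be tested
        self.state = {}         # username -> (failure_count, not_before_timestamp)

    def wait_time(self, username):
        _, not_before = self.state.get(username, (0, 0.0))
        return max(0.0, not_before - self.now())

    def record(self, username, success):
        if success:
            self.state.pop(username, None)
            return
        failures, _ = self.state.get(username, (0, 0.0))
        failures += 1
        delay = min(MAX_DELAY, float(2 ** failures))
        self.state[username] = (failures, self.now() + delay)


def login(throttle, users, username, password):
    # Attempts made while throttled are rejected and NOT counted, so a flood
    # of guesses cannot push the victim's delay beyond MAX_DELAY.
    if throttle.wait_time(username) > 0:
        return "throttled"
    # Hash before looking the user up, so unknown usernames cost the same time
    # and are throttled the same way; the throttle then reveals nothing about
    # which accounts exist.
    candidate = hash_password(password)
    stored = users.get(username)
    ok = stored is not None and hmac.compare_digest(stored, candidate)
    throttle.record(username, ok)
    return "ok" if ok else "denied"


if __name__ == "__main__":
    t = Throttle()
    print(login(t, USERS, "alice", "wrong"))                         # denied
    print(login(t, USERS, "alice", "correct horse battery staple"))  # throttled
```

With the cap at 300 seconds an attacker gets roughly a dozen guesses per hour against any one account, and the worst they can do to the account's owner is force a five-minute wait; that is a bound on the damage, not a cure, which is the article's point. Online guessing is still only truly shut down by an additional factor.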
Passwords can't really win.
Passwords are being reused
Everyone who doesn't have a password management program, and unfortunately there are still a huge number of such people today, reuses passwords. It's just a fact: user accounts accumulate by the hundreds over the years, and it's not possible for a human (at least most of us) to remember hundreds of unique, secure passwords.
Passwords are leaked
Almost all data that has ever leaked can be found somewhere on the Internet, and it is easy to find collections that contain a vast number of username and password pairs. When a person's password leaks from one service, an attacker takes the password and email address and tries them on every service found on the Internet.
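The two checks a service can run at password-set time against the failure modes described above, the policy mangling of a dictionary word ("kissa" becoming "Kissa123!") and the leaked-password collections, as one added example that is not part of the original article. The dictionary and the breach corpus are constructed. The lookup follows the k-anonymity range-query shape used by breach lookup services (SHA-1 of the password, the first five hex characters sent as the query, a list of suffix:count lines back), but here the "server" is a local function built from the constructed corpus and nothing leaves the process.

```python
"""Check a candidate password for predictable mangling and breach exposure.

Added example, not part of the original article. DICTIONARY and
BREACH_CORPUS are constructed; the range-query lookup is a local stand-in
for a breach-lookup service, so the full password is never sent anywhere.
"""
import hashlib
import re

# Constructed: words a guesser would try first (pets, teams, old favourites).
DICTIONARY = {"kissa", "koira", "tappara", "password"}

# The "Uppercase letter, lowercase letters, digits, special character" shape
# the article describes as the typical response to a password policy.
MANGLE = re.compile(r"^(?P<word>[a-z]+)(?P<digits>\d*)(?P<symbol>[!?@#$%&*.]*)$")


def demangle(password):
    """Return the base word behind a policy-mangled password, or None if the
    password does not follow the predictable pattern."""
    normalised = password[:1].lower() + password[1:]
    m = MANGLE.match(normalised)
    return m.group("word") if m else None


def is_predictable(password):
    base = demangle(password)
    return base is not None and base in DICTIONARY


def sha1_hex(password):
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


# Constructed breach corpus: plaintext -> number of times seen in leaks.
BREACH_CORPUS = {"Kissa123!": 4821, "Password1": 1_200_000, "letmein": 95_000}


def build_range_server(corpus):
    """Index the corpus by 5-char SHA-1 prefix, the way a range-query
    endpoint does, and return a lookup(prefix) -> ["<suffix>:<count>", ...]."""
    ranges = {}
    for pw, count in corpus.items():
        h = sha1_hex(pw)
        ranges.setdefault(h[:5], []).append(f"{h[5:]}:{count}")
    return lambda prefix: ranges.get(prefix, [])


def breach_count(password, lookup):
    """Client side: send only the 5-char prefix, match the suffix locally."""
    h = sha1_hex(password)
    prefix, suffix = h[:5], h[5:]
    for line in lookup(prefix):
        candidate_suffix, count = line.split(":")
        if candidate_suffix == suffix:
            return int(count)
    return 0


def assess(password, lookup):
    """Reasons to reject the password; an empty list means both checks passed."""
    reasons = []
    if is_predictable(password):
        reasons.append(f"dictionary word '{demangle(password)}' with predictable mangling")
    n = breach_count(password, lookup)
    if n:
        reasons.append(f"seen {n} times in the breach corpus")
    return reasons


if __name__ == "__main__":
    lookup = build_range_server(BREACH_CORPUS)
    for pw in ("Kissa123!", "Kissa1985?", "correct horse battery staple"):
        print(pw, "->", assess(pw, lookup) or "ok")
```

"Kissa1985?" is caught by the first check even though it is not in the corpus, and a password that is in the corpus is caught even if its base word is not in the dictionary; neither check replaces the other. The mangling pattern here is deliberately the one the article names; a real checker would also strip common letter substitutions.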
Passwords are stored in the camera
If you enter your password for a service near a surveillance camera, or someone is filming your keyboard from behind a window with a mobile device without your knowledge, or someone has installed a keylogging tool on your keyboard, your password will leak to the attacker.
Passwords are forgotten
And then they need to be reset. The way a password is reset always carries a risk. If someone gains access to a person's emails, they can practically reset the password for every service. And if the password can be reset through customer service, for example, it also creates a so-called social engineering attack vector targeting individuals.
Passwords are easy to phish
When you clicked on the link that came to your email, which then asked you to log in, did the message really come from the correct address, and is the website definitely the right page? It is not realistic to expect that people would not fall for this phishing attack, and passwords themselves cannot be protected from this type of attack.
Passwords are essential
I have passwords. You have them too. So far, no one in this world can avoid them. However, you can limit your passwords to a minimum and take care of your own security with a couple of tips!
- Prefer "Sign in with Google", etc. options whenever they are available.
- Use a password management program such as BitWarden or 1Password.
- Use multi-factor authentication in all services that support it. Make sure you always have an SMS code, or an authentication app that lets you back up and restore the codes with your phone number (such as Authy), as one of the options. You don't want to lock yourself out of your entire digital identity if you lose your device. You can always regain your phone number, so recovery should be based on both your phone number and a password that you remember.
- To protect yourself against phishing attacks, purchase a YubiKey and use it as a U2F key, your main MFA factor, in all services that support security keys. However, always remember to also add an MFA factor that you can recover with a phone number and/or password.
...and abandon passwords. For example, it is not possible to log in to Hakatemia with a password.
In the modules of this course we delve into various attacks targeting passwords from the perspective of cybersecurity testing and ethical hacking.
Passwords must die.