Passwords are the most widely used mechanism for securing web applications. Typically a user is asked to supply a username and password to identify and authenticate themselves. HTTP provides several authentication protocols, such as Basic, Digest, Form-based, NTLM, Negotiate, Client-side certificate and Microsoft Passport.
The success of a password attack is largely a function of how complex the password is and how securely it is stored, and not necessarily a sign of a security flaw in the server software or the operating system. It also depends on how easily the attacker can get past the network's defences. Password weaknesses have been identified as one of the top cybersecurity risks for 2015.
Passwords on their own are not enough to protect users' information. Attackers know that cracking your password gives them access to your personal data, so they use a range of techniques to exploit weak passwords.
Types of Password Vulnerabilities
There are two general types of password vulnerabilities.
Organizational vulnerabilities
Organizational vulnerabilities stem from the absence of password policies in an organization, or from a lack of security awareness among users. A strong password is supposed to be easy to remember but hard to crack. Sadly, most users stop at "easy to remember" and choose passwords that are easy to guess. Moreover, such passwords are changed seldom or never, and are often reused across several systems. So if an attacker guesses one password correctly, they will most likely gain access to other systems as well.
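A password policy is the organizational control against the weaknesses just described. The following is an added example, not code from the original article: a small policy check that rejects short passwords, passwords on a common-password list (including the "P@ssw0rd2015!" style of trivial substitution), passwords that contain the username, and passwords with too little variety. The minimum length, the tiny common-password list and the sample inputs are constructed for illustration; a real deployment would load a large breached-password corpus.

```python
"""Password policy check (added example; thresholds and word list are constructed)."""
import re

# Constructed stand-in for a real common/breached-password list.
COMMON_PASSWORDS = {
    "password", "123456", "qwerty", "letmein", "welcome", "admin",
    "iloveyou", "summer2015", "monkey", "dragon",
}

MIN_LENGTH = 12          # constructed policy value
MIN_DISTINCT_CHARS = 5   # constructed policy value

# Fold the usual "leet" substitutions so 'P@ssw0rd' is still seen as 'password'.
LEET = str.maketrans({"@": "a", "0": "o", "1": "i", "!": "i",
                      "$": "s", "3": "e", "4": "a", "5": "s"})


def _candidates(password: str) -> set:
    """Variants of the password to look up in the common list.

    Trailing digits/punctuation are stripped *before* leet-folding so that
    'password2015!' reduces to 'password' rather than 'password2oisi'.
    """
    lower = password.lower()
    stem = re.sub(r"[\d\W_]+$", "", lower)
    return {lower, lower.translate(LEET), stem, stem.translate(LEET)}


def check_password(password: str, username: str = "") -> list:
    """Return the list of policy violations; an empty list means the password passes."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if COMMON_PASSWORDS & _candidates(password):
        problems.append("appears in the common-password list")
    if len(username) >= 3 and username.lower() in password.lower():
        problems.append("contains the username")
    if len(set(password)) < MIN_DISTINCT_CHARS:
        problems.append("too few distinct characters")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs.
    for user, pw in [("alice", "P@ssw0rd2015!"), ("bob", "Tr0ub4dor&3"),
                     ("alice", "correct horse battery staple")]:
        print(f"{user!r:10} {pw!r:32} -> {check_password(pw, user) or 'OK'}")
```

Returning the full list of violations rather than a single boolean lets the login form tell the user everything that is wrong at once, which in practice raises the chance they pick a genuinely different password instead of appending another digit.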
Technical vulnerabilities
A technical vulnerability involves a weak encryption or hashing method, or a flaw in the way passwords are stored. Password-cracking utilities let attackers defeat protection that relies only on obscurity. Technical vulnerabilities also show up as easily accessible password databases, unencrypted databases holding sensitive information, or applications that echo the user's password on screen as it is typed.
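The storage weakness above is easiest to see side by side with its fix. The following is an added example, not code from the original article: an unsalted single-pass hash (the pattern to avoid) next to a salted, iterated PBKDF2-HMAC-SHA256 scheme from the Python standard library with a constant-time comparison. The iteration count, the stored-record format and the sample credentials are constructed for illustration.

```python
"""Weak versus hardened password storage (added example; parameters are constructed)."""
import hashlib
import hmac
import os
from typing import Optional

# --- Weak pattern: unsalted, single fast hash --------------------------------
def weak_store(password: str) -> str:
    """Every user with the same password gets the same digest, so one
    precomputed table (or one cracked account) exposes all of them."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def weak_verify(password: str, stored: str) -> bool:
    # Plain '==' also short-circuits on the first differing byte (timing leak).
    return weak_store(password) == stored


# --- Hardened pattern: per-user salt, slow iterated hash, constant-time compare
ITERATIONS = 200_000   # constructed value; raise to what your hardware affords
SALT_BYTES = 16


def hardened_store(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: 'pbkdf2_sha256$<iters>$<salt_hex>$<hash_hex>'."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)          # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${salt.hex()}${digest.hex()}"


def hardened_verify(password: str, stored: str) -> bool:
    """Recompute with the salt and iteration count stored in the record."""
    try:
        algo, iterations, salt_hex, hash_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 bytes.fromhex(salt_hex), int(iterations))
    # compare_digest does not leak how many leading bytes matched
    return hmac.compare_digest(digest.hex(), hash_hex)


def shared_password_visible(store, passwords) -> bool:
    """True if two users choosing the same password produce identical records,
    i.e. if the storage scheme lets an attacker spot shared passwords at a glance."""
    records = [store(pw) for pw in passwords]
    return len(set(records)) < len(records)


if __name__ == "__main__":
    # Constructed sample: two users who happened to choose the same password.
    users = ["Summer2015", "Summer2015"]
    print("weak scheme reveals shared password:    ", shared_password_visible(weak_store, users))
    print("hardened scheme reveals shared password:", shared_password_visible(hardened_store, users))
    rec = hardened_store("Summer2015")
    print("verify correct:", hardened_verify("Summer2015", rec),
          " verify wrong:", hardened_verify("summer2015", rec))
```

Storing the algorithm name and iteration count inside the record is what makes it possible to raise the cost later: records written with an older, lower count still verify, and can be re-hashed with the new parameters the next time the user logs in.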
The Hacker’s Methods
Attackers generally try candidate passwords in the hope of matching the legitimate user's password and thereby gaining that user's privileges. This kind of password guessing mostly targets organizational vulnerabilities and is one of the most effective ways of compromising passwords. It can be done manually or with automated tools.
If guessing fails, the next level of attack is to try password combinations with tools such as WebCracker and Brutus. These tools are readily available on the web and are used to carry out dictionary attacks and brute-force attacks. A dictionary attack uses pre-computed lists of usernames and passwords to attempt authentication against a web application. A brute-force attack, in its cryptographic sense, attempts to defeat a cryptographic scheme by trying every possible key.
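Both the manual guessing described above and the automated dictionary or brute-force runs leave the same trace on the server side: bursts of failed logins from one source. The following is an added example, not code from the original article, of a detector that scans an application's login log with a sliding window and raises an alert for a burst of failures against one account, for a burst spread over many accounts (password spraying), and for a success that immediately follows such a burst. The log format, the thresholds and the sample lines are all constructed for illustration.

```python
"""Detecting password-guessing activity in login logs (added example; log format,
thresholds and sample lines are constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed application login log: ISO timestamp, result, user, source IP.
SAMPLE_LOG = """\
2015-03-02T10:00:01 LOGIN_FAIL user=alice ip=203.0.113.5
2015-03-02T10:00:03 LOGIN_FAIL user=alice ip=203.0.113.5
2015-03-02T10:00:04 LOGIN_FAIL user=alice ip=203.0.113.5
2015-03-02T10:00:06 LOGIN_FAIL user=alice ip=203.0.113.5
2015-03-02T10:00:07 LOGIN_FAIL user=alice ip=203.0.113.5
2015-03-02T10:00:09 LOGIN_OK user=alice ip=203.0.113.5
2015-03-02T10:00:10 LOGIN_FAIL user=bob ip=198.51.100.7
2015-03-02T10:00:11 LOGIN_FAIL user=carol ip=198.51.100.7
2015-03-02T10:00:12 LOGIN_FAIL user=dave ip=198.51.100.7
2015-03-02T10:00:13 LOGIN_FAIL user=erin ip=198.51.100.7
2015-03-02T10:00:14 LOGIN_FAIL user=frank ip=198.51.100.7
this line is garbage and must be skipped
2015-03-02T10:05:00 LOGIN_FAIL user=grace ip=192.0.2.9
2015-03-02T10:05:30 LOGIN_OK user=grace ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>LOGIN_OK|LOGIN_FAIL) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)
WINDOW = timedelta(seconds=60)   # constructed thresholds; tune to real traffic
FAIL_THRESHOLD = 5
SPRAY_USERS = 3                  # distinct accounts in one burst => spraying


def parse_line(line: str):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return {"ts": datetime.fromisoformat(m["ts"]), "result": m["result"],
            "user": m["user"], "ip": m["ip"]}


def detect(lines):
    """Scan lines in order; return (kind, ip, detail) alerts, at most one per kind per IP."""
    recent = defaultdict(deque)   # ip -> failures (ts, user) still inside the window
    alerts, seen = [], set()

    def alert(kind, ip, detail):
        if (kind, ip) not in seen:        # report each condition once per source
            seen.add((kind, ip))
            alerts.append((kind, ip, detail))

    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                      # malformed line: skip, do not crash
        q = recent[ev["ip"]]
        while q and ev["ts"] - q[0][0] > WINDOW:   # expire failures outside the window
            q.popleft()
        if ev["result"] == "LOGIN_FAIL":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= FAIL_THRESHOLD:
                users = {u for _, u in q}
                kind = "password_spraying" if len(users) >= SPRAY_USERS else "brute_force"
                alert(kind, ev["ip"],
                      f"{len(q)} failures across {len(users)} account(s) in {WINDOW.seconds}s")
        elif len(q) >= FAIL_THRESHOLD:
            # A success right after a burst of failures is the case worth paging on:
            # the guessing most likely worked. The window is deliberately not reset
            # on success, so a valid account cannot be used to clear the counter.
            alert("success_after_failures", ev["ip"], f"user={ev['user']}")
    return alerts


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG.splitlines()):
        print(f"{kind:24} {ip:15} {detail}")
```

Keying the window on the source address catches both shapes of automated guessing, many attempts on one account and a few attempts on each of many accounts; the same logic can be run keyed on the username to catch a distributed attack on a single account, at the cost of more false positives from users who simply mistype.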
So How Serious Can a Password Hack Be?
If an attacker gains access to a system as a normal user, they are restricted to limited information. If they get in as an administrator, however, they have almost unlimited access to the application and its contents, and can use any sensitive information they reach for all kinds of nefarious activity.
Recently, Formspring, a question-and-answer site, disclosed that the passwords of 420,000 of its users had been compromised. Consequently, the company reset the passwords of all 28 million of its users. In a related development, Yahoo Voices received a "wake-up call" about its attention to user security when a hacking group calling itself D33D Company leaked about 450,000 email addresses and passwords linked to the service.
Get a Hack-Free Password
Protect yourself from password attacks. Use strong, hard-to-guess passwords and avoid using the same password for multiple applications. You can also reduce your exposure by watching out for fast-moving SQL injection attacks and being wary of the security of third parties.