Types of Password Attacks and Defenses

00:01

Hey, everyone, welcome back to the course in this video, we're to talk about some of the different types of password attacks as well as some of the ways we can defend against password attacks.

00:10

So let's talk about non Elektronik attacks. These air basically where an attacker doesn't need any type of technical knowledge at all. So, for example, things like shoulder surfing just looking over your shoulder as you type in your password on your laptop, for example, social engineering attacks where I just ask you via social media or I find out

00:28

via Social Media, what's your password might be

00:31

based off clues that you give me as well as things like Dumpster diving. Um,

00:36

yes, this does still happen, but not as prevalent as it once was, simply because it's so much easier for me to just manipulate you psychologically over on, like, linked in or Facebook to get your password and log in credentials.

00:50

So active online attacks. This is where the attacker is gonna perform password cracking by directly communicating with the victim machine. So it's gonna be your tax like brute force or dictionary attacks, um, hash injection, as well as phishing attacks things like Trojan spyware or key logger software. A zealous password Guessing right. Um

01:08

but primarily you're gonna see this with, like, your key loggers as well as brute force attacks.

01:15

We have passive online attacks s So this is where the attacker performs password cracking without communicating with the other party s O, for example, things like wire sniffing or man in the middle attacks, even replay attacks where they're grabbing your credentials near authentication. Eso basically your token for the session

01:33

and they just replay it to the server and interject themselves

01:37

in between the path. So the server thinks that it's still communicating with the authenticated user and is actually communicating with you instead.

01:45

Offline attacks. So this is where the attacker might copy your password file. So ah, lot of labs out there where you usually John the Ripper and Callie Lennox. They'll have you, you know, having a file on the desktop or something where you can then cracked the passwords in there. And that's what we're talking about here, right where it's offline. The Attackers made a copy of the

02:04

the Targets password file

02:05

and then try toe cracked the password basically on their own system eso using things like a rainbow table right, which is basically just a table of pre computed hashes. So, ah, lot of the most common passwords. They'll be in these rainbow tables. And so if you're using, like password 1234 for example, they'll already have the hash for that and those they'll

02:23

just use a tool that can enable or John the Ripper,

02:27

and they'll run the hash they've gotten from your device through the rainbow table, and they'll see if it's, you know, one of the common passwords that they've already cracked.

02:38

So how do we defend against password attacks?

02:43

So one way is to not reuse passwords, right? A lot of small business owners I speak with reuse the same password

02:49

all the way across the board across your business stuff as well as your personal stuff, including banking information. So don't do that right. Just don't reuse passwords. And in fact, if your organization make sure that you don't allow your employees to share or use passwords, reuse passwords, a lot of organizations will set it where you can't use the same password

03:08

that you've done within the past, like 90 or 120 days,

03:12

Sometimes the past year

03:14

use encryption. So as you're transmitting, uh, your credentials for that way of somebody sniffing your connection, they're not gonna be seeing it right, Because you're using encryption. You salting. So just inserting random characters, etcetera into the password hash and then rehash ing it,

03:30

changing the default passwords. My goodness, that's still an issue, right?

03:34

You still see organizations leaving admin, admin or admin? 1234 A za log in credentials. You can go to showdown, as we talked about earlier in the course, and see all sorts of vulnerability devices that are still using the default credentials,

03:46

making sure employees have strong and complex passwords, ideally, also having single sign on so they don't have to remember all these different passwords. You could just have him remember one strong and complex password

03:59

and then enabling the lockout features right so that way as a as an attacker attempts more than three times, for example, it will lock them out and require them to call the help desk to get the password reset.

04:09

So just a quick quiz question here. This type of password attack doesn't require any technical skills. Which one is that? Is that active, Offline or not? Electronic?

04:17

All right, so if you guess not electronic again. That's the one where we could do things like dumpster diving or social engineering attacks.