Some of the ways a hacker can obtain an account password are brute-force, rainbow table, and dictionary attacks (Jose et al., 2016)


Subject: Computer Science

Some of the ways a hacker can obtain an account password are brute-force, rainbow table, and dictionary attacks (Jose et al., 2016). With brute force, the hacker keeps trying different combinations of words and phrases until some password and username combination works. To enhance this type of attack, a hacker can use a list of words obtained from a dictionary, hence the name dictionary attack. This list speeds up the brute-force guessing of the password by including commonly used passwords, passwords obtained from previous hacks, and other words and word combinations.

If a weak password is used, the likelihood of a hacker succeeding is much higher. If the same password is reused on multiple sites, the hacker is very likely to be able to log into multiple accounts. One way to prevent this from happening is to use long, strong, and unique passwords on each site. A password manager like LastPass can help generate long unique passwords for every site, leaving you with only one master password to remember.

Sometimes hackers are able to obtain passwords from a system, but the list of passwords has been hashed, meaning the hacker is not able to see what each password is. A rainbow table attack is useful in this case because it is similar to a brute-force attack, except that instead of using a dictionary of words to try to guess the password, it uses a precomputed list of hashes to compare with the list of hashed passwords. Once two hashes match, the password becomes known. One way to prevent this type of attack is to use a salt in the authentication mechanism, so that extra characters are added to the password before hashing, making it infeasible to precompute the hashes.

Jose, J., Tomy, T. T., Karunakaran, V., Varkey, A., & Nisha, C. A. (2016, March). Securing passwords from dictionary attack with character-tree. In 2016 International Conference on Wireless Communications, Signal Processing and Networking (WiSPNET) (pp. 2301-2307). IEEE.

Garrison, C. P. (2008). An evaluation of passwords. The CPA Journal, 78(5), 70.

There are several ways a hacker might be able to obtain a password; one way is password spraying. Password spraying is a technique where the hacker will use a large list of commonly used passwords against a handful of user accounts. As an example of this technique, a hacker will use one password (123456789) against different accounts to limit the number of login attempts. This is done to prevent account lockout. To prevent password spraying, it is best to practice better password management. This can be done by creating longer, more complex passwords that are different for each account or website. Make sure the proper account lockout policies are in place after failed login attempts to prevent credentials from being discovered. If this is not an option, CAPTCHA (Completely Automated Public Turing test to tell Computers and Humans Apart) should be used. MFA (Multi-Factor Authentication) should also be implemented when the option is available. MFA adds an extra layer of security by requiring users to identify themselves by other means besides a username and password.
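The lockout advice above counts failures per account, which a spray that tries one password per account stays under. As an added example (not part of the original answer), this sketch runs over constructed login events and compares a per-account lockout counter with a per-source count of distinct failed accounts; the thresholds, time window, and event format are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5           # assumed per-account lockout policy
SPRAY_MIN_ACCOUNTS = 4          # assumed: distinct accounts failed from one source
WINDOW = timedelta(minutes=30)  # assumed sliding detection window

# Constructed sample events: (timestamp, source IP, username, outcome).
# IPs come from the RFC 5737 documentation ranges.
EVENTS = (
    # One source, one failed attempt against each of five accounts (spray).
    [(f"2024-01-10T09:0{i}:00", "203.0.113.7", user, "FAIL")
     for i, user in enumerate(["alice", "bob", "carol", "dave", "erin"])]
    # One source, five failures against a single account (guessing one user).
    + [(f"2024-01-10T09:10:0{i}", "198.51.100.20", "frank", "FAIL") for i in range(5)]
    # A legitimate user mistyping once, then logging in.
    + [("2024-01-10T09:20:00", "192.0.2.15", "alice", "FAIL"),
       ("2024-01-10T09:20:30", "192.0.2.15", "alice", "OK")]
)

def failures(events):
    """Yield (time, ip, user) for failed logins only."""
    for ts, ip, user, outcome in events:
        if outcome == "FAIL":
            yield datetime.fromisoformat(ts), ip, user

def locked_out_accounts(events):
    """Accounts a per-account lockout counter would catch."""
    count = defaultdict(int)
    for _, _, user in failures(events):
        count[user] += 1
    return {user for user, n in count.items() if n >= LOCKOUT_THRESHOLD}

def spray_sources(events):
    """Map source IP -> most distinct accounts it failed against within WINDOW."""
    by_ip = defaultdict(list)
    for ts, ip, user in failures(events):
        by_ip[ip].append((ts, user))
    flagged = {}
    for ip, fails in by_ip.items():
        fails.sort()
        start = 0
        for end in range(len(fails)):
            while fails[end][0] - fails[start][0] > WINDOW:
                start += 1  # drop failures older than the window
            users = {user for _, user in fails[start:end + 1]}
            if len(users) >= SPRAY_MIN_ACCOUNTS:
                flagged[ip] = max(len(users), flagged.get(ip, 0))
    return flagged
```

On the sample data the lockout counter only sees `frank`, while the per-source view flags `203.0.113.7`, whose five single failures never reach any one account's lockout threshold.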
