A lot of people are aware of good online security habits, yet many fail to apply them fully. This leaves them susceptible to dictionary attacks. Even though they know they need to protect their online profiles and accounts, users simply fail to follow simple guidelines for creating strong passwords.
A study by Google found that more than 60% of people reuse their passwords across multiple devices and accounts. Almost 59% use personal details in their passwords that are easy to guess or easy to discover, such as the names of loved ones, pet names and birthdays.
Additionally, many people have been using obviously weak passwords that are easy to crack. Passwords like 123456, qwerty, abcdefg and pqrstuvw are crackable almost instantly. Data breach leaks repeatedly show that these are the passwords users actually choose, which is why those users fell into the net.
The reason is simple: nobody takes password leaks seriously, and password safety is taken for granted.
Defining dictionary attacks and their modus operandi
A dictionary attack is a kind of brute-force attack in which attackers try to guess a user's password to their online accounts by working through a list of commonly used words, phrases and number combinations.
When a dictionary attack successfully cracks a password, the attackers can use it to gain access to bank accounts, social media profiles and password-protected files. This can become a real problem for those facing the attack.
Understanding the modus operandi of this attack
Cybersecurity professionals from a company providing DDoS-protected dedicated servers in London explain that this hacking method follows a systematic approach to cracking passwords. Fundamentally, the process involves three key steps. Understanding these steps is key to learning how such an attack can be prevented.
They are as follows:
- In most instances, attackers start from a pre-compiled list of potential passwords: a brute-force dictionary made up of popular words and number combinations.
- Automated software is then used. It works through this brute-force dictionary, attempting to log in to users' accounts with each entry.
- Once the attack has compromised a vulnerable account, the attacker uses the sensitive data obtained for their own ends, such as conducting fraudulent activities, taking other harmful actions or accessing accounts for financial gain.
The attacker compiles the list of potential passwords from common pet names, recognizable figures, popular celebrities, names of athletes, major sports teams and the like.
The thinking behind this is that people choose such words because they make a password meaningful and easy to remember. Variations of these words are included as well: different combinations of words, or the addition of special characters. When this list is run through automated tools, dictionary attacks are easy to conduct and frequently successful.
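The defender's counterpart to that wordlist is a password-acceptance check that refuses anything an attacker's list would contain, including the mutated variants described above (trailing digits, appended symbols, leet substitutions, two common words joined). The following is an added example, not code from the article or from the company it quotes; the tiny `COMMON_WORDS` set and the normalisation rules are constructed for illustration, and a real deployment would screen against a large breached-password list instead.

```python
import re

# Constructed sample dictionary. A real deployment would screen against a
# large breached-password list; these entries are illustrative only.
COMMON_WORDS = {
    "password", "qwerty", "123456", "abcdefg", "pqrstuvw", "letmein",
    "fluffy", "rex", "arsenal", "ronaldo", "messi", "madrid", "welcome",
}

# Character swaps that wordlist mutators routinely generate ("p4ssw0rd"),
# so the checker undoes them before looking a candidate up.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                      "5": "s", "7": "t", "@": "a", "$": "s"})


def normalize(password: str) -> str:
    """Reduce a candidate to the base word an attacker's rules would have started from."""
    p = password.lower()
    p = re.sub(r"[^a-z]+$", "", p)   # drop trailing digits/symbols: "Fluffy2019!" -> "fluffy"
    p = re.sub(r"^[0-9]+", "", p)    # drop leading digits: "2019fluffy" -> "fluffy"
    return p.translate(LEET)         # undo leet: "p@ssw0rd" -> "password"


def is_dictionary_based(password: str, words=COMMON_WORDS) -> bool:
    """True if the password is a dictionary entry, a mutated one, or two entries joined."""
    low = password.lower()
    if low in words:                 # exact hits such as "123456" or "qwerty"
        return True
    base = normalize(password)
    if base in words:                # mutated hits such as "Fluffy2019!" or "P@ssw0rd"
        return True
    # "different combinations of words": e.g. "MessiRonaldo" = "messi" + "ronaldo"
    return any(base[:i] in words and base[i:] in words for i in range(1, len(base)))


def check_password(password: str, min_length: int = 12) -> list:
    """Return the list of reasons a password is rejected; an empty list means accepted."""
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    if is_dictionary_based(password):
        reasons.append("based on a dictionary word or common password")
    return reasons


if __name__ == "__main__":
    for candidate in ["123456", "Fluffy2019!", "P@ssw0rd", "MessiRonaldo", "correct-horse-battery"]:
        print(candidate, "->", check_password(candidate) or "accepted")
```

The point the example makes is that appending "2019!" or swapping an "a" for "@" does not move a password out of the dictionary, because the same cheap rules are what the attacker's tooling applies to the wordlist in the first place; only a password whose base is not a dictionary entry survives the check.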
What happens when a password list and an automated tool are used in tandem?
Using both in tandem makes it much faster to run through many attempts and break into an online account. If the same work were done manually, the attack would take a long time and give account owners or system administrators a chance to notice it, stop it and put a robust defense in place.
Their modus operandi shows that these attacks often do not have a single target. They are run in the hope that one of the many password combinations in the list will be correct for someone. This means that out of 1000 accounts, almost 10 are at risk.
However, if the attacker is targeting a particular individual, place or company, they will build a password list that is more concentrated and localized in nature.
For instance, if the attackers are carrying out the attack in Colombia, they will use common Spanish terms and words local to Colombia rather than to Mexico or Honduras. If they are targeting a company like Hyundai of Brazil, they will use terms relevant to the automotive industry and the Brazilian market.
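Both patterns described above leave a recognisable trace in authentication logs: the untargeted variant shows one source failing against many different accounts with a handful of guesses each, while the targeted variant shows many failures against a single account. The following is an added example of detection logic, not part of the article; the log lines are constructed in the style of OpenSSH's sshd messages, use addresses from the documentation range 203.0.113.0/24, and the five-minute window and five-failure threshold are illustrative values to tune for a real environment.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log in the style of OpenSSH sshd messages (not real data).
SAMPLE_LOG = """\
Mar 10 09:00:01 gw sshd[2101]: Failed password for invalid user admin from 203.0.113.7 port 52211 ssh2
Mar 10 09:00:03 gw sshd[2102]: Failed password for root from 203.0.113.7 port 52212 ssh2
Mar 10 09:00:05 gw sshd[2103]: Failed password for jsmith from 203.0.113.7 port 52213 ssh2
Mar 10 09:00:07 gw sshd[2104]: Failed password for mlopez from 203.0.113.7 port 52214 ssh2
Mar 10 09:00:09 gw sshd[2105]: Failed password for invalid user deploy from 203.0.113.7 port 52215 ssh2
Mar 10 09:00:11 gw sshd[2106]: Failed password for invalid user backup from 203.0.113.7 port 52216 ssh2
Mar 10 09:00:40 gw sshd[2107]: Accepted password for mlopez from 203.0.113.7 port 52217 ssh2
Mar 10 09:02:00 gw sshd[2110]: Failed password for jsmith from 203.0.113.9 port 40001 ssh2
Mar 10 09:02:02 gw sshd[2111]: Failed password for jsmith from 203.0.113.9 port 40002 ssh2
Mar 10 09:02:04 gw sshd[2112]: Failed password for jsmith from 203.0.113.9 port 40003 ssh2
Mar 10 09:02:06 gw sshd[2113]: Failed password for jsmith from 203.0.113.9 port 40004 ssh2
Mar 10 09:02:08 gw sshd[2114]: Failed password for jsmith from 203.0.113.9 port 40005 ssh2
Mar 10 09:30:00 gw sshd[2120]: Failed password for alice from 203.0.113.20 port 51000 ssh2
Mar 10 09:30:15 gw sshd[2121]: Accepted password for alice from 203.0.113.20 port 51001 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>[\d.]+) port \d+"
)


def parse_events(text):
    """Return (timestamp, result, user, ip) tuples, oldest first, for lines the regex understands."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unrelated log line
        # syslog timestamps carry no year; that is fine for ordering within one capture
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    events.sort(key=lambda e: e[0])
    return events


def detect_dictionary_attempts(text, window=timedelta(minutes=5), threshold=5):
    """Flag source IPs whose densest burst of failed logins reaches `threshold` within `window`."""
    by_ip = defaultdict(list)
    for ev in parse_events(text):
        by_ip[ev[3]].append(ev)

    findings = {}
    for ip, evs in by_ip.items():
        failures = [e for e in evs if e[1] == "Failed"]
        best = None  # (failure count, accounts) for the densest window seen
        start = 0
        for end in range(len(failures)):
            while failures[end][0] - failures[start][0] > window:
                start += 1  # slide the window forward
            users = {e[2] for e in failures[start:end + 1]}
            count = end - start + 1
            if best is None or count > best[0]:
                best = (count, users)
        if best is None or best[0] < threshold:
            continue
        count, users = best
        # a success from the same source after the failures means a guess landed
        success_after = any(e[1] == "Accepted" and e[0] >= failures[0][0] for e in evs)
        findings[ip] = {
            "failures": count,
            "accounts": sorted(users),
            "pattern": "many-account spray" if len(users) >= 3 else "single-account guessing",
            "success_after_failures": success_after,
        }
    return findings


if __name__ == "__main__":
    for ip, info in detect_dictionary_attempts(SAMPLE_LOG).items():
        print(ip, info)
```

The `success_after_failures` flag is the finding worth paging on: a burst of failures followed by an accepted login from the same source is the signature of a dictionary attack that found a working password, which is the point at which the account data described above is at risk. The single failed attempt from 203.0.113.20 stays below the threshold and is not reported, which is the ordinary mistyped-password case.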
Conclusion
Dictionary attacks should not be taken lightly. Some cybersecurity professionals treat them as a walk in the park when they are in fact capable of ruining someone's day.