We’ve so far discussed the login process and how passwords are stored. We’ve also touched briefly on the types of access and on what counts as unauthorized access. Now let’s move further and look at some ways of gaining unauthorized access to a targeted user or system. How that access is gained depends on the circumstances. Sometimes it’s the developer’s fault: a loophole in the code, or what we normally call a vulnerability. The other route is stealing login credentials, above all passwords. We’ll discuss vulnerabilities in future writeups; in today’s article we look at the second possibility.
No matter how secure a system or application is, and however hard the developer has tried to patch every loophole, if the user doesn’t know how to use the application or system safely, a hacker can trick them into giving up their own privacy. There are various methods to do this. Here we’re going to discuss the most common and widely used ways to steal a user’s login details.
Password Stealing: Some common techniques
Since the first part of this series was dedicated entirely to the login process, we’re sticking to password and credential stealing here. After that, we’ll move on to using vulnerabilities and bypassing the login process. So here are some common techniques to steal or guess user login credentials, especially passwords.
Phishing is rated the most dangerous security threat by a majority of infosec experts, and no doubt it is one of the most successful cyber attacks, with only one real defence: an aware mind! A widely cited statistic is that 91% of successful data breaches start with a phishing attack. But what exactly does phishing mean? Let’s define it with an example:
What is Phishing?
Phishing is a technique where the attacker poses as a trustworthy entity to trick the user into handing over the information the attacker wants. The hacker contacts the target through email, text message, social media or any other channel of communication, presents themselves as a legitimate and trustworthy party, and then offers the victim something or tricks them in some other way, depending on the nature of the attack and the information required. It is the most used password stealing attack. In case that’s still not clear, let’s look at an example:
Have you ever tried fishing at a lakeside? Remember the process and compare it with a phishing attack. The angler puts a worm on the end of the line: he attaches bait, or in other words a lure. A fish is attracted to the lure and goes for it. And that’s it, the angler catches the fish.
The same goes for phishing. The hacker approaches the target with a lure. As soon as the target goes for it, they are caught and lose information that should have stayed private, such as passwords. In practice the lure is usually a message that creates urgency (“your account has been locked”) plus a link to a login page that looks like the real one but is controlled by the attacker, so whatever the victim types into it goes straight to the attacker. There are several types and techniques of phishing. Check some valuable stuff about phishing here.
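To make the lure concrete, here is an added example (not code from the original article) that scans the links in an HTML e-mail for the tells a phishing message typically carries: visible link text that shows one site while the href goes to another, a punycode (look-alike) host, the trusted brand buried as a subdomain of somebody else’s domain, and a credential page served over plain http. The sample message, the domains and the `TRUSTED_DOMAINS` allow-list are all constructed for illustration.

```python
"""Inspect the links in an HTML e-mail for common phishing tells.

Added example, not code from the original article. The sample e-mail,
the domains and the trusted-domain list are all constructed for
illustration.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed setting: the domains this organisation legitimately links to.
TRUSTED_DOMAINS = {"example-bank.com"}


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs from every <a> tag."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host):
    """Last two labels of the host. A crude approximation that is fine for
    .com-style names; production code should consult the public suffix list."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def check_link(href, text):
    """Return the reasons this link looks like a lure (empty list = nothing found)."""
    findings = []
    parsed = urlparse(href)
    host = (parsed.hostname or "").lower()
    if parsed.scheme not in ("http", "https") or not host:
        return ["not an http(s) link with a host"]

    # 1. The visible text shows one site, the href goes somewhere else.
    shown = urlparse(text if "://" in text else "http://" + text)
    shown_host = (shown.hostname or "").lower()
    if "." in shown_host and registrable_domain(shown_host) != registrable_domain(host):
        findings.append(f"text shows {shown_host} but link goes to {host}")

    # 2. Internationalised host: look-alike characters render as the real brand.
    if any(label.startswith("xn--") for label in host.split(".")):
        findings.append(f"punycode host {host}")

    # 3. The trusted brand is only a subdomain of somebody else's domain.
    for brand in TRUSTED_DOMAINS:
        if brand in host and registrable_domain(host) != brand:
            findings.append(f"{brand} is a subdomain of {registrable_domain(host)}")

    # 4. A credential page served without TLS.
    if parsed.scheme == "http" and any(w in parsed.path.lower() for w in ("login", "signin", "verify")):
        findings.append("credential page over plain http")
    return findings


def scan_email(html_body):
    """Map each suspicious href in the body to its list of findings."""
    collector = _LinkCollector()
    collector.feed(html_body)
    report = {}
    for href, text in collector.links:
        findings = check_link(href, text)
        if findings:
            report[href] = findings
    return report


# Constructed host: 'example-bank' spelled with a Cyrillic 'а' (U+0430).
# A browser renders it like the brand, but the real DNS name starts with xn--.
LOOKALIKE_HOST = "ex\u0430mple-bank.com".encode("idna").decode("ascii")

# Constructed sample message, not a real e-mail.
SAMPLE_EMAIL = f"""
<p>Dear customer, your account has been locked. Please
<a href="http://example-bank.com.secure-login-portal.net/verify">https://example-bank.com/login</a>
within 24 hours.</p>
<p>Questions? Visit <a href="https://example-bank.com/help">our help centre</a>.</p>
<p>Or sign in at <a href="https://{LOOKALIKE_HOST}/">example-bank.com</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL).items():
        print(href)
        for reason in reasons:
            print("   -", reason)
```

Run it and only the two lures are reported; the genuine help-centre link passes. The checks are deliberately simple heuristics: real mail filters also look at the sender domain, DKIM/SPF results and URL reputation, but these four tells are exactly what an aware user can verify by hovering over a link before clicking it.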
What if someone asked you to hack your target with no tools, only your brain? It sounds like going on a combat mission empty-handed. Social engineering is exactly that: you hit your target with your mind. No tools or resources are needed at all, just a sharp brain, good communication skills and an understanding of human psychology. In my opinion, it is the most lethal and most reliable technique there is.
What is Social Engineering?
In information security, social engineering is the art of psychologically manipulating people. A successful social engineering attack gets the target to perform an action, and that action is of course whatever the attacker wants: giving up confidential information, or not just information, but also installing something malicious. It is a technique used in almost every type of hacking attack, and no purely technical control prevents it completely. A smart attacker can ruin the victim and gain every type of access just by the use of social engineering. Simply put, if you know how to play with human psychology, you’re a successful security breaker.
The first method I mentioned was phishing, and even phishing is incomplete without social engineering. Not only phishing: every cyber attack, minor or major, depends somewhere on social engineering, and good social engineering skills increase the chances of success.
Brute Force / Dictionary
Here the attacker prepares a huge list of candidate passwords (or any other secret they want to acquire) and tries them one after another. It’s technically guessing the password. A pure brute force tries every combination of characters and is only practical against short passwords; in real attacks the list is chosen more cleverly. The technique is getting older and there are many solutions to tackle it: rate limiting and account lockout on the login form, and salted, deliberately slow password hashes on the storage side, so that each guess costs real time. There are two types of brute force attack. One is the general dictionary attack, where the hacker tries common dictionary words, names and so on. The other is more specific: the hacker builds the list according to the user’s nature, such as a pet’s name, a birth year or a favourite team, plus the usual mutations. The list is called a wordlist. Good use of social engineering increases the chances of brute force succeeding too, because that is how the attacker learns those personal details.
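The following added example (not code from the original article) runs both kinds of attack from the paragraph above against a stored hash, and ties back to the earlier article on how passwords are stored: a generic dictionary, then a targeted wordlist built from facts a social engineer would have gathered, first against an unsalted SHA-256 hash and then against a salted scrypt hash. The victim profile, the wordlists, the stored hashes and the scrypt parameters are all constructed or assumed values for illustration.

```python
"""Dictionary attack against a stored password hash, and why a salted,
deliberately slow hash is the storage-side defence.

Added example, not code from the original article. The victim profile, the
wordlists and the stored hashes are constructed for illustration; the scrypt
parameters are assumed values, not a recommendation from the article.
"""
import hashlib
import hmac
import os
import time

# 1. Generic dictionary: the entries any attacker tries first.
COMMON_WORDS = ["password", "123456", "qwerty", "letmein", "welcome", "dragon"]


def targeted_wordlist(profile):
    """Build the 'specific' wordlist from facts learned by social engineering,
    applying the mutations people actually use: capitalisation, an appended
    year or digits, a trailing '!'."""
    seeds = [profile["first_name"], profile["pet"], profile["team"]]
    years = [profile["birth_year"], profile["birth_year"][-2:]]
    candidates = []
    for seed in seeds:
        for base in (seed.lower(), seed.capitalize()):
            candidates.append(base)
            for suffix in years + ["1", "123", "!"]:
                candidates.append(base + suffix)
            for year in years:
                candidates.append(base + year + "!")
    return candidates


def fast_hash(password):
    """Unsalted SHA-256: what a naive application stores."""
    return hashlib.sha256(password.encode()).hexdigest()


def slow_hash(password, salt, n=2**14):
    """Salted scrypt: every guess now costs ~16 MiB of memory and real CPU time
    (n, r, p are assumed illustrative parameters)."""
    return hashlib.scrypt(password.encode(), salt=salt, n=n, r=8, p=1, dklen=32)


def crack(stored, wordlist, hash_fn):
    """Try each candidate in order; return (password or None, guesses made)."""
    for tried, candidate in enumerate(wordlist, start=1):
        if hmac.compare_digest(hash_fn(candidate), stored):
            return candidate, tried
    return None, len(wordlist)


# Constructed victim: Alice's real password is her dog's name + birth year + '!'.
VICTIM_PROFILE = {"first_name": "Alice", "pet": "Rex",
                  "team": "Arsenal", "birth_year": "1987"}
VICTIM_PASSWORD = "Rex1987!"
VICTIM_SALT = os.urandom(16)           # per-user salt, stored next to the hash
STORED_FAST = fast_hash(VICTIM_PASSWORD)
STORED_SLOW = slow_hash(VICTIM_PASSWORD, VICTIM_SALT)


def cost_per_guess(hash_fn, guesses=20):
    """Seconds per guess for a hash function, measured on constant input."""
    start = time.perf_counter()
    for _ in range(guesses):
        hash_fn("benchmark")
    return (time.perf_counter() - start) / guesses


if __name__ == "__main__":
    wordlist = targeted_wordlist(VICTIM_PROFILE)
    print("generic dictionary vs sha256:", crack(STORED_FAST, COMMON_WORDS, fast_hash))
    print("targeted wordlist  vs sha256:", crack(STORED_FAST, wordlist, fast_hash))
    print("targeted wordlist  vs scrypt:",
          crack(STORED_SLOW, wordlist, lambda p: slow_hash(p, VICTIM_SALT)))
    fast = cost_per_guess(fast_hash)
    slow = cost_per_guess(lambda p: slow_hash(p, VICTIM_SALT))
    print(f"cost per guess: sha256 {fast * 1e6:.1f} us, scrypt {slow * 1e3:.1f} ms "
          f"({slow / fast:.0f}x slower)")
```

Two things are worth noticing when you run it. The generic dictionary never finds `Rex1987!`, while the 48-entry targeted list does within a few dozen guesses, which is the point the paragraph makes about social engineering feeding brute force. And the same targeted attack still succeeds against scrypt, only far more slowly: the slow hash does not stop a small, well-targeted wordlist, it makes the millions of guesses of a generic attack unaffordable, and the per-user salt means that work cannot be precomputed or shared between accounts. The login-side defences (rate limiting, lockout) are what stop the targeted guesses when the attacker has no hash and must try them against the live form.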
Keylogging
The term is self-explanatory. Keylogging is a technique where the attacker uses some kind of application, device or piece of code that keeps track of the victim’s keystrokes and entries. This technique is also getting older, but it is still lethal if the attacker knows the right way to use a keylogger. The only drawback of this method is that getting the keylogger onto the victim’s machine is difficult, which is where phishing and social engineering come back in. But once that is done, it logs every single word the user types, passwords included, which is obviously lethal for someone’s privacy.
The Solution: How to be safe?
That’s it for this writeup. We’ll explain more ways in future articles. But let’s get to the most important part of today’s article: how to be safe? How do you prevent an attacker from stealing your passwords? The most important thing is awareness: recognise the lure before you go for it. From this article you must have learned a lot about these techniques. If you still have any confusion, ask in the comments. And don’t miss our article that contains all the ways to prevent these attacks. Check it here.