Password attack methods and related protection measures

Source: Internet
Author: User

Passwords are the first line of defense for a network system. Current network systems use passwords to verify user identities and implement access control. A password attack is one in which a hacker targets passwords, either cracking the password of a valid user or bypassing the password verification process. The hacker then impersonates a valid user to infiltrate the target network system and gain control of it.

A hacker who successfully enters the target network system can steal, damage, and tamper with the victim's information at will, until the hacker has full control over the victim. Password attacks are therefore one of the most basic, important, and effective methods hackers use to attack networks.

Primary password attack methods

1. Social engineering. Passwords are obtained by non-technical means, through interpersonal communication, using deception and manipulation. The countermeasure to avoid such attacks is to strengthen user awareness.

2. Guessing attacks. The attacker first launches an attack with a password guessing program. Such a program guesses passwords based on the way users commonly choose them, such as abbreviations, birthdays, pet names, and department names. With a detailed understanding of the user's social background, hackers can list hundreds of possible passwords and complete the guessing attack in a short time.

3. Dictionary attacks. If the guessing attack fails, the attacker widens the scope of the attack and tries all English words. The program takes one word after another in order and tries each in turn until the attack succeeds. According to some media reports, intruders can run through a collection of 80 thousand English words in less than a minute and a half. Therefore, if the user's password is not very long, or is a word or phrase, it will soon be cracked.

4. Brute-force attacks. If the dictionary attack still fails, the attacker starts a brute-force attack, generally beginning with passwords of length 1. Because people tend to prefer simple, easy-to-remember passwords, the success rate of brute-force attacks is very high. If one password is checked every thousandth of a second, 86% of passwords can be cracked within one week.

5. Hybrid attacks. These combine dictionary attacks and exhaustive attacks: a dictionary attack first, then a brute-force attack.

The countermeasure to avoid the above four types of attacks is to strengthen the password policy.

6. Directly cracking the system password file. If none of the above attacks work, intruders look for security vulnerabilities and weak links on the target host, steal the file that stores the system passwords, and then crack the encrypted passwords in order to impersonate a legitimate user and access the host.

7. Sniffing. The attacker uses a sniffer to capture password strings transmitted in plaintext on the LAN. To prevent such attacks, encrypt network transmission.

8. Keystroke logging. The attacker installs a keystroke-logging backdoor on the target system to record the password strings the operator types. For example, many spyware programs and Trojans may steal your passwords this way.

9. Other attacks, such as man-in-the-middle attacks, replay attacks, birthday attacks, and timing attacks.

The countermeasure to avoid the above attacks is to strengthen user security awareness, adopt a secure password system, pay attention to system security, and avoid infection by viruses, spyware, Trojans, and other malicious programs.

Protection against password attacks

To effectively prevent password attacks, we must select a good password and ensure the security of the password.

1. Choose a good password. A good password is the most basic and effective way to prevent password attacks. It is best to use a combination of letters, numbers, punctuation marks, and special characters, with both uppercase and lowercase letters, and a length of more than 8 characters. The password should be easy to remember so that it does not need to be written down. Do not use your own birthday, mobile phone number, or other information that others may easily know as a password.

2. Ensure password security. Do not keep passwords on paper or in computer files; do not tell others your passwords; do not use the same password on different systems; make sure no one is watching when you enter a password; in public Internet places such as Internet cafes, it is best to check whether the system is safe; change passwords regularly, at least once every six months, which minimizes the risk of password attacks. Never be too confident in your own passwords.
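The password rules above can be checked automatically when a user sets a password. The following is an added example, not part of the original article: a small Python policy check covering the guessing, dictionary, hybrid, and brute-force attacks described earlier. The word list, the user facts, the rule names, and the reading of "combination" as all four character classes are assumptions made for this example.

```python
import re

# Constructed sample list; a real policy check would load a full dictionary.
SAMPLE_WORDS = {"password", "welcome", "dragon", "monkey", "sunshine"}
CHECKS_PER_SECOND = 1000   # the article's rate: one check per thousandth of a second
ONE_WEEK = 7 * 24 * 3600   # seconds
# Character classes and their sizes in printable ASCII (26 + 26 + 10 + 33 = 95).
CLASSES = {r"[a-z]": 26, r"[A-Z]": 26, r"[0-9]": 10, r"[^a-zA-Z0-9]": 33}

def exhaustive_seconds(pw, rate=CHECKS_PER_SECOND):
    """Worst-case time to try every candidate of length 1..len(pw), shortest first."""
    alphabet = sum(size for pat, size in CLASSES.items() if re.search(pat, pw))
    return sum(alphabet ** k for k in range(1, len(pw) + 1)) / rate

def check_password(pw, user_facts=()):
    """Return the list of policy rules the password breaks (empty list = accepted)."""
    problems = []
    lowered = pw.lower()
    if len(pw) <= 8:                                    # "more than 8 characters"
        problems.append("too-short")
    if not all(re.search(pat, pw) for pat in CLASSES):  # assumed: all four classes
        problems.append("missing-character-class")
    # Guessing attack: birthday, phone number, pet name and similar known facts.
    squeezed = re.sub(r"[^a-z0-9]", "", lowered)
    for fact in user_facts:
        f = fact.lower()
        tokens = re.findall(r"[a-z0-9]{3,}", f) + [re.sub(r"[^a-z0-9]", "", f)]
        if any(len(t) >= 3 and t in squeezed for t in tokens):
            problems.append("contains-personal-info")
            break
    # Dictionary and hybrid attack: a word with digits or symbols bolted on.
    if re.sub(r"[^a-z]", "", lowered) in SAMPLE_WORDS:
        problems.append("dictionary-word")
    # Brute force: the whole search space falls within a week at the article's rate.
    if exhaustive_seconds(pw) <= ONE_WEEK:
        problems.append("brute-forceable-in-a-week")
    return problems

if __name__ == "__main__":
    facts = ("Rex", "1990-04-12")                       # constructed user facts
    for candidate in ("monkey", "19900412", "Sunshine1!", "Rex1990!",
                      "c0rrect-Horse-7battery"):
        print(f"{candidate!r}: {check_password(candidate, facts) or 'accepted'}")
```

At the article's rate, a six-letter lowercase word is exhausted in under four days and an eight-digit birthday in under two, while a word with a capital letter, a digit, and a symbol added still fails the dictionary rule.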

 

 
