Read the book Cybersecurity For Dummies - Joseph Steinberg - Page 76
Stealing passwords
Criminals can steal passwords many different ways. Two common methods include:
Thefts of password databases: If a criminal steals a password database from an online store, anyone whose password appears in the database is at risk of having their password compromised. (If the store properly encrypted its passwords, it may take time for the criminal to perform what is known as a hash attack, but nonetheless, passwords — especially those that are likely to be tested early on — may still be at risk.) To date, stealing passwords is the most common way that passwords are undermined.
Social engineering attacks: Social engineering attacks are attacks in which a criminal tricks people into doing something they would not have done had they realized that the person making the request was tricking them in some way. One example of stealing a password via social engineering is when a criminal pretends to be a member of the target’s tech support department and tells the target that the target must reset a particular password to a particular value to have the associated account tested as is needed after the recovery from some breach, and the target obeys. (For more information, see the earlier section on phishing.)
Credential attacks: Credential attacks are attacks that seek to gain entry into a system by entering, without authorization, a valid username and password combination (or other authentication information as needed). These attacks fall into four primary categories:
  Brute force: Criminals use automated tools that try all possible passwords until they hit the correct one.
  Dictionary attacks: Criminals use automated tools to feed every word in the dictionary to a site until they hit the correct one.
  Calculated attacks: Criminals leverage information about a target to guess the target’s password. Criminals may, for example, try someone’s mother’s maiden name because they can easily garner it for many people by looking at the most common last names of their Facebook friends or from posts on social media. (A Facebook post of “Happy Mother’s Day to my wonderful mother!” that includes a user tag to a woman with a different last name than the user is a good giveaway.)
  Blended attacks: Some attacks leverage a mix of the preceding techniques — for example, utilizing a list of common last names, or using brute-force attack technology that dramatically improves its efficiency by leveraging knowledge about how users often form passwords.
Malware: If crooks manage to get malware onto someone’s device, it may capture passwords. (For more details, see the section on malware, earlier in this chapter.)
Network sniffing: If users transmit their password to a site without proper encryption while using a public Wi-Fi network, a criminal using the same network may be able to see that password in transit — as can potentially other criminals connected to networks along the path from the user to the site in question.
Credential stuffing: In credential stuffing, someone attempts to log in to one site using username and password combinations stolen from another site.
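A defender-side illustration of the credential-attack and credential-stuffing patterns described above, added here as an example that is not from the book: it runs a simple classifier over a constructed authentication log, flagging a source address that fails against many different accounts (the credential-stuffing signature) separately from one that hammers a single account (brute-force or dictionary guessing). The log format, field names and thresholds are assumptions made for the example.

```python
import re
from collections import defaultdict

# Constructed sample authentication log (not from the book). Assumed format:
# "<timestamp> <OK|FAIL> user=<name> ip=<address>"
SAMPLE_LOG = """\
2024-05-01T10:00:01 FAIL user=alice ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=bob ip=203.0.113.5
2024-05-01T10:00:02 FAIL user=carol ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=dave ip=203.0.113.5
2024-05-01T10:00:03 FAIL user=erin ip=203.0.113.5
2024-05-01T10:00:04 OK   user=frank ip=203.0.113.5
2024-05-01T10:01:00 FAIL user=alice ip=198.51.100.7
2024-05-01T10:01:01 FAIL user=alice ip=198.51.100.7
2024-05-01T10:01:02 FAIL user=alice ip=198.51.100.7
2024-05-01T10:01:03 FAIL user=alice ip=198.51.100.7
2024-05-01T10:01:04 FAIL user=alice ip=198.51.100.7
2024-05-01T10:01:05 FAIL user=alice ip=198.51.100.7
2024-05-01T10:02:00 FAIL user=grace ip=192.0.2.9
2024-05-01T10:02:30 OK   user=grace ip=192.0.2.9
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<result>OK|FAIL)\s+user=(?P<user>\S+)\s+ip=(?P<ip>\S+)$"
)

def parse(log_text):
    """Parse the assumed log format into a list of event dicts; skip malformed lines."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def classify(events, fail_threshold=5, spray_users=4):
    """Return {ip: label} for sources whose failure pattern matches the attacks above.
    Many failures spread over many distinct accounts looks like a stolen
    username/password list being replayed ("credential_stuffing"); many failures
    against one account looks like password guessing ("brute_force", which also
    covers dictionary attacks). Thresholds are assumed tuning values, not book figures."""
    fails_by_ip = defaultdict(list)
    for e in events:
        if e["result"] == "FAIL":
            fails_by_ip[e["ip"]].append(e["user"])
    verdicts = {}
    for ip, users in fails_by_ip.items():
        if len(users) < fail_threshold:
            continue  # a few failures is ordinary typo noise; do not flag
        verdicts[ip] = "credential_stuffing" if len(set(users)) >= spray_users else "brute_force"
    return verdicts
```

Running classify(parse(SAMPLE_LOG)) flags 203.0.113.5 as credential stuffing and 198.51.100.7 as brute force, while 192.0.2.9 (one failure, then success) is left alone.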