Main Methods of Password Attacks


Cryptographic methods are a traditional and effective way to protect information from interception, modification, or substitution by an external intruder: if the data in the communication channel has been cryptographically transformed beforehand, the attacker is forced to look for weaknesses in the protection system itself, which can be a hard problem.

However, there is obviously no need to break through a wall when one can use a door: gaining access to the information system in the name of a user who is authorized to operate on the data it holds. The most vulnerable point of any fortress is its gate, and for an automated information system those gates are its access points. They are guarded by authentication protocols, and the most common form of authentication today is still the password. Therefore, to walk through the door, one needs the key to it: the user's password.

Main Methods of Password Attacks

Brute Force Attack

The conceptually simplest, "head-on" attack: systematically try every combination of allowable characters until one is accepted. Modern information systems commonly defend against online brute force by limiting the number of authentication attempts within a given period (up to and including full account lockout). Note that such limits only help against guessing through the login interface; if the attacker has obtained the stored password hashes, the guessing happens offline and is bounded only by the attacker's hardware and the cost of the hash function. In addition, the search space grows exponentially with password length (each extra character multiplies it by the size of the character set), so the effectiveness of brute force falls off sharply as passwords get longer.
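To make both halves of the paragraph above concrete, the following is an added example (not code from the original article): it computes the size of the search space and the worst-case time to exhaust it at an assumed guess rate, and it models a per-account attempt limiter with lockout to show how few guesses an online attacker gets through. The charset sizes, the 1e10 guesses/s rate and the 5-per-300-s / 900-s-lockout thresholds are illustrative assumptions, not values from the article.

```python
"""Brute-force cost model plus an online attempt limiter.

Added example, not code from the original article. The charset sizes, the
guess rate and the lockout thresholds are assumptions chosen for illustration.
"""
from collections import deque


def keyspace(charset_size: int, length: int) -> int:
    """Number of distinct passwords of exactly `length` characters over a charset."""
    return charset_size ** length


def seconds_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly this length."""
    return keyspace(charset_size, length) / guesses_per_second


def cost_table(charset_size: int, lengths, guesses_per_second: float):
    """(length, keyspace, seconds) rows; each extra character multiplies the cost by charset_size."""
    return [(n, keyspace(charset_size, n), seconds_to_exhaust(charset_size, n, guesses_per_second))
            for n in lengths]


class AttemptLimiter:
    """Per-account sliding-window failure counter with lockout.

    At most `max_attempts` failed logins per `window_seconds`; reaching the limit
    locks the account for `lockout_seconds`. Thresholds are assumed policy values.
    """

    def __init__(self, max_attempts: int = 5, window_seconds: float = 300.0,
                 lockout_seconds: float = 900.0):
        self.max_attempts = max_attempts
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures: dict[str, deque] = {}
        self._locked_until: dict[str, float] = {}

    def allow(self, account: str, now: float) -> bool:
        """Reject the attempt outright while the account is locked."""
        return self._locked_until.get(account, 0.0) <= now

    def record_failure(self, account: str, now: float) -> None:
        q = self._failures.setdefault(account, deque())
        q.append(now)
        # Drop failures that have fallen out of the window.
        while q and q[0] <= now - self.window_seconds:
            q.popleft()
        if len(q) >= self.max_attempts:
            self._locked_until[account] = now + self.lockout_seconds
            q.clear()

    def record_success(self, account: str) -> None:
        self._failures.pop(account, None)


def simulate_online_guesses(limiter: AttemptLimiter, account: str, horizon_seconds: float) -> int:
    """Count how many wrong guesses an attacker sending one request per second gets through."""
    guesses = 0
    t = 0.0
    while t < horizon_seconds:
        if limiter.allow(account, t):
            guesses += 1
            limiter.record_failure(account, t)  # every guess is assumed wrong
        t += 1.0
    return guesses


if __name__ == "__main__":
    for n, space, secs in cost_table(95, [6, 8, 10, 12], 1e10):
        print(f"len {n:2d}: {space:.3e} candidates, {secs / 86400:.2e} days at 1e10 guesses/s")
    daily = simulate_online_guesses(AttemptLimiter(), "alice", 86400)
    print(f"online, with lockout: {daily} guesses per day")
```

The two numbers side by side are the point: with the assumed limiter an attacker gets a few hundred guesses per day against one account through the login interface, while an offline attacker with a leaked hash of a fast hash function tries the full 8-character printable-ASCII space in about a week. Raising the length by one character multiplies the offline cost by the charset size; only a slow, salted hash (Argon2, bcrypt, scrypt) changes the per-guess cost itself.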

Dictionary Attack

A variant of the brute force attack in which candidates are not tried exhaustively in sequence but in order of likelihood, since passwords are often chosen from combinations that mean something to their owner (phone number, date of birth, etc.).

A dictionary is compiled from what is known about the account owner, and automated guessing is then run over the passwords generated from it. A sure way to help an attacker is to use publicly available and/or easily associated data as a password; a strong password should carry no semantic load for an external observer and should not correlate with its owner in any way.
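The following is an added example of the targeted dictionary attack described in this section; it is not code from the original article. A small set of profile facts about the account owner is expanded with mangling rules (case changes, leet substitutions, appended years and common suffixes) into a few thousand candidates, which are then checked against a stored salted hash. The profile, the salt, the stored hash and the rule set are all constructed for the demo; the rules are a hand-written subset of what tools such as hashcat or John the Ripper apply.

```python
"""Targeted dictionary attack: candidates built from what is known about the account owner.

Added example, not code from the original article. The profile, the salt and the
stored hash are constructed for the demo; the mangling rules are a small
hand-written subset of the kind of rules password-cracking tools apply.
"""
import hashlib

# Constructed profile of the target account's owner (sample data, not a real person).
PROFILE = {
    "first_name": "Anna",
    "last_name": "Petrova",
    "birth_year": "1987",
    "birth_ddmm": "1503",
    "pet": "Rex",
    "company": "acme",
}

# Constructed server-side record: salted SHA-256 of the user's actual password.
SALT = b"constructed-demo-salt"
ACTUAL_PASSWORD = "Petrova1987"   # used only to build the stored hash

LEET = str.maketrans("aeios", "43105")
COMMON_SUFFIXES = ["", "!", "1", "123", "!1"]
YEARS = [str(y) for y in range(1980, 2025)]


def hash_password(password: str, salt: bytes) -> str:
    """Salted SHA-256 as a stand-in for whatever the target system stores."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()


def base_words(profile: dict) -> list:
    """Seed words: every profile value plus the obvious name combinations."""
    words = {v.lower() for v in profile.values()}
    words.add((profile["first_name"] + profile["last_name"]).lower())
    words.add((profile["first_name"][0] + profile["last_name"]).lower())
    return sorted(words)


def mangle(word: str) -> list:
    """Case and leet variants of one word, deduplicated in a fixed order."""
    forms = [word, word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    return list(dict.fromkeys(forms))


def candidates(profile: dict):
    """Yield guesses derived from the profile, each at most once, most plausible first."""
    suffixes = COMMON_SUFFIXES + [profile["birth_year"][2:], profile["birth_ddmm"]] + YEARS
    seen = set()
    for word in base_words(profile):
        for form in mangle(word):
            for suffix in suffixes:
                guess = form + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def crack(target_hash: str, salt: bytes, profile: dict):
    """Return (password, guesses_used), or (None, guesses_used) if the dictionary is exhausted."""
    n = 0
    for n, guess in enumerate(candidates(profile), start=1):
        if hash_password(guess, salt) == target_hash:
            return guess, n
    return None, n


def candidate_count(profile: dict) -> int:
    return sum(1 for _ in candidates(profile))


if __name__ == "__main__":
    stored = hash_password(ACTUAL_PASSWORD, SALT)
    found, used = crack(stored, SALT, PROFILE)
    print(f"recovered {found!r} after {used} guesses; dictionary size {candidate_count(PROFILE)}")
    # Compare with exhaustive search over the same length and a 62-character alphabet.
    print(f"blind brute force would face {62 ** len(ACTUAL_PASSWORD):.2e} candidates")
```

The dictionary here is a couple of thousand entries, against a blind search space of 62^11 for a password of that length: the profile data, not computing power, does the work. Swapping SHA-256 for a slow KDF raises the cost of every guess but leaves this ordering advantage intact, which is why the defensive check is to run your own users' passwords (or password-change requests) against exactly this kind of profile-derived list.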

Collecting Passwords from Public Places

In many organizations, passwords are created centrally and handed out by the system administrator, and users often keep them close at hand in written form. Passwords should not be kept where others can see them, and should never be shown on camera during video conferencing; reflective surfaces around the user, including eyeglasses, need to be taken into account as well.
