Painful Common Password Attacks Vectors

With the increasing number of credential breaches over the last few years, we have several compromised logins. In itself, a compromised login should not present too much of a problem. Unfortunately, most of us have gotten lazy and reused passwords in several places.

If a criminal now purchases multiple hacked credentials and tries them for a different service, he might get lucky and gain a valid login for a website. As the attacker typically automates it, they stuff as many credentials as possible in a service and thus the name. It is one of the top two attacks today.

Who hasn’t gotten the spam mail asking us to input a password to reactivate an account or verify some security setting? Phishing E-Mails are a common form of spam. Many of us simply ignore them. Yet, with the advancements in ChatGPT and other Language models, the sophistication of the attacks has increased dramatically.

As the spammer relies on us reacting to the E-Mails, it is one of the simplest forms to counteract. Ask yourself, do I feel pressured by this E-Mail? Is there anything in the E-Mail that makes me want to drop everything else? Is my job, happiness, or well-being on the line if I don’t react now?

Most web services have a distinctive look and feel, making us trust them implicitly. However, bad actors can abuse this trust by creating a website similar to the well-known one. Forwarding us to the legitimate offering can further hide the action, giving them more time to act.

While relatively common, the attack doesn’t stand on its own. It either gets combined with a phishing attempt or by inserting the false website into a search engine’s sponsored results.

Social engineering often targets the password reset features instead of the passwords themself. Remember when you created the bank login? They asked you for your mother’s maiden name, childhood best friend, and your first car to be able to confirm it is you when requesting a password reset.

I can find all these on Facebook or Instagram, and so can criminals. Consequently, they can reset your password to something only they know. The best defense is to be mindful of what you and others share online. Also, never ignore the E-Mail that your password has been changed unless you are sure you did it yourself.

A movie favorite, key loggers are less common than feared. After all, they require bad actors to install a piece of software on your computer in a way that doesn’t trigger the antivirus, collect the data, and then determine URLs, Passwords, and user names from the rest of the data you type.

Consequently, the best defense is to keep your system up to date and not install random software, especially if it comes by E-Mail.

A favorite from the world of spy movies and tech thrillers, dumpster diving, relies on someone going through the paper trash and finding discarded passwords, letters with your social security number, or bank statements. It is one of the most expensive ways to hack an account.

While the least likely of all six threats, it is good practice to put all critical information through a paper shredder. This exponentially increases the costs of the attack.