4. The Need for Cybersecurity: Cyber Attacks 77

guessing is most effective when a hacker performs recon and uncovers personal information about the target that might have been incorporated into their password, such as family names, pet names, school mascots, important dates, etc.

Figure 4.2 John the Ripper showing the cracked passwords for bob (batman) and alice (catwoman).

Password spraying is similar to password guessing, but instead of targeting specific users it focuses on a small number of password guesses. The goal of password spraying is to log in to any user’s account. If a hacker is able to obtain a list of valid usernames, he can try a few password guesses for every user. This will not trip the “too many failed attempts” trigger for any one user, and it gives the hacker many opportunities to guess a valid set of login credentials. This attack relies on the probability that at least one user chose an easily guessable password. For example, at a university where the mascot is the Tigers, a password spraying attack might try to log in as every student using a small set of passwords based on the word Tiger, such as Tigers, Tigers1!, t1g3r5, etc. It is likely that at least one student has chosen such a password.

Credential stuffing is yet another attack on passwords. It is the main reason why security experts warn people not to reuse the same password on different websites. This attack works by finding a valid username and password combination for one site and trying the same pair of credentials on another site. The valid username and password may have been discovered through a password cracking attack on an organization. A user may not care that his credentials were stolen for some throwaway account he created and used one time, but if he uses those same credentials for his online bank account, he has a problem! In credential stuffing attacks hackers use stolen and known valid credentials to try to
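The point the text makes about password spraying is that a per-user “too many failed attempts” lockout never fires, because no single account sees more than a few guesses. The detection that does catch it counts failures per source across many accounts instead. The following Python script is an added example, not code from the book: it parses a constructed, hypothetical login-log format (timestamp, FAIL/OK, user, source address), shows which accounts a per-user lockout policy would lock, and then flags any source whose failures touch many distinct accounts within one time window while staying below the per-user threshold. The sample log, the thresholds and the log format are all assumptions made for the example.

```python
"""Per-user lockout vs. per-source spray detection (added example, not from the book)."""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical log format, constructed for this example:
#   <ISO timestamp> <FAIL|OK> user=<name> src=<ip>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$"
)

LOCKOUT_THRESHOLD = 5            # assumed per-user "too many failed attempts" limit
SPRAY_WINDOW = timedelta(minutes=10)
SPRAY_MIN_USERS = 10             # distinct accounts one source must hit to be flagged


def build_sample_log():
    """Constructed sample: a spray (2 guesses x 12 users from one source),
    a classic brute force (6 guesses on carol from another source), and a
    legitimate user who mistypes once and then logs in."""
    users = ["alice", "bob", "carol", "dave", "erin", "frank", "grace",
             "heidi", "ivan", "judy", "mallory", "oscar"]
    t = datetime(2024, 3, 1, 8, 0, 0)
    lines = []
    for _ in range(2):                       # two password guesses per user
        for u in users:
            t += timedelta(seconds=5)
            lines.append(f"{t.isoformat()} FAIL user={u} src=203.0.113.7")
    for _ in range(6):                       # brute force on a single account
        t += timedelta(seconds=5)
        lines.append(f"{t.isoformat()} FAIL user=carol src=198.51.100.9")
    t += timedelta(seconds=5)
    lines.append(f"{t.isoformat()} FAIL user=dave src=192.0.2.5")
    t += timedelta(seconds=5)
    lines.append(f"{t.isoformat()} OK user=dave src=192.0.2.5")
    return "\n".join(lines)


def parse_log(text):
    """Parse log lines into event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.fromisoformat(ev["ts"])
        events.append(ev)
    return events


def locked_accounts(events, threshold=LOCKOUT_THRESHOLD):
    """Accounts a per-user lockout policy would lock (>= threshold failures).
    A spray keeps every account below this, so only the brute-forced one shows."""
    fails = defaultdict(int)
    for ev in events:
        if ev["result"] == "FAIL":
            fails[ev["user"]] += 1
    return {u for u, n in fails.items() if n >= threshold}


def detect_spraying(events, window=SPRAY_WINDOW, min_users=SPRAY_MIN_USERS,
                    lockout=LOCKOUT_THRESHOLD):
    """Return {source: [users]} for sources whose failures, within one sliding
    window, hit at least min_users distinct accounts with every account still
    under the lockout threshold: the pattern a per-user counter cannot see."""
    by_src = defaultdict(list)
    for ev in events:
        if ev["result"] == "FAIL":
            by_src[ev["src"]].append(ev)
    flagged = {}
    for src, evs in by_src.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):            # window starts at each failure
            per_user = defaultdict(int)
            for ev in evs[i:]:
                if ev["ts"] - evs[i]["ts"] > window:
                    break
                per_user[ev["user"]] += 1
            if len(per_user) >= min_users and max(per_user.values()) < lockout:
                flagged[src] = sorted(per_user)
                break
    return flagged


if __name__ == "__main__":
    evs = parse_log(build_sample_log())
    print("locked by per-user policy:", locked_accounts(evs))
    print("spray sources:", detect_spraying(evs))
```

Run against the constructed log, the per-user policy locks only `carol` (the brute-forced account), while the spraying source `203.0.113.7`, which never exceeded two failures on any account, is reported only by the per-source check. Real deployments would key the source on more than an IP address (spraying is often spread across many addresses) and would feed the flag into alerting rather than a print statement, but the counting logic is the same.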