CompTIA Security+ Exam Notes

Let Us Help You Pass

Saturday, April 13, 2024

Brute Force, Dictionary, Spraying Attacks

Password Discovery Methods

All of the attacks covered in this section are online attacks: they are made against a live login service rather than against a captured password hash.

BRUTE-FORCE:
  • Tries every possible character combination, exhaustively, until the password is guessed.
  • Password-guessing programs used for brute-force attacks can check anywhere from 10,000 to 1 billion passwords per second.
  • Brute-force attacks are run against a single username with multiple password guesses.
EXAMPLE:
cbgto1gpy
cbgto2gpy
cbgto3gpy
cbgto4gpy
cbgto5gpy
cbgto6gpy

In this example the program cycles the sixth character through every possible value. Once every value of the sixth character has been tried without finding the password, the fifth character advances (here from "o" to "p") and the sixth character starts over.

DICTIONARY:
  • A dictionary attack works through a list of common words (a wordlist) rather than trying complex or random character combinations.
  • Dictionary attacks are run against a single username with multiple password guesses, again using an automated program.

SPRAYING ATTACK:
  • A spraying attack tries one password, normally a simple or commonly used one, against multiple accounts (two or more usernames).
  • The attacker then waits a period such as 30 minutes or longer before the next attempt.
  • This is done to bypass account lockout.
  • Most account lockout policies reset the failed-login counter back to "0" after such a wait.
There are two primary ways to prevent brute-force or dictionary attacks:
  • Account lockout after 3 to 5 failed login attempts
  • MFA (Multi-Factor Authentication)

Tuesday, August 12, 2025

Credential Stuffing Attacks: Understanding the Threat

Credential Stuffing

Credential stuffing is a widespread and increasingly prevalent type of cyberattack that involves using stolen or leaked username and password combinations (credentials) from one website or service to try and gain unauthorized access to accounts on other, unrelated websites or services. The underlying principle that makes this attack so effective is the common tendency of people to reuse the same login credentials across multiple online accounts. 

How does it work?

Credential stuffing attacks typically involve four steps:
1. Credential Acquisition: Attackers obtain large lists of stolen usernames and passwords from data breaches, phishing scams, or the dark web.
2. Automated Login Attempts: Bots are used to rapidly attempt logins on numerous websites and applications using the compromised credentials.
3. Exploiting Password Reuse: Success occurs when the stolen credentials match those used on other sites due to password reuse.
4. Further Exploitation: Once access is gained, attackers can steal information, make fraudulent purchases, spread malware, or sell the compromised accounts.

Why is it so effective?

Credential stuffing is effective due to widespread password reuse, the availability of stolen credentials, the use of automation and bots, and the difficulty in detecting these attacks. 
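As an added Go illustration (not from the original notes) of the lockout and counter-reset behaviour described in the brute force/spraying post above, and of why spraying and credential stuffing are hard to spot per account: the lockout counter follows the notes' policy (lock after 3 failures, reset after a quiet period longer than 30 minutes), while counting distinct accounts per source exposes the low-and-slow pattern that the counter misses. The function names, threshold values and sample events are constructed for this example.

```go
package main

import "fmt"

// One failed login: minute offset, source address, account tried.
type failure struct{ minute int; src, user string }

// Constructed sample (not from the page): 10.0.0.5 hammers one account
// (brute force); 10.0.0.9 tries one guess against three accounts and
// waits 31 minutes before the next round (spraying). Time-ordered.
var sampleFailures = []failure{
	{0, "10.0.0.5", "alice"}, {0, "10.0.0.9", "bob"}, {0, "10.0.0.9", "carol"}, {0, "10.0.0.9", "dave"},
	{1, "10.0.0.5", "alice"}, {2, "10.0.0.5", "alice"},
	{31, "10.0.0.9", "bob"}, {31, "10.0.0.9", "carol"}, {31, "10.0.0.9", "dave"},
	{62, "10.0.0.9", "bob"}, {62, "10.0.0.9", "carol"}, {62, "10.0.0.9", "dave"},
}

// LockedOut: lock after threshold failures, but reset the counter once the
// account has been quiet for longer than resetMinutes (the notes' policy).
func LockedOut(events []failure, threshold, resetMinutes int) map[string]bool {
	count, last, locked := map[string]int{}, map[string]int{}, map[string]bool{}
	for _, e := range events {
		if seen, ok := last[e.user]; ok && e.minute-seen > resetMinutes {
			count[e.user] = 0 // quiet long enough: counter goes back to 0
		}
		count[e.user]++
		last[e.user] = e.minute
		if count[e.user] >= threshold {
			locked[e.user] = true
		}
	}
	return locked
}

// DistinctUsers counts accounts each source failed against; many accounts
// with few failures each is the spray pattern a per-account counter misses.
func DistinctUsers(events []failure) map[string]int {
	seen, counts := map[string]bool{}, map[string]int{}
	for _, e := range events {
		if key := e.src + " " + e.user; !seen[key] {
			seen[key] = true
			counts[e.src]++
		}
	}
	return counts
}

func main() {
	fmt.Println(LockedOut(sampleFailures, 3, 30), DistinctUsers(sampleFailures))
}
```

Only alice is ever locked out; the sprayed accounts never reach the threshold because each 31-minute gap resets their counters, yet the source-level count shows 10.0.0.9 failing against three different accounts.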

Real-world examples
Several organizations have been affected by credential stuffing, including Nintendo, Spotify, Deliveroo, and Ticketfly. These incidents resulted in various consequences, including financial losses, compromised accounts, and reputational damage. 

Impact and consequences
The impact of credential stuffing can be significant for individuals and organizations, leading to account takeover, fraud, data breaches, reputational damage, financial losses, and operational disruption. 

Prevention strategies

To prevent credential stuffing:
  • Individuals: Should use unique and strong passwords, enable multi-factor authentication (MFA), use password managers, monitor account activity, and stay informed about data breaches.
  • Organizations: Should implement MFA and strong password policies, educate users, utilize bot detection, monitor for unusual activity, and consider passwordless authentication. 

Saturday, July 24, 2021

Passwordless Authentication: The Future of Secure and Seamless Logins

Passwordless Authentication

Passwordless authentication replaces traditional passwords with alternative methods for verifying a user's identity, offering enhanced security and a more user-friendly experience. Instead of relying on something the user knows (a password), it utilizes factors like biometrics, possession of a device, or unique digital keys. This approach minimizes the risk of password-related vulnerabilities, such as phishing and theft, while also simplifying the login process.
How Passwordless Authentication Works:
Passwordless authentication leverages different methods to verify a user's identity without relying on passwords. Here's a breakdown of common approaches:
1. Biometrics:
  • This method uses unique biological traits like fingerprints, facial recognition, or iris scans to verify identity.
  • Users unlock their devices or access applications by simply scanning their fingerprint or using facial recognition, eliminating the need for passwords.
  • Examples include fingerprint sensors on smartphones or facial recognition features in laptops. 
2. Possession Factors:
  • This approach relies on something the user possesses, like a device or a security key. 
  • One-Time Passwords (OTPs): Users receive a unique, time-sensitive code via SMS or an authentication app, which they enter to log in. 
  • Magic Links: Users receive a link via email or other messaging app. Clicking the link grants access to the user, eliminating the need for a password. 
  • Hardware Security Keys: Users plug in a physical device (like a USB key) to authenticate. 
3. FIDO2/WebAuthn:
  • This standard utilizes public-key cryptography to generate a unique key pair for each website or application.
  • The private key remains securely stored on the user's device (e.g., smartphone, computer), while the public key is registered with the service.
  • When logging in, the service sends a challenge, which the user's device signs using the private key. The service then verifies the signature using the public key. 
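The FIDO2/WebAuthn challenge-response just described, reduced to its core as an added Go example (not code from the original page or from the FIDO standard): the device keeps one private key per relying-party ID and signs a fresh server challenge, and the service verifies with the public key it stored at registration. Authenticator data, signature counters and attestation are omitted; `Authenticator`, `NewChallenge`, `Verify` and the domain names are this example's own.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)
// Authenticator models the user's device: one private key per site (relying party ID), never exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// Register makes a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	if a.keys == nil { a.keys = map[string]*ecdsa.PrivateKey{} }
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Sign answers a login challenge with the key bound to rpID; a look-alike
// phishing domain has no registered key, so it gets no signature at all.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, bool) {
	priv, ok := a.keys[rpID]
	if !ok { return nil, false }
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...)) // site ID is part of what is signed
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	return sig, err == nil
}

// NewChallenge (service side): 32 fresh random bytes per login, so a captured signature cannot be replayed.
func NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Verify (service side) uses the public key stored at registration; that table holds no login secrets.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

func main() {
	device := &Authenticator{}
	pub := device.Register("example.com") // registration: the service keeps pub
	c := NewChallenge()                    // login: the service sends a challenge
	sig, _ := device.Sign("example.com", c)
	fmt.Println("login ok:", Verify(pub, "example.com", c, sig))
}
```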
Benefits of Passwordless Authentication:

Enhanced Security: Reduces the risk of phishing attacks, password theft, and other vulnerabilities associated with passwords.

Improved User Experience: Eliminates the hassle of remembering and typing complex passwords, making login faster and easier.

Reduced Support Costs: Password-related helpdesk calls decrease as users don't need to reset passwords as frequently.

Increased User Satisfaction: Removing password frustrations leads to a more positive user experience. 

Examples:
Windows Hello: Microsoft's solution for passwordless authentication using facial recognition, fingerprint scanning, or a PIN. 
Google Chrome's Passwordless Login: Chrome allows users to log in to websites using security keys or QR codes linked to their devices. 
Authenticator Apps: Apps like Google Authenticator or Microsoft Authenticator generate time-based one-time passwords (TOTPs) for various services. 

Passwordless authentication represents a significant shift in how we approach digital security, offering a more secure and user-friendly way to access online services.