Monkeys like humans kick back and have a beverage –much like average hackers and attackers just looking for a quick buck and usually quick scheme. Higher educated monkeys again much like their human counterparts search for challenges and look for easy access (such as passwords) and drill their way into an unsuspecting human computers and wreak havoc.
Passwords are the most typical means of authentication on your home network or work networks. An everyday employee may use multiple passwords every day in order to use all applications and systems provided by the Calgary employer. Calgary Businesses spend significant amounts of resources to deploy authentication mechanisms and policies, which are then compromised due to password leaks or misuse.
Attackers, however, have automated software that can calculate middle-of-the-road passwords with great ease. The misconception that longer and harder passwords can withstand the most state-of-the-art recovery techniques used by the majority hackers and attackers is untrue. Hackers and Attackers, like monkeys, look for the easiest way in and passwords and pass phrases that are re-used in different forms can be predicted and easily broke into.
There are two major categories of password attacks: online and offline.
Online password attacks are where a live host is brute-force and pools of possible passwords are used as input against a login form or session until successful login is achieved. This type of attack is usually easier to block by adding protection mechanisms such as Captcha images and a maximum limit on unsuccessful authentication attempts.
Offline password attacks, on the other hand, assume that the attacker already owns a database dump of passwords in hashed format and wishes to recover most them. The attacker can acquire hashed passwords from previous attacks, using SQL injections to get hashed passwords or database contents as commonly happens at the present time. The attackers aim is not so much to crack specific passwords, but rather to crack a significant proportion of the total database with the prospect that at least a significant number of them will allow the hackers access to items of value.
Types of attack techniques: An attacker/s will usually choose a password cracking technique that is known to be most efficient with the type of hashed password or passwords they are trying to recover. Effectiveness is usually measured by the time needed to complete an attack, the amount of resources the attack requires, and the success rate of the specific attack within the time space and with the resources used.
The password cracking toolbox: Brute-force attacks perform an exhaustive search using all possible series combinations for a specific password length. Brute-force attacks are known to be considered to be inefficient because it takes an unreasonable amount of time to perform a complete (lowercase, uppercase, numbers and special characters) attack for password lengths above about 10 characters.
These days, new dictionaries are created and made public on a regular basis. This makes dictionary attacks more attractive and effective for an attacker.
The proof-of-concept attacks: Search engine exploitation (Instance: Google hash search). Handfuls of passwords can be recovered this way because of the innumerable lists of recovered passwords that have been already made public online. Combined dictionary attacks where several dictionaries are combined with each other and with themselves to create new dictionaries with larger and more complicated words and phrases.
Hybrid dictionary attacks are achieved by concatenating dictionaries with a brute-forced string or series attached to every dictionary entry. Rule-based dictionary attacks use a set of predefined rules to mutate an existing dictionary and expand it.
Markov chains are mathematical tools that have been initiated to password fissuring very recently. They work only with user-selected passwords and they create a collection of so-called words made of the most used syllables in a large sample of real-life passwords. These have recently been put to the test with great success against user passwords that contain “user-created” words or “mnemonics”.
Which Monkey will Evade The Password Madness?
Passwords do not provide adequate security for most systems. Multiple people and academia try to educate users to craft human mnemonic passwords and ways to improve the complexity of their passwords by simple mutation. Other suggestions include making passwords larger, adding numbers and special characters. We saw that these actions do not necessarily provide any additional security if they are part of a “common” practice.
Password or phrase is at least eight characters long
Does not contain: your user name, real names in the family, children’s names, dog or cat names
Does not contain: a complete dictionary word such as Monkeys or Bananas
Significantly different from previous passwords: Passwords that increment (Monkeys1, Monkeys2, Monkeys3 ...) are not strong.
Password or phrase contains characters from each of the following four groups: Symbols found on the keyboard (all keyboard characters not defined as letters or numerals)!@#. Uppercase letters, Lower case letters and numerals.
A stronger password may possibly look like: M0nk3>z@