In CTF lab experiment we exploited the fact that user password in slightly modif
Question
In the CTF lab experiment we exploited the fact that the user password, in slightly modified form, is present on the index page of the site itself. A more acceptable practice would be to have a password without any correlation to the application content and/or your personality, so it would be hard to guess. The best practice tells us to have a completely random password comprised of 16+ characters from 3+ different character classes... All this advice is good, but still there are millions of passwords in the wild that don't withstand any reasonable criticism. You can check some of your favorite ones (assuming you re-use the same passwords on multiple resources, which is a bad practice by itself) at https://haveibeenpwned.com/Passwords.
Discuss how different password patterns contribute to their strength/weakness. Consider the most common practices of password breaking, including but not limited to dictionary attack (as in the CTF experiment), pure bruteforcing, random generator hacking. Keep in mind that the vast majority of users still rely on memorization of their passwords, so they keep their passwords simple, logical, and reproducible. Think of a good "social engineering" trick that could help a hacker to "break" such logical passwords.
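A worked example of the two attack models the question names, added here as illustration and not part of the original question or answer. It estimates how many guesses a pure brute force versus a word-plus-suffix dictionary attack (with case and leet rules) would need for a given password, and shows how a check against a breach corpus such as the Pwned Passwords service can be done by sending only a hash prefix. The wordlist, the `DICT_SIZE` figure, the rule counts and the breached-hash set are constructed assumptions, not real cracking data.

```python
"""Estimate how cheaply a password falls to different attack models and
check it against a breach corpus without revealing the password.

Added example for this discussion, not code from the original question
or answer. The wordlist, the breached-hash set and the sample passwords
are constructed for illustration; real cracking dictionaries and rule
sets are far larger, so the guess counts here are optimistic.
"""
import hashlib
import math
import re
import string

# Constructed mini dictionary standing in for a cracking wordlist.
WORDLIST = {"password", "welcome", "summer", "dragon", "ctfsite", "monkey"}
DICT_SIZE = 10_000_000                      # assumed realistic wordlist size
LEET = str.maketrans("@$!013", "asiole")    # substitutions attackers undo
CLASS_SIZE = {"lower": 26, "upper": 26, "digit": 10, "symbol": 33}
SUFFIX = re.compile(r"^(\d{0,4})([!?.#]{0,2})$")


def char_classes(pw):
    """Return the set of character classes present in the password."""
    classes = set()
    for c in pw:
        if c in string.ascii_lowercase:
            classes.add("lower")
        elif c in string.ascii_uppercase:
            classes.add("upper")
        elif c in string.digits:
            classes.add("digit")
        else:
            classes.add("symbol")
    return classes


def brute_force_guesses(pw):
    """Search space a pure brute force must cover: every string of this
    length over the alphabet formed by the classes actually used."""
    alphabet = sum(CLASS_SIZE[c] for c in char_classes(pw))
    return alphabet ** len(pw)


def dictionary_guesses(pw, wordlist=WORDLIST):
    """Model a word + digits + symbols dictionary attack with case and leet
    rules. Returns None when the password does not fit that pattern."""
    for split in range(len(pw), 2, -1):          # longest stem first
        stem, rest = pw[:split], pw[split:]
        m = SUFFIX.match(rest)
        base = stem.translate(LEET).lower()
        if not m or base not in wordlist:
            continue
        digits, symbols = m.groups()
        case_rules = 4                           # as-is, Capitalized, UPPER, lower
        leet_rules = 2 ** min(sum(c in "asiole" for c in base), 6)
        suffix_space = 10 ** len(digits) * 33 ** len(symbols)
        return DICT_SIZE * case_rules * leet_rules * suffix_space
    return None


def assess(pw):
    """Return bits of work under each model and the cheapest attack."""
    models = {"brute_force": brute_force_guesses(pw)}
    dg = dictionary_guesses(pw)
    if dg is not None:
        models["dictionary"] = dg
    weakest = min(models, key=models.get)
    return {"bits": {k: round(math.log2(v), 1) for k, v in models.items()},
            "weakest_model": weakest}


# --- breach check in the k-anonymity style used by Pwned Passwords -------
# Constructed "breach corpus": SHA-1 digests of a few known-leaked strings.
BREACHED = {hashlib.sha1(p.encode()).hexdigest().upper()
            for p in ("password", "123456", "P@ssw0rd1")}


def range_query(prefix, corpus=BREACHED):
    """Server side: return the suffixes of every breached hash whose first
    five hex digits match. The server never sees the full hash."""
    return {h[5:] for h in corpus if h.startswith(prefix)}


def is_breached(pw, corpus=BREACHED):
    """Client side: send only the 5-char prefix, compare suffixes locally."""
    digest = hashlib.sha1(pw.encode()).hexdigest().upper()
    return digest[5:] in range_query(digest[:5], corpus)


if __name__ == "__main__":
    for pw in ("P@ssw0rd1", "Summer2023!", "xq7#Lm2!vR9pZ4wK"):
        print(pw, assess(pw), "breached:", is_breached(pw))
```

The point the numbers make: `P@ssw0rd1` looks like a four-class, nine-character password (about 59 bits against pure brute force) but is a dictionary word with leet substitutions and a digit suffix, which the rule-based model reaches in roughly 33 bits of work; the random sixteen-character string fits no dictionary pattern, so brute force is the only model and it stays out of reach. The prefix query shows why checking a password against a breach corpus does not require handing the password, or even its full hash, to the service.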
Explanation / Answer
Different password patterns allow the user to be more confident about his security, as it is less likely to be hacked or guessed by an unknown party.
Weak passwords are the ones that can be easily predicted or with little effort. People use them because they are easy to memorize. A password is weak for several reasons:
Some social engineering tricks that help hackers gain financial benefits work in many ways, such as phishing, whaling, etc.
Some tricks that are getting more common day by day involve the following scenarios:
1) Email from a friend:
If the hacker is a person you know with a malicious plan to get your contacts from your phone/email, bank account details, social media accounts, etc., he/she may act as if they are trustworthy. If you give them anything at once, or he/she peeps into your mobile or email just by being friendly, they can use your contact list or the emails of your contacts to send malicious content to your friends while pretending that they are YOU. If the people you know reply with the particular reply they are waiting for, such as strong logical passwords of bank accounts, social media accounts, etc., they would not take a second to hack them and run away.
Hence, criminals are hacking accounts, stealing passwords and messaging as friends for their benefit.
2) Ransomware:
Hackers target victims by convincing them to install software (mainly antiviruses, system boosters, cache cleaners, etc.) onto their computer. They lock the computer by first encrypting the data on it. When the target calls the number provided by the hacker to resolve the issue, they ask for account details or to send a ransom (generally hundreds/thousands of dollars).
But often, the hackers take the ransom and do not unlock the computer, because they would be able to use all your credit card information or your money, which can permit them to access all your other kinds of accounts.
Other than the popular ones, these tricks could be possible:
1) They could send you an email warning you about, or offering to help you strengthen, your password.
You may click on the link assuming you are not going to provide any details but only checking it out of curiosity.
You may think that you are not actually providing them a password but only checking whether your password is strong enough to be secure. Even though you do not give them a password, the text you entered for testing gets recorded there, and then they use the text you entered any number of times to access all kinds of your accounts to steal information and get financial gain.
2) They may call you from some bank to get your bank account details.
Recommendations for the above: