In many cyber-attacks, the attacker compromises the database of an application or system. Passwords and user information are among the most sensitive data an organization holds. An organization therefore wants to store passwords in such a way that an attacker cannot recover them even after obtaining the database. Today's applications and frameworks have built-in functionality for storing passwords securely.
Many methods are used to store passwords. Let's understand how we can create or store a password so that it is very hard to crack even if the database is compromised.
How does the hacker crack the password?
To protect passwords, companies can use hashing, encryption, or some other manual approach. However, in some circumstances, organizations choose not to use hashing or encryption, preferring instead a manually constructed method to secure the password.
- In this case, the attacker chooses a candidate password that he believes is a likely match for the victim's password.
- He calculates the hash of that candidate.
- He then compares the hash he calculated with the hash of the dumped password. If the two match, the candidate is the correct password; otherwise it is incorrect.
This process is repeated until the correct password is found. Sometimes the list of candidates is large, so the attacker has to repeat the process for each candidate until the right one is reached. There are several options for selecting candidate passwords, such as:
- Lists of passwords obtained from multiple compromised websites.
- Dictionary attack: the attacker uses words that appear in a dictionary.
- Brute force attack: the attacker repeats the same attempt many times, taking words from a list.
- A list compiled from commonly used passwords.
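As an added example (not code from the original article), here is the storage pattern that makes the hash-and-compare loop above expensive for the attacker: a random per-user salt, so that one computed hash cannot be checked against every dumped entry at once, and a slow key-derivation function (PBKDF2 here; the iteration count is an assumed value) so that each candidate costs real time. The unsalted SHA-256 function is included only to show the contrast.

```python
import hashlib
import hmac
import os

# Work factor for PBKDF2. Assumed value for this example; real deployments
# should follow current guidance and raise it as hardware gets faster.
PBKDF2_ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_sha256(password: str) -> str:
    """Weak scheme: one fast, unsalted hash. Every user with the same
    password gets the same digest, so one computed hash can be compared
    against the whole dumped table at once."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def store_password(password: str) -> dict:
    """Hardened scheme: random per-user salt plus a slow key-derivation
    function. Returns the record the application keeps in its database."""
    salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )
    return {
        "algorithm": "pbkdf2_sha256",
        "iterations": PBKDF2_ITERATIONS,
        "salt": salt.hex(),
        "hash": digest.hex(),
    }


def verify_password(password: str, record: dict) -> bool:
    """Recompute the derivation with the stored salt and parameters and
    compare in constant time so the comparison leaks no timing information."""
    candidate = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        bytes.fromhex(record["salt"]),
        record["iterations"],
    )
    return hmac.compare_digest(candidate, bytes.fromhex(record["hash"]))


if __name__ == "__main__":
    # Constructed sample: two users who happen to choose the same password.
    alice, bob = "Winter2024!", "Winter2024!"
    print("unsalted equal:", unsalted_sha256(alice) == unsalted_sha256(bob))  # True
    rec_a, rec_b = store_password(alice), store_password(bob)
    print("salted equal:  ", rec_a["hash"] == rec_b["hash"])  # False
    print("verify ok:     ", verify_password("Winter2024!", rec_a))  # True
    print("verify wrong:  ", verify_password("winter2024!", rec_a))  # False
```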