Leaving It Unaddressed Can Lead to Personal Information Leaks! Password Cracking: Damage and Countermeasures
In recent years, damage such as personal information leaks and unauthorized logins caused by password cracking has been increasing. Companies that handle large amounts of personal and confidential information in particular must prevent such attacks thoroughly and take the best available measures to avoid serious damage.
This article introduces password cracking: what it is, its main types, the damage it can cause, and the countermeasures against it.
Table of Contents
- What is Password Cracking
- User Awareness Regarding Passwords
- Damage Caused by Password Cracking
- Leakage of Personal Information and Confidential Information
- Liability for Damages and Compensation
- Decline in Corporate/Website Credibility
- Types of Password Cracking
- Brute Force Attack
- Dictionary Attack
- Reverse Brute Force Attack
- Password List Attack (Account List Attack)
- Measures Against Password Cracking
- Introduction of Two-Factor Authentication
- Setting a One-Time Password
- Limiting the Number of Password Input Attempts
- Introduction of Personal Authentication
- Setting Password Security and Minimum Length
- Summary
1. What is Password Cracking?
Password cracking is the act of illegitimately working out the password for an account on a social networking service (SNS), membership site, online shop or similar service, whether by guessing, by systematic trial, or by analyzing stolen data such as a leaked password database.
It is a criminal act of using a variety of methods to obtain passwords for websites that require a login and then stealing the information tied to the account.
In today's Internet-driven world, a vast amount of personal and confidential information is held online.
Password cracking is one of the main ways that information stored on poorly protected websites is stolen.
2. User Awareness Regarding Passwords
According to a survey by IPA (Information-technology Promotion Agency, Japan), user awareness regarding passwords is low.
Among respondents who said they manage two or more IDs (accounts), only about 32.4% said they set a different password for each service.
The remaining 67.6% said they do not vary their password by service and reuse the same one.
In other words, once a user's password has been cracked even once, there is a high probability that the same password will also let an attacker into the user's other services and payment sites.
Low user security awareness of this kind magnifies the damage from password cracking.
3. Damage Caused by Password Cracking
The damages to companies caused by password cracking are mainly as follows:
- Leakage of personal information and confidential information
- Liability for damages and compensation
- Decline in corporate/website credibility
Now, let’s explain each type of damage in detail.
3-1. Leakage of Personal Information and Confidential Information
If password cracking succeeds, the attacker can log in as the account holder and read everything the account holds, resulting in the leakage of personal and confidential information.
If the cracked account belongs to a website that stores bank account or credit card numbers, the result is direct financial damage.
Such leaks harm not only the company but also its customers and business partners.
Websites and apps that manage personal or confidential information must therefore thoroughly prevent password cracking, as well as other damage such as ransomware.
3-2. Liability for Damages and Compensation
If personal information or confidential information is leaked, victims may seek damages or compensation from the company that leaked it.
The larger the scale of the damage, the greater the damages and compensation liability that must be borne, which is highly likely to result in significant losses for the business.
3-3. Decline in Corporate/Website Credibility
Password cracking can largely be prevented by thorough security management.
Being a victim of it is therefore seen as corporate negligence and results in a loss of trust.
Moreover, once an article reporting a personal information leak has been posted on the Internet, anyone can find it by searching.
The company's credibility will then be questioned continuously, and the image will be hard to erase even after thorough security management has been implemented.
4. Types of Password Cracking
There are several types of password cracking, which can be roughly divided as follows:
- Brute Force Attack
- Dictionary Attack
- Reverse Brute Force Attack
- Password List Attack (Account List Attack)
Let’s see how each method figures out passwords.
4-1. Brute Force Attack
A brute force attack tries every possible combination of characters, one after another, until the password is found.
The number of candidates grows exponentially with password length, so a short password, or one drawn from a small character set such as digits only, is cracked by a brute force attack in a very short time.
4-2. Dictionary Attack
A dictionary attack is a password cracking method that exploits human habits.
People tend to choose basic words that are easy to remember, such as:
- Birthday
- Place of birth
- Name (parent, self, child, pet)
Unlike a brute force attack, a dictionary attack guesses passwords from meaningful words and phrases, usually with the common variations people add (a capital letter, a year, a trailing "!"), so it reaches a likely password in far fewer attempts.
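The following added example (not code from the original article) shows the difference in work between the two attacks described in 4-1 and 4-2. It attacks a SHA-256 hash of a constructed password offline; the target passwords, the word list and the mangling rules are illustrative assumptions. A brute force search has to walk the whole keyspace, while a dictionary attack with a handful of mangling rules recovers a "word plus year plus symbol" password in a few hundred guesses.

```python
import hashlib
import itertools
import string
from typing import Optional

# Constructed target: a SHA-256 hash of the password being attacked. This is an
# offline attack against a stolen hash; SHA-256 is used only so the demo runs in
# seconds. A site should store bcrypt/scrypt/Argon2 hashes, which cost far more
# per guess.
def digest(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def keyspace(charset_size: int, length: int) -> int:
    """Number of candidates an exhaustive search of exactly `length` characters covers."""
    return charset_size ** length


def years_to_exhaust(charset_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time for a brute force attack at the given guess rate."""
    return keyspace(charset_size, length) / guesses_per_second / (365 * 24 * 3600)


def brute_force(target_hash: str, charset: str, max_length: int) -> tuple[Optional[str], int]:
    """Try every string over `charset` from length 1 up to `max_length`.
    Returns (password or None, number of guesses made)."""
    attempts = 0
    for length in range(1, max_length + 1):
        for combo in itertools.product(charset, repeat=length):
            attempts += 1
            candidate = "".join(combo)
            if digest(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


def mangle(word: str) -> list[str]:
    """Expand one dictionary word with the habits people use to 'strengthen' it:
    capitalisation, a year or short digit suffix, and a trailing '!'."""
    bases = sorted({word, word.lower(), word.capitalize()})
    suffixes = [""] + [str(year) for year in range(1990, 2026)] + ["1", "12", "123"]
    candidates: dict[str, None] = {}  # dict keeps insertion order and drops duplicates
    for base in bases:
        for suffix in suffixes:
            for symbol in ("", "!"):
                candidates[base + suffix + symbol] = None
    return list(candidates)


def dictionary_attack(target_hash: str, wordlist: list[str]) -> tuple[Optional[str], int]:
    """Try each word and its mangled variants. Returns (password or None, guesses made)."""
    attempts = 0
    for word in wordlist:
        for candidate in mangle(word):
            attempts += 1
            if digest(candidate) == target_hash:
                return candidate, attempts
    return None, attempts


if __name__ == "__main__":
    lowercase_digits = string.ascii_lowercase + string.digits  # 36 symbols
    print("Worst-case years at 10^10 guesses/s:")
    for n in (6, 8, 12):
        print(f"  {n} chars from 36 symbols: {years_to_exhaust(36, n, 1e10):.2e}")
        print(f"  {n} chars from 95 symbols: {years_to_exhaust(95, n, 1e10):.2e}")
    found, tries = brute_force(digest("ab1"), lowercase_digits, 3)
    print(f"brute force found {found!r} after {tries} guesses")
    found, tries = dictionary_attack(digest("Fluffy2019!"), ["password", "letmein", "fluffy"])
    print(f"dictionary attack found {found!r} after {tries} guesses")
```

The keyspace figures are the point of the first half: 6 lowercase-and-digit characters fall in under a second at a realistic offline rate, while 12 characters from the full printable set take longer than the age of the universe. The second half shows why length alone is not enough: "Fluffy2019!" is 11 characters from a 95-symbol set, yet a pet name with two ordinary mangling rules finds it in 382 guesses.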
4-3. Reverse Brute Force Attack
A reverse brute force attack fixes a single password (typically a very common one) and tries it against many different IDs until it finds an account where that password works; the same technique is also called password spraying.
Because each account receives only one or a few failed attempts, a per-account limit on login attempts is never reached, so the attack is not detected by counting failures per ID.
A reverse brute force attack is therefore launched from a list of many IDs rather than against one specific ID.
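Detection is where the difference between a brute force attack on one ID and a reverse brute force attack across many IDs matters. The following added example (not code from the original article) runs two simple rules over constructed login log lines in an assumed format: failures per account, which catches the classic attack, and distinct failed accounts per source address, which is what catches the spray. The log lines, the format and the thresholds are all assumptions for the demo.

```python
import re
from collections import defaultdict

# Constructed sample log (not from any real system). Assumed format:
# <timestamp> <FAIL|OK> user=<id> src=<ip>
SAMPLE_LOG = "\n".join(
    # one attacker hammering a single account: classic brute force
    [f"2024-05-01T10:00:{i:02d}Z FAIL user=alice src=198.51.100.7" for i in range(6)]
    # one attacker trying one password against many accounts: reverse brute force
    + [f"2024-05-01T10:05:{i:02d}Z FAIL user=user{i:02d} src=203.0.113.5" for i in range(12)]
    # normal noise: a good login and a single typo
    + ["2024-05-01T10:06:00Z OK user=bob src=192.0.2.9",
       "2024-05-01T10:06:30Z FAIL user=carol src=192.0.2.9"]
)

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<result>FAIL|OK) user=(?P<user>\S+) src=(?P<src>\S+)$")


def parse_log(text: str) -> list[dict]:
    """Parse lines that match the assumed format; silently skip anything else."""
    events = []
    for line in text.splitlines():
        match = LINE_RE.match(line)
        if match:
            events.append(match.groupdict())
    return events


def detect(events: list[dict], per_account_limit: int = 5,
           spray_accounts_limit: int = 10) -> tuple[set, set]:
    """Return (accounts under brute force, source IPs performing reverse brute force).

    The per-account counter alone never fires on the spray, because every
    sprayed user sees exactly one failure. Counting how many distinct accounts
    failed from the same source is what exposes it."""
    fails_per_account: dict[str, int] = defaultdict(int)
    accounts_per_src: dict[str, set] = defaultdict(set)
    for e in events:
        if e["result"] != "FAIL":
            continue
        fails_per_account[e["user"]] += 1
        accounts_per_src[e["src"]].add(e["user"])
    brute = {u for u, n in fails_per_account.items() if n >= per_account_limit}
    spray = {s for s, users in accounts_per_src.items() if len(users) >= spray_accounts_limit}
    return brute, spray


if __name__ == "__main__":
    brute, spray = detect(parse_log(SAMPLE_LOG))
    print("brute force on accounts:", sorted(brute))
    print("reverse brute force from sources:", sorted(spray))
```

In production the counts would be kept per time window rather than over the whole file, and the source key would be widened (a /24 or an ASN) because a spraying attacker rotates addresses; the structure of the two rules stays the same.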
4-4. Password List Attack (Account List Attack)
A password list attack (also called credential stuffing) uses ID and password pairs obtained in advance, typically from a leak at some other service, to log in to other websites and services.
People who reuse passwords are the most likely victims of password list attacks, and a successful login can expose bank account numbers and credit card numbers.
5. Measures Against Password Cracking
To protect against password cracking, you should know the appropriate countermeasures.
Here, we will mainly explain five countermeasures, so please actively implement them to prevent attacks from password cracking.
5-1. Introduction of Two-Factor Authentication
Two-factor authentication requires a second proof of identity in addition to the password: typically a one-time code sent to a registered phone number or email address, a code generated by an authenticator app, or a hardware security key, requested at every login, or at least at every login from a new device.
With two-factor authentication in place, an attacker who has cracked the password still cannot log in without the second factor, so the information leakage is prevented. Note that codes delivered by SMS or email are the weakest form of second factor, since they can be intercepted or phished; authenticator apps and hardware keys are preferable.
5-2. Setting a One-Time Password
Requiring a one-time password is also an effective countermeasure against password cracking.
A one-time password is valid for a single use or for a short fixed period (for example 30 seconds for time-based codes), after which a new one is issued, so a password that an attacker has observed or guessed cannot be reused to log in.
5-3. Limiting the Number of Password Input Attempts
Limiting the number of failed password attempts at login is also effective against brute force and dictionary attacks.
Without such a limit, an attacker can submit passwords for one ID an unlimited number of times.
However, locking an account after a single failure harms usability, and a permanent lock lets an attacker deliberately lock legitimate users out by entering wrong passwords on purpose.
A sensible setting is therefore to allow around 3 to 5 failures before imposing a temporary lock or a growing delay, and to count failures per source address as well as per account, since a per-account limit alone does not stop a reverse brute force attack.
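An attempt limiter that follows the advice above, written as an added example (not code from the original article): failures are counted per account and per source address, a temporary lock is imposed after `max_failures`, and each further round of failures doubles the lock up to a ceiling. The thresholds and the injectable clock are assumptions chosen for the demo.

```python
import time
from dataclasses import dataclass
from typing import Callable


@dataclass
class _Counter:
    failures: int = 0      # failures since the last lock (or since reset)
    rounds: int = 0        # how many locks have been imposed so far
    locked_until: float = 0.0


class LoginThrottle:
    """Limit failed login attempts per account and per source address.

    After `max_failures` consecutive failures the key is locked for
    `base_lockout` seconds; each further round doubles the lockout up to
    `max_lockout`. Locks expire on their own, so an attacker cannot turn the
    limit into a permanent denial of service against a legitimate user, and
    the per-source counter catches one password sprayed across many accounts,
    which the per-account counter alone never sees. `clock` is injectable so
    behaviour can be tested without sleeping."""

    def __init__(self, max_failures: int = 5, base_lockout: float = 60.0,
                 max_lockout: float = 3600.0, clock: Callable[[], float] = time.time):
        self.max_failures = max_failures
        self.base_lockout = base_lockout
        self.max_lockout = max_lockout
        self.clock = clock
        self._accounts: dict[str, _Counter] = {}
        self._sources: dict[str, _Counter] = {}

    def _counters(self, account: str, source: str) -> list[_Counter]:
        return [self._accounts.setdefault(account, _Counter()),
                self._sources.setdefault(source, _Counter())]

    def is_locked(self, account: str, source: str) -> bool:
        now = self.clock()
        return any(c.locked_until > now for c in self._counters(account, source))

    def record_failure(self, account: str, source: str) -> None:
        now = self.clock()
        for c in self._counters(account, source):
            c.failures += 1
            if c.failures >= self.max_failures:
                c.rounds += 1
                c.locked_until = now + min(self.base_lockout * 2 ** (c.rounds - 1), self.max_lockout)
                c.failures = 0

    def record_success(self, account: str) -> None:
        # A correct login clears the account's history. The source counter is
        # left alone: one good login from a shared address says nothing about
        # the other attempts coming from it.
        self._accounts.pop(account, None)

    def attempt(self, account: str, source: str, credentials_ok: bool) -> str:
        """Drive one login attempt; returns 'locked', 'ok' or 'fail'.
        Credentials are not even checked while locked, so guessing cannot continue."""
        if self.is_locked(account, source):
            return "locked"
        if credentials_ok:
            self.record_success(account)
            return "ok"
        self.record_failure(account, source)
        return "fail"
```

Returning "locked" without checking the credentials is deliberate: if the response differed for a correct password during a lock, the lock would leak the answer. The same reasoning applies to the error message shown to users, which should not reveal whether the ID exists.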
5-4. Introduction of Personal Authentication
There is also personal authentication, where users register questions and answers that only they know in advance and are asked to enter them when logging in from a different device or location than usual.
Personal authentication is often recommended because users can freely decide the answers themselves.
However, there is a risk that users forget their own answers, so the website should choose questions that are easy for the user to remember but cannot be answered by others, such as:
- What elementary school did you attend?
- What is the name of your pet?
- What is your parent’s maiden name?
Bear in mind that answers like these can often be found on social media or in public records, so personal authentication should supplement two-factor authentication rather than replace it, and the stored answers must be hashed in the same way as passwords.
5-5. Setting Password Security and Minimum Length
Enforcing a minimum password length and checking password strength at registration secures a baseline level of security.
Such a system also helps users manage their own security, because it tells them at the moment they choose a password whether it is acceptable.
In recent years many websites and companies have introduced password strength checks; a good policy accepts long passwords (so that passphrases are possible), rejects passwords that appear on lists of common or leaked passwords, and rejects passwords that contain the user's own ID.
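A registration-time check along those lines, as an added example (not code from the original article). The minimum length of 12, the tiny deny list and the entropy estimate are assumptions for the demo; a real deployment would check against a full list of leaked passwords, which also blunts the password list attack of 4-4, since a password that leaked elsewhere is rejected here.

```python
import math

# Constructed deny list for the demo. In production, check against a large
# list of leaked and common passwords instead (tens of millions of entries).
COMMON_PASSWORDS = {
    "password", "password1", "123456", "12345678", "qwerty", "letmein",
    "iloveyou", "admin123", "welcome1", "abc123",
}


def estimated_bits(password: str) -> float:
    """Rough upper bound on entropy: length x log2(size of the character pool used).
    A real guesser does much better against words and patterns, so treat this
    as a ceiling, not a guarantee."""
    pool = 0
    if any(c.islower() for c in password):
        pool += 26
    if any(c.isupper() for c in password):
        pool += 26
    if any(c.isdigit() for c in password):
        pool += 10
    if any(not c.isalnum() for c in password):
        pool += 33  # printable ASCII punctuation and space
    return len(password) * math.log2(pool) if pool else 0.0


def check_password(password: str, user_id: str, min_length: int = 12,
                   max_length: int = 128) -> list[str]:
    """Return the reasons a password is rejected; an empty list means accepted.

    Length is the main lever (long passphrases are allowed and encouraged);
    composition rules are deliberately not enforced, because they push users
    toward predictable patterns that dictionary attacks already cover."""
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(password) > max_length:
        problems.append(f"longer than {max_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    if user_id and user_id.lower() in password.lower():
        problems.append("contains the user ID")
    if len(set(password)) <= 2:
        problems.append("uses only one or two distinct characters")
    return problems


if __name__ == "__main__":
    for candidate in ("Password1", "alice2024!!!!", "correct horse battery staple"):
        verdict = check_password(candidate, "alice") or ["accepted"]
        print(f"{candidate!r}: {', '.join(verdict)} ({estimated_bits(candidate):.0f} bits max)")
```

The deny-list lookup is done on the lowercased password on purpose: "Password1" is no stronger than "password1" against a dictionary attack that tries capitalised variants, so both should be rejected.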
Summary
In this article we explained the types of password cracking, the damage it can cause, and the countermeasures against it. As long as you handle personal and confidential information, you must implement advanced security management thoroughly.
Beyond password cracking, there are now many other cyberattacks, including ransomware.
Implement security systems and in-house countermeasures meticulously, and strive to prevent damage and leakage incidents before they happen.
For inquiries, please contact globalsupport@jiran.com.