Passwords 101

Unlike basketballs, “passwords” are things we don’t want to be passed around, especially in a society built around the idea that “mystery” is appealing.

We like to keep secrets; it makes us feel special and unique knowing that something is just for us. And, as mentioned before, we love information: we love knowing and learning. To get to information about a particular person, group or even an app, we need to open a certain door, and for that we need a key.

People lie, cheat and deceive, whether they are planning a surprise or just hiding the fact that they are not the Nigerian prince we thought they were, and they use a key to lock it all down. Just like the diary with a lock on it that we all had growing up (right?), we use passwords to make sure people won’t be able to gain access to our “chats” with others on Facebook (sorry, “Meta”), Instagram and other platforms. We don’t want people to see the way we interact with others and, most importantly, we don’t want other people to take actions on our behalf, especially since everyone else will think we’re the ones taking those actions.

A few small (yet big) things regarding passwords:

  1. Many platforms/systems demand that every user owns a public key (username, nickname and such) that everyone can see, and in addition you also need a private key (the password, available only to you). In those cases the system uses Asymmetric Cryptography (Public-key cryptography).
  2. When creating a password it’s best to make it as complicated as possible: the more complicated the password, the safer. You can add capital letters, special characters (such as @, #, % and so on), and even combine everything with numbers.
  3. Many systems will “block” a user (or a “so-called” user) from inputting their password after a few failed attempts. They do it to prevent User Enumeration, which can be achieved via a type of attack called Brute-Force attacks.

What is User Enumeration?

It’s a vulnerability (god, I hate those), and this vulnerability allows a malicious attacker to reveal user names in various services. With the help of permissive settings in web applications and the correct use of Brute-force, the malicious attacker can reveal the username of the administration panel, for example.

The system doesn’t stop us from trying to “get in” because it’s unfriendly; it does it in order to protect us. Since our “Username” is publicly visible, the attacker only needs your password, and what’s stopping him from “guessing” until he gets the right one? Exactly: that is the way those systems work, they suspect, and they react.

“Brute-Forcing” is similar to pounding on a wooden door until it breaks: you try and try until it eventually gives way.

And you’re probably thinking “well, even if the system won’t block the attacker, it would probably take months”. Well, guess again!

Today there are plenty of software tools and apps that do everything automatically!

“Brute-Forcing” is easier than ever!
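As an added example that is not part of the original post: a small login guard of the kind point 3 above describes, written in Python. It counts failed attempts per username, “blocks” the name after a few failures, and answers an unknown username exactly like a wrong password, so the response does not help with User Enumeration either. The sample user and password, the MAX_ATTEMPTS and LOCKOUT_SECONDS values and the LoginGuard class are all assumptions of this example.

```python
import hashlib
import hmac
import time

MAX_ATTEMPTS = 5           # failed logins allowed before the "block" kicks in
LOCKOUT_SECONDS = 15 * 60  # how long the username stays blocked


def _digest(password: str) -> bytes:
    # Constructed example only: a real system stores a slow, salted
    # hash (bcrypt, scrypt, Argon2), never a plain SHA-256.
    return hashlib.sha256(password.encode()).digest()


# Constructed sample user; the password follows point 2 above.
USERS = {"alice": _digest("Tr0ub4dor&3#")}


class LoginGuard:
    """Tracks failed attempts per username and blocks after too many."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock      # injectable so the lockout can be tested
        self.failures = {}      # username -> (count, locked_until)

    def _locked(self, username: str) -> bool:
        count, until = self.failures.get(username, (0, 0.0))
        if count < MAX_ATTEMPTS:
            return False
        if self.clock() < until:
            return True
        self.failures.pop(username, None)   # lockout expired, start fresh
        return False

    def login(self, username: str, password: str) -> str:
        # Unknown usernames are throttled exactly like real ones, so the
        # responses never tell an attacker which names exist.
        if self._locked(username):
            return "locked"
        candidate = _digest(password)       # hash even for unknown users
        stored = USERS.get(username)
        ok = stored is not None and hmac.compare_digest(stored, candidate)
        if ok:
            self.failures.pop(username, None)   # success resets the counter
            return "ok"
        count = self.failures.get(username, (0, 0.0))[0] + 1
        until = self.clock() + LOCKOUT_SECONDS if count >= MAX_ATTEMPTS else 0.0
        self.failures[username] = (count, until)
        return "invalid credentials"
```

A per-username block alone lets an attacker lock other people out on purpose, so real deployments combine it with per-IP throttling or progressive delays.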

So, what do we do? How do we stop the attackers from posting photos of cats all over our “wall” in our name?

Well, first, don’t create a user that may contain sensitive data on untrusted platforms. Secondly, make your password complicated; even if you forget it, that’s better than someone else accessing it. And don’t forget to make sure your system is immune to those horrible Brute-Force attacks!

And remember, turn to the PROS for “Kitty-free” walls and a no-headaches environment.

Stay safe out there, choose Kayran.
