Dictionary attack
We should have a good password. Now, what do we mean by a good password? Well,
ideally, this password is not going to be in a dictionary, like literally a dictionary of
English words or whatever your human language might be.
Why?
Well, there is this threat known as a dictionary attack. By this I mean an
adversary, a hacker who wants to get into your account, could just start typing
randomly to try to figure out what your password is. But if they are a little smarter
they will use a dictionary attack: they will open a physical book of words or, more
likely, a file on their computer containing a whole lot of actual English words (or
words in some other human language), and then try them one at a time: this word as
your password, this word as your password, and so forth. If you and I have chosen a
guessable password that is an actual word in a dictionary, they are going to get into
our account much faster. But even if you and I are clever, and odds are by this point
in life you know that you should not just choose a simple English word or a word in
some other language, but rather should have some numbers, some letters, some
punctuation, or the like, are you still vulnerable?
Why?
Brute-force attack
A brute-force attack, in the original sense, is where someone would take a big
branch of a tree and use it as a battering ram, trying to get into a castle in times past.
Interaction Flow:
Attackers → Battering Ram: Attackers push or swing the battering ram towards the
target.
Battering Ram → Castle/Fortification: The battering ram strikes the gate or wall
repeatedly.
Castle/Fortification → Damage: The gate or wall begins to crack or splinter under the
force of the ram.
Defenders → Attackers: Defenders launch counterattacks (e.g., arrows, boiling oil) to
repel the attackers.
A brute-force attack in the digital world means something analogous: you use
software to try all possible passwords. So here too you are vulnerable, because if your
password is too short, even if it is random, with letters, numbers, and symbols, a hacker
who has enough time and enough technical skill can just try every possible password
and eventually they will get into your system.
So how do we go about defending against these kinds of attacks? We will still use
passwords, but passwords come in different forms, and there is a kind of low bar that is
set by default on a lot of devices even nowadays: a password of 4 numeric digits
alone. Now, if you have a four-digit passcode, or password more generally, how secure is
that? How many possible four-digit passcodes are there? All the digits 0 through 9, the
decimal digits, and only four of them. How many possibilities are there? I am hearing
10000, or 9999. The smallest password I could come up with, so to speak, would be
0000. Now you might think, well, that is obviously 9999 possibilities, but not quite,
because if you include 0000, that is the 10000th possibility. So indeed there are 10000
possible passwords if we are using 4 digits specifically. So how do we actually think about
that more generally, especially so that we can now figure out the math for larger passwords
as well?
10x10x10x10 = 10^4
How long do you think it might take an adversary or a hacker to get into my device, for
instance my phone, if I do have a four-digit passcode? There are 10,000 possibilities. In the
easiest case, sure, they get lucky and my password is still the default 0000. But in the
worst case I chose 9999, and they do not get to that until the very end of their attempts.
Or maybe I chose something in between. I am hearing 10 seconds, less than a second,
a millisecond. So how can we go about actually measuring this, or estimating this? Let us
write some simple code in Visual Studio, in Python, just to demonstrate what a hacker
would need to do if they wanted to get into, for instance, your iPhone or Android
device, or anything that has just a 4-digit passcode. You can imagine that if I had a USB
cable, or maybe a Lightning cable, I could connect the phone to this laptop, especially if it is
your phone that I just swiped from a table, quickly plug it into my computer
here, run the code that I am about to write, and maybe automatically send all 10,000
possibilities to your device before you even realize the phone is gone. I will try all possible
digits for the first position, all possible values for the second digit, then the third and fourth
digits. So one way of doing this might be as follows.
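The lecture's own code is not reproduced on this page, so the following is an added Python example (not the lecture's code) that does what the paragraph describes: it enumerates all 10,000 four-digit PINs in order against a simulated lock and counts how many tries each target costs, timing the whole search. The make_pin_checker stand-in and the target PINs are constructed for the demo. A real iPhone or Android device adds growing delays after failed attempts and can erase itself after too many, so this speed is only reached against a checker with no such limit.

```python
import itertools
import string
import time

DIGITS = string.digits                 # "0123456789": the 10 symbols of a numeric PIN
LOWERCASE = string.ascii_lowercase     # 26 symbols, for a letters-only comparison


def make_pin_checker(secret_pin: str):
    """Stand-in for the locked device (constructed for this demo).
    It answers True only for the exact PIN and never throttles; a real phone
    adds growing delays after failed attempts and can wipe itself."""
    def unlock(guess: str) -> bool:
        return guess == secret_pin
    return unlock


def brute_force(unlock, alphabet: str, length: int):
    """Exhaustive search: try every string of `length` symbols from `alphabet`,
    in order, i.e. all 10 first digits x all 10 second digits x ... for a PIN.
    Returns (the guess that unlocked, attempts) or (None, attempts) if none did."""
    attempts = 0
    for symbols in itertools.product(alphabet, repeat=length):
        guess = "".join(symbols)
        attempts += 1
        if unlock(guess):
            return guess, attempts
    return None, attempts


def demo(targets=("0000", "1234", "9999")):
    """Time the full 4-digit search against best-, middle- and worst-case PINs.
    Returns a list of (target, found, attempts, elapsed_seconds)."""
    results = []
    for target in targets:
        start = time.perf_counter()
        found, attempts = brute_force(make_pin_checker(target), DIGITS, 4)
        results.append((target, found, attempts, time.perf_counter() - start))
    return results


if __name__ == "__main__":
    for target, found, attempts, elapsed in demo():
        print(f"PIN {target}: recovered {found} after {attempts:>5} tries "
              f"in {elapsed * 1000:.2f} ms")
```

The attempt count is the position of the PIN in the enumeration: 0000 falls on the first try, 9999 on the ten-thousandth, and every search against this unthrottled checker finishes in milliseconds, which is the point of the question above.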
And in fact, I could probably unplug it at this point, because I have gotten whatever
data I care about off your phone, and you might be none the wiser.
How can we improve our system?
Well, let me propose that instead of a four-digit passcode, we use a four-letter code
instead, and we will use English because we can speak and read it well. In English there
are 26 letters of the alphabet, A through Z, which gives us 26 possibilities for each
position initially:
26x26x26x26
But if we use lower- and uppercase English letters, the possibilities for each position
become 52, so then:
52x52x52x52
So with 52 possibilities per position, that is 52 to the fourth power,
52^4, and here we have an estimate along the lines of 7 million (7,311,616 exactly). So with
7 million possibilities you might think, OK, that is going to be a lot better. But even four
letters of the alphabet might not be enough to keep us secure. So let us look for something
more secure than this: let us also allow punctuation alongside the letters in a four-character
password, because on an English keyboard there are typically as many as 94 possibilities for
letters, numbers, and punctuation: 52 possibilities for upper- and lowercase letters, 0 to 9
for the decimal digits, and 32 punctuation symbols that we can add to the mix. So
for four characters:
94x94x94x94 = 94^4
We have gone from 10,000 to 7 million, and now from 7 million to 78
million (78,074,896) possibilities.
Nowadays the convention is at least eight characters, and indeed most websites and
apps require as much of you as well. If you have 94 possibilities per position but eight
characters in total, then:
94^8 = 6,095,689,385,410,816
So this is 6 quadrillion possibilities. Now the adversary is probably going to run out
of time, run out of energy, run out of money, because it is going to take that much time to
try to crack your password. It really is a game of relativity and resources. It is
still the same formula, the same approach to our passwords, but as we add
complexity and make the password longer and longer, we are raising the bar for the
adversary. The downside is that a longer password is harder to remember, so there is a
need to balance usability and security of the account.
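As an added example (not from the lecture), the following Python turns the 10x10x10x10 rule into the time figures the earlier question asks for, across the four cases above. The two guess rates are assumptions chosen for illustration, not measured figures: a throttled online login accepting roughly 10 guesses per second, and an offline attack on a leaked fast hash running at 10^9 guesses per second. The "relativity and resources" point is that the same 94^8 keyspace is out of reach for one attacker and a matter of weeks for the other.

```python
# Assumed guess rates, constructed for illustration only.
ONLINE_THROTTLED = 10            # guesses/second against a rate-limited login page
OFFLINE_FAST_HASH = 10 ** 9      # guesses/second against a leaked fast hash, offline

DIGITS = 10          # 0-9
MIXED_CASE = 52      # a-z plus A-Z
PRINTABLE = 94       # 52 letters + 10 digits + 32 punctuation symbols on a US keyboard


def keyspace(symbols: int, length: int) -> int:
    """Number of distinct passwords: symbols ** length, i.e. 10x10x10x10 for a 4-digit PIN."""
    return symbols ** length


def search_seconds(symbols: int, length: int, guesses_per_second: float):
    """Return (worst_case, average_case) seconds for exhaustive search.
    Worst case tries every candidate; on average half of them are tried."""
    n = keyspace(symbols, length)
    return n / guesses_per_second, (n / 2) / guesses_per_second


def human(seconds: float) -> str:
    """Render a duration in the largest unit that fits, for the table below."""
    units = (("years", 365 * 24 * 3600), ("days", 24 * 3600),
             ("hours", 3600), ("minutes", 60))
    for name, size in units:
        if seconds >= size:
            return f"{seconds / size:,.1f} {name}"
    if seconds >= 1:
        return f"{seconds:,.1f} seconds"
    return f"{seconds * 1000:.3f} milliseconds"


def table():
    """Worst-case search time for the page's four password shapes at both rates.
    Returns a list of (label, keyspace, online_time, offline_time)."""
    cases = (("4 digits", DIGITS, 4), ("4 letters", MIXED_CASE, 4),
             ("4 printable", PRINTABLE, 4), ("8 printable", PRINTABLE, 8))
    rows = []
    for label, symbols, length in cases:
        worst_online, _ = search_seconds(symbols, length, ONLINE_THROTTLED)
        worst_offline, _ = search_seconds(symbols, length, OFFLINE_FAST_HASH)
        rows.append((label, keyspace(symbols, length), human(worst_online), human(worst_offline)))
    return rows


if __name__ == "__main__":
    print(f"{'password':<12}{'keyspace':>22}{'online @10/s':>20}{'offline @1e9/s':>20}")
    for label, n, online, offline in table():
        print(f"{label:<12}{n:>22,}{online:>20}{offline:>20}")
```

Read the last row both ways: at the throttled online rate 94^8 takes millions of years, which is why an eight-character password is "enough" against someone guessing at the login form; at 10^9 guesses per second it is about 70 days worst case, which is why the same password is not enough once the site's password database has leaked and is being cracked offline.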
What are other defenses against these kinds of brute-force attacks, or even
dictionary attacks?
Well, there is a system that you and I are increasingly able to turn on, which
is, in general, probably a good thing: 2-factor authentication. This is a technology
whereby, in addition to having one factor that you use to log in, like your password,
as is tradition, you have a second, or maybe more, factors that you must additionally use
in order to log in. But these factors do not generally mean one password, two passwords,
or three passwords, or the like.
In general, they are broken down into these three categories.
Three Categories of Authentication Factors
Two-Factor Authentication (2FA) adds an extra layer of security by requiring two
different forms of verification drawn from different categories. This helps prevent
unauthorized access even if one credential is compromised. Here are the three categories:
1. Knowledge-Based Factors:
Something You Know: information only you should have, such as:
Passwords: the most common form, but vulnerable to phishing as well as the dictionary
and brute-force attacks above.
Security Questions: questions with personal answers, but the answers can often be guessed
or found through social engineering or public records.
2. Possession-Based Factors:
Something You Have: a physical item you possess, such as:
Security Tokens: small devices that generate time-based codes.
Mobile Apps: authenticator apps that generate one-time codes.
Hardware Keys: USB or NFC devices that answer a cryptographic challenge from the site,
usually after a touch or PIN; because the answer is tied to the site that asked, a phishing
page cannot reuse it.
3. Inherence-Based Factors:
Something You Are: a unique characteristic of your body, such as:
Biometrics: fingerprints, facial recognition, or voice recognition.
Behavioral Biometrics: typing patterns, mouse movements, or gait analysis.
Multi-factor authentication (MFA) adds an extra layer of security to your Google
account by requiring a second step to verify your identity when you sign in. Here is
how you can set it up:
Open your Google Account:
Go to Google Account.
In the navigation panel, select Security.
Set up 2-Step Verification:
Under "How you sign in to Google," select 2-Step Verification.
Click Get started and follow the on-screen instructions.
Choose your second step:
Google Prompts: receive a prompt on your phone to approve the sign-in.
Authenticator App: use the Google Authenticator app to generate verification codes.
Text Message or Call: receive a code via SMS or voice call (the weakest option, since
SMS can be redirected by SIM swapping).
Security Key: use a physical security key for the strongest, phishing-resistant protection.
OTP stands for One-Time Password. It is a security code that is generated for a
single use and either sent to the user's device (usually a phone) or computed on it by an
authenticator app. The code is used to verify the user's identity and prevent unauthorized
access to accounts or services.
How does it work?
1. User initiates a login: the user enters their username and password (the first factor).
2. OTP generation: the system generates a unique code, either at random on the server
or, for authenticator apps, derived from a secret shared at enrollment and the current time.
3. OTP delivery: a server-generated code is sent to the user's registered device (usually via
SMS); an app-generated code is shown on the device and never travels over the network.
4. User enters OTP: the user enters the code into the login form.
5. Verification: the system checks that the entered OTP matches the expected one and
has not already been used. If so, the user is granted access.
Benefits of using OTP:
Enhanced security: a code that is valid once, and only briefly, is useless to an attacker
who steals it later, unlike a static password. (It can still be captured by a real-time
phishing page, and SMS delivery can be hijacked by SIM swapping, which is why
authenticator apps and security keys are preferred over text messages.)
Reduced risk of fraud: OTPs make it harder for unauthorized individuals to gain access
to accounts with a stolen or guessed password alone.
Convenience: OTPs can be easily generated and delivered to the user's device.
Common use cases for OTPs:
Online banking
Email accounts
Social media platforms
Two-factor authentication (2FA)