For the longest time, a password was seen as an acceptable way of protecting one’s digital privacy. However, as biometrics and cryptography became increasingly available to the public, the flaws of this simple method of authentication have become increasingly noticeable.
After all, a leaked password became the centerpiece of the biggest cyber security story of the last 12 months – the Solarwinds hack.
However, even if the password wasn’t leaked, it wouldn’t be hard for cyber criminals to guess it. After all, in the words of US politician Katie Porter, most parents use a stronger password to prevent their offspring from “watching too much YouTube on their iPad”.
Weak, easy-to-guess passwords are more prevalent than one would expect: recent findings from the NCSC revealed that almost one in six people use the names of their pets as their passwords, making it a highly predictable choice. Making matters even worse, these passwords also tend to be reused across different sites.
This is why it should come as no surprise that passwords are a cyber security expert’s worst nightmare. However, there are steps worth taking in order to remedy this issue: while biometrics and cryptography could bolster a company’s security, robust multi-layer authentication is a must. Apart from these, mitigating risks also means being aware of the steps cyber criminals take to hack your account.
As the famous saying goes: know your enemy! This is why we’ve collated the 9 password-cracking techniques used by hackers, in order to give you and your business a better idea of what to look out for.
- Malware
Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data. Alongside highly disruptive malicious software like ransomware, which attempts to block access to an entire system, there are also highly specialized malware families that target passwords specifically.
Keyloggers, and their ilk, record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.
- Brute force attack
Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.
A simple example of a brute force attack would be a hacker guessing a person’s password based on relevant clues; however, these attacks can be more sophisticated than that. Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which will have been exposed by previous data breaches. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess the associated usernames.
Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.
- Phishing
Perhaps the most commonly used hacking technique today, phishing is the practice of attempting to steal user information by disguising malicious content as a trustworthy communication.
The typical tactic is to trick a user into clicking on an embedded link or downloading an attachment. Instead of being directed to a helpful resource, a malicious file is downloaded and executed on the user’s machine. What happens next depends entirely on the malware being executed – some may encrypt files and prevent the user from accessing the machine, while others may attempt to stay hidden in order to act as a backdoor for other malware.
As computer literacy has improved over the years, and as users have grown accustomed to online threats, phishing techniques have had to become more sophisticated. Today’s phishing usually involves some form of social engineering, where the message will appear to have been sent from a legitimate, often well-known company, informing its customers that they need to take action of some kind. Netflix, Amazon, and Facebook are often used for this purpose, as it’s highly likely that the victim will have an account associated with these brands.
The days of emails from supposed princes in Nigeria looking for an heir, or firms acting on behalf of wealthy deceased relatives, are largely behind us, although you can still find the odd, wildly extravagant claim here and there.
Our recent favorite is the case of the first Nigerian astronaut who is unfortunately lost in space and needs us to act as a man in the middle for a $3 million transfer to the Russian Space Agency – which apparently does return flights.
- Network analyzers
Network analyzers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plaintext passwords contained within.
Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analyzers as part of the first phase of an attack, followed up with brute force attacks.
Of course, businesses can use these same tools to scan their own networks, which can be especially useful for running diagnostics or for troubleshooting. Using a network analyzer, admins can spot what information is being transmitted in plain text, and put policies in place to prevent this from happening.
The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.
- Offline cracking
It’s important to remember that not all hacking takes place over an internet connection. In fact, most of the work takes place offline, particularly as most systems place limits on the number of guesses allowed before an account is locked.
Offline hacking usually involves recovering passwords from a list of hashes, likely taken from a recent data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.
Of course, this can only be done once an initial attack has been successfully launched, whether that’s a hacker gaining elevated privileges and accessing a database, by using a SQL injection attack, or by stumbling upon an unprotected server.
- Shoulder surfing
You might think the idea of someone looking over your shoulder to see your password is a product of Hollywood, but this is a genuine threat, even in 2021. Brazen examples of this include hackers disguising themselves in order to gain access to company sites and, quite literally, look over the shoulders of employees to grab sensitive documents and passwords. Smaller businesses are perhaps most at risk of this, given that they’re unable to police their sites as effectively as a larger organization.
Security experts recently warned of a vulnerability in the authentication process used by WhatsApp. Users trying to use WhatsApp on a new device must first enter a unique code that’s sent via a text message, which can be used to restore a user’s account and chat history from a backup. It was found that if a hacker was able to obtain a user’s phone number, they could download the app to a clean device and request a new code, which, if they were within spying distance, they could copy as it arrived on the user’s own device.
- Dictionary attack
The dictionary attack is a slightly more sophisticated example of a brute force attack.
This uses an automated process of feeding a list of commonly used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations.
This technique takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.
- Mask attack
Where dictionary attacks use lists of common phrases and word combinations, mask attacks are far more specific in their scope, often refining guesses based on the expected characters or numbers – usually founded on existing knowledge.
For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.
The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.
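The dictionary and mask sections above describe password shapes that are cheap to guess: known leaked strings, whole words stuck together, and predictable character-class layouts such as a word followed by a year. The following defensive checker, an added example that is not from the article, rejects exactly those shapes at registration time; the breach set, the wordlist and the function names are constructed for illustration.

```python
import re
from functools import lru_cache

# Constructed stand-in for a corpus of credentials leaked in previous breaches.
BREACHED = {"password", "qwerty", "letmein", "fluffy2019", "welcome1"}
# Constructed mini wordlist: common words and pet names that turn up in passwords.
WORDS = {"fluffy", "max", "bella", "summer", "welcome", "dragon",
         "monkey", "love", "football", "secret"}

# Character-class layouts that a mask attack would try first
# (l = lowercase, u = uppercase, d = digit, s = symbol).
PREDICTABLE_MASKS = [
    r"^u?l+d{1,4}s?$",   # Fluffy2019!  word, then a number, maybe one symbol
    r"^d{1,4}u?l+$",     # 2019fluffy   number first
    r"^u?l+s?d{1,4}$",   # fluffy!2019  symbol between word and number
]

def mask_of(pw: str) -> str:
    """Reduce a password to its character-class mask, e.g. 'Ab1!' -> 'ulds'."""
    return "".join("l" if c.islower() else "u" if c.isupper()
                   else "d" if c.isdigit() else "s" for c in pw)

@lru_cache(maxsize=None)
def split_words(s: str):
    """Return s split into wordlist entries (e.g. 'maxbella' -> ['max', 'bella']),
    or None if no such segmentation exists. Memoised so long inputs stay cheap."""
    if s == "":
        return ()
    for i in range(len(s), 0, -1):
        if s[:i] in WORDS:
            rest = split_words(s[i:])
            if rest is not None:
                return (s[:i],) + rest
    return None

def assess(pw: str):
    """Return the list of weaknesses found; an empty list means no finding."""
    findings = []
    if pw.lower() in BREACHED:
        findings.append("breached")        # credential recycling / dictionary hit
    core = re.sub(r"[^a-z]", "", pw.lower())
    if core and split_words(core) is not None:
        findings.append("dictionary")      # letters are whole words stuck together
    m = mask_of(pw)
    if any(re.match(p, m) for p in PREDICTABLE_MASKS):
        findings.append("mask")            # layout a mask attack would try early
    if len(set(m)) < 3:
        findings.append("low-variety")     # fewer than three character classes
    return findings
```

Run `assess("Fluffy2019!")` to see the common "pet name plus year" shape flagged as both a dictionary construction and a predictable mask even though the exact string is not in the breach set.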
- Guess
If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.
The best way to remove this as a potential avenue for criminals is to maintain password hygiene and make use of password managers, many of which are free.