INSIGHTS FROM ENGINEERS
Learn How Passwords Get Hacked
Passwords can be stolen in many different ways.
So that you have an understanding as to why there are several requirements to password creation and protection, we thought it might be helpful to give you a “behind the scenes” view of how passwords get hacked, and methods by which your “S3cRetC0dE123!” can be nabbed by bad actors.
Brute Force Password Cracking
When most people think of having their password hacked, they usually think of the “trial and error” approach. Think of a bad actor figuring out your password by an algorithm programmed to rifle through millions of possible character combinations, and possibly using some social engineering methods to get you to share with him the maiden name of your grandmother, the date your kid’s birthday, and the make or model of your first car. How passwords get hacked is often by this method of brute force password cracking, and for this reason password length and complexity is an important part of security.
How to Prevent Brute Force Password Cracking
WATCH VIDEO There are 5 Elements to strong and secure password creation and maintenance:
• Avoid common knowledge references
• Use different passwords for different accounts
• Use complexity
• Whenever possible, give your passwords “special characters”
• Change your passwords every 3-6 months
One of the most common ways that a password can be stolen is by spoofing. If a bad actor successfully spoofs a wireless network, he will have access to information of every user that has connected to it before and their corresponding saved password. Also, no spoofing is even necessary if the wireless network is an open network that the user can connects to automatically. If you are running windows, all you have to do is open a command prompt and type the command netsh wlan show profile. This will give you the list of every stored wireless profile that your computer has connected to in the past.
If you have a saved profile that has the stored credentials and is set to connect automatically, it is broadcasting this information. To illustrate, from the perspective of the unsuspecting end user, this is like walking through a crowded area asking out loud, “Are you my brother?” to the present population. If someone is maliciously looking to take advantage of you, they will answer “Yes, I am your brother!” and make that connection. Then, at that point, they can see all of the communication that you are doing. If they have a decrypter involved, they can also see all of your data. So to be clear, if you have a stored wireless profile that is “MyHomeWifi” with a password of “JuneMyFavoriteMonth2020!”, you are broadcasting that information, just like the “Are you my brother?” example above. All it takes is someone to pretend to be your home wireless, which is what a Spoofer does. Then they can connect your device to the connection that they will “provide” you. Now once they are connected they will capture your traffic and utilize it to get usernames and passwords to everything that you access from your device.
How to Prevent Spoofed Password Compromise
A good way to limit this type of password compromise is to never store wireless profiles and credentials on your system. Never connect automatically to a stored wireless profile. Unfortunately, due to ease of use, many users set their systems to automatically connect. But since this practice leaves you vulnerable to the spoofing strategy, it is wise to avoid it.
Another common way passwords are stolen is by hash cracking. In this method, passwords in a computer system are not stored directly as plain text, but are hashed using encryption. Passwords are normally stored in one-way hashes to obfuscate them. Hashes are made to be one-way, which means that reversing the algorithm is impossible. Whenever a user enters a password, it is converted into a hash value and is compared with the already stored hash value. If the values match, the user is authenticated.
New thoughts about password creation are fun… and you will likely find them incredibly liberating!
How to Prevent Hash Cracking
Hash cracking is avoided with good password length and complexity.
In fact, because of the hash cracking technique, it has led many to re-assess what it means to have a secure password.
WATCH VIDEO to learn that the old rules are being challenged by these new rules:
3 DOs and 4 DON’Ts:
1: DO Focus On Length Over Complexity
2: DO Keep It Weird
3: DON’T Repeat Yourself
4: DON’T Double Dip
5: DON’T Change Too Often
6: DON’T Panic!
7: DO Put On Extra Layers
A rainbow table (also called lookup tables) is a database that is used to gain authentication by cracking the password hash. It is a pre-computed dictionary of plaintext passwords and their corresponding hash values that can be used to find out what plaintext password produces a particular hash. Since more than one text can produce the same hash, it’s not important to know what the original password really was, as long as it produces the same hash.
A rainbow table works by doing a cryptanalysis very quickly and effectively. This is unlike the brute force attack, which works by calculating the hash function of every string present, then calculating the hash value, and lastly comparing it with the one on the computer. Instead, a rainbow table attack eliminates this need by already computing hashes of the large set of available strings. There are two main steps in this method, creating a table and cracking the password.
Defense Against Rainbow Table: Make Sure that Password is Loooong
Just as with regular hash cracking, having a 25-30 character password will make the rainbow table method useless to the would-be attacker. So come up with your silly sentence long password, and know that it it going a long way to protect you from all these hacks on hashes!
AND FINALLY… There’s No School Like Old School:
Keyloggers and Shoulder Surfing
Spying on victims to learn their passcode is, of course, the original approach for how passwords get hacked. These methods by which a bad actor can learn your passwords are all still very much in use.
A keylogger is a software program that does just whta the name says: it logs keystrokes. So if your computer system has been infected with a malicious keylogger, it would be sending out to a bad actor every stroke you type, including your passwords.
As for shoulder surfing, there are several methods by which can learn your password, some without any diffuculty at all. Got your password on a post-it at your desk? A bad actor in the office or attending that Zoom conference with a clear view of it can now break in to your account without effort.
Shoulder surfing is lagely a social engineering option for password compromise, and if not done by direct observation of the password, it can be done through recording techniques, utilizing a recording software or device.
Protection from Shoulder Surfing & Keyloggers
Just two solutions necessary to solve these problems:
Disagree With Us on Password Theory?
We understand if you hold to different convictions on this subject. And, quite honestly, if you do we want to hear from you! Cybersecurity experts all agree about the many ways how passwords get hacked, but we can have diverse ideas on effective countermeasures. Our passion is security, and we are open and receptive to new insights and perspectives that might least to a more secure network. Contact us at info@securenetworkers to share with us your thoughts, or call us at (281) 651.2254, or complete the inquiry form below!
“Length Over Complexity”