Passwords can be difficult to remember, especially if you follow the rules for making them “strong”. They can also be fiddly to type, especially on mobile devices and small keyboards, and inconvenient and time-consuming to use given that best practice is a different one for each account. However, if an attacker guesses or steals your passwords, you stand to lose a lot more than your time and patience.
If the media coverage of high-profile breaches, with millions of user credentials and passwords up for sale on the open market, isn’t enough to convince you that the threat to password security is real, then a better understanding of how such attacks actually work may be.
Brute Force Password Attacks
Brute force attacks run through as many candidate passwords as it takes to hit the right one. They typically start with the commonest or most likely guesses (“Password”, “1234567”, or birthdays if the target is known) and then progress systematically through combinations of letters, digits and other keyboard characters. Two forms matter in practice: online attacks, which submit guesses to a live login page and are throttled by rate limiting and account lockout, and offline attacks, which run against a stolen list of password hashes and are limited only by the attacker’s hardware. Scripts and applications written for both purposes are readily available for download.
Dictionary Attacks
In essence these are word-based brute force attacks: the attacker tests a likely set of words first, then works systematically through a whole dictionary if necessary, usually applying “mangling rules” (capitalisation, appended digits or symbols, leetspeak substitutions) so that “Summer2023!” falls almost as quickly as “summer”.
The initial “dictionary” may be compiled from lists of the most common passwords, and if the attacker gains access to user profiles, employment lists or other data, the word file may be supplemented with existing usernames, birthdays, addresses, names of family members, maiden names, and so on.
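The offline form of the attack described above, as an added example that is not part of the original article: a constructed wordlist is expanded with a few mangling rules (case changes, common suffixes, leetspeak) and run against a constructed list of unsalted SHA-256 hashes. The wordlist, suffixes and “stolen” hashes are all made up for the demonstration; the point is that a password which satisfies complexity rules but is built from a guessable word falls within a few hundred guesses, while a long passphrase does not.

```python
import hashlib

# Constructed wordlist: stands in for a "most common passwords" file plus a few
# names and words an attacker might harvest about the targets.
BASE_WORDS = ["password", "123456", "qwerty", "letmein", "alice", "bob", "summer"]
# Suffixes users commonly bolt on to satisfy "must contain a digit/symbol" rules.
SUFFIXES = ["", "1", "!", "123", "2023", "2023!"]
# Leetspeak substitutions applied as one more mangling rule.
LEET = str.maketrans("aeios", "43105")


def sha256_hex(text: str) -> str:
    return hashlib.sha256(text.encode()).hexdigest()


def candidates(words):
    """Yield guesses in rough order of likelihood: every plain word first,
    then case, suffix and leetspeak variants of each word, without repeats."""
    seen = set()
    for w in words:
        if w not in seen:
            seen.add(w)
            yield w
    for w in words:
        for base in (w, w.capitalize(), w.upper(), w.translate(LEET)):
            for suffix in SUFFIXES:
                guess = base + suffix
                if guess not in seen:
                    seen.add(guess)
                    yield guess


def dictionary_attack(target_hashes, words, limit=100_000):
    """Offline attack on a stolen list of unsalted SHA-256 hashes.

    Returns ({hash: recovered_password}, guesses_spent). Stops when every
    target is cracked or `limit` guesses have been spent."""
    remaining = set(target_hashes)
    cracked = {}
    tried = 0
    for guess in candidates(words):
        if not remaining or tried >= limit:
            break
        tried += 1
        digest = sha256_hex(guess)
        if digest in remaining:
            cracked[digest] = guess
            remaining.discard(digest)
    return cracked, tried


# Constructed "leaked" hash list (hash -> account); not real data.
STOLEN = {
    sha256_hex("password"): "user1",
    sha256_hex("Summer2023!"): "user2",   # meets "complexity" rules, still a mangled word
    sha256_hex("4l1c3"): "user3",         # leetspeak of a harvested first name
    sha256_hex("correct horse battery staple"): "user4",  # long passphrase, no variant matches
}

if __name__ == "__main__":
    cracked, tried = dictionary_attack(STOLEN, BASE_WORDS)
    for digest, account in STOLEN.items():
        print(account, "->", cracked.get(digest, "<not cracked>"))
    print(f"{len(cracked)}/{len(STOLEN)} cracked after {tried} guesses")
```

Real tools (hashcat, John the Ripper) apply thousands of such rules at GPU speed, which is why the ordering of guesses, cheapest and likeliest first, matters more than the raw size of the dictionary.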
Key Logger Attacks
Key logger attacks rely on malware: the attacker gets malicious code onto a user’s machine by one of various routes (infected email attachments, “drive-by downloads” from spoofed websites, and so on). The malware then sits hidden in the background, recording keystrokes, logging mouse movements or even capturing screenshots, and transmits some or all of this back to the attacker’s command-and-control server. Because the password is captured as it is typed, hashing or encrypting it on its way to the server offers no protection against this method.
It is not uncommon for this method to be deployed in a mass attack against an entire department or organisation, in which case many passwords and user credentials may be harvested for later use.
Offline Detection
Occasionally described as “looking outside the box”, because of past successes in gleaning user information from discarded computer packaging, print-outs and office waste bins, offline detection requires the attacker to do some legwork to obtain passwords and credentials by indirect means. These may include simple eavesdropping as users share their passwords with colleagues out loud, reading Post-It notes stuck to monitors, and “shoulder surfing” as users type their details in.
Rainbow Tables
Hashing algorithms are one-way mathematical functions that turn a password of any length into a fixed-length digest (the hash value). A well-designed system never stores the password itself: it stores the hash, and at login it recomputes the hash of whatever the user typed and compares the two. Hashing is not encryption; there is no key and no way to “decrypt” a hash. An attacker who steals a list of hashes can only recover the passwords by guessing candidates, hashing each one and comparing.
Rainbow tables are precomputed, space-efficient lookup tables that map hash values back to the passwords that produced them for a huge set of candidates. Against hashes computed without a per-user random salt, the attacker simply looks each stolen hash up and recovers most common passwords instantly. Salting forces that computation to be redone for every user, which is why modern password storage combines a per-user salt with a deliberately slow function such as bcrypt, scrypt or Argon2.
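To make the lookup-versus-salt distinction concrete, the following added example (not code from the original article) builds a hash-to-password table for a constructed wordlist, runs it against a constructed leak of unsalted hashes, and then shows that the same table is useless once each account has its own random salt: the attacker is back to hashing every candidate separately per user. A genuine rainbow table compresses the mapping into chains rather than storing every pair, but the attack and the defence work exactly as shown here.

```python
import hashlib
import os

# Constructed wordlist standing in for the candidate set a precomputed table covers.
WORDLIST = ["password", "123456", "qwerty", "letmein", "dragon", "monkey"]


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_lookup_table(words):
    """Precompute hash -> password once. Against unsalted hashes the same table
    is reusable for every breach the attacker ever obtains."""
    return {sha256_hex(w.encode()): w for w in words}


def lookup_crack(table, stolen):
    """stolen: {username: hex_hash}. One dictionary lookup per account."""
    return {user: table[digest] for user, digest in stolen.items() if digest in table}


def salted_hash(password: str, salt: bytes = None):
    """Hash with a per-user random salt; the salt is stored beside the hash."""
    if salt is None:
        salt = os.urandom(16)
    return salt.hex(), sha256_hex(salt + password.encode())


def salted_crack(words, stolen_salted):
    """stolen_salted: {username: (salt_hex, hex_hash)}. No table applies: the
    attacker must rehash every candidate separately for each user's salt.
    Returns ({username: password}, number_of_hashes_computed)."""
    found, work = {}, 0
    for user, (salt_hex, digest) in stolen_salted.items():
        salt = bytes.fromhex(salt_hex)
        for w in words:
            work += 1
            if sha256_hex(salt + w.encode()) == digest:
                found[user] = w
                break
    return found, work


# Constructed accounts; "T0psecret!x" is deliberately outside the wordlist.
ACCOUNTS = [("ann", "password"), ("ben", "dragon"), ("cy", "T0psecret!x")]

if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    unsalted = {u: sha256_hex(p.encode()) for u, p in ACCOUNTS}
    print("unsalted leak, table lookup:", lookup_crack(table, unsalted))

    salted = {u: salted_hash(p) for u, p in ACCOUNTS}
    hashes_only = {u: d for u, (_, d) in salted.items()}
    print("salted leak, table lookup:", lookup_crack(table, hashes_only))
    found, work = salted_crack(WORDLIST, salted)
    print("salted leak, per-user guessing:", found, "after", work, "hashes")
```

Salt alone only removes the precomputation shortcut; with a fast hash such as SHA-256 the per-user guessing in `salted_crack` still runs at billions of attempts per second on a GPU, which is why the slow, memory-hard functions named above are the other half of the defence.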
Social Engineering
Social engineering exploits human nature and gullibility. From the simple phone call from an attacker posing as someone in your own company’s Tech Support who needs your password to resolve a network issue, to the phishing attack spearheaded by an urgent email from your bank’s customer service desk, these attacks draw on our natural tendency to trust the familiar and to defer to authority.
This technique even extends to the bogus service contractor who brazenly walks into the building, flashes a fake ID and demands access to your credentials and desktop in order to resolve a glitch reported back at head office.
Spoofs and Trojans
Successful phishing expeditions or social engineering tricks may lure unsuspecting users onto false websites. These are constructed to look just like those of trusted institutions, and may host online forms where data and passwords entered into the fields are passed on to the cyber-criminals.
The same lures may also induce users to download, or unknowingly be infected by, Trojans: legitimate-seeming programs that turn out to be key loggers, screen-grabbers or worse.
Network Sniffing
Finally, network traffic monitoring is another avenue for password theft: packet sniffers and similar tools can intercept passwords as they cross a network in unencrypted, clear-text form. Traditionally this has been a big weakness of older TCP/IP protocols such as Telnet, FTP, HTTP without TLS and SNMP (versions 1 and 2c send their “community string” credential in the clear), as well as of early remote access utilities. Each has an encrypted replacement (SSH, SFTP or FTPS, HTTPS, SNMPv3) that leaves a sniffer with nothing usable. Note also that encoding is not encryption: HTTP Basic authentication merely Base64-encodes the username and password, and a sniffer decodes it trivially.
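What a sniffer actually recovers from clear-text protocols, as an added example that is not part of the original article: a handful of constructed application-layer payloads (an FTP login, an HTTP request with Basic authentication, and an opaque TLS record) are scanned the way a credential-harvesting tool would scan them. The flow labels, addresses and credentials are all made up for the demonstration.

```python
import base64
import re

# Constructed application-layer payloads, as a sniffer on the path would see them:
# (flow label, bytes). Not real captures.
PAYLOADS = [
    ("10.0.0.5:51000->10.0.0.9:21", b"USER alice\r\n"),
    ("10.0.0.5:51000->10.0.0.9:21", b"PASS hunter2\r\n"),
    ("10.0.0.5:51200->10.0.0.9:80",
     b"GET /admin HTTP/1.1\r\nHost: intranet\r\n"
     b"Authorization: Basic Ym9iOnMzY3JldA==\r\n\r\n"),
    # TLS 1.2 application-data record: opaque ciphertext, nothing to harvest.
    ("10.0.0.5:51300->10.0.0.9:443", b"\x17\x03\x03\x00\x2a" + bytes(42)),
]

FTP_CMD = re.compile(rb"^(USER|PASS) ([^\r\n]+)\r\n$")
HTTP_BASIC = re.compile(rb"Authorization: Basic ([A-Za-z0-9+/=]+)")


def extract_credentials(payloads):
    """Return [(protocol, username, password)] recovered from clear-text payloads.
    FTP sends USER and PASS as separate lines, so they are paired per flow."""
    creds = []
    pending_user = {}  # flow -> username seen, awaiting its PASS line
    for flow, data in payloads:
        m = FTP_CMD.match(data)
        if m:
            cmd, arg = m.group(1), m.group(2).decode(errors="replace")
            if cmd == b"USER":
                pending_user[flow] = arg
            elif flow in pending_user:
                creds.append(("ftp", pending_user.pop(flow), arg))
            continue
        m = HTTP_BASIC.search(data)
        if m:
            # Base64 is an encoding, not encryption: it decodes straight to user:password.
            decoded = base64.b64decode(m.group(1)).decode(errors="replace")
            user, _, password = decoded.partition(":")
            creds.append(("http-basic", user, password))
        # Anything else, including the TLS record, yields nothing.
    return creds


if __name__ == "__main__":
    for proto, user, pw in extract_credentials(PAYLOADS):
        print(f"{proto}: {user} / {pw}")
```

The same matching logic, run over a real capture, is a useful detection control in the other direction: alert whenever a clear-text credential is seen on the wire, because it means a service that should have been retired or moved behind TLS is still in use.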
So, as you can see, there are a variety of tactics by which attackers can obtain your user credentials and passwords and so gain access to your data. In a study conducted by WordPress Security over a 16-hour period in February of this year, researchers logged a staggering 6,611,909 brute force password attacks targeting 72,532 individual websites. The same research group estimates that hacking attempts are occurring at a rate of 114 attacks per second.
With such intense levels of activity, and with techniques like rainbow tables and key logging making even hashed or encrypted passwords obtainable, a password alone is no longer enough. That is why increasing numbers of organisations are adopting multi-factor authentication (MFA) for user validation.
Even if an individual’s password becomes available, an attacker faces a much stiffer challenge in intercepting a text message security code sent to the user’s mobile phone, determining the one-time code generated by a token device or authenticator app the user carries, or recreating the user’s biometrics (fingerprint, voice, etc.) to complete the next stage of authentication. The factors are not all equal, however: SMS codes can be captured through SIM-swap fraud or by phishing the code itself, so time-based one-time codes from a token or app, or better still a hardware security key, are the stronger choices where they are available.
Let us leave you with some recommendations that might help protect you from future attacks.
- “Strong passwords”: the traditional rule of thumb was at least seven characters with a mix of upper- and lowercase letters, numbers and symbols. Length matters more than character mix, so prefer twelve or more characters or a multi-word passphrase, use a different password for each account, and change a password whenever you suspect it has been exposed (current guidance such as NIST SP 800-63B no longer recommends routine forced rotation, which pushes users toward predictable variants).
- Password generators and managers may be used, but should come from reputable security firms and be downloaded from official websites and app stores.
- Encryption (TLS) should protect every transaction over the internet, and passwords should never be stored in recoverable form: a server should keep only a salted hash produced by a deliberately slow function (bcrypt, scrypt or Argon2), while a password manager’s vault should be encrypted with a key derived from the master password.
- Multi-factor authentication should always be an option – and the preferred one, if the technology is available.
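How the storage recommendation above looks in practice, as an added example that is not code from the original article: passwords are stored with Python’s standard-library `hashlib.scrypt` in a self-describing record that carries its own salt and work factors, and verification recomputes from that record and compares in constant time. The record format `scrypt$n$r$p$salt$hash` and the work factors are choices made for this example, not a standard the article prescribes.

```python
import base64
import hashlib
import hmac
import os

# Work factors chosen for this example: n=2**14, r=8 costs roughly 16 MiB of
# memory per hash, a reasonable interactive-login cost; raise n as hardware improves.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def hash_password(password: str, salt: bytes = None) -> str:
    """Return a self-describing record: scrypt$n$r$p$salt$hash (base64 fields).
    Storing the parameters lets them be raised later without breaking old records."""
    if salt is None:
        salt = os.urandom(16)  # fresh random salt per password, never reused
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     base64.b64encode(salt).decode(), base64.b64encode(dk).decode()])


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own salt and parameters; constant-time compare."""
    algo, n, r, p, salt_b64, dk_b64 = record.split("$")
    if algo != "scrypt":
        raise ValueError("unsupported record type: " + algo)
    salt, expected = base64.b64decode(salt_b64), base64.b64decode(dk_b64)
    dk = hashlib.scrypt(password.encode(), salt=salt,
                        n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(dk, expected)


if __name__ == "__main__":
    record = hash_password("correct horse battery staple")
    print(record)
    print(verify_password("correct horse battery staple", record))  # True
    print(verify_password("Password1!", record))                    # False
```

Because every record carries its salt, the precomputed-table attack is impossible, and because each verification costs the same 16 MiB of memory that the attacker must spend per guess, GPU-scale guessing against a stolen table slows from billions to thousands of attempts per second.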