We use passwords everywhere. We need them to log in to our websites, apps, online accounts and even the devices we access them on. Unfortunately, cybercriminals have discovered increasingly clever ways to find out what they are. To keep you up to date with their growing sophistication and to put you in a better position to defend your business and private accounts, here are seven of the most common ways hackers can crack your passwords.
1. Phishing attacks
Phishing attacks are the most common way that a hacker will attempt to get access to your passwords. They involve sending some form of electronic communication, typically email but also SMS or other forms of message, that contains a malicious link. Clicking on the link will result in malware being downloaded onto your device which will silently collect your usernames and passwords and send them to the hacker.
2. Social engineering attacks
Social engineering attacks are a specialised form of phishing that has been used heavily in recent years, particularly against businesses and their customers. The attack begins with the arrival of a seemingly legitimate email from a reputable company informing you that there’s an action you need to take. A link will be provided for you to carry out that action and when you click on it, you’ll be taken to a website and asked to sign in.
The website you are sent to is a scam site, often a clone of the genuine site with a URL that is not too dissimilar to the original. When you log in, that scam site records your username and password for the hacker’s use.
Another version of social engineering involves sending employees legitimate-looking emails that pretend to be from the company they work for. They often appear to come from people they know and trust within the organisation. These too will ask for an action to be carried out (e.g. your password is about to expire, please click here to update) and, once again, logging in will result in the login credentials being stolen.
3. Spidering
Spidering is a form of investigative hacking in which cybercriminals seek to build relationships with their victims as a way to steal passwords. In a way, it takes phishing and social engineering to a new level, but the depth to which it goes often provides better results. Hackers will often pretend to be potential clients or contractors and will ask for information about a company in the hope of gaining insights into its systems and networks. Any information they receive will then be analysed to help them find vulnerabilities to attack.
4. Password stealing malware
Our day-to-day use of the internet means we can unwittingly click on malicious links or visit compromised websites. If you do, there’s the potential for malware to be downloaded to your device – especially if you do not have antivirus protection. There are specific types of malware which are designed to steal passwords, usernames and other personal information. The most common are keyloggers and screen scrapers, which record the keys you press on your keyboard or take screenshots of your activity.
5. Brute force attacks
A brute force attack is when a hacker makes repeated attempts to guess your password. This may look like an impossible feat, but it isn’t. Cybercriminals can cheaply purchase databases containing billions of stolen usernames and passwords from the dark web. These are then fed into password cracking tools that make use of AI and machine learning so that the guesses made, rather than being random, are algorithmically generated. The speed at which these tools make login attempts means that a password can often be cracked within minutes.
6. Rainbow table attacks
Systems generally encrypt stored passwords, which means it’s impossible to discover them without having the right encryption key. Sophisticated hackers keep directories of stolen passwords and their associated encryption keys, helping them cut the time needed to break in. A rainbow table attack, meanwhile, uses an encryption algorithm to generate a list of every potential plain text password. These are then compared to the encrypted passwords on an organisation’s system to speed up the discovery of the right version.
The enormous number of possible passwords in a rainbow table means they can be terabytes in size. As a result, cybercriminals are making increased use of the cloud to help them process the data during an attack.
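To show why a precomputed table works against some stored passwords and not others, here is a short added example (written for this article, not code from the original post). It treats the stored values as one-way hashes, which is how most systems actually store passwords, and uses a small constructed wordlist in place of the huge tables described above. The attacker-side lookup recovers a plain SHA-256 hash instantly, while the same wordlist is useless against a record protected with a random per-user salt and a slow key-derivation function (PBKDF2), which is the standard mitigation. The wordlist, the password "summer2019" and the function names are all assumptions for illustration.

```python
import hashlib
import os
import secrets

# Constructed toy wordlist standing in for the "every potential plain text
# password" list the article describes. Hypothetical values, not real data.
CANDIDATE_PASSWORDS = ["password", "letmein", "summer2019", "qwerty", "Welcome1"]


def build_lookup_table(candidates):
    """Precompute hash -> plaintext for unsalted SHA-256 (the attacker's table)."""
    return {hashlib.sha256(p.encode()).hexdigest(): p for p in candidates}


def recover_unsalted(stored_hash, table):
    """A precomputed table answers an unsalted hash with a single dictionary lookup."""
    return table.get(stored_hash)


def hash_with_salt(password, salt, iterations=200_000):
    """Defender side: random per-user salt plus a deliberately slow KDF (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations).hex()


def make_record(password):
    """Store only the salt and the salted hash; the password itself is never kept."""
    salt = os.urandom(16)
    return {"salt": salt, "hash": hash_with_salt(password, salt)}


def verify(password, record):
    """Constant-time comparison of the recomputed salted hash with the stored one."""
    return secrets.compare_digest(hash_with_salt(password, record["salt"]), record["hash"])


def demo():
    table = build_lookup_table(CANDIDATE_PASSWORDS)

    # Unsalted storage: the stored hash is in the precomputed table, so it is found at once.
    unsalted_store = hashlib.sha256(b"summer2019").hexdigest()
    found = recover_unsalted(unsalted_store, table)

    # Salted storage of the very same password: the stored value matches nothing in the table,
    # because the table would have to be rebuilt for every user's individual salt.
    record = make_record("summer2019")
    in_table = recover_unsalted(record["hash"], table)

    return found, in_table, verify("summer2019", record), verify("wrong", record)


if __name__ == "__main__":
    print(demo())
```

The salt forces an attacker to redo the whole precomputation per user, and the slow KDF multiplies the cost of every guess, which is why "salt plus slow hash" (PBKDF2, bcrypt, scrypt or Argon2) is the accepted defence against rainbow tables.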
7. Network analysis tools
Network analysis tools enable cybercriminals to intercept data sent over a network and steal any unencrypted passwords they contain. To carry out an attack, hackers need physical access to the network or the use of malware.
SSL and other forms of encryption are the best defence against this type of hacking, together with VPNs. Companies can use network analysis tools themselves to discover if they have plain text passwords unwittingly being transmitted.
Conclusion
The growing number of sophisticated ways hackers can find passwords means organisations have to continually find better ways to protect themselves. Today, there are numerous defences you can use: encryption, SSL, email signing certificates, firewalls, antivirus, intrusion protection, email filters, logical access control, multi-factor authentication and biometric authentication, for example. Additionally, the training of staff and the implementation of rigorous security policies and procedures can also help.