843-606-6255 | INFO@NETCERTPRO.COM
NEWS



How can your Password get Hacked?



Posted: October 19th, 2018

Author: Jeremy Sonntag


How can your Password get Hacked?

It's truly surprising how many people are unconcerned with the strength of the passwords they use, when in fact everyone??s passwords are under constant attack. I often hear phrases like, "I'm not a target" and "There's nothing important there anyways". Well, my effort here will work in tandem with other pieces I have written on password security.


Don't Take Passwords Lightly

https://netcertpro.com/Full-Article/14/dont-take-passwords-lightly/


Passwords Vol. 2 The Solution

https://netcertpro.com/Full-Article/17/passwords-vol-2---the-solution/


Also, I encourage you to read Troy Hunt's article on passwords. ( founder of https://haveibeenpwned.com/ )

The only secure password is the one you can't remember -Troy Hunt

https://www.troyhunt.com/only-secure-password-is-one-you-cant/


The most common passwords from the Gawker breach:

https://goo.gl/oV5ifw

123456, password, 12345678, qwerty, abc123, 12345, monkey, 111111, consumer, letmein, 1234, dragon, trustno1, baseball, gizmodo, whatever, superman, 1234567, sunshine, iloveyou, starwars, shadow, princess, cheese




I think, if the average person takes a few minutes to understand what dangers are lurking on the internet, they can use that knowledge to better protect themselves. Below you will find a brief but hopefully clear explanation of methods in which your passwords might come into the hands of someone else.


Brute Force

Brute force is exactly what it sounds like. Try every number, letter, and symbol combination possible until the password is found. This sounds like it could take a long time, and it very well might, however, there are additional techniques attackers have developed which can sometimes yield results much quicker. A popular brute force technique referred as 'dictionary attack', where, instead of systematically trying every combination possible, it makes use of a special dictionary of words, names, popular passwords, etc., often containing hundreds of thousands of entries. There are many different brute force dictionaries that have been built, some of which target 'leetspeak' where you replace letters like 'E' with numbers '3'(J3R3MY). There are even special dictionaries which target specific industries (teachers, lawyers, or accountants), and dictionaries which target job title (CEO, CFO, accountant, human resource).

Brute forcing a password can occur any place a password exists, however some are more difficult than others. Many online entities will limit how many times you can try to enter your password before the account is locked. However, if the whole password database from an entity is stolen, there are fewer limits.


Stolen Database

When a data breach occurs at a company, often a whole database is taken. That database may contain all users and passwords (usually encrypted). This happened to Yahoo and many other companies. See here for a list of data breaches. https://goo.gl/LpohUw

Once the attacker has the data, they can begin the decryption process. This is where brute force methods can come into play. If the encryption is not strong, they will eventually be successful and have access to the usernames and passwords in that database. Following which, the compromised company will ask that you change your password for their service.

It's pretty common that stealing the database, cracking the passwords, and using the cracked passwords are all different people or groups. Usually, with each step of this process the data is sold on the dark web and another group which specializes in the next step takes over. A cybercrime production line if you will.


Password Reuse

When a password database has been compromised and cracked, as has happened many times before, the attacker will assume many users have the same password across all or many of their various accounts. Therefore, they test each listed user, password combo with a large list of popular services like Facebook, LinkedIn, email services and more. They usually have great success with this. Bad guys may go after smaller targets with less money to spend on securing their website, such as a local shop that also sells online. The users in that database are just as valuable because they likely reuse their passwords too. Then sometimes there are high profile breaches like Yahoo which reveal millions of accounts.


Social Engineering

Technology has improved exponentially over the years, as has its security, which leaves one weak link, the human. Bad guys have learned very sophisticated psychological methods to convince you to perform some action like click a link, open a file, or remit some bit of important information, your password for example. This can come in many forms. Phone calls, physical visits onsite, webpage pop-ups / redirects, but the most popular and effective is phishing. Phishing is simply social engineering via email. As for acquiring your password with a phishing attack, a popular method is to send you an email which convinces you to 'login' or 'verify account'. You click the link and happily type in your password, unaware that the site you just accessed in fact belongs to the bad guy.


Key Logger Virus

A virus is just another program, but with malicious intent. A well-crafted virus will not make itself known to the user until it is too late, if ever. Viruses can be installed or acquired in many different clever ways but usually the user, knowingly or not, chooses to install it. Once installed, a virus is limited only by the imagination of its developer. One function a virus might execute is to record and catalog all of your keystrokes, the website or resource you are using when you type and screenshots the progression. At this point, it does not matter if you change your password because the bad guy would have access to everything you have typed


Password Reset Attack

Every website and online service secures your account with a password and we humans can not remember passwords. We are terrible at it. This simple fact forces each of these services to offer some means of resetting your password. It is simple to figure out the reset process for any given service. Sign up and use the service, then 'forget' the password. Once the recovery process is known, the attacker can collect info on you then try and reset your password.


Linked Accounts

Facebook, Google, Microsoft provide a service called 'Oauth'. You have seen this before through suggestions such as, "Sign in with Facebook". If your Facebook account were accessed by someone other than you, they would have that same "Sign in with Facebook" feature you use, available to them in all the places you have set it up. Most people forget or do not even realize they use it because of the easy set-up process.


0-Day / Previously unknown hack

Software development is complicated. After long hours of hard work and peer review there are still mistakes or oversights. Interested parties find these mistakes and use them to their advantage. This is one avenue for data breaches or self-replicating viruses, depending on the type of mistake in the software. As an end user, your best protection from a 0-Day is to use reputable software, keep your software updated, use STRONG passwords, and do not reuse them. Once aware of a security flaw, companies are usually quick to fix it, but in the case of software like Windows, you still have to install the update.

Using and maintaining strong passwords is much easier than most people think. Use a password manager if you need extra help, one that has been thoroughly vetted of course. Personally, I trust Lastpass. Use a single strong password to access the 'Vault', then the rest of your passwords can look like this - qM5e^tqoU#JFo7LKl4gQu ? You should not be able to remember your passwords because they need to be secure enough to protect your information.