When it comes to security, passwords are among the weakest links. Once a bad actor has your credentials, your data is in real danger of a breach. Hacking and data breaches are what keep CIOs and CISOs up at night, because nearly everyone is exposed to phishing, credential stuffing, keyloggers and the like. The number of tools and techniques available to attackers is mind-boggling, and many of them you haven't even heard of yet.
In this article we examine one of the top cybersecurity threats from a password perspective: the tools and techniques attackers use to get hold of passwords. We also cover practical tips for generating, managing and securing passwords.
Top Password Hacking Methods
When do you think the first hack took place? Would you imagine it was in 1878, in the early days of Bell Telephone? A group of teenagers hired to run the switchboards disconnected and misdirected calls. The first real computer hackers, however, appeared in the 1960s.
Oh, how the times have changed. Hackers are much more sophisticated today. Or are they? Some techniques are highly sophisticated and rely on purpose-built programs and tools; others are very simple and rely on the victim's naivety. Here is a list of the top ways attackers get at your passwords.
1) Credential Stuffing
Imagine you're an attacker buying 100,000 usernames, email addresses and passwords on the dark web. Those credentials were probably stolen from a poorly secured website, blog or e-commerce site and then put up for sale.
Next, you test those credentials against other sites to see whether any of them still work. You take your list and try it against banks, merchants and other services; every time a username and password pair matches, you're in.
All of this is automated. Tools exist that replay stolen credentials across many sites at once, so attackers can take over new accounts quickly, even on sites whose own security is good. The site is not being broken into; it is being logged into with valid credentials that its user reused somewhere else.
It's estimated that tens of millions of accounts are tested every day using credential stuffing.
2) Phishing Attacks
If you thought credential stuffing was bad, phishing is worse, because you hand the attacker your username and password yourself without realising it.
It's estimated that nearly 70% of cybercrimes begin with a phishing attack. Attackers love this technique because it works all too well, whether they want your information for their own use or to sell on the dark web.
How do phishing attacks work? It's pretty straightforward. Attackers use social engineering to trick users into supplying their credentials to what looks like a genuine request from a legitimate website, vendor or employer.
Phishing attacks most often arrive by email, carrying a fraudulent link or a malicious attachment. When the user clicks on either, they are presented with a fake login page and type their credentials straight into it. Attackers may also intercept credentials in transit, for instance with a man-in-the-middle attack.
3) Password Spraying
Often an attacker has nothing but a list of usernames, which is very common. Password spraying takes a short list of commonly used passwords, such as 123456, password, password123 or admin, and tries each one against a large number of accounts.
You may be thinking this sounds like credential stuffing, and it is closely related. The difference is that stuffing replays real username and password pairs, while spraying guesses a few likely passwords across many users. It's estimated that this technique accounts for around 16% of password and account compromises.
Most sites now lock an account or throttle a source after a handful of failed attempts, so spraying stays "low and slow": one or two passwords per account, spread across many accounts and many source IPs, so that no single account or IP trips the threshold before the attacker has worked through the top 5, 10 or 100 most common passwords.
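To make the "low and slow" point concrete, here is an added example (not from the original article) of two detection rules a site could run over its authentication log. The log format, IP addresses and account names are constructed for the example, and the thresholds are assumptions you would tune to your own traffic. A per-account lockout catches the source that hammers one account, but the source that touches ten accounts once each, which is what both credential stuffing and password spraying look like from the server's side, only shows up when you count per source.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass
class AuthEvent:
    ts: str
    user: str
    src_ip: str
    success: bool


# Constructed sample log (not real traffic): "timestamp user source_ip result".
# 203.0.113.7 walks a list of accounts with one guess each (the stuffing/spraying
# shape), 198.51.100.4 hammers a single account (classic brute force) and
# 192.0.2.9 is an ordinary user logging in twice.
SAMPLE_LOG = """\
2024-01-01T10:00:00 alice 203.0.113.7 FAIL
2024-01-01T10:00:01 bob 203.0.113.7 FAIL
2024-01-01T10:00:02 carol 203.0.113.7 FAIL
2024-01-01T10:00:03 dave 203.0.113.7 SUCCESS
2024-01-01T10:00:04 erin 203.0.113.7 FAIL
2024-01-01T10:00:05 frank 203.0.113.7 FAIL
2024-01-01T10:00:06 grace 203.0.113.7 FAIL
2024-01-01T10:00:07 heidi 203.0.113.7 FAIL
2024-01-01T10:00:08 ivan 203.0.113.7 FAIL
2024-01-01T10:00:09 judy 203.0.113.7 FAIL
2024-01-01T10:01:00 alice 198.51.100.4 FAIL
2024-01-01T10:01:01 alice 198.51.100.4 FAIL
2024-01-01T10:01:02 alice 198.51.100.4 FAIL
2024-01-01T10:01:03 alice 198.51.100.4 FAIL
2024-01-01T10:01:04 alice 198.51.100.4 FAIL
2024-01-01T10:01:05 alice 198.51.100.4 FAIL
2024-01-01T10:02:00 mallory 192.0.2.9 SUCCESS
2024-01-01T10:30:00 mallory 192.0.2.9 SUCCESS
"""


def parse_log(text):
    """Parse the constructed log format into AuthEvent records."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, ip, result = line.split()
        events.append(AuthEvent(ts, user, ip, result == "SUCCESS"))
    return events


def per_account_lockout(events, max_failures=5):
    """Classic rule: lock an account after N failed attempts from one source.
    Returns the (user, src_ip) pairs that trip it."""
    fails = defaultdict(int)
    for e in events:
        if not e.success:
            fails[(e.user, e.src_ip)] += 1
    return {key for key, n in fails.items() if n >= max_failures}


def detect_low_and_slow(events, min_accounts=8, max_per_account=3, min_fail_ratio=0.8):
    """Source-centric rule: one source touching many accounts, few attempts each,
    mostly failing. Returns {src_ip: summary} for every flagged source, including
    which accounts it actually got into."""
    by_ip = defaultdict(list)
    for e in events:
        by_ip[e.src_ip].append(e)
    flagged = {}
    for ip, evs in by_ip.items():
        per_user = defaultdict(int)
        for e in evs:
            per_user[e.user] += 1
        fail_ratio = sum(not e.success for e in evs) / len(evs)
        if (len(per_user) >= min_accounts
                and max(per_user.values()) <= max_per_account
                and fail_ratio >= min_fail_ratio):
            flagged[ip] = {
                "accounts": len(per_user),
                "fail_ratio": round(fail_ratio, 2),
                "compromised": sorted(e.user for e in evs if e.success),
            }
    return flagged


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    print("lockout rule trips on:", per_account_lockout(evs))
    print("low-and-slow sources:", detect_low_and_slow(evs))
```

Run it and the lockout rule reports only alice from 198.51.100.4, while the source rule flags 203.0.113.7 and tells you that dave's credentials worked, which is the account you need to reset first.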
4) Keylogging
Keylogging is not something you want to be on the receiving end of. It is used in targeted attacks where the attacker knows, or is particularly interested in, the victim: spouses, colleagues and relatives, but also corporations and nation-states.
The keylogger itself is nothing special; off-the-shelf keyloggers and commercial spyware are easy to find on the internet and the dark web. The hard part is getting it onto the victim's machine, which requires physical access or a compromise via malware.
With a keylogger, it really doesn't matter how strong your password is. The attacker sees exactly what you type for your username and password. That makes it ideal for getting into bank accounts and websites, and especially cryptocurrency exchanges and wallets, where transfers cannot be reversed.
5) Brute Force Attack
When you think of sophisticated hacks, you probably picture scenes from James Bond, Mission Impossible or The Bourne Identity. Brute force attacks are probably the closest you'll get to a real-world James Bond scene.
Against a live login they are also among the least used: brute force attacks are noisy, time-consuming and expensive, and rate limiting and account lockouts stop them quickly. Where they shine is offline, against a stolen database of password hashes, where nothing limits the guess rate. Attackers use tools like Aircrack-ng (for Wi-Fi handshakes), John the Ripper and DaveGrohl (a macOS password cracker) to run them.
There are two main flavours. A dictionary attack tries every word in a wordlist, plus common variations such as appended digits or a capitalised first letter, as the password; the tools above can run through a wordlist in seconds. The other works from the hash of the password: the attacker hashes as many candidate plaintexts as possible, looking for one whose hash matches the stolen value. Rainbow tables, which precompute the hashes of huge numbers of common passphrases, speed this up, but they only work when the site hashed passwords without a per-user salt. A unique salt and a deliberately slow hash such as bcrypt or PBKDF2 force the attacker to start from scratch for every user and every guess.
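As an added illustration (not part of the original article), the following Python shows both flavours against a constructed wordlist: a precomputed hash-to-plaintext table, the same idea as a rainbow table, recovers an unsalted SHA-256 password instantly, while a salted PBKDF2 hash forces the attacker to rehash every candidate for that one user. The wordlist, the handful of mangling rules and the iteration count are assumptions chosen to keep the example small; real crackers use far larger lists and rule sets.

```python
import hashlib
import hmac
import os

# Constructed wordlist standing in for a real dictionary file (a real one has millions of entries).
WORDLIST = ["letmein", "dragon", "sunshine", "password", "qwerty", "redcars", "monkey"]


def mangle(word):
    """A few of the rewrite rules crackers apply to every dictionary word:
    capitalise, append digits/punctuation, and the usual letter-for-number swaps."""
    yield word
    yield word.capitalize()
    for suffix in ("1", "123", "!"):
        yield word + suffix
        yield word.capitalize() + suffix
    leet = (word.replace("a", "4").replace("e", "3")
                .replace("o", "0").replace("s", "5"))
    yield leet
    yield leet.capitalize()


def sha256_hex(text):
    """Unsalted, fast hash: what a poorly built site stores."""
    return hashlib.sha256(text.encode()).hexdigest()


def build_lookup_table(wordlist):
    """Precompute hash -> plaintext once. A rainbow table stores this more compactly
    (as chains), but the effect is the same: every later lookup is instant."""
    return {sha256_hex(cand): cand for word in wordlist for cand in mangle(word)}


def crack_unsalted(target_hex, table):
    """Dictionary attack against an unsalted hash: one dictionary lookup."""
    return table.get(target_hex)


def pbkdf2_hash(password, salt, iterations=200_000):
    """Salted, slow hash: what a well built site stores (salt is per user)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


def crack_salted(target, salt, iterations, wordlist):
    """Against a salted hash no precomputed table helps: every candidate must be
    rehashed with this user's salt, at the full iteration cost, for this one user."""
    for word in wordlist:
        for cand in mangle(word):
            if hmac.compare_digest(pbkdf2_hash(cand, salt, iterations), target):
                return cand
    return None


if __name__ == "__main__":
    table = build_lookup_table(WORDLIST)
    print("unsalted 'Password1' ->", crack_unsalted(sha256_hex("Password1"), table))
    salt = os.urandom(16)
    stored = pbkdf2_hash("Dragon123", salt)
    print("salted 'Dragon123'   ->", crack_salted(stored, salt, 200_000, WORDLIST))
```

Both passwords fall, because both are a dictionary word plus a trivial rule. The difference is cost: the unsalted one is a dictionary lookup that was paid for once and is reusable against every user in the breach, while the salted one costs 200,000 HMAC iterations per guess per user, and nothing computed for one user carries over to the next.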
Tips for Creating Strong Passwords
As mentioned, hacks range from the sophisticated to the simple, but one thing is constant: poor password practice and a lack of awareness. Here are the top tips for creating strong passwords.
1) Use Passwords With At Least 10 Characters
Your passwords should contain at least 10 characters, and longer is better; length does more for you than any other single property. I know, it sounds like a lot, but long, complex passwords really are hard to crack. To keep them memorable as well as complex, mix several types of characters: lower- and upper-case letters, digits and symbols.
2) Don’t Use Personal Information In Your Passwords
You should avoid using personal information, as this is the first thing attackers try. Someone targeting your accounts may already know your address, phone number, spouse's name, children's names, pets' names, birthdays, anniversaries and so on, and will use those details to guess your password more easily.
3) Don’t Use Commonly Used Passwords
This is one of the biggest mistakes you can make with a password. Don't use common passwords like "password" or "123456". They are the first guesses in any password spraying run, and they can lead straight to a serious data breach or the loss of important accounts.
4) Don’t Use Common Dictionary Words
This is a tough one to stick to, but avoid common dictionary words. Wordlists of dictionary words are the raw material of brute force attacks, and gluing two common words together does not make a password much safer, because crackers try those combinations too. So don't use "Red", "Cars" or "RedCars". Misspelling or making up words helps, for example "RedddCarzz", but be aware that cracking tools also apply rules for doubled letters and common letter swaps, so add length and other character types as well.
5) Use Complex Passwords With Special Characters
I mentioned that you shouldn't use common dictionary words. The next step is to add complexity with special characters, including replacing letters with numbers and punctuation. Here are some ideas for creating highly complex, unusually spelled and unique passwords. One caveat: the substitutions below (0 for o, 3 for e, 5 for s and so on) are so well known that cracking tools try them automatically, so they add a little strength, not a lot; the length of these examples matters more than the swaps.
TotallySecurePasswords! = T0ttallySecur3Pa55w0rd5!
BeyondComplexPass# = B3yondc0mp1exPa$$#
It's that easy. Take a phrase or word and mix it with shortcuts, nicknames and acronyms. Shortcuts, abbreviations and a mix of upper- and lower-case letters give you passwords that are simple to remember but much harder to guess.
6) Use An Easy to Remember Phrase
It's really frustrating when you can't remember a password. One alternative is to start from a phrase and then mix it up by shortening it and adding nicknames, misspellings and acronyms. The result is a password that is easy to remember but still safe. Here is an example.
Use something only you would know, such as one of your college house addresses combined with how much you paid in rent or when you graduated. Bear in mind that old addresses and graduation years are often discoverable (see tip 2), so the less public the detail, the better; several unrelated words that mean something only to you are safer still.
CollegeRoodStHouse$750 = C0llegeR00dStHouse$750$
Make sure to mix up the words.
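To see the tips above applied mechanically, here is an added checker (not from the original article) that tests a candidate password against each of them: length, personal details, the common-password list, dictionary words and character variety. The common-password list and dictionary are tiny constructed stand-ins for the real breach-derived and language lists you would use. It also undoes the letter-for-number substitutions before the dictionary check, which is exactly what cracking tools do, so "P455w0rd!" still fails the dictionary rule; and it demonstrates the caveat about tip 2, flagging the rent-and-address example when the attacker is assumed to know those details.

```python
import re

# Constructed stand-ins for a real top-N breached-password list and a real dictionary.
COMMON_PASSWORDS = {"123456", "password", "password123", "admin", "qwerty",
                    "letmein", "welcome", "iloveyou"}
DICTIONARY = {"red", "cars", "car", "totally", "secure", "password", "passwords",
              "beyond", "complex", "pass", "college", "house", "summer", "dragon"}

# Substitutions crackers undo (and try) automatically, so they add little strength.
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s",
                      "7": "t", "$": "s", "@": "a", "!": "i"})


def normalize(pw):
    """Lower-case, drop a trailing run of digits/punctuation ("123", "!", "$750$"),
    then undo leet substitutions: the form a cracker's rules reduce a guess to."""
    core = re.sub(r"[\d\W_]+$", "", pw)
    return core.lower().translate(LEET)


def is_dictionary_concat(s, words=DICTIONARY, max_words=3):
    """True if s is one to max_words dictionary words glued together ("redcars")."""
    if not s:
        return False
    best = {0: 0}  # prefix length -> fewest words that build it
    for i in range(1, len(s) + 1):
        for j in range(max(0, i - 20), i):
            if j in best and s[j:i] in words:
                best[i] = min(best.get(i, 99), best[j] + 1)
    return best.get(len(s), 99) <= max_words


def check_password(pw, personal=()):
    """Return the list of tips the password violates; an empty list means it passes.
    `personal` is whatever an attacker could plausibly know about the user."""
    problems = []
    low = pw.lower()
    if len(pw) < 10:
        problems.append("shorter than 10 characters")
    if any(p and p.lower() in low for p in personal):
        problems.append("contains personal information")
    if low in COMMON_PASSWORDS:
        problems.append("commonly used password")
    if is_dictionary_concat(normalize(pw)):
        problems.append("dictionary word(s), possibly with leet substitutions")
    classes = (re.search(r"[a-z]", pw), re.search(r"[A-Z]", pw),
               re.search(r"\d", pw), re.search(r"[^A-Za-z0-9]", pw))
    if sum(bool(c) for c in classes) < 3:
        problems.append("fewer than three character classes")
    return problems


if __name__ == "__main__":
    for candidate, known in [("123456", ()), ("RedCars", ()), ("P455w0rd!", ()),
                             ("T0ttallySecur3Pa55w0rd5!", ()),
                             ("C0llegeR00dStHouse$750", ("Rood", "750"))]:
        print(f"{candidate!r}: {check_password(candidate, known) or 'OK'}")
```

The checker measures the article's rules, not true strength: a password can pass every rule here and still be guessable if it follows a pattern the attacker's wordlist rules cover, which is why a randomly generated password from a manager (tip 8 below) beats any hand-made scheme.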
7) Use Different Passwords for Different Accounts
You should use a different password for every account. I know, it seems like a pain, but if you reuse one password across many accounts and that password is compromised, credential stuffing will turn one breach into a takeover of every account that shares it.
8) Use a Password Generator and Manager Tool
Implementing strong password policies, then training people on them and enforcing them, is a difficult task for a business of any size. With the number of websites and accounts we use every day there is no practical way to remember a different password for each, and writing them down or storing them insecurely is yet another risk.
A password manager generates strong, unique passwords and remembers them for you. Instead of memorising 15 to 20 passwords, your users only need a single master password. That master password must itself be strong and protected with 2FA, because it is now the key to everything else.
9) Use Two Factor Authentication
This is one of the most important password protection strategies you can have. Two-factor authentication, also called 2FA or two-step verification, requires more than a username and password: it also requires something only that user has, such as a phone or a hardware security key.
For example, after entering your username and password you may have to confirm with a code sent by email or SMS, or generated by an authenticator app. This adds a second hurdle for an attacker who already has your password and alerts you to login attempts you didn't make. One caveat: a code delivered by email or SMS can be phished in real time just like the password, so an authenticator app is better, and a hardware security key that checks the site's identity (FIDO2/WebAuthn) is best.
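As an added example (not from the original article), this is how the code-generator kind of 2FA works under the hood. It implements HOTP (RFC 4226) and TOTP (RFC 6238): the authenticator app and the server share a secret, and both compute an HMAC over the current 30-second time step, so the code changes every half minute without any network traffic. The secret below is the RFC 6238 test-vector key, used only so the output can be checked against the RFC's table; the one-step clock tolerance and the replay check in `verify_totp` are my design choices, not something the article prescribes.

```python
import base64
import hashlib
import hmac
import struct
import time
from urllib.parse import quote


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, then
    'dynamic truncation' picks 4 bytes at an offset taken from the last nibble."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** digits).zfill(digits)


def totp(secret: bytes, for_time=None, step: int = 30, digits: int = 6) -> str:
    """TOTP (RFC 6238): HOTP with counter = Unix time // step. This is the number
    the authenticator app displays."""
    t = int(time.time() if for_time is None else for_time)
    return hotp(secret, t // step, digits)


def verify_totp(secret: bytes, code: str, for_time=None, step: int = 30,
                digits: int = 6, window: int = 1, last_counter: int = -1):
    """Server side. Accepts the current step and +/- `window` neighbours to
    tolerate clock drift, compares in constant time, and refuses any counter at
    or below `last_counter` (the last one this user successfully used) so a code
    that was phished or shoulder-surfed cannot be replayed. Returns the accepted
    counter, which the caller should store as the new last_counter, or None."""
    t = int(time.time() if for_time is None else for_time)
    base = t // step
    for k in range(-window, window + 1):
        counter = base + k
        if counter <= last_counter:
            continue
        if hmac.compare_digest(hotp(secret, counter, digits), code):
            return counter
    return None


def provisioning_uri(secret: bytes, account: str, issuer: str) -> str:
    """The otpauth:// URI that enrollment QR codes encode; the secret is base32."""
    b32 = base64.b32encode(secret).decode().rstrip("=")
    return (f"otpauth://totp/{quote(issuer)}:{quote(account)}"
            f"?secret={b32}&issuer={quote(issuer)}&algorithm=SHA1&digits=6&period=30")


# RFC 6238 Appendix B test-vector key (used only so results can be checked).
RFC6238_SECRET = b"12345678901234567890"

if __name__ == "__main__":
    print(totp(RFC6238_SECRET, for_time=59, digits=8))       # RFC table: 94287082
    print(provisioning_uri(RFC6238_SECRET, "alice@example.com", "Example Corp"))
    print("code right now:", totp(RFC6238_SECRET))
```

Two things the code makes visible that the prose does not: the server never receives the secret over the network after enrollment (only the six digits), and the replay check matters because a real-time phishing proxy relays a valid code within its 30-second life, so a code must be accepted at most once.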