With a compromised password, it’s not just your account or information that remains vulnerable. Hackers typically steal passwords as the first leg of a larger attack and build on them, using your compromised account to access other systems or to carry out malicious activities. I’ve seen cases where people’s bank accounts have been emptied, their credit ruined, or even their whole identity stolen.
I have also been writing about novel, sophisticated cyber attacks that are designed to evade detection and persist in a target’s device or network for an extended period. If reports are to be believed, such attacks are usually orchestrated by state-sponsored hackers or well-funded criminal organizations.
Although this may sound scary, such attacks are still preventable.
In this article, I discuss how hackers get passwords through malicious techniques, common techniques attackers use for password attacks, the impact of such attacks, and prevention techniques to protect your passwords.
How Do Hackers Get Passwords?
Hackers obtain passwords by illegally acquiring a user’s login credentials, typically through malware, phishing, or social engineering. Once a victim’s credentials are compromised, attackers can use the password to access sensitive information or perform other malicious actions on the victim’s behalf, such as accessing financial accounts, stealing personal information, or using the victim’s account to distribute malware and send spam to other users.
Types of Password Attacks
There are several types of password attacks that attackers use to obtain access to a user’s account:
Brute Force Attacks
A brute force attack is a method of hacking passwords by guessing the correct one. The process is usually executed by automated software that systematically tries every possible combination of characters, including numbers, symbols and letters, until the correct password is found.
Although the attack mechanism is time-consuming, it can successfully break weak passwords with adequate computational power. As these attacks can be directed against a single account or multiple accounts simultaneously, the impacts of such attacks are typically severe for a target organization.
Dictionary Attack
In this attack, hackers obtain passwords using a pre-compiled list of commonly used words and passphrases to guess repeatedly until the password is found. Unsurprisingly, dictionary attacks are often used to crack simple or easily guessed passwords and are extremely effective against users who choose weak or easily guessable passwords.
Keylogger Attack
Keylogging is the practice of tracking and recording the keys that a user presses on their keyboard. Keylogging attacks are carried out by installing malware on the targeted device that records keystrokes as they are entered and transmits them back to the attacker.
Although it is illegal to use keyloggers without the consent of the person being monitored in most jurisdictions, some legitimate use cases involve employers running keyloggers to monitor their employees and parents monitoring their children’s computer activity.
Credential Stuffing
Credential stuffing is a form of cyber attack where hackers attempt to gain unauthorized account access by using automated tools to test a large number of username and password combinations. To achieve this, attackers typically use lists of credentials obtained from previous data breaches, which are then used to try and gain access to other accounts.
Automated tools used in credential stuffing attacks can try thousands of combinations in a short period of time, making it a highly efficient method for hackers to gain access to a large number of accounts. This can be especially dangerous when the attackers can gain access to sensitive or personal information or if they can use the compromised accounts to launch other attacks.
Social Engineering
Social engineering is a tactic used by attackers to manipulate and deceive individuals into divulging key information or performing actions that may compromise security. This can include tactics such as baiting, pretexting, and quid pro quo.
Baiting is a tactic that uses a promise of something desirable, such as a prize or access to exclusive information, to entice the victim into providing information or performing an action.
Pretexting involves creating a false sense of urgency or authority to trick the victim into providing account information or performing an action.
Quid pro quo involves offering something in return for sensitive information, such as technical support in exchange for a password.
Phishing Attack
In this attack, a hacker uses social engineering to trick users into revealing their credentials, sending phishing emails, text messages or links to fake websites that look similar to the legitimate ones. Attackers commonly use urgent language or create a sense of urgency to pressure the victim into taking the desired action, such as clicking on a link or providing personal information.
Figure: Common Password Attack Risks
Common Password Stealing Methods
There are various methods that hackers commonly use to retrieve passwords maliciously:
Password spraying
Password spraying involves attempting to log in to a large number of accounts using a small number of commonly used passwords, typically with automated tools that try one specific password against many usernames or email addresses. Unlike a brute force attack, where the attacker tries many different passwords against a single account, in a password spraying attack the attacker uses a single password against many different accounts.
The goal of a password spraying attack is to identify online accounts that have weak passwords and then use those stolen passwords to gain unauthorized access to sensitive information or launch further attacks. This attack is often used against large organizations, such as corporations or government agencies, where there may be many potential targets.
Shoulder Surfing
Shoulder surfing is an information gathering technique where an attacker is physically present and observes the victim entering information, such as login credentials or personal details, into a device or system. Commonly used in public spaces like ATMs, bank counters, internet cafes, and airports, shoulder surfing can be done in person by standing behind the victim and looking over their shoulder, or by using surveillance cameras or binoculars to observe the victim from a distance. The attacker then uses this information to gain unauthorized access to the victim’s accounts or steal their identity.
Password Hash Cracking
A password hash is the output of a one-way cryptographic function: the plaintext password is processed through a hashing algorithm, resulting in a fixed-length string of characters (the hash) that cannot be reversed to recover the password. Password hash cracking attempts to determine the original plaintext password from a given hash. It is typically done by hashing large numbers of candidate passwords, often taken from a precomputed table of hash values for common words and phrases, and comparing the results with the stored hash.
Password Guessing
Password guessing is a method of determining a user’s password by trying different combinations of characters. This can be done manually by trying different combinations of letters, numbers, and symbols, or automatically using software that can quickly generate and try large numbers of combinations.
Unauthorized Password Resetting
Unauthorized password resetting is a type of cyber attack in which an attacker attempts to gain access to a user’s account by resetting their password without their knowledge or permission. This can be done by exploiting weaknesses in the password reset process, such as guessing security questions, tricking a user into providing personal information, or gaining access to their email account.
Impacts of Password Attacks
Potential impacts of password attacks can vary depending on the type of attack, the target, and the level of success achieved by the attacker. Some impacts of successful password attacks include:
Financial Loss
One typical example of financial loss is when an attacker uses stolen login details to gain unauthorized access to a financial account, such as a bank account or credit card, and makes unauthorized transactions. This can result in direct financial losses for the account holder and potential long-term damage to their credit score.
Loss of Sensitive Data
Loss of sensitive data refers to the unauthorized disclosure, dissemination, or exposure of confidential information, such as trade secrets and intellectual property, which is then sold on the dark web. For individuals, it can lead to identity theft, financial fraud, and other forms of financial loss, while for organizations, it can result in reputational damage, legal and regulatory penalties, and financial losses.
Email/Account Takeover
An attacker can use the stolen credentials to log in to your email and social media accounts, and use the unauthorized access to launch further attacks, such as sending phishing emails to the victim’s contacts or attempting to gain access to other accounts. They can also use the account to steal personal information, make unauthorized purchases, or commit other types of fraud.
Damage to Reputation
Damage to reputation refers to the harm caused to an individual’s or organization’s standing by negative publicity, especially if sensitive details are shared publicly. This can lead to negative perceptions from customers, partners, investors, and the general public.
Operational Disruptions
Password attacks commonly lead to the interruption or cessation of normal business operations. This can result in lost productivity and revenue, websites being taken down, systems being disabled, and employees losing access to the company’s systems.
Legal Liability
This refers to the potential legal and regulatory penalties an organization may face when it fails to comply with data protection and privacy regulations covering, for example, customers’ personal and financial information.
Best Practices to Prevent Password Attacks
Securing account information and data is a shared responsibility of individuals and enterprises in their own respective capacities. There are several steps that individuals or businesses can take to prevent password attacks. These include:
Use Strong and Unique Passwords
Using strong and unique passwords is one of the most effective ways to protect yourself from password attacks. A strong password is one that is difficult to guess or crack, and a unique password is one that is not used for any other accounts.
It is recommended to create a strong password for each account using a combination of lowercase and uppercase letters, special characters and numbers. While a strong password is difficult for others to guess or crack, it is equally important to use a different password for each account and avoid reusing a single password across accounts.
Quick Tips:
Use non-guessable passwords and avoid using easily guessable information, such as your name or birthdate.
Regularly changing your passwords is also a good idea, at least every 3-6 months, especially if you suspect your account has been compromised or if the account contains sensitive data.
Enable Two-Factor Authentication
Enabling two-factor authentication (2FA) adds an additional layer of security to your accounts by requiring a second form of verification, in addition to your password. This can include a code sent to your phone via text message, a code generated by an app, or a fingerprint scan.
When an attacker attempts to log in to your account, they will be prompted to provide the second form of verification, which they would not have access to, making it much more difficult for them to gain unauthorized access. Even if the attacker has obtained your password through a data breach or phishing attack, they will not be able to log in without the second form of verification.
Quick Tips:
Use an authenticator app such as Google Authenticator or Authy to generate the second form of verification; this will help you keep track of all your 2FA codes in one place.
Be sure to keep your 2FA device or app secure and protected by a strong passcode or biometric lock.
Use a Password Manager
A password manager is an application that helps users securely store and manage their passwords. These applications use encryption to protect the passwords and allow users to create complex, unique passwords for each account. A password manager can also automatically generate strong passwords and fill in login information on websites, saving the user from remembering multiple login credentials.
Quick Tips:
Use a reputable password manager such as LastPass, 1Password, or Dashlane.
Store important information such as security questions and answers or recovery email addresses in your password manager.
Be Wary of Phishing Attacks
Be wary of unsolicited emails, messages, or phone calls asking for personal information. It is recommended to always verify the authenticity of the sender before providing any information. In addition, be cautious of clicking on links or downloading attachments from unknown sources. To make sure a website is secured (HTTPS), always double-check the website’s URL before entering personal information.
Quick Tips:
Be careful of emails or messages that create a sense of urgency or fear, asking you to take immediate action.
It is also recommended to use anti-virus software and a spam filter to block malicious emails.
Keep Your Computer Updated
Keeping your computer updated is essential to maintaining your device’s security and performance. Software updates often include security patches that fix known vulnerabilities that hackers could exploit.
In addition to security patches, software updates also include new features and improvements to performance, stability and usability. It is also important to note that critical updates must be installed as soon as possible to prevent vulnerabilities from being exploited.
Quick Tips:
Set your computer to install updates or check for updates regularly and automatically.
Avoid downloading software from untrusted sources.
Be aware that some updates may require you to restart your computer, so plan accordingly.
Be Careful With Public Wi-Fi
When using public Wi-Fi, be careful about the information you share and the websites you visit. For example, avoid accessing sensitive data, such as online banking or email, over a public network. If using public Wi-Fi to access sensitive data is unavoidable, using a Virtual Private Network (VPN) is recommended. A VPN encrypts your internet connection, making it much harder for hackers to intercept your data.
Quick Tips:
Avoid using public Wi-Fi networks that are not secured with WPA2 encryption.
Disable file sharing when connected to public Wi-Fi networks.
Use Hashing Algorithms to Prevent Password Theft
Passwords can be stored securely using a method called hashing. A hash function takes an input (or “message”) and returns a fixed-size string of characters, the “digest”, which is in practice unique to the original input.
When a user creates a password, it is run through a hashing algorithm, and the resulting hash value is stored in password authentication databases. When the user attempts to log in, the system runs the entered password through the same hashing algorithm and compares the resulting hash value to the stored hash value. If the two values match, the user is granted access.
Several hashing algorithms are commonly used to protect passwords:
Bcrypt is designed to be slow and computationally expensive, making it difficult to crack the hashed password through brute force.
Scrypt is a password-based key derivation function designed to be more secure against hardware brute-force attacks than bcrypt.
Argon2 is designed to be resistant to GPU-based cracking attempts.
PBKDF2 uses a pseudorandom function, such as a cryptographic hash algorithm, to stretch a user’s password into a longer and more complex string.
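As an added example (not code from the original article), the store-hash/compare-hash flow described above in Python, using the standard library’s scrypt and PBKDF2 implementations. The `algorithm$params$salt$hash` record format, the parameter values and the function names are assumptions of this example.

```python
import hashlib
import hmac
import os

# Work-factor parameters (assumed for this example): scrypt N=2**14, r=8, p=1
# is a common interactive-login setting; 600,000 PBKDF2-HMAC-SHA256 iterations
# is a commonly recommended current value.
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2**14, 8, 1
PBKDF2_ITERATIONS = 600_000


def hash_password(password: str, algorithm: str = "scrypt") -> str:
    """Return a self-describing record: algorithm$params$salt_hex$hash_hex.

    A fresh random 16-byte salt per password means two users with the same
    password get different hashes, which defeats precomputed (rainbow) tables.
    """
    salt = os.urandom(16)
    pwd = password.encode("utf-8")
    if algorithm == "scrypt":
        digest = hashlib.scrypt(pwd, salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                                p=SCRYPT_P, dklen=32)
        params = f"{SCRYPT_N}:{SCRYPT_R}:{SCRYPT_P}"
    elif algorithm == "pbkdf2":
        digest = hashlib.pbkdf2_hmac("sha256", pwd, salt, PBKDF2_ITERATIONS, dklen=32)
        params = str(PBKDF2_ITERATIONS)
    else:
        raise ValueError(f"unsupported algorithm: {algorithm}")
    return f"{algorithm}${params}${salt.hex()}${digest.hex()}"


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash with the stored salt and parameters and compare.

    hmac.compare_digest runs in constant time, so a mismatch does not leak
    how many leading bytes of the hash matched.
    """
    algorithm, params, salt_hex, hash_hex = record.split("$")
    salt = bytes.fromhex(salt_hex)
    expected = bytes.fromhex(hash_hex)
    pwd = password.encode("utf-8")
    if algorithm == "scrypt":
        n, r, p = (int(x) for x in params.split(":"))
        candidate = hashlib.scrypt(pwd, salt=salt, n=n, r=r, p=p, dklen=32)
    elif algorithm == "pbkdf2":
        candidate = hashlib.pbkdf2_hmac("sha256", pwd, salt, int(params), dklen=32)
    else:
        return False
    return hmac.compare_digest(candidate, expected)


if __name__ == "__main__":
    rec = hash_password("correct horse battery staple")
    print(rec)
    print(verify_password("correct horse battery staple", rec))  # True
    print(verify_password("Tr0ub4dor&3", rec))                   # False
```

Storing the parameters inside the record is what lets a site raise the work factor later and re-hash each user at their next successful login.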
How Can Government and Industries Protect You From Password Attacks?
Federal agencies and industries play a key role in preventing cyber attacks. Some key steps taken to build password attack defenses include:
Regular monitoring for suspicious activity using Intrusion Detection and Prevention Systems (IDPS) to detect and respond to password spraying.
Implementing incident response policies, such as planning and drills to respond quickly and effectively to security breaches, including password cracking.
Federal agencies can pass laws and regulations requiring organizations to implement reasonable security measures, such as regularly updating passwords and reporting security breaches.
Regulators can also raise public awareness about the importance of password security and provide resources to help individuals and organizations protect themselves.
Developing and implementing security technologies, such as software, hardware, firewalls and Security Information and Event Management (SIEM) solutions, to help organizations monitor, detect and respond to password attacks.
Closing Thoughts
Password attacks are a severe threat that can significantly impact individuals and organizations. Hackers get passwords using various methods, such as brute force attacks, dictionary attacks, phishing, keyloggers and credential stuffing, to obtain login credentials and gain unauthorized access to steal personal data.
It’s important to remember that no security measure can provide comprehensive protection. Therefore it’s essential to be aware and vigilant by continuously monitoring and updating security measures and being prepared to respond to an attack.
How Do Hackers Get Passwords – FAQs
What Are Plain Text Passwords?
Plain text passwords refer to passwords that are stored in a system or database in unencrypted or unmodified form. In other words, they are not encrypted passwords and can be easily read by anyone with access to the database where the passwords are stored.
What Is Identity Theft?
Identity theft is the unauthorized use of another person’s personal information, such as their Social Security Number, name, credit card number, or other identifying information, to commit fraud or other crimes.
What Is a Passwordless Authentication System?
Passwordless authentication is a form of authentication that does not rely on using a user’s password. Instead, it uses other forms of authentication, such as biometrics, SMS, and email-based authentication.
Can Multi-Factor Authentication Protect Against Password Attacks?
Yes, multi-factor authentication (MFA) can help protect against password attacks. MFA adds an extra layer of security to your account by adding additional factors — such as a security code, facial recognition or fingerprint — to authorize access.
How Do Password Attacks Relate to Other Forms of Cyber Attacks?
Password attacks are one type of cybercrime focused on gaining unauthorized access to a person’s or organization’s accounts by guessing or stealing passwords.
What Are Examples of Commonly Used Passwords?
Some examples of commonly known passwords are:
12345678
password
qwerty
welcome
What Are the Organisations That Help Protect Passwords?
Several organizations that offer guidelines or solutions for protecting passwords include:
What Are Failed Login Attempts?
Failed login refers to instances where a user has attempted to log in to a system, such as a website or a network, but the system did not recognize their credentials (e.g. username and password).
What Are Default Passwords?
Default passwords are pre-set passwords assigned to devices, software, or accounts when they are manufactured or created.
What Is Password Hygiene?
Password hygiene refers to best practices and guidelines for creating, storing, and using passwords. It includes using strong, unique passwords for different accounts, regularly changing passwords, and not sharing passwords with others.
How Often Should I Change My Password to Protect Against Attack?
It is generally recommended that you do not reuse passwords or use the same password for multiple sites. It is also essential to change them regularly, at least every few months, to protect against attack.
This article has already been published on https://www.javelynn.com/cloud/the-password-heist-how-hackers-steal-passwords-and-what-you-can-do-to-stop-them/ and has been authorized by javelynn for a republish.
Top comments (1)
Indeed, the attack surface of passwords is pretty large. That's why I think the best is to get rid of them altogether. ;) There is a new browser protocol just for that called webauthn, a.k.a. passkeys. Instead of passwords, it relies on the local device authentication (like fingerprint, face recognition, swipe pattern, etc) and asymmetric cryptography. As a result, it is both more secure and more convenient. Check it out here: passwordless.id ;)