IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more
For many years, passwords were considered to be an acceptable form of protecting privacy when it came to the digital world. However, as cryptography and biometrics started to become more widely available, the flaws in this simple method of authentication became more noticeable.
It’s worth taking into account the role of a leaked password in one of the biggest cyber security stories of the last two years, the SolarWinds hack. It was revealed that ‘solarwinds123’, a password created and leaked by an intern, had been publicly accessible through a private GitHub repository since June 2018, enabling hackers to plan and carry out the massive supply chain attack.
Despite this, even if the password hadn’t been leaked, it wouldn’t have been hard for attackers to guess it. In the words of US politician Katie Porter, most parents utilise a stronger password to stop their children from “watching too much YouTube on their iPad”.
Passwords that are weak or easy to guess are more common than you might expect: recent findings from the NCSC found that around one in six people uses the names of their pets as their passwords, making them highly predictable. To make matters worse, these passwords tend to be reused across multiple sites, with one in three people (32%) having the same password to access different accounts.
It should come as no surprise that passwords are the worst nightmare of a cyber security expert. To remedy this issue, there are steps worth taking, like implementing robust multi-layer authentication. It is also worthwhile mitigating risks to consider the steps cyber criminals must take to hack your account and “know your enemy”. We’ve put together the top 12 password-cracking techniques used by attackers to enable you and your business to be better prepared.
Phishing is among the most common password-stealing techniques currently in use today and is often used for other types of cyber attacks. Rooted in social engineering tactics, its success is predicated on being able to deceive a victim with seemingly legitimate information while acting on malicious intent.
Businesses are highly aware of the widespread phishing attempts on their employees and often conduct phishing training exercises on them, both with explicit notice and on unwitting individuals. Usually carried out through email, success with phishing can also be achieved with other communication forms such as over SMS text messaging, known as ‘smishing’.
Phishing typically involves sending an email to a recipient while including as many elements within the email as possible to make it appear legitimate i.e. company signatures, correct spelling and grammar, and more sophisticated attacks recently attach onto existing email threads with phishing coming later in the attack chain.
From there, attackers will try and encourage the user into downloading and opening a malicious document or another type of file - usually malware - to achieve whatever the attacker wants. This could be stealing passwords, infecting them with ransomware, or even staying stealthily hidden in the victim’s environment to act as a backdoor for future attacks performed remotely.
Related Resource
The best defence against ransomware
How ransomware is evolving and how to defend against it
Computer literacy has increased over the years and many users are well trained in how to spot a phishing email. The telltale clues are now widely known, and people know when and how to report a suspicious email at work. Only the very best campaigns are genuinely convincing, like with the aforementioned email hijack campaigns.
The days of emails from supposed princes in Nigeria looking for an heir, or firms acting on behalf of wealthy deceased relatives, are few and far between these days, although you can still find the odd, wildly extravagant, claim here and there.
Our recent favourite is the case of the first Nigerian astronaut who is unfortunately lost in space and needs us to act as a man in the middle for a $3 million dollar transfer to the Russian Space Agency – which apparently does return flights.
Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance. This can be just as effective if done in person, using a fake uniform and credentials, although that’s far less common these days.
Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost £201,000 to hackers after they tricked him with an AI tool that mimicked his assistant’s voice.
Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data. Alongside highly disruptive malicious software like ransomware, which attempts to block access to an entire system, there are also highly specialised malware families that target passwords specifically.
Keyloggers, and their ilk, record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.
Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.
A simple example of a brute force attack would be a hacker simply guessing a person’s password based on relevant clues, however, they can be more sophisticated than that. Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which will have been exposed by previous data breaches. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess associated usernames.
Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.
The dictionary attack is a slightly more sophisticated example of a brute force attack.
This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations.
This technique takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.
Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.
For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.
The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.
Whenever a password is stored on a system, it’s typically encrypted using a ‘hash’, or a cryptographic alias, making it impossible to determine the original password without the corresponding hash. In order to bypass this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to break into a system (used in brute force attacks).
Rainbow tables go one step further, as rather than simply providing a password and its hash, these store a precompiled list of all possible plain text versions of encrypted passwords based on a hash algorithm. Hackers are then able to compare these listings with any encrypted passwords they discover in a company’s system.
Much of the computation is done before the attack takes place, making it far easier and quicker to launch an attack, compared to other methods. The downside for cyber criminals is that the sheer volume of possible combinations means rainbow tables can be enormous, often hundreds of gigabytes in size.
Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.
Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analysers as part of the first phase of an attack, followed up with brute force attacks.
Of course, businesses can use these same tools to scan their own networks, which can be especially useful for running diagnostics or for troubleshooting. Using a network analyser, admins can spot what information is being transmitted in plain text, and put policies in place to prevent this from happening.
The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.
Spidering refers to the process of hackers getting to know their targets intimately in order to acquire credentials based on their activity. The process is very similar to techniques used in phishing and social engineering attacks, but involves a far greater amount of legwork on the part of the hacker - although it’s generally more successful as a result.
Related Resource
Vulnerability and patch management
Keep known vulnerabilities out of your IT infrastructure
How a hacker might use spidering will depend on the target. For example, if the target is a large company, hackers may attempt to source internal documentation, such as handbooks for new starters, in order to get a sense of the sort of platforms and security the target uses. It’s in these that you often find guides on how to access certain services, or notes on office Wi-Fi usage.
It’s often the case that companies will use passwords that relate to their business activity or branding in some way - mainly because it makes it easier for employees to remember. Hackers are able to exploit this by studying the products that a business creates in order to build a hitlist of possible word combinations, which can be used to support a brute force attack.
As is the case with many other techniques on this list, the process of spidering is normally supported by automation.
It’s important to remember that not all hacking takes place over an internet connection. In fact, most of the work takes place offline, particularly as most systems place limits on the number of guesses allowed before an account is locked.
Offline hacking usually involves the process of decrypting passwords by using a list of hashes likely taken from a recent data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.
Of course, this can only be done once an initial attack has been successfully launched, whether that's a hacker gaining elevated privileges and accessing a database, by using a SQL injection attack, or by stumbling upon an unprotected server.
You might think the idea of someone looking over your shoulder to see your password is a product of Hollywood, but this is a genuine threat, even in 2020.
Brazen examples of this include hackers disguising themselves in order to gain access to company sites and, quite literally, look over the shoulders of employees to grab sensitive documents and passwords. Smaller businesses are perhaps most at risk of this, given that they’re unable to police their sites as effectively as a larger organisation.
Security experts recently warned of a vulnerability in the authentication process used by WhatsApp. Users trying to use WhatsApp on a new device must first enter a unique code that's sent via a text message, which can be used to restore a user's account and chat history from a backup. It was found that if a hacker was able to obtain a user's phone number, they are able to download the app to a clean device and issue a prompt for a new code, which, if they are in spying distance, they could copy as it arrives on the user's own device.
If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.
The best way to remove this as a potential avenue for criminals is to maintain password hygiene and make use of password managers, many of which are free.
Featured Resources
The 3D trends report
Presenting one of the most exciting frontiers in visual culture
The financial services survival guide
How uncertainty and disruption is forcing financial services to innovate
Building a better password strategy for your business
Exploring the strategies and exploits that hackers are using to circumvent password security measures
Market guide for web, product, and digital experience analytics
Analyse customer and user behaviour, digital product performance and usage patterns to improve the digital customer experience
Twitter bankruptcy ‘not out of the question’ as senior execs flee
Business strategy
Twitter bankruptcy ‘not out of the question’ as senior execs flee
11 Nov 2022
VMware brings XDR capabilities to Carbon Black in a push for lateral security
network security
VMware brings XDR capabilities to Carbon Black in a push for lateral security
9 Nov 2022