How do hackers get your passwords? It's a rather simple question that, unsurprisingly, delivers a not-so-simple answer.
For many years passwords have been the go-to method of securing our digital lives, helping us stay secure and access vital services and the various platforms we use.
It’s for this very reason that cyber criminals dedicate so much time to stealing those credentials. Passwords are the keys to our digital castles, and if compromised could lead a hacker to troves of data such as banking details, client records, and more.
However, as cryptography and biometrics started to become more widely available, the flaws in this simple method of authentication became more noticeable.
It’s worth taking into account the role of a leaked password in one of the biggest cyber security stories of recent times, the SolarWinds hack.
It was revealed that ‘solarwinds123’, a password created and leaked by an intern, had been publicly accessible through a private GitHub repository since June 2018, enabling hackers to plan and carry out the massive supply chain attack.
Even if the password wasn't leaked and made publicly available, it wouldn't take long for a hacker to break past the security, or even guess the password outright. As US politician Katie Porter said at the time, most parents are using stronger passwords to stop their children from "watching too much YouTube on their iPad".
These types of weak passwords are not uncommon. Analysis from the UK’s National Cyber Security Centre (NCSC) found that around one in six people use the names of their pets as passwords, with one in three people also using the same password across multiple websites and accounts.
How do hackers get your passwords?
Cyber criminals employ a varied range of techniques and tools to steal your passwords. These can be as simple as a malicious email link, nefarious ‘social engineering’ techniques, or more sophisticated methods.
There is no one-size-fits-all practice among cyber criminals in this regard, meaning that you must be on guard, remain vigilant, and ensure that you're using strong, varied password combinations across all of your accounts.
To help illustrate what a strong password might look like, we’ve put together the top 12 password-cracking techniques used by attackers, which will enable you and your business to be better prepared against possible attacks.
Phishing is among the most common password-stealing techniques currently in use today and is often used for other types of cyber attacks. Rooted in social engineering tactics, its success is predicated on being able to deceive a victim with seemingly legitimate information while acting on malicious intent.
Businesses are highly aware of the widespread phishing attempts on their employees and often conduct internal phishing tests, both with explicit notice and on unwitting individuals. Usually carried out through email, success with phishing can also be achieved with other communication forms such as over SMS text messaging, known as ‘smishing’.
Phishing usually involves the sending of an email to a recipient with the intent of tricking that person into clicking on a malicious link or downloading malware.
In many cases, spelling errors or unusual formatting will be a clear indication something is wrong, however the most sophisticated attacks will make every effort to appear legitimate. In some rare cases, you may even see attacks joining existing email threads.
From there, attackers will try and encourage the user into downloading and opening a malicious document or another type of file - usually malware - as part of a wider attempt to steal data. This could be stealing passwords, infecting a user with ransomware, or even creating a hidden backdoor in the victim’s environment to facilitate future attacks.
This could be stealing passwords, infecting a user with ransomware, or even creating a hidden backdoor in the victim’s environment to facilitate future attacks.
The long road ahead to ransomware preparedness
Getting to the bigger truth
Computer literacy has increased over the years and many users are well trained in how to spot a phishing email. The tell-tale clues are now widely known, and people know when and how to report a suspicious email at work. Only the very best campaigns are genuinely convincing, like with the aforementioned email hijack campaigns.
Emails from supposed princes in Nigeria looking for an heir, or firms acting on behalf of wealthy deceased relatives, are few and far between these days, although you can still find the odd, wildly extravagant, claim here and there.
Our recent favorite is the case of the first Nigerian astronaut who is unfortunately lost in space and needs us to act as a middle man for a $3 million dollar transfer to the Russian Space Agency – which apparently does return flights.
2. Social engineering
Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance.
This can be just as effective if done in person, using a fake uniform and credentials, although that’s far less common these days.
Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost £201,000 to hackers after they tricked him with an AI tool that mimicked his assistant’s voice.
Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data.
Alongside highly disruptive malicious software like ransomware, which attempts to block access to an entire system, there are also highly specialized malware families that target passwords specifically.
Keyloggers, and their ilk, are some of the most affective tools hackers can use to gain access to passwords. These will record a user’s activity, whether that’s through keystrokes or screenshots, that is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.
4. Brute force attack
Brute force attack is somewhat of an umbrella term referring to a variety of relatively unsophisticated methods that often rely on trial-and-error.
A brute force attack can often take the form of an attacker making educated guesses. For example, the username may already be known and the attacker may even know the victim personally, so guesses related to known birth dates, favorite sports teams, and family members’ names could all provide clues to the correct password, such as LiverpoolFC97.
They are somewhat similar to dictionary attacks (explained below) but often lack the associated sophistication, automation, and computational complexity.
5. Dictionary attack
Dictionary attacks are similar to brute force methods but involve hackers running automated scripts that take lists of known usernames and passwords and put them against a login system sequentially.
It means every username would have to be checked against every possible password before the next username could be attempted against every possible password.
The method is computationally demanding and as a result, often quite time-consuming. With the strongest password encryption standards, the time to conduct a dictionary attack increases often to an untenable level.
There are fears that the advent of quantum computing may render passwords useless given the computational power they possess, and even consumer-grade equipment is threatening the password too. Nvidia’s RTX 4090 GPU, for example, has been shown to take under an hour to crack every single eight-character password when running eight of them in tandem.
This is around 200 billion different possibilities, including different letter capitalizations, symbols, and numbers placed in different orders in the password.
6. Mask attack
Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.
For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.
The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.
7. Rainbow table attack
Whenever a password is stored on a system, it’s typically encrypted using a ‘hash’, or a cryptographic alias, making it impossible to determine the original password without the corresponding hash.
In order to bypass this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to break into a system (used in brute force attacks).
Rainbow tables go one step further, as rather than simply providing a password and its hash, these store a precompiled list of all possible plaintext versions of encrypted passwords based on a hash algorithm. Hackers are then able to compare these listings with any encrypted passwords they discover in a company’s system.
Much of the computation is done before the attack takes place, making it far easier and quicker to launch an attack, compared to other methods. The downside for cyber criminals is that the sheer volume of possible combinations means rainbow tables can be enormous, often hundreds of gigabytes in size.
8. Network analysers
Network analyzers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.
Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analyzers as part of the first phase of an attack, followed up with brute force attacks.
Of course, businesses can use these same tools to scan their own networks, which can be especially useful for running diagnostics or for troubleshooting. Using a network analyzer, admins can spot what information is being transmitted in plain text, and put policies in place to prevent this from happening.
The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.
The long road ahead to ransomware preparedness
Getting to the bigger truth
'Spidering' refers to the process of hackers getting to know their targets intimately in order to acquire credentials based on their activity. The process is very similar to techniques used in phishing and social engineering attacks, but involves a far greater amount of legwork on the part of the hacker - although it’s generally more successful as a result.
How a hacker might use spidering will depend on the target. For example, if the target is a large company, hackers may attempt to source internal documentation, such as handbooks for new starters, in order to get a sense of the sort of platforms and security the target uses.
It’s in these that you often find guides on how to access certain services, or notes on office Wi-Fi usage.
It’s often the case that companies will use passwords that relate to their business activity or branding in some way - mainly because it makes it easier for employees to remember. Hackers are able to exploit this by studying the products that a business creates in order to build a hitlist of possible word combinations, which can be used to support a brute force attack.
As is the case with many other techniques on this list, the process of spidering is normally supported by automation.
10. Offline cracking
It’s important to remember that not all hacking takes place over an internet connection. In fact, most of the work takes place offline, particularly as most systems place limits on the number of guesses allowed before an account is locked.
Offline hacking usually involves the process of decrypting passwords by using a list of hashes likely taken from a recent data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.
Of course, this can only be done once an initial attack has been successfully launched, whether that's a hacker gaining elevated privileges and accessing a database, by using a SQL injection attack, or by stumbling upon an unprotected server.
11. Shoulder surfing
Far from the most technically complex method in this list, shoulder surfing is one of the most rudimentary but effective techniques available to hackers, given the right context and target.
Somewhat self-explanatory, shoulder surfing simply sees hackers peering over the shoulder of a potential target, looking to visually track keystrokes when entering passwords. This could take place in any public space like a coffee shop, or even on public transport such as a flight.
An employee may be accessing in-flight internet to complete a task before landing and the hacker could be sitting nearby, watching for an opportunity to note down a password to an email account, for example.
If you work from public places on a regular or even semi-regular basis, it is worth considering using a device fitted with technology to prevent prying eyes from seeing what’s on the display.
HP’s EliteBooks, for example, often come with the option to configure a device with a Sure View privacy screen, for example. Other third-party options are also available from online retailers that can simply be placed over most laptop displays, and they’re affordable too.
If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.
How to protect your password from hackers
The best way to nullify many of the techniques listed here is to maintain effective password hygiene. What constitutes a strong password can vary depending on who you speak to, but we recommend making the password as complicated as possible, using a variety of numbers, letters of different cases, and characters.
What is just as important as the code itself is the discipline to use different passwords for each account you own. No matter how strong a password is, a data breach will put your account at risk, and therefore any other accounts that utilise that password.
Naturally, remembering even just a small number of complicated passwords will be a challenge, and so we recommend making use of a password manager. Many of these are free, or are bundled as part of cyber security packages, and can be rolled out across a business as a standard practice.
Get the ITPro. daily newsletter
Receive our latest news, industry updates, featured resources and more. Sign up today to receive our FREE report on AI cyber crime & security - newly updated for 2023.
Dale Walker is the Managing Editor of ITPro, and its sibling sites CloudPro and ChannelPro. Dale has a keen interest in IT regulations, data protection, and cyber security. He spent a number of years reporting for ITPro from numerous domestic and international events, including IBM, Red Hat, Google, and has been a regular reporter for Microsoft's various yearly showcases, including Ignite.