The top 12 password-cracking techniques used by hackers

Some of the most common, and most effective, methods for stealing passwords

Passwords are the bane of any cyber security expert’s existence. They’re typically easy to crack, often reused and, in today’s era of biometrics and cryptography, are an antiquated way of protecting an account.

Unfortunately, it’s this ease of use that means passwords are still the primary method of user authentication, so it’s essential that we are all aware of the various methods that hackers use to try and gain access to this ‘secret’ code. After all, no matter how clever you think your password is, hackers will find a way to undermine it.

It’s worth noting that most of these hacking techniques are rendered useless in the face of robust multi-layer authentication.

12 password-cracking techniques used by hackers:

1. Phishing

Perhaps the most commonly used hacking technique today, phishing involves using emails to trick an individual into clicking on an attachment or embedded link. This either triggers a download of malicious software or code, which can then allow the hacker to exfiltrate passwords through a variety of tools, or tricks the user into entering their login credentials into a bogus site. Usually, this process involves some element of social engineering, where messages can claim to be one-off payments from a long-lost relative, or even warnings from IT departments about supposed software updates.

Most recently we’ve seen a surge in the number of coronavirus-related phishing scams, as hackers seek to take advantage of the pandemic and public anxiety.

2. Social engineering

Speaking of social engineering, this typically refers to the process of tricking users into believing the hacker is a legitimate agent. A common tactic is for hackers to call a victim and pose as technical support, asking for things like network access passwords in order to provide assistance. This can be just as effective if done in person, using a fake uniform and credentials, although that’s far less common these days.

Successful social engineering attacks can be incredibly convincing and highly lucrative, as was the case when the CEO of a UK-based energy company lost £201,000 to hackers after they tricked him with an AI tool that mimicked his assistant’s voice.

3. Malware

Keyloggers, screen scrapers, and a host of other malicious tools all fall under the umbrella of malware, malicious software designed to steal personal data. Keyloggers, and their ilk, record a user’s activity, whether that’s through keystrokes or screenshots, which is all then shared with a hacker. Some malware will even proactively hunt through a user’s system for password dictionaries or data associated with web browsers.

4. Brute force attack

Brute force attacks refer to a number of different methods of hacking that all involve guessing passwords in order to access a system.

A simple example of a brute force attack would be a hacker simply guessing a person’s password based on relevant clues. However, they can be more sophisticated than that.

Credential recycling, for example, relies on the fact that many people reuse their passwords, some of which will have been exposed by previous data breaches. Reverse brute force attacks involve hackers taking some of the most commonly used passwords and attempting to guess associated usernames. Most brute force attacks employ some sort of automated processing, allowing vast quantities of passwords to be fed into a system.
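
From the defender's side, brute force and reverse brute force leave different shapes in failed-login records: many failures against one account, versus a few failures each across many accounts. The following is an added example, not part of the original article; the event format, the sample data and the thresholds are assumptions made for illustration.

```python
from collections import Counter, defaultdict, deque

def make_sample():
    """Constructed failed-login events as (unix_seconds, source_ip, username)."""
    # 12 failures against one account within a minute
    events = [(i * 5, "203.0.113.7", "alice") for i in range(12)]
    # one failure each against 15 different accounts
    events += [(i * 10, "198.51.100.9", f"user{i:02d}") for i in range(15)]
    # 12 failures against one account, but ten minutes apart
    events += [(i * 600, "192.0.2.44", "bob") for i in range(12)]
    return sorted(events)

def classify_sources(events, window=300, per_account_limit=10,
                     distinct_account_limit=10):
    """Label each source IP by the shape of its failures inside a sliding window.

    `events` must be time-ordered. The limits are illustrative assumptions
    and need tuning against a real baseline.
    """
    recent = defaultdict(deque)   # source -> (timestamp, username) in window
    verdicts = {}
    for ts, source, user in events:
        q = recent[source]
        q.append((ts, user))
        while q[0][0] <= ts - window:      # drop events older than the window
            q.popleft()
        counts = Counter(name for _, name in q)
        verdicts.setdefault(source, "normal")
        if max(counts.values()) >= per_account_limit:
            verdicts[source] = "brute force"             # one account hammered
        elif (len(counts) >= distinct_account_limit
              and verdicts[source] == "normal"):
            verdicts[source] = "reverse brute force"     # many accounts, few tries
    return verdicts

if __name__ == "__main__":
    for source, verdict in sorted(classify_sources(make_sample()).items()):
        print(f"{source:15} {verdict}")
```

The third source shows why the window matters: the same number of failures spread over two hours does not trip either rule.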

5. Dictionary attack

The dictionary attack is a slightly more sophisticated example of a brute force attack. 

This uses an automated process of feeding a list of commonly-used passwords and phrases into a computer system until something fits. Most dictionaries will be made up of credentials gained from previous hacks, although they will also contain the most common passwords and word combinations. This takes advantage of the fact that many people will use memorable phrases as passwords, which are usually whole words stuck together. This is largely the reason why systems will urge the use of multiple character types when creating a password.

6. Mask attack

Where dictionary attacks use lists of all possible phrase and word combinations, mask attacks are far more specific in their scope, often refining guesses based on characters or numbers – usually founded in existing knowledge.

For example, if a hacker is aware that a password begins with a number, they will be able to tailor the mask to only try those types of passwords. Password length, the arrangement of characters, whether special characters are included, or how many times a single character is repeated are just some of the criteria that can be used to configure the mask.

The goal here is to drastically reduce the time it takes to crack a password, and remove any unnecessary processing.
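
To see how much a known structure shrinks the search, a password audit can compare the number of candidates that fit a password's mask with the number of all strings of the same length. This is an added example, not part of the original article; it borrows the ?l/?u/?d/?s class notation from hashcat, and the function names and the sample password are assumptions.

```python
import string

# Character classes in hashcat-style mask notation (printable ASCII only).
CLASSES = {
    "?l": string.ascii_lowercase,        # 26 characters
    "?u": string.ascii_uppercase,        # 26 characters
    "?d": string.digits,                 # 10 characters
    "?s": string.punctuation + " ",      # 33 characters
}
FULL_CHARSET = sum(len(chars) for chars in CLASSES.values())   # 95

def mask_of(password):
    """Return the mask describing the character class at each position."""
    tokens = []
    for ch in password:
        for token, chars in CLASSES.items():
            if ch in chars:
                tokens.append(token)
                break
        else:
            raise ValueError(f"character outside printable ASCII: {ch!r}")
    return "".join(tokens)

def mask_keyspace(mask):
    """Number of candidate strings that match a mask."""
    size = 1
    for i in range(0, len(mask), 2):
        size *= len(CLASSES[mask[i:i + 2]])
    return size

def audit(password):
    """Compare the mask-restricted keyspace with the full one for this length."""
    mask = mask_of(password)
    narrowed = mask_keyspace(mask)
    full = FULL_CHARSET ** len(password)
    return {"mask": mask, "mask_keyspace": narrowed,
            "full_keyspace": full, "reduction": full // narrowed}

if __name__ == "__main__":
    report = audit("Summer2020")   # constructed sample password
    for key, value in report.items():
        print(f"{key:14} {value}")
```

A capital letter first and four digits last is a pattern an attacker can assume without knowing anything about the user, which is why the reduction figure is the number to watch in a policy review.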

7. Rainbow table attack

Whenever a password is stored on a system, it’s typically stored as a ‘hash’, a one-way cryptographic alias, rather than as plain text, so the original password can’t simply be read back from the stored value. In order to bypass this, hackers maintain and share directories that record passwords and their corresponding hashes, often built from previous hacks, reducing the time it takes to break into a system (used in brute force attacks).

Rainbow tables go one step further, as rather than simply providing a password and its hash, these store a precompiled list of all possible plain text versions of encrypted passwords based on a hash algorithm. Hackers are then able to compare these listings with any encrypted passwords they discover in a company’s system.

Much of the computation is done before the attack takes place, making the process much faster. The downside for cyber criminals is that the sheer volume of possible combinations means rainbow tables can be enormous, often hundreds of gigabytes in size.
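
Precomputed tables only pay off when the same password always produces the same stored hash. The standard defence is a random per-user salt combined with a deliberately slow key-derivation function, shown here beside the unsalted form. This is an added example, not part of the original article; the function names, the iteration count and the tiny constructed table are assumptions.

```python
import hashlib
import hmac
import os

def unsalted_hash(password):
    """Weak storage: identical passwords always give identical hashes."""
    return hashlib.sha256(password.encode()).hexdigest()

# Constructed stand-in for a precomputed hash-to-password directory.
PRECOMPUTED = {unsalted_hash(p): p for p in ("password", "Summer2020", "letmein")}

def table_lookup(stored_hex):
    """Return the password if the stored hash appears in the table."""
    return PRECOMPUTED.get(stored_hex)

def hash_password(password, iterations=200_000):
    """Hardened storage: a random 16-byte salt plus PBKDF2-HMAC-SHA256.

    The iteration count is an illustrative assumption; follow current
    guidance for the value used in production.
    """
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return salt, iterations, digest

def verify_password(password, salt, iterations, expected):
    """Recompute with the stored salt and compare in constant time."""
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return hmac.compare_digest(candidate, expected)

if __name__ == "__main__":
    # Two users who picked the same (constructed) password.
    weak_a, weak_b = unsalted_hash("Summer2020"), unsalted_hash("Summer2020")
    print("unsalted hashes equal:", weak_a == weak_b)
    print("found in table:       ", table_lookup(weak_a))

    rec_a, rec_b = hash_password("Summer2020"), hash_password("Summer2020")
    print("salted hashes equal:  ", rec_a[2] == rec_b[2])
    print("found in table:       ", table_lookup(rec_a[2].hex()))
    print("login still verifies: ", verify_password("Summer2020", *rec_a))
```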

8. Network analysers

Network analysers are tools that allow hackers to monitor and intercept data packets sent over a network and lift the plain text passwords contained within.

Such an attack requires the use of malware or physical access to a network switch, but it can prove highly effective. It doesn’t rely on exploiting a system vulnerability or network bug, and as such is applicable to most internal networks. It’s also common to use network analysers as part of a first phase, followed up with brute force attacks.

The only way to prevent this attack is to secure the traffic by routing it through a VPN or something similar.

9. Spidering

Spidering deploys very similar techniques to those used in social engineering-based attacks, such as phishing.

Spidering describes the process of a hacker getting to know their target, to the extent that they’re able to get credentials based on their activity. For example, many organisations use passwords that relate to their business in some way, such as those on its Wi-Fi networks or intranet. Hackers are able to study a business and the products it creates in order to build a list of possible word combinations, which can be used later in a brute force attack.

Like many entries on this list, this process is usually underpinned by automation.

10. Offline cracking

It’s important to remember that not all hacking takes place over an internet connection. In fact, most of the hacking work takes place offline, particularly as most systems place limits on the number of guesses allowed before an account is locked.

Offline hacking usually involves the process of decrypting passwords by using a list of hashes likely taken from a recent data breach. Without the threat of detection or password form restrictions, hackers are able to take their time.

11. Shoulder surfing

You might think the idea of someone looking over your shoulder to see your password is a product of Hollywood, but this is a genuine threat, even in 2020.

Brazen examples of this include hackers disguising themselves in order to gain access to company sites and, quite literally, look over the shoulders of employees or grab sensitive documents with potential passwords. Smaller businesses are perhaps most at risk of this, given that they’re unable to police their sites as effectively as a larger organisation.

12. Guess

If all else fails, a hacker can always try and guess your password. While there are many password managers available that create strings that are impossible to guess, many users still rely on memorable phrases. These are often based on hobbies, pets, or family, much of which is often contained in the very profile pages that the password is trying to protect.
