24 Oct, 2019
How do hackers crack passwords? Check these common password-cracking techniques they use.
As an internet user with accounts on many services and websites (a login here, account access granted there), chances are some of your data has already been compromised. You can check for yourself whether your details appear in a known breach. If they do, that data is probably circulating on the dark web, and the first thing to do is change the affected password and choose a new, strong one. You don’t want any nefarious individual exploiting your data. And if your accounts are still safe, congratulations.
Whether your data has been breached or not, educating yourself about cybersecurity and cybercrime can save you from a catastrophe. That is what we do here at Digital Private Vault: educate and spread awareness. Understanding the password-cracking techniques below is the first step towards making sure it never happens to you.
In a brute-force attack, the attacker tries to find the password by submitting one combination after another until the correct one is found. Software automates the process and runs through an exhaustive set of combinations in a very short time. The attack is usually run offline against a list of password hashes stolen from a server, where nothing rate-limits the guesses; a live login form would lock the account long before the combinations ran out. Over the past few years such tools have become dramatically faster thanks to advances in hardware, in particular GPUs. In 2012, a password-cracking expert unveiled a GPU cluster that could make 350 billion guesses per second, enough to try every eight-character Windows (NTLM) password in under six hours.
That might make your flesh crawl, but the good news is that the method is only effective against short passwords: every extra character multiplies the work. NIST has put the figure at roughly 80 bits of entropy for a password to resist brute force. So create long passwords, ideally passphrases that also mix in digits and symbols, to make cracking impractically time-consuming.
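To make the arithmetic above concrete, here is an added example (Python, written for this page, not code from the article) that brute-forces a leaked hash exactly the way cracking tools do, and then computes how long exhausting a keyspace would take at the 350-billion-guesses-per-second rate quoted above. The victim password, the use of unsalted SHA-256 and the 26-letter alphabet are assumptions chosen so the demo runs in well under a second.

```python
"""Offline brute-force attack on a leaked password hash (added example, not from the original article)."""
import hashlib
import itertools
from typing import Optional

LOWER = "abcdefghijklmnopqrstuvwxyz"
PRINTABLE = 95          # size of the printable ASCII alphabet a real cracker would use
CLUSTER_RATE = 350e9    # guesses per second, the 2012 cluster's figure


def sha256_hex(password: str) -> str:
    """Unsalted, fast hash: the kind of storage that makes brute force cheap."""
    return hashlib.sha256(password.encode()).hexdigest()


def brute_force(target_hash: str, alphabet: str, max_len: int) -> Optional[str]:
    """Try every string over `alphabet` of length 1..max_len, shortest first,
    until one hashes to target_hash. Cracking tools do exactly this,
    only many orders of magnitude faster on GPU hardware."""
    for length in range(1, max_len + 1):
        for chars in itertools.product(alphabet, repeat=length):
            guess = "".join(chars)
            if sha256_hex(guess) == target_hash:
                return guess
    return None


def seconds_to_exhaust(alphabet_size: int, length: int, guesses_per_second: float) -> float:
    """Worst-case time to try every password of exactly `length` symbols.
    With alphabet_size=2 and length=80 this is the time for an 80-bit secret."""
    return alphabet_size ** length / guesses_per_second


# Constructed victim data (assumption): the hash of a 4-letter lowercase password.
# In a real breach this hash is all the attacker starts with.
LEAKED_HASH = sha256_hex("haze")

if __name__ == "__main__":
    print("cracked:", brute_force(LEAKED_HASH, LOWER, 4))
    for size, length, label in [
        (PRINTABLE, 8, "8 printable characters"),
        (PRINTABLE, 12, "12 printable characters"),
        (2, 80, "80-bit random secret"),
    ]:
        s = seconds_to_exhaust(size, length, CLUSTER_RATE)
        print(f"{label}: {s / 3600:.1f} hours, about {s / (3600 * 24 * 365):.0f} years")
```

The eight-character case comes out at just over five hours, matching the figure above, while twelve printable characters or an 80-bit secret take tens of thousands of years at the same rate.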
The ‘dictionary attack’ gets its name for a reason: the attacker systematically tries every word in a word list, or dictionary, against the password. It is a form of brute-force attack, but instead of running through every combination of letters, numbers and symbols it only tries words that could be found in a dictionary, a far smaller set that can be exhausted in seconds.
The reason this method works so well is users’ negligence in creating strong passwords. The UK’s National Cyber Security Centre (NCSC) analysed accounts whose passwords had been compromised and found that they overwhelmingly used simple common passwords, people’s names, names of bands and football clubs, and plain dictionary words.
So if you use a dictionary word as a password, there is a good chance your account will be compromised.
You can make a dictionary attack far less likely to succeed by using a combination of several random dictionary words, such as ‘GreenElephantTowerStone’, and better still by adding numbers and symbols for extra complexity. Bear in mind that cracking tools also apply ‘mangling rules’ to every word in the list, capitalising it, appending digits or a year and swapping letters for look-alike symbols, so ‘Liverpool1’ or ‘P@ssw0rd’ are still dictionary passwords in practice.
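The following added example (Python, written for this page, not the article's or the NCSC's code) shows a dictionary attack with a handful of mangling rules of the kind real crackers apply, and why a random multi-word passphrase survives it even when every individual word is in the list. The wordlist, the rules and the target passwords are constructed for the demonstration; the hash is unsalted SHA-256, as in the previous example.

```python
"""Dictionary attack with simple mangling rules (added example, not from the original article)."""
import hashlib
from typing import Iterator, List, Optional

# Look-alike substitutions crackers try by default ("leetspeak").
LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = ("1", "123", "!", "2019", "1!")


def sha256_hex(password: str) -> str:
    return hashlib.sha256(password.encode()).hexdigest()


def candidates(words: List[str]) -> Iterator[str]:
    """Yield each word plus cheap variations: case changes, leetspeak and common suffixes."""
    for w in words:
        base = {w, w.lower(), w.capitalize(), w.upper()}
        for b in list(base):
            base.add(b.translate(LEET))
        for b in base:
            yield b
            for suffix in SUFFIXES:
                yield b + suffix


def dictionary_attack(target_hash: str, words: List[str]) -> Optional[str]:
    """Return the first candidate whose hash matches, or None if the list is exhausted."""
    for guess in candidates(words):
        if sha256_hex(guess) == target_hash:
            return guess
    return None


# Constructed wordlist (assumption): the kinds of entries the NCSC analysis found,
# i.e. common words, first names, football clubs and bands.
WORDLIST = ["password", "liverpool", "ashley", "blink182", "superman",
            "football", "green", "elephant", "tower", "stone"]

if __name__ == "__main__":
    for pw in ("Liverpool1", "P@$$w0rd!", "GreenElephantTowerStone"):
        print(pw, "->", dictionary_attack(sha256_hex(pw), WORDLIST))
```

Fewer than five hundred guesses recover both ‘Liverpool1’ and ‘P@$$w0rd!’, while ‘GreenElephantTowerStone’ is never generated even though all four of its words are in the list. Real tools do also run ‘combinator’ attacks that join two words from a list, which is why the words in a passphrase need to be genuinely random and there should be several of them.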
When your password is stored on a server it should not be kept as plain text. Instead it is run through a one-way hash function that turns it into a fixed-length, meaningless-looking string from which the password cannot be recovered. This process is called hashing (it is not encryption, since there is no key that reverses it), and it protects your password if the database is stolen. Whenever you enter your password to log in, it is hashed again and compared with the stored value; if the two match, you are logged in.
Since only hashes are stored, an attacker who steals the database has to crack the hashes to obtain the passwords. One shortcut is a rainbow table: a precomputed structure that maps the hashes of a very large number of candidate passwords back to those passwords, built once and then reused against any stolen database that uses the same hash function. The attacker looks each stolen hash up in the table and, if it is there, reads off the password without any further computation.
This works because plain hashing is deterministic: every user who chose the same password has exactly the same hash, and every site using the same hash function produces the same values, so one table serves all of them. If a stolen hash matches a table entry, the password is cracked.
A rainbow-table attack is prevented by salting: adding a unique random value (the salt) to each user’s password before hashing it, and storing the salt alongside the hash. Because every user’s salt is different, identical passwords no longer produce identical hashes, and a table precomputed without the salt is useless. Modern password-hashing functions such as bcrypt, scrypt and Argon2 salt automatically and are deliberately slow, which also blunts plain brute-force and dictionary attacks.
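The paragraphs above describe a rainbow table loosely as a list of precomputed hashes. The added example below (Python, written for this page, not the article's code) implements the real structure, which goes a little beyond that description: chains of hash-then-reduce steps, of which only the start and end points are stored, so a table covering a whole password space needs only a fraction of the memory a flat hash list would. It then shows that the same table is useless against a salted hash. The three-letter password space, the chain length, the chain start points and the use of SHA-256 are assumptions chosen so the demo builds in under a second.

```python
"""A miniature rainbow table, and the salt that defeats it (added example, not from the original article)."""
import hashlib
import os
from typing import Dict, List, Optional, Tuple

ALPHABET = "abcdefghijklmnopqrstuvwxyz"
PW_LEN = 3                       # 26**3 = 17,576 possible passwords (assumption: tiny, for speed)
SPACE = len(ALPHABET) ** PW_LEN
CHAIN_LEN = 50                   # each stored chain stands in for 50 (password, hash) pairs


def H(password: str) -> bytes:
    """Fast, unsalted hash, the way a careless server might store passwords."""
    return hashlib.sha256(password.encode()).digest()


def index_to_password(n: int) -> str:
    chars = []
    for _ in range(PW_LEN):
        n, r = divmod(n, len(ALPHABET))
        chars.append(ALPHABET[r])
    return "".join(chars)


def reduce_hash(h: bytes, step: int) -> str:
    """Reduction function: maps a hash back into the password space.
    Mixing in `step` gives every column of the table a different function,
    which is what makes this a rainbow table rather than a plain hash chain."""
    return index_to_password((int.from_bytes(h[:8], "big") + step) % SPACE)


def password_at(start: str, column: int) -> str:
    """Walk a chain from `start`; column 0 is the start itself."""
    p = start
    for step in range(column):
        p = reduce_hash(H(p), step)
    return p


def build_table(num_chains: int) -> Dict[str, List[str]]:
    """Precompute chains once and keep only endpoint -> start points."""
    table: Dict[str, List[str]] = {}
    for i in range(num_chains):
        start = index_to_password((i * 7919) % SPACE)  # 7919 is prime, so starts spread over the space
        table.setdefault(password_at(start, CHAIN_LEN), []).append(start)
    return table


def lookup(table: Dict[str, List[str]], target: bytes) -> Optional[str]:
    """Return the password whose unsalted hash is `target`, if some chain covers it."""
    for k in range(CHAIN_LEN - 1, -1, -1):
        # Assume the target sits in column k of some chain and walk to that chain's end.
        p = reduce_hash(target, k)
        for step in range(k + 1, CHAIN_LEN):
            p = reduce_hash(H(p), step)
        for start in table.get(p, []):
            # A matching endpoint is only a hint: regenerate the chain and verify.
            q = start
            for step in range(CHAIN_LEN):
                hq = H(q)
                if hq == target:
                    return q
                q = reduce_hash(hq, step)
    return None


def store_salted(password: str) -> Tuple[bytes, bytes]:
    """What the server should do instead: a fresh random salt per user, stored with the hash.
    (A slow function such as bcrypt or Argon2 would be better still; plain SHA-256 is used here for brevity.)"""
    salt = os.urandom(16)
    return salt, hashlib.sha256(salt + password.encode()).digest()


TABLE = build_table(500)
# Constructed victim password (assumption): a chain start point, so the table certainly covers it.
VICTIM = index_to_password((3 * 7919) % SPACE)


def crack_unsalted(password: str) -> Optional[str]:
    return lookup(TABLE, H(password))


def crack_salted(password: str) -> Optional[str]:
    _salt, digest = store_salted(password)
    return lookup(TABLE, digest)   # the table knows nothing about the salt


if __name__ == "__main__":
    print("unsalted:", crack_unsalted(VICTIM))   # the password
    print("salted:  ", crack_salted(VICTIM))     # None
```

Because chains can merge, an endpoint match is only a hint and the chain has to be regenerated to confirm the hit; that verification step is also why the salted lookup fails cleanly rather than returning a wrong password.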
While the techniques above exploit technical weaknesses, social engineering exploits human error and psychology. Put simply, social engineering is the act of manipulating a victim into handing over confidential information such as bank details or passwords.
This method is so prevalent among cybercriminals because they know that people are the doorway to important credentials and information. Through social engineering they use tried-and-tested methods to exploit age-old human instincts, rather than looking for new ways to break into secure, well-designed technology.
It is often far easier to trick someone into sharing their password than to crack it. According to KnowBe4, a company that provides security-awareness training, 97% of attacks by cybercriminals target people through social engineering.
Phishing is a type of social engineering in which cybercriminals trick users into handing over sensitive information, which is then used for crimes such as financial fraud and data theft.
There are many varieties of phishing: email spoofing, URL spoofing, website spoofing, smishing (by SMS), vishing (by phone) and more. The most common are carried out over email, phone and SMS.
In all of them, the attacker masquerades as someone from a legitimate organisation, creates a sense of curiosity, fear or urgency, and tries to deceive the victim into providing sensitive information: identity details, financial and banking information, passwords and more.
A typical example is a phishing email claiming that your credit card has been blocked and urging you to log in straight away to unblock it. The email links to a fake website that looks like the real one but exists only to capture what you type. Once you click the link and enter your credentials, the attackers have them. So it is essential to be able to recognise an illegitimate message and tell it apart from a genuine one.
Signs that a message may be phishing include: offers that are too good to be true; a generic greeting instead of your name; emails from unfamiliar senders that contain hyperlinks or attachments; and sweepstakes, lotteries or unrealistic ‘free’ prizes. Before clicking a link, hover over it and check that the address it really points to belongs to the organisation the email claims to come from, not merely a domain that contains its name.
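As an added example of turning those signs into checks (Python, written for this page, not the article's or KnowBe4's code), here is a small heuristic scorer run over two constructed emails: the blocked-card lure described above and a genuine statement notification. The keyword lists, the crude registered-domain comparison and the sample messages are assumptions; the link-text-versus-href check goes slightly beyond the page's list, because mismatched links are the most reliable tell in the blocked-card scenario.

```python
"""Heuristic phishing checks over constructed sample emails (added example, not from the original article)."""
import re
from html.parser import HTMLParser
from typing import Any, Dict, List
from urllib.parse import urlparse

# Assumed keyword lists; a production filter would use far richer features.
URGENCY = ("immediately", "within 24 hours", "blocked", "suspended", "verify your account", "act now")
LURES = ("you have won", "lottery", "sweepstake", "free prize", "claim your reward")
GENERIC_GREETINGS = ("dear customer", "dear user", "dear member", "dear account holder")
DOMAIN_RE = re.compile(r"[\w-]+(?:\.[\w-]+)*\.[a-z]{2,}")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[tuple] = []
        self._href = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host: str) -> str:
    """Crude 'example.com' from 'www.login.example.com' (ignores two-level TLDs such as co.uk)."""
    parts = host.lower().strip().split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def phishing_signals(msg: Dict[str, Any]) -> List[str]:
    """Return the warning signs found in one message; an empty list means none fired."""
    signals: List[str] = []
    body = msg["body"]
    text = (msg.get("subject", "") + " " + body).lower()
    if any(g in body.lower()[:80] for g in GENERIC_GREETINGS):
        signals.append("generic greeting")
    if any(u in text for u in URGENCY):
        signals.append("urgency or threat")
    if any(lure in text for lure in LURES):
        signals.append("too-good-to-be-true offer")
    sender_domain = registered_domain(msg["from"].split("@")[-1].rstrip(">"))
    parser = LinkExtractor()
    parser.feed(body)
    for href, visible in parser.links:
        # Compare where the link really goes with who the mail claims to be from.
        link_domain = registered_domain(urlparse(href).hostname or "")
        if link_domain != sender_domain:
            signals.append(f"link to {link_domain} in mail from {sender_domain}")
        shown = DOMAIN_RE.search(visible.lower())
        if shown and registered_domain(shown.group()) != link_domain:
            signals.append(f"link text shows {shown.group()} but points to {link_domain}")
    if msg.get("attachments"):
        signals.append("unexpected attachment")
    return signals


# Constructed sample messages (not real emails).
PHISH = {
    "from": "Example Bank Security <alerts@examplebank-secure-login.com>",
    "subject": "Your credit card has been blocked",
    "body": ("<p>Dear customer,</p><p>Your card was blocked after unusual activity. "
             "Log in within 24 hours to unblock it: "
             "<a href=\"http://examplebank.com.verify-card.net/unblock\">https://www.examplebank.com/login</a></p>"),
    "attachments": [],
}
LEGIT = {
    "from": "Example Bank <noreply@examplebank.com>",
    "subject": "Your March statement is ready",
    "body": ("<p>Hi Priya,</p><p>Your statement is ready to view at "
             "<a href=\"https://www.examplebank.com/statements\">www.examplebank.com/statements</a>.</p>"),
    "attachments": [],
}

if __name__ == "__main__":
    for name, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(name, phishing_signals(msg))
```

Note how the phishing link's host, examplebank.com.verify-card.net, starts with the bank's name but is registered under verify-card.net; that is the trick the hover check in the text is meant to catch.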
Hackers and cybercriminals are always hunting for new ways to crack your passwords and break in. So it is essential to create a strong, unique password for every account and to store them securely; a vault app makes the storing part easier. It is equally essential to stay alert to scams and social engineering by educating yourself.