

How Crooks Hack Passwords and How You Can Protect Your Business

David Balaban


The use of traditional passwords is a slippery slope for companies these days. A much more reasonable approach is to safeguard proprietary data via things like multifactor authentication, single sign-on services or biometrics. According to security researchers' recent findings, the majority of data breaches that occurred in 2017 revolved around stolen or weak access credentials.

Let's dissect the most common password cracking methods that online perpetrators leverage to hack companies and individuals.

Compromising hashed password files

When cybercriminals obtain an organization's passwords, it's most likely because they were able to steal the password file. There are companies that keep password lists in plaintext form. A more secure tactic is to store password files in hashed form. However, neither technique does the trick reliably enough nowadays.

In a nutshell, password hashing is a one-way transformation of a password that cannot be reversed to obtain the original string. When an employee tries to log in with their regular password, the authentication module hashes the submitted password and compares the result against the value stored in the database. If the two values match, the login is successful.

Threat actors who gain access to a hashed password file can leverage so-called "rainbow tables," precomputed lookup tables that map hashes back to the passwords that produced them. Since this type of activity requires significant computing power, hackers can use specially crafted password cracking hardware, engage a botnet or rent compute from cloud providers.
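The login check described above, and why a precomputed table works against an unsalted fast hash but not against a salted slow one, as an added example that is not part of the original article. The record format, the iteration count and the short candidate list are constructed for illustration.

```python
import hashlib
import hmac
import os
from typing import Optional

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor; an assumed setting

def unsalted_sha256(password: str) -> str:
    """The weak 'hashed password file' format: one fast hash, no salt."""
    return hashlib.sha256(password.encode()).hexdigest()

def build_lookup_table(candidates) -> dict:
    """Precompute hash -> password once; the table is reusable against every
    unsalted file, which is what makes rainbow-style lookup cheap."""
    return {unsalted_sha256(p): p for p in candidates}

def recover_unsalted(stored_hash: str, table: dict) -> Optional[str]:
    """A stored unsalted hash is recovered by a plain dictionary lookup."""
    return table.get(stored_hash)

def make_record(password: str) -> dict:
    """Store a per-user random salt plus a slow derived key (PBKDF2)."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt.hex(), "dk": dk.hex(), "iters": ITERATIONS}

def verify(password: str, record: dict) -> bool:
    """Re-derive with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iters"])
    return hmac.compare_digest(dk.hex(), record["dk"])

if __name__ == "__main__":
    common = ["123456", "password", "qwerty", "letmein"]  # constructed list
    table = build_lookup_table(common)
    print(recover_unsalted(unsalted_sha256("qwerty"), table))  # found
    rec = make_record("qwerty")
    # The salted key is never in the precomputed table, and the same
    # password produces a different key for every user.
    print(rec["dk"] in table, verify("qwerty", rec), verify("qwertz", rec))
```

The salt forces an attacker to redo the (deliberately slow) derivation per user instead of reusing one table, which is the difference the text glosses over when it says neither storage method "does the trick".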

Furthermore, there are services on the dark web that allow perpetrators to outsource the data processing task. In this case, they can rent the service for a specified amount of time and even get tech support.

Ultimately, any password can be cracked as long as the attackers have time and sufficient resources on their hands. The only question is how long it takes. It's usually a matter of days or even hours, not years as it used to be.

This applies to virtually any password created by a human. Computer-generated passwords tend to be more difficult to crack this way, but they are still less secure to use than multifactor authentication.

A particularly disconcerting element in a scenario with stolen password hashes is that the whole processing and cracking routine is performed on the malefactor's machine. The attacker doesn't need to interact with the target company's infrastructure along the way; therefore, no red flags will be raised. Thousands of passwords can be cracked in hours as long as the crook's computer has enough processing power.

Large-scale attacks using botnets

Cybercriminals can employ botnets to compromise big online services. This technique allows them to try numerous different combinations of common usernames and passwords or ones obtained from dumps of credentials that occur regularly. These lists can be purchased on the dark web at a low cost. They usually originate from database breaches, such as the notorious Yahoo email hack that compromised billions of accounts.

Let's imagine a scenario where a threat actor wants to access email accounts. Attempts to log into the same account multiple times will generate alerts. To circumvent these security measures, the attacker starts with a list of leaked email addresses and a list of the most frequently used passwords. Then they try to get into each one of those email accounts with one of the most common passwords, generating only one failure per account. A few days later, they try another common password for every email address. By using a botnet for this purpose, the crooks make it look like the login attempts come from different sources.

A good response to this attack vector is two-factor authentication, where you receive a secret code that you need to enter every time you try to log in. Sophisticated technologies like facial recognition and behavioral biometrics are tasked with addressing the issue as well. The use of third-party authentication services like Google or Facebook is another good practice that additionally minimizes the number of passwords you have to remember.
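One way a defender can spot the low-and-slow spray described above in authentication logs, as an added example that is not part of the original article. The log line format, the sample lines and the thresholds are all constructed assumptions; the point is the signal: many accounts each failing once or twice from many sources, as opposed to one account failing many times.

```python
import re
from collections import defaultdict

# Assumed log format: "<ISO timestamp> auth ok|fail user=<name> src=<ip>"
LINE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ auth (?P<result>ok|fail) "
                  r"user=(?P<user>\S+) src=(?P<src>\S+)$")

# Constructed sample: day one is a spray (one failure per account, many
# sources); day two is a classic brute force against a single account.
SAMPLE_LOG = """\
2023-05-01T02:00:01Z auth fail user=alice src=203.0.113.5
2023-05-01T02:07:44Z auth fail user=bob src=198.51.100.9
2023-05-01T02:15:12Z auth fail user=carol src=192.0.2.77
2023-05-01T02:21:03Z auth fail user=dave src=203.0.113.42
2023-05-01T02:29:50Z auth fail user=erin src=198.51.100.3
2023-05-01T02:31:09Z auth ok user=erin src=10.0.0.12
2023-05-02T09:00:00Z auth fail user=frank src=192.0.2.8
2023-05-02T09:00:02Z auth fail user=frank src=192.0.2.8
2023-05-02T09:00:05Z auth fail user=frank src=192.0.2.8
2023-05-02T09:00:07Z auth fail user=frank src=192.0.2.8
2023-05-02T09:00:10Z auth fail user=frank src=192.0.2.8
2023-05-02T09:00:13Z auth fail user=frank src=192.0.2.8
""".splitlines()

def failures_by_day(lines):
    """Group failed logins per calendar day: day -> list of (user, src)."""
    days = defaultdict(list)
    for line in lines:
        m = LINE.match(line)
        if m and m["result"] == "fail":
            days[m["day"]].append((m["user"], m["src"]))
    return days

def classify(fails, spray_accounts=5, per_account_max=2, spray_sources=3, brute_min=5):
    """'brute_force' if one account fails brute_min+ times; 'password_spray' if
    spray_accounts+ accounts each fail at most per_account_max times from
    spray_sources+ distinct sources; otherwise None. Thresholds are assumed."""
    per_user = defaultdict(int)
    sources = set()
    for user, src in fails:
        per_user[user] += 1
        sources.add(src)
    if max(per_user.values(), default=0) >= brute_min:
        return "brute_force"
    low = sum(1 for n in per_user.values() if n <= per_account_max)
    if low >= spray_accounts and len(sources) >= spray_sources:
        return "password_spray"
    return None

def detect(lines):
    """Return a verdict per day so a per-account lockout alone is not the only alarm."""
    return {day: classify(f) for day, f in failures_by_day(lines).items()}
```

Per-account lockout never fires on day one because each account sees a single failure; only the aggregate view across accounts and sources exposes the spray.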

Do criminals already have your password?

When cybercrooks zero in on a person, their starting point is to check whether that individual's login credentials have already been stolen from other services. If so, chances are the same password is used for the account being targeted.

Most users have tens or even hundreds of different online accounts. It is too hard to remember passwords for all those accounts; therefore, people tend to use only a couple of passwords, with some minor variations.

Some people think they are completely secure if they have one very complex password and use it for all their accounts. That's a delusion. If hackers get that password, all of your information is at risk. It doesn't matter how strong the password is if you reuse it. By the way, there are online resources that allow you to learn whether any of your password-protected accounts have been breached in the past.

Incidents in which hackers use malware and steal the password for one's email account are particularly detrimental. This way, the black hats can log in and reset passwords for other services the victim uses. Also, if a website or in-house enterprise service has no limitation regarding login attempts, they can brute-force the password via a dictionary attack or cracking solutions like Hashcat, Mimikatz, or John the Ripper. When going after a high-profile target, the crooks can conduct some OSINT (open source intelligence) to figure out the likely answers to security questions accompanying password recovery.

Passwords created by humans, regardless of their complexity, happen to be low-hanging fruit for hackers. The technologies for cracking them have advanced significantly over time, whereas people remain predictable enough to generate crackable passwords. That's a paradigm where attackers win and users lose.

Is your password strong enough?

Unfortunately, most online services follow password strength practices that are way out of date. Their requirements usually boil down to a length of eight characters or more and a mandatory combination of symbols, numbers, and uppercase and lowercase letters. It may take a computer minutes or even seconds to crack a password that meets these criteria alone.

All of this poses a serious challenge to end users and service providers. It's too hard for the average person to create dozens of unique, long passwords for websites they use, change them regularly and remember all of them.

It is recommended to use the longest possible passwords that online services allow and leverage a reputable password management solution to store them. Furthermore, you should safeguard the vault with a master passphrase that's about 30 characters long. Make sure it's not a quote from a novel or anything that can be found on the internet. Importantly, all of your passwords should be generated randomly and make little sense, or no sense at all. If you can remember it and tell it to someone, it's not a good password.

David Balaban is a computer security researcher with over 10 years of experience in malware analysis and antivirus software evaluation. David runs the project which presents expert opinions on contemporary information security matters, including social engineering, penetration testing, threat intelligence, online privacy and white hat hacking. As part of his work at Privacy-PC, Mr. Balaban has interviewed such security celebrities as Dave Kennedy, Jay Jacobs and Robert David Steele to get firsthand perspectives on hot InfoSec issues. David has a strong malware troubleshooting background, with a recent focus on ransomware countermeasures.