5 Ways Hackers Steal Your Passwords

5 Ways Hackers Steal Your Passwords

Southern Cal Telecom found this article on Sentinel One’s website and we couldn’t say it better ourselves, so we are sharing it with you.

Full Credit to Sentinel One for this entire article.

One way or another, passwords are always in the news. They’re either being stolen in data breaches, or mocked for being too simple; derided as pointless, or lamented for being technologically backward. No matter what opinion any of us have on passwords, though, one thing is indisputable: we’re going to be using them today, tomorrow and for the foreseeable future. Unlike touch or facial recognition technologies, passwords are used everywhere because they’re cheap to implement and simple to use. For end users, they are as low-tech as security tech ever gets. Of course, that ubiquity and simplicity is precisely what makes passwords attractive to thieves. In this post, we take a look at how hackers steal our passwords and what we can do to stop them.

1. Credential Stuffing

Risk Level: High

It is estimated that tens of millions of accounts are tested daily by hackers using credential stuffing.

What Is It?

Credential stuffing, also known as list cleaning and breach replay, is a means of testing databases or lists of stolen credentials – i.e., passwords and user names – against multiple accounts to see if there’s a match.

How Does It Work?

Sites with poor security are breached on a regular basis, and thieves actively target dumping user credentials from such sites so that they can sell them on the dark net or underground forums. As many users will use the same password across different sites, criminals have a statistically good chance of finding that user [email protected] has used the same password on [email protected]. Tools to automate the testing of a list of stolen credentials across multiple sites allow hackers to quickly breach new accounts even on sites that practice good security and password hygiene.

How Can You Stay Safe?

The key to not becoming a victim of credential stuffing is simple: every password for every site should be unique. Of course, that won’t prevent your password being stolen for one account on a site with poor security, but it does mean that any one compromise of your credentials will not affect you anywhere else on the internet. If you’re gasping at the thought of creating and remembering unique passwords for every site you use, see our Tips section near the end of the post.

2. Phishing

Risk Level: High

Over 70% of all cybercrimes begin with a phishing or spear-phishing attack. Hackers love to use phishing techniques to steal user credentials, either for their own use, or more commonly to sell to criminals on the dark net.

What Is It?

Phishing is a social engineering trick which attempts to trick users into supplying their credentials to what they believe is a genuine request from a legitimate site or vendor.

How Does It Work?

Typically, but not always, phishing occurs through emails that either contain fraudulent links to cloned websites or a malicious attachment. Somewhere along the chain of events that begins with the user taking the bait, the fraudsters will present a fake login form to steal the user’s login name and password. Fraudsters will also use some form of interception between a user and a genuine sign-in page, such as a man-in-the-middle attack to steal credentials.

How Can You Stay Safe?

Use 2-factor or multi-factor authentication. Although researchers have developed tricks to overcome these, in the wild cases are yet to be reported. Caution is your number one defense against phishing. Ignore requests to sign in to services from email links, and always go directly to the vendor’s site in your browser. Check emails that contain attachments carefully. The majority of phishing emails contain misspellings or other errors that are not difficult to find if you take a moment to inspect the message carefully.

3. Password Spraying

Risk Level: High

It’s been estimated that perhaps 16% of attacks on passwords come from password spraying attacks.

What Is It?

Password spraying is a technique that attempts to use a list of commonly used passwords against a user account name, such as 123456, password123, 1qaz2wsx, letmein, batman and others.

How Does It Work?

Somewhat like credential stuffing, the basic idea behind password spraying it to take a list of user accounts and test them against a list of passwords. The difference is that with credential stuffing, the passwords are all known passwords for particular users. Password spraying is more blunt. The fraudster has a list of usernames, but no idea of the actual password. Instead, each username is tested against a list of the most commonly used passwords. This may be the top 5, 10 or 100, depending on how much time and resources the attacker has. Most sites will detect repeated password attempts from the same IP, so the attacker needs to use multiple IPs to extend the number of passwords they can try before being detected.

How Can You Stay Safe?

Ensure your password is not in the list of top 100 most commonly used passwords.

4. Keylogging

Risk Level: Medium

Keylogging is often a technique used in targeted attacks, in which the hacker either knows the victim (spouse, colleague, relative) or is particularly interested in the victim (corporate or nation state espionage).

What Is It?

Keyloggers record the strokes you type on the keyboard and can be a particularly effective means of obtaining credentials for things like online bank accounts, crypto wallets and other logins with secure forms.

How Does It Work?

Keylogging is more difficult to pull off than Credential Stuffing, Phishing and Password Spraying because it first requires access to, or compromise of, the victim’s machine with keylogging malware. That said, there are lots of publicly available post-exploitation kits that offer attackers off-the-shelf keyloggers, as well as commercial spyware tools supposedly for parental or employee monitoring.

How Can You Stay Safe?

You need to be running a good security solution that can detect keylogging infections and activity. This is one of the few kinds of password theft techniques where the strength or uniqueness of your password really makes no difference. What counts is how well your endpoint is secured against infection, and whether your security software can also detect malicious activity if the malware finds a way past its protection features.

5. Brute Force

Risk Level: Low

Surprisingly not as prevalent as people tend to think, brute forcing passwords is difficult, time-consuming and expensive for criminals.

What Is It?

It’s the kind of thing that security researchers like to write about, or which you might see in TV shows: a hacker runs an algorithm against an encrypted password and in 3…2…1… the algorithm cracks the password and reveals it in plain text.

How Does It Work?

There are plenty of tools like “Aircrack-ng”, “John The Ripper”, and “DaveGrohl” that attempt to brute force passwords. There’s generally two kinds of cracking available. The first is some form of “dictionary” attack – so called because the attacker just tries every word in the dictionary as the password. Programs like those mentioned above can run through and test an entire dictionary in a matter of seconds. The other type of technique is used when the hacker has (through means of a data breach) acquired the hash of the plain-text password. Since these can’t be reversed, the aim is to hash as many plain-text passwords as possible and try to find a match. Rainbow tables exist which list the hashes of common passphrases to speed up this process.

One of the reasons why password cracking is not as viable a technique as some of the others we’ve mentioned is that encrypted passwords typically use a salt. This is some random data used in the encryption process that ensures no two plain-text passwords will produce the same hash. However, mistakes made by site administrators when using or storing salts and passwords can make it possible for some encrypted passwords to be cracked.

How Can You Stay Safe?

The key to staying safe from brute force attacks is to ensure you use passwords of sufficient length. Anything 16 characters or over should be sufficient given current technology, but ideally future-proof yourself by using a passphrase that is as long as the maximum allowed by the service that you’re signing up to. Avoid using any service that doesn’t let you create a password longer than 8 or 10 characters. Worried about how you’d remember a super long password? See the Tips section below.

Tips For Creating Strong, Unique Passwords

One of the main reasons why Credential Stuffing and Password Spraying are so successful is because people don’t like creating and remembering complex passwords. The good news – which really shouldn’t be news as it’s been true for quite some time – is that password managers will save you the effort. These are readily available and some browsers even have password suggestions built in. Of course, it’s true that these are not foolproof. They typically rely on a master password that, if compromised, exposes all the eggs in your single basket. However, the chances of being a victim of password theft if you use a password manager are significantly lower compared to if you don’t. We suggest the benefits of password managers hugely outweigh the risks, and we highly recommend them as a basic Security 101 practice.